11-06-2008 03:44 AM - edited 03-10-2019 04:10 PM
Hi,
I have configured remote access VPN (IPsec) on my Cisco ASA. Before, there was only a single username & password for the VPN client. Now I am planning to give access through a RADIUS server. I have configured the RADIUS server on a WIN 2003 server.
Server configuration:
1) Administrative Tools > Internet Authentication Service and right-click on RADIUS Client to add a new RADIUS client with ip address of CISCO ASA (inside interface).
2) Remote Access Policies, right-click on Connections to Other Access Servers, and select Properties.
3) Check that Grant Remote Access Permissions is selected. Click Edit Profile and check these settings: On the Authentication tab, check Unencrypted authentication (PAP, SPAP), MS-CHAP, and MS-CHAP-v2. On the Encryption tab, ensure that the option for No Encryption is selected. Click OK when you are finished.
4) Select Administrative Tools > Computer Management > System Tools > Local Users and Groups, right-click on Users and select New Users to add a user into the local computer account. Add a user and check this profile information: On the General tab, ensure that the option for Password Never Expires is selected instead of the option for User Must Change Password.
On the Dial-in tab, select the option for Allow access.
ASA configuration:
aaa-server vpn protocol radius
aaa-server vpn host 10.155.20.25 (RADIUS server IP)
key cisco321
tunnel-group vpnacc type ipsec-ra
tunnel-group vpnacc general-attributes
authentication-server-group vpn
But it is not working. Please guide me to resolve this issue.
Regards,
som
11-06-2008 07:00 AM
Hi,
Did you add the ASA to the list of NAS in the RADIUS server?
Massimiliano.
11-10-2008 04:30 AM
How to add that one... Please guide.
regards,
som
11-10-2008 10:18 AM
Hi,
Are you using a Cisco Secure ACS for your radius authentication?
Craig
11-10-2008 08:39 PM
I'm using Windows 2003...
11-12-2008 08:02 AM
I assume by your answer of Windows 2003 that you are using the ISA server for Radius authentication then?
Craig
11-13-2008 10:17 AM
You don't say which version of ASA code you are running, but I don't see your specification of interface on your aaa statement. Wouldn't it look something like:
aaa-server vpn (INSIDE) host x.x.x.x key xxxxxxx?
That is how mine looks on 8.0(4).
11-13-2008 10:25 AM
Also, take a look at your logs on the Windows server, and try debugging the ASA. Try running Wireshark or Network Monitor on the Windows server to see if the requests are coming in. You should be able to figure out pretty quickly what is going on by debugging aaa on the ASA and/or checking the logs on the server. Make sure the service is running on the Windows box. Make sure that something stupid like Windows Firewall isn't blocking the connection. You can turn on debugging by typing "debug aaa" and type "logging console debugging" and "term mon". You can test aaa by typing "test aaa-server authentication vpn host x.x.x.x username someusername password somepassword".
Hopefully this will lead you in the right direction. Oh, one more thing, when you are done, don't forget to turn off the debug by typing "undebug all". Another word of warning: running debugs on a production firewall should be done at your own risk; it is very easy to overwhelm a device to the point it stops responding by running debugs.
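To make the ASA-to-IAS exchange that "test aaa-server" and "debug aaa" exercise concrete, here is an added example (not code from this thread or from Cisco/Microsoft) that builds an RFC 2865 Access-Request with a PAP User-Password hidden under the shared key, and checks the Response Authenticator on the server's reply the way the NAS does. The shared key, username and addresses in the test are constructed values; a mismatched key on either side makes the reply fail the authenticity check, which is why it presents as a timeout rather than a clean reject.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4  # RFC 2865 attribute types

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each chunk with MD5(secret + previous
    chunk), first chunk keyed by the Request Authenticator. This is obfuscation keyed by
    the shared secret, not encryption, so the ASA-to-IAS path must be a trusted network."""
    if not 0 < len(password) <= 128:
        raise ValueError("RFC 2865 allows 1..128 byte passwords")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse (what IAS does before the PAP check); padding nulls stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """Access-Request like the one 'test aaa-server authentication' makes the ASA send."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for atype, value in ((USER_NAME, username.encode()),
                         (USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
                         (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def build_response(code, identifier, attrs, request_authenticator, secret):
    """Server reply; Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def response_is_authentic(response, request_authenticator, secret):
    """Client-side check the ASA performs: with a shared-key mismatch this fails and the
    reply is silently discarded even though IAS answered, so the NAS sees a timeout."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:length] + secret).digest()
    return response[4:20] == expected
```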