cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
460
Views
0
Helpful
10
Replies

Setting up VPN group for ACS5.5

bmack2121
Level 1
Level 1

I am trying to a group in the ACS5.5 that allows users to be able to connect. I have created a network group called ASA-VPN and have it set for radius and tacacs. The ACS is linked to AD. I am lost on what to do next as far ass rules or attributes. I've dealt with ISE before but not the ACS.

1 Accepted Solution

Accepted Solutions

nspasov
Cisco Employee
Cisco Employee

Take a look at the following link as it outlines a step-by-step process:

https://supportforums.cisco.com/document/139141/remote-access-vpn-authentication-acs-5x-using-radius-protocol

Let us know if you are still having issues. 

 

Thank you for rating helpful posts!

View solution in original post

10 Replies 10

nspasov
Cisco Employee
Cisco Employee

Take a look at the following link as it outlines a step-by-step process:

https://supportforums.cisco.com/document/139141/remote-access-vpn-authentication-acs-5x-using-radius-protocol

Let us know if you are still having issues. 

 

Thank you for rating helpful posts!

I am still a little lost. The default network access policy has already been set up. I've defined my ASA in the Network and AAA client list. I've went to AD under External Identity and add the VPN Allowed geoup under directory Groups. Now I am stuck on what to do next as far as policy Elements and Access Policies.

Did you get it resolved? I see the thread is marked as "answered" but still wanted to confirm. If you are still having issues please post screen shots of your policies. 

I was trying to rate your post 5/5 but I guess that marks it as answered. I can't do screen shots due to our policy but I will describe it the best I can.

 

1. Under Policy Elements > Auth & Permissions > Network Access > Authroization Profiles:

I created a profile (I didn't touch common tasks)

 a. RADIUS Attributes: I've added a class string value similar to what was in ACS4.x

2. Under Access Policies > Access Services > "VPN" > I checked Identity and Authorization

 a. Under Allowed Protocols I've selected them all except preffered EAP and marked Radius Access Request User name

3. Under Identity I chose AD_CERT

4. Under Authorization I created a policy called  "VPN Ac" > Compound condition from AD/VPN Access which results to VPN Access and login allow

 

5. The network devices has been created as well.

 

From a high level it sounds correct. What happens when a user tries to authenticate?

I haven't went live on this ACS yet. Still using the old. I have to go in to the ASA and do a few more configurations then I will test it out tonight. Fingers Crossed!

Ah ok, so one thing you could do is create a new VPN tunnel group and tied that to the the ACS server(s) so you can test it that way. 

That may be safer but I am truely lost on how to do that one. You mean create a tunnel group in the ASA then create it in the ACS correct?

What I meant is:

1. Create a new AAA group in the ASAs that reference the new ACS servers

2. Create another VPN profile (tunnel-group) in the ASAs. For example, test-vpn

3. Tie the AAA (authentication and authorization) of the new test-vpn to the new AAA server group that has the new ASAs

4. Test connection

I hope this helps!

Now I can connect through my new ACS. It will show my username on the ACS when I log in via VPN and it will also show clientless, subject not found in identity store" with my same IP listed in red right above it. I must have a rule set wrong or something.   Any idea?