12-29-2006 04:15 PM - edited 03-11-2019 02:14 AM
Hello,
Just inherited an ASA 5510 in production, and am trying to logic out the existing config, and I am confused by the following entries:
tunnel-group vpntunnel type ipsec-ra
tunnel-group vpntunnel general-attributes
 address-pool vpnpool
 authentication-server-group Radius LOCAL
 default-group-policy vpntunnel
tunnel-group vpntunnel ipsec-attributes
 pre-shared-key xxx
Ok, so it appears to me (please correct me if I am wrong) that the initial IPsec connection from the Cisco VPN client to the ASA is using a pre-shared key, and then the user is authenticated by RADIUS for access to services, or by the LOCAL db if that fails?
Please advise. All of the clients have the pre-shared key configured, but they are also forced to use their MS login and password to access anything.
Thanks a lot for your help.
01-01-2007 02:58 PM
Hi .. below is a brief explanation
tunnel-group vpntunnel type ipsec-ra
* vpntunnel is a remote access VPN group *
tunnel-group vpntunnel general-attributes
 address-pool vpnpool
* the vpntunnel group is assigned IP addresses from the pool vpnpool *
 authentication-server-group Radius LOCAL
* User authentication for the vpntunnel group is by the servers defined under the Radius group. If those servers are unavailable then the local database will be used *
 default-group-policy vpntunnel
tunnel-group vpntunnel ipsec-attributes
 pre-shared-key xxx
* The first phase of ISAKMP authentication is based on a preshared password *
In summary, the IPsec tunnel will be established after satisfying 2 steps:
1.- using the group name vpntunnel and the preshared password which are configured on the VPN client.
2.- After the above is successful, the user will be challenged for a username and password which will then be checked against the Radius server(s) .. if authentication is successful then the tunnel is established.
That is the normal behaviour.
I hope it helps .. please rate it if it does !!!
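To make the two-step chain above concrete when auditing an inherited config, here is an added example (not from the original thread, not Cisco code) that parses an ASA-style config fragment and resolves each remote-access tunnel-group into its phase-1 (group pre-shared key) and phase-2 (XAUTH user login) authentication steps, including the order in which server groups are tried and when LOCAL actually kicks in. The tunnel-group lines mirror the ones quoted in the thread; the `aaa-server` group, the `ip local pool` line and the host address 192.0.2.10 are constructed for illustration and are not from the original post.

```python
"""Resolve ASA IPsec remote-access tunnel-groups into their authentication chain.

Added example for this thread, not code from the original post or from Cisco.
The tunnel-group lines mirror the quoted config; aaa-server, ip local pool and
the host address are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed config fragment in ASA CLI style (sub-commands indented one space).
SAMPLE_CONFIG = """\
ip local pool vpnpool 10.10.10.1-10.10.10.50 mask 255.255.255.0
aaa-server Radius protocol radius
aaa-server Radius (inside) host 192.0.2.10
 key <radius-secret>
tunnel-group vpntunnel type ipsec-ra
tunnel-group vpntunnel general-attributes
 address-pool vpnpool
 authentication-server-group Radius LOCAL
 default-group-policy vpntunnel
tunnel-group vpntunnel ipsec-attributes
 pre-shared-key xxx
"""


@dataclass
class TunnelGroup:
    name: str
    type: str = ""
    address_pool: str = ""
    auth_servers: list = field(default_factory=list)  # listed order = order tried
    group_policy: str = ""
    has_psk: bool = False


def parse_config(text):
    """Return (tunnel_groups, aaa_hosts, pools) parsed from an ASA config."""
    groups, aaa_hosts, pools = {}, {}, set()
    context = None  # (section, tunnel-group name) of the current indented block
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        indented = line.startswith(" ")
        line = line.strip()
        if not indented:
            context = None  # any top-level command ends the previous sub-block
            m = re.match(r"tunnel-group (\S+) type (\S+)", line)
            if m:
                groups.setdefault(m[1], TunnelGroup(m[1])).type = m[2]
                continue
            m = re.match(r"tunnel-group (\S+) (general|ipsec)-attributes", line)
            if m:
                groups.setdefault(m[1], TunnelGroup(m[1]))
                context = (m[2], m[1])
                continue
            m = re.match(r"aaa-server (\S+) protocol (\S+)", line)
            if m:
                aaa_hosts.setdefault(m[1], [])
                continue
            m = re.match(r"aaa-server (\S+) \(\S+\) host (\S+)", line)
            if m:
                aaa_hosts.setdefault(m[1], []).append(m[2])
                continue
            m = re.match(r"ip local pool (\S+) ", line)
            if m:
                pools.add(m[1])
            continue
        if context is None:
            continue  # indented line of a section we do not model (e.g. aaa-server key)
        section, name = context
        g = groups[name]
        if section == "general":
            if line.startswith("address-pool "):
                g.address_pool = line.split()[1]
            elif line.startswith("authentication-server-group "):
                g.auth_servers = line.split()[1:]
            elif line.startswith("default-group-policy "):
                g.group_policy = line.split()[1]
        elif section == "ipsec" and line.startswith("pre-shared-key "):
            g.has_psk = True
    return groups, aaa_hosts, pools


def auth_chain(group, aaa_hosts, pools):
    """Describe the authentication steps for one tunnel-group and flag dangling references."""
    steps, findings = [], []
    if group.has_psk:
        steps.append(f"phase 1 (ISAKMP): group '{group.name}' authenticated by its pre-shared key; "
                     "the key is the same for every client in the group, so it identifies the group, not the user")
    else:
        findings.append(f"{group.name}: no pre-shared-key under ipsec-attributes")
    if not group.auth_servers:
        findings.append(f"{group.name}: no authentication-server-group configured; check the platform default")
    for i, server in enumerate(group.auth_servers):
        if server == "LOCAL":
            note = "" if i == 0 else " (used only if the server group before it is unreachable, not when a login is rejected)"
            steps.append(f"phase 2 (XAUTH): username/password checked against the LOCAL user database{note}")
        elif server in aaa_hosts:
            steps.append(f"phase 2 (XAUTH): username/password checked by aaa-server group '{server}' hosts {aaa_hosts[server]}")
        else:
            findings.append(f"{group.name}: authentication-server-group '{server}' is not defined")
    if group.address_pool and group.address_pool not in pools:
        findings.append(f"{group.name}: address-pool '{group.address_pool}' is not defined")
    return steps, findings


if __name__ == "__main__":
    groups, aaa_hosts, pools = parse_config(SAMPLE_CONFIG)
    for g in groups.values():
        steps, findings = auth_chain(g, aaa_hosts, pools)
        print(f"{g.name} ({g.type}), pool {g.address_pool}, policy {g.group_policy}")
        for s in steps:
            print("  step:", s)
        for f in findings:
            print("  finding:", f)
```

Run it against a copy of `show running-config`; the "finding" lines are the places where the tunnel-group points at a server group or pool that no longer exists, which is exactly what tends to rot in an inherited config.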
01-01-2007 06:14 PM
Thanks for the confirmation.
I appreciate it.