Core issue
This is a list of the procedures necessary to set up the Microsoft Windows authentication server (Kerberos) for the VPN on the ASA.
Resolution
Complete these steps:
- Configure an authentication server on the ASA with Kerberos:
hostname(config)#aaa-server TACACS+_Servers protocol tacacs+
hostname(config)#aaa-server TACACS+_Servers host x.x.x.x key pqrs
hostname(config)#aaa-server TACACS+_Servers host x.x.x.x key pqrs
hostname(config)#aaa-server WindowsAuth protocol kerberos
hostname(config)#aaa-server WindowsAuth host y.y.y.y
hostname(config-aaa-server-host)# kerberos-realm Example.LOCAL
Note: Assume x.x.x.x and y.y.y.y are the IP addresses of the authentication servers and pqrs is the key.
- Test the authentication after the ASA clock is synchronized with the Kerberos realm (Kerberos rejects requests whose timestamps fall outside the permitted clock skew). This example displays a successful authentication test:
5510(config-aaa-server-host)#test aaa-server authentication WindowsAuth host Y.Y.Y.Y
Username: abcd
Password: *********
INFO: Attempting Authentication test to IP address
(timeout: 12 seconds)
INFO: Authentication Successful
- Add the authentication server to the tunnel-group:
hostname(config)#tunnel-group CommunitySavingsBank type ipsec-ra
hostname(config)#tunnel-group CommunitySavingsBank general-attributes
hostname(config-tunnel-general)#address-pool Remote_User_IP_Pool
hostname(config-tunnel-general)# authentication-server-group WindowsAuth
hostname(config)#tunnel-group CommunitySavingsBank ipsec-attributes
hostname(config-tunnel-ipsec)#pre-shared-key ***
- Configure the ASA to bypass the nat command for the VPN IP pool. Configure a NAT exemption rule (nat 0) so that traffic between the inside network and the VPN pool passes without being translated.
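As an added example (not from the original page), the four steps above combined into one ASA configuration fragment, including the NAT exemption commands that the last step describes but does not show. It assumes ASA software before 8.3 (nat 0 syntax, matching the ipsec-ra tunnel-group syntax used here), a constructed inside LAN of 192.168.10.0/24, a constructed VPN pool of 10.10.10.0/24, and that y.y.y.y (the domain controller) also serves NTP.

```cisco
! Assumption: ASA software prior to 8.3 (nat 0 exemption syntax).
! Constructed values: 192.168.10.0/24 inside LAN, 10.10.10.0/24 VPN pool.
! y.y.y.y is the Kerberos (domain controller) host from this page.

! 1. Keep the ASA clock in sync with the domain controller. Kerberos
!    rejects tickets when the clocks drift beyond the permitted skew,
!    so the test in step 2 fails without this.
ntp server y.y.y.y source inside

! 2. Kerberos AAA server group. The realm is the AD domain name,
!    conventionally written in uppercase.
aaa-server WindowsAuth protocol kerberos
aaa-server WindowsAuth (inside) host y.y.y.y
 kerberos-realm EXAMPLE.LOCAL
 timeout 10

! 3. Address pool handed to remote-access clients
ip local pool Remote_User_IP_Pool 10.10.10.1-10.10.10.254 mask 255.255.255.0

! 4. Tunnel group bound to the Kerberos server group
tunnel-group CommunitySavingsBank type ipsec-ra
tunnel-group CommunitySavingsBank general-attributes
 address-pool Remote_User_IP_Pool
 authentication-server-group WindowsAuth
tunnel-group CommunitySavingsBank ipsec-attributes
 pre-shared-key <replace-with-pre-shared-key>

! 5. NAT exemption (nat 0): inside LAN to VPN pool is not translated,
!    so clients reach internal hosts by their real addresses.
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

After applying it, run "test aaa-server authentication WindowsAuth host y.y.y.y" as in step 2 and "show nat" to confirm the exemption counters increment when a VPN client sends traffic.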
Refer to the Kerberos Server Support section of Configuring AAA Servers and the Local Database for more information.