cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Remote Access VPN authentication with ACS 5.x using Radius Protocol.

2144
Views
0
Helpful
0
Comments

 

Introduction

Remote Access VPN authentication with ACS 5.x using Radius Protocol.

This  document provides an example on how to configure Remote Access VPN on ASA and do the authentication using ACS as Radius server.

 

Prerequisites

ACS  should have ASA added as a AAA client with correct secret key. Both  should be reachable. Please take up back up of ASA before adding any  configuration of the AAA.

Components Used

1. ASA 8.2
2. ACS 5.2 (as RADIUS)

Anchor

Configuration Remote Access VPN on ASA:

Interface configuration 

hostname(config)# interface ethernet0
hostname(config-if)# ip address 192.168.1.5 255.255.0.0
hostname(config-if)# nameif outsidehostname(config)# no shutdown
hostname(config)# interface ethernet1
hostname(config-if)# ip address 192.168.1.4 255.255.0.0
hostname(config-if)# nameif insidehostname(config)# no shutdown

Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface:

hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha 
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside

Configuring an Address Pool:

hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15

Adding a User: 

hostname(config)# username testuser password 12345678

Creating a Transform Set:

hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac

Creating a Tunnel group:

hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)# tunnel-group testgroup general-attributeshostname(config-general)# address-pool testpoolhostname(config)# tunnel-group testgroup ipsec-attributeshostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx

Creating a Dynamic crypto map:

hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route

 Creating a Crypto Map Entry to Use the Dynamic Crypto Map:

hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside

 Configuring Radius server on the ASA:

ciscoasa(config)# aaa-server RADIUS protocol RADIUS
ciscoasa(config-aaa-server-group)# exit
ciscoasa(config)# aaa-server RADIUS (inside) host 192.168.1.2
ciscoasa(config-aaa-server-host)# key CISCO123
ciscoasa(config-aaa-server-host)# exit

Assigning RADIUS server under tunnel group:

ciscoasa(config)#tunnel-group testgroup general-attributes
ciscoasa(config-tunnel-general)#authentication-server-group RADIUS

Adding ASA as a client on the ACS server:

add the ip address of the ASA on the ACS which is 192.168.1.4 and shared secret key which is CISCO123:

 

vpn2.jpg

 

Creating a rule in Default Network Access policy:

1.select an identity store (means define whether users are internal to ACS or in external database)
2. Authorization policy:  (allowing permit or deny access):

Access policy.jpginternal users.jpgrule for permit access.jpgauthorization.jpg

 

Verification

Test with CLI:

You can use the test command on the command line in order to test your AAA setup. A test  request is sent to the AAA server, and the result appears on the command line.

ciscoasa#test aaa-server authentication RADIUS host 192.168.1.2
   username cisco password cisco123INFO: Attempting Authentication test to IP address <192.168.1.2>
   (timeout: 12 seconds)
INFO: Authentication Successful

Troubleshoot:

Run the following command to see the debugs:

#Debug Radius
#Debug aaa common 255

The debug radius command can help you to troubleshoot authentication problems in this scenario. This command enables RADIUS session debugging as well as RADIUS packet decoding. In each debug output presented, the first packet decoded is the packet sent from the ASA to the ACS server. The second packet is the response from the ACS server.

Note: Refer to Important Information on Debug Commands before you use debug commands.

When authentication is successful, the RADIUS server sends an access-accept message.

ciscoasa#debug radius

!--- First Packet. Authentication Request.

ciscoassa#radius mkreq: 0x88
alloc_rip 0xd5627ae4
    new request 0x88 --> 52 (0xd5627ae4)
got user ''
got password
add_req 0xd5627ae4 session 0x88 id 52
RADIUS_REQUEST
radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 62).....
01 34 00 3e 18 71 56 d7 c4 ad e2 73 30 a9 2e cf    |  .4.>.qV....s0...
5c 65 3a eb 01 06 6b 61 74 65 02 12 0e c1 28 b7    |  \e:...kate....(.
87 26 ed be 7b 2c 7a 06 7c a3 73 19 04 06 c0 a8    |  .&..{,z.|.s.....
01 01 05 06 00 00 00 34 3d 06 00 00 00 05          |  .......4=.....

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 52 (0x34)
Radius: Length = 62 (0x003E)
Radius: Vector: 187156D7C4ADE27330A92ECF5C653AEB
Radius: Type = 1 (0x01) User-Name
Radius: Length = 6 (0x06)
Radius: Value (String) =
6b 61 74 65                                        |  kate
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
0e c1 28 b7 87 26 ed be 7b 2c 7a 06 7c a3 73 19    |  ..(..&..{,z.|.s.
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 192.168.1.1 (0xC0A80101)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x34
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 192.168.1.2/1645
rip 0xd5627ae4 state 7 id 52
rad_vrfy() : response message verified
rip 0xd544d2e8
 : chall_state ''
 : state 0x7
 : timer 0x0
 : reqauth:
     18 71 56 d7 c4 ad e2 73 30 a9 2e cf 5c 65 3a eb
 : info 0x88
     session_id 0x88
     request_id 0x34
     user 'kate'
     response '***'
     app 0
     reason 0
     skey 'secretkey'
     sip 192.168.1.2
     type 1

!--- Second Packet. Authentication Response.

RADIUS packet decode (response)

--------------------------------------
Raw packet data (length = 50).....
02 34 00 32 35 a1 88 2f 8a bf 2a 14 c5 31 78 59    |  .4.25../..*..1xY
60 31 35 89 08 06 ff ff ff ff 19 18 43 41 43 53    |  `15.........CACS
3a 30 2f 32 61 36 2f 63 30 61 38 30 31 30 31 2f    |  :0/2a6/c0a80101/
35 32                                              |  52

Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 52 (0x34)
Radius: Length = 50 (0x0032)
Radius: Vector: 35A1882F8ABF2A14C531785960313589
Radius: Type = 8 (0x08) Framed-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 255.255.255.255 (0xFFFFFFFF)
Radius: Type = 25 (0x19) Class
Radius: Length = 24 (0x18)
Radius: Value (String) =
43 41 43 53 3a 30 2f 32 61 36 2f 63 30 61 38 30    |  CACS:0/2a6/c0a80
31 30 31 2f 35 32                                  |  101/52
rad_procpkt: ACCEPT
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
remove_req 0xd5627ae4 session 0x88 id 52
free_rip 0xd5627ae4
radius: send queue empty
When authentication fails, the ACS server sends an access-reject message.

ciscoasa#debug radius

!--- First Packet.  Authentication Request.

ciscoasa# radius mkreq: 0x85
alloc_rip 0xd5627ae4
    new request 0x85 --> 49 (0xd5627ae4)
got user ''
got password
add_req 0xd5627ae4 session 0x85 id 49
RADIUS_REQUEST
radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 62).....
01 31 00 3e 88 21 46 07 34 5d d2 a3 a0 59 1e ff    |  .1.>.!F.4]...Y..
cc 15 2a 1b 01 06 6b 61 74 65 02 12 60 eb 05 32    |  ..*...kate..`..2
87 69 78 a3 ce d3 80 d8 4b 0d c3 37 04 06 c0 a8    |  .ix.....K..7....
01 01 05 06 00 00 00 31 3d 06 00 00 00 05          |  .......1=.....

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 49 (0x31)
Radius: Length = 62 (0x003E)
Radius: Vector: 88214607345DD2A3A0591EFFCC152A1B
Radius: Type = 1 (0x01) User-Name
Radius: Length = 6 (0x06)
Radius: Value (String) =
6b 61 74 65                                        |  kate
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
60 eb 05 32 87 69 78 a3 ce d3 80 d8 4b 0d c3 37    |  `..2.ix.....K..7
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 192.168.1.1 (0xC0A80101)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x31
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 192.168.1.2/1645
rip 0xd5627ae4 state 7 id 49
rad_vrfy() : response message verified
rip 0xd544d2e8
 : chall_state ''
 : state 0x7
 : timer 0x0
 : reqauth:
     88 21 46 07 34 5d d2 a3 a0 59 1e ff cc 15 2a 1b
 : info 0x85
     session_id 0x85
     request_id 0x31
     user 'kate'
     response '***'
     app 0
     reason 0
     skey 'secretkey'
     sip 192.168.1.2
     type 1

!--- Second packet.  Authentication Response.

RADIUS packet decode (response)

--------------------------------------
Raw packet data (length = 32).....
03 31 00 20 70 98 50 af 39 cc b9 ba df a7 bd ff    |  .1. p.P.9.......
06 af fb 02 12 0c 52 65 6a 65 63 74 65 64 0a 0d    |  ......Rejected..

Parsed packet data.....
Radius: Code = 3 (0x03)
Radius: Identifier = 49 (0x31)
Radius: Length = 32 (0x0020)
Radius: Vector: 709850AF39CCB9BADFA7BDFF06AFFB02
Radius: Type = 18 (0x12) Reply-Message
Radius: Length = 12 (0x0C)
Radius: Value (String) =
52 65 6a 65 63 74 65 64 0a 0d                      |  Rejected..
rad_procpkt: REJECT
RADIUS_DELETE
remove_req 0xd5627ae4 session 0x85 id 49
free_rip 0xd5627ae4
radius: send queue empty

More Information

Content for Community-Ad