cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

Remote Access VPN authentication with ACS 5.x using Radius Protocol

5533
Views
11
Helpful
0
Comments

 

 

Introduction

This document provides an example on how to configure Remote Access VPN on  ASA and do the authentication using ACS as Radius server

Prerequisites

ACS  should have ASA added as a AAA client with correct secret key. Both  should be reachable. Please take up back up of ASA before adding any  configuration of the AAA.

Components Used

1. ASA 8.2

2. ACS 5.2 (as RADIUS)

Configuration Remote Access VPN on ASA

Interface configuration

hostname(config)# interface ethernet0
hostname(config-if)# ip address 192.168.1.5 255.255.0.0
hostname(config-if)# nameif outside
hostname(config)# no shutdown
hostname(config)# interface ethernet1
hostname(config-if)# ip address 192.168.1.4 255.255.0.0
hostname(config-if)# nameif inside
hostname(config)# no shutdown

Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface

hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha 
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside

Configuring an Address Pool

hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15

Adding a User

hostname(config)# username testuser password 12345678

Creating a Transform Set

hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac

Creating a Tunnel group

hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx

Creating a Dynamic crypto map

hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSethostname(config)# crypto dynamic-map dyn1 1 set reverse-route

Creating a Crypto Map Entry to Use the Dynamic Crypto Map

hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside

Configuring Radius server on the ASA

ciscoasa(config)# aaa-server RADIUS protocol RADIUS
ciscoasa(config-aaa-server-group)# exit
ciscoasa(config)# aaa-server RADIUS (inside) host 192.168.1.2
ciscoasa(config-aaa-server-host)# key CISCO123
ciscoasa(config-aaa-server-host)# exit

Assigning RADIUS server under tunnel group

ciscoasa(config)#tunnel-group testgroup general-attributes
ciscoasa(config-tunnel-general)#authentication-server-group RADIUS

Adding ASA as a client on the ACS server

Add the ip address of the ASA on the ACS which is 192.168.1.4 and shared secret key which is CISCO123:

vpn2.jpg

Creating a rule in Default Network Access policy

1.select an identity store (means define whether users are internal to ACS or in external database)

2. Authorization policy:  (allowing permit or deny access)

Access policy.jpg

 

internal users.jpg

 

rule for permit access.jpg

 

authorization.jpg

Verification

Test with CLI:

You can use the test command on the command line in order to test your AAA setup. A test  request is sent to the AAA server, and the result appears on the command line.

ciscoasa#test aaa-server authentication RADIUS host 192.168.1.2
   username cisco password cisco123INFO: Attempting Authentication test to IP address <192.168.1.2>
   (timeout: 12 seconds)
INFO: Authentication Successful

Troubleshoot

Run the following command to see the debugs:

  • #Debug Radius
  • #Debug aaa common 255

Scenario 2

Problem:

ACS 5.5 secondary registration - Registration failed due to Invalid Certificate

 

Solution

When you enable Trust Communication on your primary and secondary ACS instance, and you register the secondary instance with the primary, both the primary and secondary instance check the CA and server certificates of each other. After the certificates are verified:
– If the certificates in both the primary and secondary ACS instances are valid certificates, the instances establish a secure tunnel between them and register the secondary instance to the primary.
 
I don't think it supports self-signed certificate however you can try installing the self-signed certificate of Primary in the secondary instance CA store and self signed certificate of secondary in the primary instance CA store.
 

Please post comments if there are any queries and rate if useful.