12-11-2012 07:24 PM
Hi guys,
I am trying to configure my ASA 5520 to allow internal staff to work remotely via VPN. I need them to authenticate via RADIUS to MYCOMPANY-DC1 and allow them access only if they are part of the Windows group VPNusers.
Using the VPN wizard I've created the (purged) configuration below. Now when I try to connect, the debug returns the following error.
Dec 12 02:57:28 [IKEv1]: Group = DefaultRAGroup, IP = 120.156.45.246, Session is being torn down. Reason: L2TP initiated
I haven't found where to define the name of the Windows group the users have to be part of in order to have access granted, and I guess that this missing configuration is the cause of the problem. Can you please tell me where the error in my config is and where I have to add the missing configuration?
object-group network DM_INLINE_NETWORK_5
network-object LAN-network 255.255.0.0
access-list INTERNAL_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_5 172.16.4.0 255.255.255.128
aaa-server windows_DC protocol radius
aaa-server windows_DC (INTERNAL) host MYCOMPANY-DC1
timeout 5
key *****
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 172.16.0.4 8.8.8.8
dns-server value 172.16.0.4 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
default-domain value mycompanycorp.com.au
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_Cisco_Pool
authentication-server-group windows_DC
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
On the Windows Server side, I have the following event:
User myuser was denied access.
Fully-Qualified-User-Name = myuser
NAS-IP-Address = 172.16.1.1
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = ASA5520
Client-IP-Address = 172.16.1.1
NAS-Port-Type = Virtual
NAS-Port = 94208
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = MS-CHAPv2
EAP-Type = <undetermined>
Reason-Code = 48
Reason = The connection attempt did not match any remote access policy.
Thanks,
Dario Vanin
12-11-2012 08:19 PM
What was missing was an MS Windows Server configuration. Problem closed.
06-25-2014 02:34 AM
Hi,
What configuration was missing? I have the same problem.
06-25-2014 05:52 PM
Unfortunately I did not manage the Windows Server, so I can't help you on that.
The ASA was correctly configured and the problem was in the Windows policies.
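Added note and example (not from any of the posters above): NPS Reason-Code 48 in the event quoted in the first post means the RADIUS server itself rejected the request because no network policy matched it, so with RADIUS the Windows-group check lives entirely in the NPS network policy (a policy whose conditions include the Windows group VPNusers and the NAS Port Type "Virtual (VPN)", and which allows MS-CHAPv2); there is nothing on the ASA that names the group. If you want the ASA to enforce the group membership itself instead, the usual way is LDAP authentication with an ldap attribute-map that turns memberOf into a group-policy, with a deny-all group policy as the default. The configuration below is an added example in that style, not the thread's own config. The server name AD-LDAP, the attribute map VPN-GROUP-MAP, the policies VPN-ALLOW and NOACCESS, the bind account svc-asa-ldap, the OU path and the base DN are assumed names; adjust them to your directory.

```text
! Added example: ASA-side Windows-group restriction via LDAP (names are assumptions)
! Map the AD memberOf value for the VPNusers group onto an ASA group-policy
ldap attribute-map VPN-GROUP-MAP
  map-name  memberOf Group-Policy
  map-value memberOf "CN=VPNusers,OU=Groups,DC=mycompanycorp,DC=com,DC=au" VPN-ALLOW

! LDAP server definition pointing at the same domain controller
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (INTERNAL) host MYCOMPANY-DC1
  ldap-base-dn dc=mycompanycorp,dc=com,dc=au
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-dn cn=svc-asa-ldap,ou=Service Accounts,dc=mycompanycorp,dc=com,dc=au
  ldap-login-password *****
  server-type microsoft
  ldap-attribute-map VPN-GROUP-MAP

! Members of VPNusers land here and get the real settings
group-policy VPN-ALLOW internal
group-policy VPN-ALLOW attributes
  vpn-tunnel-protocol l2tp-ipsec
  dns-server value 172.16.0.4
  default-domain value mycompanycorp.com.au

! Everyone else lands here and is refused: zero simultaneous logins
group-policy NOACCESS internal
group-policy NOACCESS attributes
  vpn-simultaneous-logins 0

! Point the tunnel-group at LDAP and make the deny policy the default
tunnel-group DefaultRAGroup general-attributes
  authentication-server-group AD-LDAP
  default-group-policy NOACCESS

! L2TP/IPsec over an LDAP bind cannot do MS-CHAPv2; PPP must use PAP
! (the password is protected by the IPsec tunnel, not by PPP)
tunnel-group DefaultRAGroup ppp-attributes
  no authentication ms-chap-v2
  authentication pap
```

Two caveats a practitioner should check before relying on this. First, `Group-Policy` as the map target requires a software release that supports it; older images use `IETF-Radius-Class` in its place. Second, the ASA evaluates the memberOf values it receives in order, so a user who is in several groups will get the first mapping that matches; if more than one group is mapped, make sure the intended policy wins. Verify the mapping with `debug ldap 255` and `test aaa-server authentication AD-LDAP username myuser password ...` before cutting users over.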