
Cisco 2921 VPN with LDAP authentication

Finread
Level 1

Hi all,

I would like to create a VPN connection with LDAP authentication through my Cisco 2921.

At the moment I can establish a connection from a PC to my router without any problems, but only with users that are created on the router.

I would like to connect to the VPN only with users in my Active Directory "VPN-Users" group.

Here is my working config for the VPN:

cerberus#show run
Building configuration...

Current configuration : 6300 bytes
!
! Last configuration change at 13:42:53 UTC Tue Nov 5 2019 by power
! NVRAM config last updated at 08:09:57 UTC Tue Nov 5 2019
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cerberus
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 *secret*
!
aaa new-model
!
!
aaa authentication login local_access local
aaa authentication ppp VPDN_AUTH local
!
!
!
!
!
aaa session-id common
ethernet lmi ce
!
!
!
!
!
!
!
!
!
!
!
!
ip name-server 1.1.1.1
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
parameter-map type inspect global
max-incomplete low 18000
max-incomplete high 20000
nbar-classify
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
!
!
!
license udi pid CISCO2921/K9 sn FCZ211140F5
!
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network Others_dst_net
any
!
object-group network Others_src_net
any
!
object-group service Others_svc
ip
!
object-group network Web_dst_net
any
!
object-group network Web_src_net
any
!
object-group service Web_svc
ip
!
object-group network ldap_dst_net
any
!
object-group network ldap_src_net
any
!
object-group service ldap_svc
ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
any
!
object-group network vpn_remote_subnets
any
!
username cisco password 0 cisco
username power privilege 15 password *secret*
username test password 0 test
!
redundancy
!
!
!
!
!
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
match protocol msnmsgr
match protocol ymsgr
class-map type inspect match-any Others_app
match protocol https
match protocol smtp
match protocol pop3
match protocol imap
match protocol sip
match protocol ftp
match protocol dns
match protocol icmp
class-map type inspect match-any ldap_app
match protocol ldap
class-map type inspect match-any Web_app
match protocol http
class-map type inspect match-all ldap
match access-group name ldap_acl
match class-map ldap_app
class-map type inspect match-all Others
match class-map Others_app
match access-group name Others_acl
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect LAN-WAN-POLICY
class type inspect Web
inspect
class type inspect Others
inspect
class class-default
drop log
policy-map type inspect WAN-LAN-POLICY
class type inspect ldap
inspect
class type inspect INTERNAL_DOMAIN_FILTER
inspect
class class-default
drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
service-policy type inspect LAN-WAN-POLICY
zone-pair security WAN-LAN source WAN destination LAN
service-policy type inspect WAN-LAN-POLICY
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key key address 0.0.0.0
!
!
crypto ipsec transform-set L2TP-Set2 esp-3des esp-sha-hmac
mode transport
!
!
!
crypto dynamic-map dyn-map 10
set nat demux
set transform-set L2TP-Set2
!
!
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
!
!
!
!
interface Loopback0
ip address 192.168.47.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Loopback1
description loopback for IPsec-pool
ip address 1.1.1.11 255.255.255.255
ip nat inside
ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map outside_map
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered Loopback1
ip nat inside
ip virtual-reassembly in
peer default ip address pool l2tp-pool
ppp authentication ms-chap-v2 VPDN_AUTH
!
ip local pool l2tp-pool 1.1.1.1 1.1.1.10
ip forward-protocol nd
!
ip http server
ip http access-class 75
no ip http secure-server
!
ip nat inside source list 75 interface GigabitEthernet0/0 overload
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.100.1
!
ip access-list extended NAT
deny ip 192.168.47.0 0.0.0.255 1.1.1.0 0.0.0.255
permit ip 192.167.47.0 0.0.0.255 any
permit ip 1.1.1.0 0.0.0.255 any
ip access-list extended Others_acl
permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended ldap_acl
permit object-group ldap_svc object-group ldap_src_net object-group ldap_dst_net
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
!
!
!
access-list 75 permit 192.168.100.0 0.0.0.255
access-list 75 deny any
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq domain any
access-list 111 permit tcp any eq domain any
access-list 111 permit udp any eq ntp any
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 443
access-list 111 permit ip 1.1.1.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
line con 0
login authentication local_access
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login authentication local_access
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server time-pnp.cisco.com
!
end

I searched for a solution and found this:
https://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ldap/configuration/15-2mt/sec_conf_ldap.html#GUID-C5C0527D-6C0F-42AB-B9FE-8274CC0564EE

But I don't know how to combine it with my config.

Could someone give me a hint on how I can accomplish this, please?

Thank you
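One way to wire the LDAP feature from the linked guide into the L2TP/IPsec config above, as an added example that is not part of the original post or of the reply. Everything in it is an assumption to be adapted: the domain controller address 192.168.47.10 (placed on the Loopback0 LAN subnet of the posted config), the bind DN, the base DN, the server and group names, and both secrets. Two caveats matter before copying it. First, `ppp authentication ms-chap-v2` cannot be backed by an LDAP bind: in MS-CHAPv2 the client never sends its password, only a challenge response, and a server that merely holds a bind credential has no way to verify that response. LDAP on the router therefore only works with PAP, where the password travels in clear text inside the PPP session (here protected by the IPsec transport-mode SA). Second, the router's `ldap server` block cannot filter on group membership; `base-dn` narrows the search to a container, not to a group. If MS-CHAPv2 and the "VPN-Users" restriction are both to be kept, the common approach is RADIUS to a Windows NPS server, which validates MS-CHAPv2 against AD and enforces group membership as a network-policy condition; that variant is shown as option B.

```cisco
! Added example (not from the original post). Addresses, DNs, names and
! secrets are placeholders. Apply either option A or option B, not both.
!
! ---- Option A: LDAP simple bind against the domain controller (PAP only) ----
ldap server DC01
 ipv4 192.168.47.10
 transport port 389
 ! service account used to locate the user object before binding as the user
 bind authenticate root-dn CN=svc-vpn-bind,OU=ServiceAccounts,DC=example,DC=local password 0 BindPassword
 base-dn DC=example,DC=local
 authentication bind-first
!
aaa group server ldap LDAP-AD
 server DC01
!
! replaces "aaa authentication ppp VPDN_AUTH local"; local stays as fallback
aaa authentication ppp VPDN_AUTH group LDAP-AD local
!
! an LDAP bind needs the clear-text password, so MS-CHAPv2 must give way to PAP
interface Virtual-Template1
 ppp authentication pap VPDN_AUTH
!
! ---- Option B: RADIUS to NPS on the domain controller (keeps MS-CHAPv2) ----
radius server NPS01
 address ipv4 192.168.47.10 auth-port 1812 acct-port 1813
 key 0 RadiusSharedSecret
!
aaa group server radius RADIUS-AD
 server name NPS01
!
aaa authentication ppp VPDN_AUTH group RADIUS-AD local
! Virtual-Template1 keeps "ppp authentication ms-chap-v2 VPDN_AUTH";
! the "VPN-Users" group check is configured on NPS as a Windows Groups
! condition of the network policy, not on the router.
```

For option A, check which attribute the router searches on: the guide's default user lookup is not the AD logon name (sAMAccountName), so an attribute map from the guide may be required before binds succeed. `show ldap server all` shows the state of the LDAP server binding; for option B, `test aaa group RADIUS-AD <user> <password> new-code` verifies the RADIUS exchange before the PPP list is changed. Both secrets appear in clear text in `show run` because the posted config has `no service password-encryption`, and plain port 389 carries the bind and user passwords unencrypted across the LAN; the guide's secure mode with a trustpoint (LDAPS) avoids that. Unrelated to authentication, the NAT ACL line `permit ip 192.167.47.0 0.0.0.255 any` in the posted config looks like a typo for 192.168.47.0, which is the Loopback0 subnet used in the preceding deny line.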

1 Reply

Hi,

The configuration syntax you are using isn't common, so I think you'll struggle to find exactly what you want. Alternatively, you could consider using FlexVPN; it supports LDAP, RADIUS or certificate authentication and is a more common and current VPN implementation on Cisco routers. Example here and here.

HTH