IOS WebVPN and Win2k3 domain access

clausonna
Level 3

Hi folks.

I've configured WebVPN on an IOS router, and the VPN part seems to be working OK (I can ping by IP address, etc.). I have several users who have laptops (WinXP SP2) that are members of the domain (let's call the AD domain "DOMAIN" for the purpose of this post). The users go home, reboot their laptop, and log into the laptop with their cached DOMAIN credentials. They WebVPN in, and again they can ping, browse the web, etc. However, they CANNOT browse the Active Directory domain. When they try to access shares on the server, WinXP throws an error saying "Access is Denied. Local Device is already in use".

I've looked up everything possible on the Win2k3/AD side, and the best I've seen is that users should delete and re-create the drive mappings. Something about cached credentials, but no matter what I do the inherent credentials on the laptop aren't passing through.

I have a decent amount of Windows AD experience to know that the laptop, which is a member of the domain, and the user logging into the laptop, which is in the domain, should just authenticate and get into the server and any other member servers.

I think, though, that somehow the SSL VPN Client (SVC) is messing up the Kerberos authentication to the server. I'm running the latest SVC on top of IOS 12.4(6)T.

Here's the config. Anyone who helps me solve this gets a beer of their choice, at the bar of their choice (as long as it's in Boston!)

webvpn gateway SSL_GATEWAY
 ip address [A.B.C.D] port 443
 ssl trustpoint t3
 inservice
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
!
webvpn context testvpn
 title
 logo none
 title-color #FFFFFF
 secondary-color white
 text-color black
 ssl trustpoint thawte.com
 ssl authenticate verify all
 !
 nbns-list localnbns
 login-message
 !
 policy group SSL_POLICY
  functions svc-required
  hide-url-bar
  svc address-pool "vpn_pool"
  svc default-domain "domain.com"
  svc keep-client-installed
  svc split dns "domain.com"
  svc split include 192.168.1.0 255.255.255.0
  svc dns-server primary 192.168.1.2
  svc wins-server primary 192.168.1.2
 default-group-policy SSL_POLICY
 aaa authentication list sdm_vpn_xauth_ml_2
 gateway SSL_GATEWAY
 inservice
!
end
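For readers checking a config like the one above, here is an added example (not the poster's code, nor anything from Cisco) that parses the svc settings of the `policy group` block and runs two sanity checks a domain-member laptop depends on once the full tunnel is up: every `svc dns-server` / `svc wins-server` address must fall inside some `svc split include` network (otherwise the split tunnel never carries the DNS and WINS lookups that Kerberos and SMB name resolution need), and the `svc split dns` suffix should match `svc default-domain`. The embedded config text is a copy of the poster's policy group, indented the way `show running-config` would print it; the check itself is my own assumption about what to verify, not a statement that it explains the poster's fault.

```python
"""Sanity-check the SVC policy-group settings of an IOS WebVPN context.

Added example, not part of the original thread. Parses the first
``policy group`` block (using IOS indentation to find its extent) and
checks that split-include networks cover the pushed DNS/WINS servers and
that the split-DNS suffix matches the default domain.
"""
import ipaddress

# Constructed from the config in the original post, indented like
# ``show running-config`` output so the block boundaries are visible.
SAMPLE_CONFIG = """
webvpn context testvpn
 ssl trustpoint thawte.com
 ssl authenticate verify all
 !
 policy group SSL_POLICY
  functions svc-required
  hide-url-bar
  svc address-pool "vpn_pool"
  svc default-domain "domain.com"
  svc keep-client-installed
  svc split dns "domain.com"
  svc split include 192.168.1.0 255.255.255.0
  svc dns-server primary 192.168.1.2
  svc wins-server primary 192.168.1.2
 default-group-policy SSL_POLICY
 gateway SSL_GATEWAY
 inservice
"""


def parse_policy_group(config: str) -> dict:
    """Return the svc settings of the first ``policy group`` block."""
    settings = {"name": None, "split_include": [], "dns_servers": [],
                "wins_servers": [], "split_dns": [], "default_domain": None}
    header_indent = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        tokens = raw.split()
        if header_indent is None:
            # Look for the block header; everything before it is ignored.
            if tokens[:2] == ["policy", "group"] and len(tokens) >= 3:
                header_indent = indent
                settings["name"] = tokens[2]
            continue
        if indent <= header_indent:
            break  # back at context level: the block has ended
        if tokens[:3] == ["svc", "split", "include"] and len(tokens) == 5:
            # IOS gives network + mask; ip_network accepts "net/mask" form.
            settings["split_include"].append(
                ipaddress.ip_network(f"{tokens[3]}/{tokens[4]}", strict=False))
        elif tokens[:2] == ["svc", "dns-server"] and len(tokens) == 4:
            settings["dns_servers"].append(ipaddress.ip_address(tokens[3]))
        elif tokens[:2] == ["svc", "wins-server"] and len(tokens) == 4:
            settings["wins_servers"].append(ipaddress.ip_address(tokens[3]))
        elif tokens[:3] == ["svc", "split", "dns"] and len(tokens) == 4:
            settings["split_dns"].append(tokens[3].strip('"'))
        elif tokens[:2] == ["svc", "default-domain"] and len(tokens) == 3:
            settings["default_domain"] = tokens[2].strip('"')
    return settings


def check_policy(settings: dict) -> list:
    """Return a list of human-readable problems (empty means all good)."""
    problems = []
    nets = settings["split_include"]
    # An empty include list means a full tunnel, so every address is reachable.
    if nets:
        for label, key in (("DNS server", "dns_servers"),
                           ("WINS server", "wins_servers")):
            for addr in settings[key]:
                if not any(addr in net for net in nets):
                    problems.append(
                        f"{label} {addr} is not inside any split-include network")
    dom = settings["default_domain"]
    if dom and settings["split_dns"] and dom not in settings["split_dns"]:
        problems.append(
            f"split dns {settings['split_dns']} does not include default-domain {dom}")
    return problems


if __name__ == "__main__":
    parsed = parse_policy_group(SAMPLE_CONFIG)
    for problem in check_policy(parsed) or ["no problems found"]:
        print(problem)
```

Run it against a saved `show running-config`; if the split-include list does not cover the DNS or WINS server, the laptop will resolve nothing in the domain over the tunnel no matter which credentials it holds.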

2 Replies

amritpatek
Level 6

It is very important that you have at least one user with administrator privilege (15), if not you will need to do the password recovery procedure. Also, you can review the current privileges of the commands by typing:

show privilege all

You can change them with the

privilege level command

Sample config:

config t
aaa authentication enable console LOCAL
username admin password cisco123 privilege 15 <--- this is for the administrator
username xx password access1 privilege 5 <---- read only for user xx

aaa authentication command:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#wp1111727

Privilege command:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#wp1027446

Thanks for the reply, but I think you misunderstood the message. The problem is not with my local admin (priv 15) access into the router. The problem is with users that VPN into the network via IOS WebVPN. They /were/ using a generic account for webvpn access (i.e. username webvpn priv 5 password vpnaccess). However, once the SSL Tunnel Client (STC) connects, and the users are "in" the network, they can't access their previously mapped shared drives, and can't browse the domain, etc. They keep getting access denied messages.

Since my previous post, however, I tried something different: I created an account on the router with a username/password that matched the users' domain account (i.e. username jdoe priv 5 password domainpass) and THAT seems to work.

So here's my question: is the WebVPN service, running with the FULL tunnel client (not web only, not thin client or port-forwarding) acting as a type of proxy between the VPN'd user and the resources the user is trying to access? Is it using the credentials that the user used to connect to the WebVPN to then connect to other resources? If so, then my guess is that I should set up the Microsoft Internet Authentication Service (IAS), aka MS Radius, for the WebVPN authentication?