08-29-2006 10:46 AM
Hi folks.
I've configured WebVPN on an IOS router, and the VPN part seems to be working OK (I can ping by IP address, etc.). I have several users who have laptops (WinXP SP2) that are members of the domain (let's call the AD domain "DOMAIN" for the purpose of this post). The users go home, reboot their laptop, and log into the laptop with their cached DOMAIN credentials. They WebVPN in, and again they can ping, browse the web, etc. However, they CANNOT browse the Active Directory domain. When they try to access shares on the server, WinXP throws an error saying "Access is Denied. Local Device is already in use".
I've looked up everything possible on the Win2k3/AD side, and the best I've seen is that users should delete and re-create the drive mappings. Something about cached credentials, but no matter what I do the inherent credentials on the laptop aren't passing through.
I have enough Windows AD experience to know that the laptop, which is a member of the domain, and the user logging into the laptop, who is in the domain, should just authenticate and get into the server and any other member servers.
I think though that somehow the SSL VPN Client (SVC) is messing up the kerberos authentication to the server. I'm running the latest SVC on top of IOS 12.4(6)T.
Here's the config. Anyone who helps me solve this gets a beer of their choice, at the bar of their choice (as long as it's in Boston!)
webvpn gateway SSL_GATEWAY
ip address [A.B.C.D] port 443
ssl trustpoint t3
inservice
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
!
webvpn context testvpn
title
logo none
title-color #FFFFFF
secondary-color white
text-color black
ssl trustpoint thawte.com
ssl authenticate verify all
!
nbns-list localnbns
login-message
!
policy group SSL_POLICY
functions svc-required
hide-url-bar
svc address-pool "vpn_pool"
svc default-domain "domain.com"
svc keep-client-installed
svc split dns "domain.com"
svc split include 192.168.1.0 255.255.255.0
svc dns-server primary 192.168.1.2
svc wins-server primary 192.168.1.2
default-group-policy SSL_POLICY
aaa authentication list sdm_vpn_xauth_ml_2
gateway SSL_GATEWAY
inservice
!
end
09-04-2006 08:57 AM
It is very important that you have at least one user with administrator privilege (15), if not you will need to do the password recovery procedure. Also, you can review the current privileges of the commands by typing:
show privilege all
You can change them with the privilege command. Sample config:
config t
aaa authentication enable console LOCAL
username admin password cisco123 privilege 15 <--- this is for the administrator
username xx password access1 privilege 5 <---- read only for user xx
aaa authentication command:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#wp1111727
Privilege command:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#wp1027446
09-06-2006 05:06 AM
Thanks for the reply, but I think you misunderstood the message. The problem is not with my local admin (priv 15) access into the router. The problem is with users that VPN into the network via IOS WebVPN. They /were/ using a generic account for WebVPN access (i.e. username webvpn priv 5 password vpnaccess). However, once the SSL Tunnel Client (STC) connects, and the users are "in" the network, they can't access their previously mapped shared drives, and can't browse the domain, etc. They keep getting access denied messages.
Since my previous post, however, I tried something different: I created an account on the router with a username/password that matched the users' domain account (i.e. username jdoe priv 5 password domainpass) and THAT seems to work.
So here's my question: is the WebVPN service, running with the FULL tunnel client (not web only, not thin client or port-forwarding) acting as a type of proxy between the VPN'd user and the resources the user is trying to access? Is it using the credentials that the user used to connect to the WebVPN to then connect to other resources? If so, then my guess is that I should set up the Microsoft Internet Authentication Service (IAS), aka MS Radius, for the WebVPN authentication?
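For the RADIUS question in the post above, this is how the AAA list already referenced by the posted testvpn context (aaa authentication list sdm_vpn_xauth_ml_2) would be pointed at a Windows IAS server instead of local username entries that duplicate domain passwords. This is an added example, not config from the original post. Assumptions: IAS runs on 192.168.1.2 (the DNS/WINS host in the posted config), the RADIUS shared secret is a placeholder, and the router's inside interface is named GigabitEthernet0/1.

```cisco
! Added example (not from the original post): authenticate WebVPN users
! against Windows IAS over RADIUS instead of local "username ... privilege 5"
! entries that copy users' domain passwords into the router config.
aaa new-model
!
! With aaa new-model on, console/vty logins use the "default" list; bind it to
! local so the priv-15 admin account keeps working if RADIUS is unreachable.
aaa authentication login default local
!
! Assumed: IAS on 192.168.1.2 (same box as the DNS/WINS server in the posted
! config). The key must match the RADIUS client entry created in IAS for this
! router; <shared-secret> is a placeholder.
radius-server host 192.168.1.2 auth-port 1812 acct-port 1813 key <shared-secret>
!
! Assumed interface name; IAS matches the RADIUS client by this source IP.
ip radius source-interface GigabitEthernet0/1
!
! Reuse the list name the webvpn context already calls, so the context needs
! no change. "group radius" only: if IAS is down, VPN logins fail rather than
! falling back to local accounts that hold copies of domain passwords.
aaa authentication login sdm_vpn_xauth_ml_2 group radius
!
! The local jdoe/webvpn entries can then be removed, e.g.:
! no username jdoe
! no username webvpn
```

Note that this changes only how the router authenticates the VPN login. The SVC full tunnel carries IP traffic; the router does not re-use the VPN credentials toward file servers, so a share-mapping error on the laptop still has to be diagnosed on the Windows side (the delete-and-recreate-mappings advice mentioned in the first post is where to start).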