1340 Views | 10 Helpful | 5 Replies

Setting up Cisco ASA to allow VPN authentication via Radius or LOCAL users

Darinth.Malacoy
Level 1

I have a cisco ASA 5512-X performing routing and firewall for our office. It's also setup to act as our VPN server using the standard windows 7 L2TP/IPSec client. Currently, I have no issues with authenticating users via our RADIUS server. However, all of my attempts to get it to authenticate via the local user list have failed. Initially, I just turned on the "User Local if Server Group Fails" because the only real reason that I need local user authentication is in case something happens to the RADIUS server. However, when I stop the RADIUS server for tests and leave it offline for over an hour I still wasn't able to connect with the local account I made on the ASA.

So today, I've been attempting to get it setup to constantly have both LOCAL and RADIUS users available, which I'm fine with. The password to the local ASA account is secure enough that I'm perfectly comfortable with that. So I have two connection profiles now: DefaultRAGroup which is what got setup by the initial VPN wizard, and LocalTunnelGroup which is the one I created today. Initially I had both profiles setup identically, save for one used the RADIUS server group for authentication and the other used LOCAL for authentication. Under this setup, I was still able to connect to it using RADIUS users, but not still not with local users. So I changed the PSK on the LocalTunnelGroup, thinking that might be able to help it differentiate between users. Now I am still able to connect to the DefaultRAGroup using the the original PSK, everything there is still working great. When I attempt to connect to the ASA to LocalTunnelGroup using the new PSK for it, there's an error during initial connection setup.

Am I just entirely going about this the wrong way? Is there something I missed in the user account that I might need to turn on to make it valid for VPN connections? Is the setup of using two connection profiles with differing keys invalid? I just want to make sure I can VPN in to the building to connect to and turn my servers back on if they shut down due to a power outage (or if something should happen to the RADIUS server, though that's much less likely). Is there a better way of achieving that?

5 Replies

Aditya Ganjoo
Cisco Employee

Hi Darinth,

I do not see any issues with the setup.

It should work fine.

You just need to make sure that the connection lands on the correct tunnel-group.

Also when you made this change did you create a new connection entry on the Windows PC with the correct PSK ?

You just need to use the local username/password created on the ASA.

Also what error do you get ?

Under tunnel group you need to do this change:

hostname(config-tunnel-general)# authentication-server-group LOCAL
And the local username you create has nt-encrypted added to it:

username test password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted

Regards,

Aditya

Please rate helpful posts.

Thanks! Combined with the post here, I was able to identify that VPN attempts are landing in the wrong tunnel group. The question at this point is, how do I fix it? I have two separate VPN connections on the Windows PC. One has the PSK for DefaultRAGroup and the other has the PSK for LocalTunnelGroup.

Logs are showing

"Connection landed on tunnel_group DefaultRAGroup" followed by

"WARNING, had problems decrypting packet, probably due to mismatched pre-shared key.  Switching user to tunnel-group: DefaultL2LGroup" followed by

"ERROR, had problems decrypting packet, probably due to mismatched pre-shared key.  Aborting"

There's no mention anywhere in the logs of LocalTunnelGroup.

Hi Darinth,

I think you should use the Tunnel Group Switching feature for this.

Here is the link for the same:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/l2tp_ips.html#wp1044248

But I am not sure it would work with Local user accounts.

However you can go through this link and test.

Regards,

Aditya

Please rate helpful posts.

My apologies for not getting back to this sooner, I got wisdom teeth pulled Tuesday and have been out of the office. I've been testing this all morning with no success; the VPN connections continue to land on DefaultRAGroup rather than LocalTunnelGroup. I've set the group delimiter to "!" and am signing in with "Username!LocalTunnelGroup" as the username. I suspect this might not work with the local database due to the following issue: Local database authentication is only supported for PAP, MS-CHAPv1, MS-CHAPv2. It is not supported for CHAP. Windows 7 and later do not support MS-CHAPv1. You cannot use strip-group with MS-CHAPv2 because the hash generated depends on the username and wouldn't match if the username is changed, such as stripping off the tunnel-group. This means that only PAP is supported.

PAP doesn't encrypt passwords, so I cannot use it, but I've been trying to test with it anyways just to see if I can even get the connections to land in the right tunnel group and haven't had any success. Every time I attempt to establish a connection, it continues to land in DefaultRAGroup and when that fails it gets shunted over to DefaultL2LGroup which of course fails as well and the connection gets aborted. I'm going to keep experimenting and will post if I'm able to get any further resolution. If anybody has any further insight I'd much appreciate it. I'm really just looking for a good way to connect to the iDRACs of my servers if the radius server is down.

Peter Koltl
Level 7

Did you enable PAP in the tunnel-group PPP attributes?

Don't worry about PAP cleartext. It is encapsulated in encrypted IPsec after all.

Have you tried setting the group-policy with RADIUS class attribute? The tunnel group could be always DefaultRAGroup but a custom group-policy could be applied.
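Added example, not configuration posted by anyone in this thread: one ASA fragment that combines Aditya's `authentication-server-group` advice with Peter's point about enabling PAP in the PPP attributes. It deliberately keeps everything on DefaultRAGroup. The built-in Windows L2TP/IPsec client negotiates IKEv1 main mode with a pre-shared key and identifies itself only by IP address, so the ASA can only try DefaultRAGroup and then DefaultL2LGroup, which is exactly the sequence in the logs quoted above; a second profile with its own PSK is never selected by that client. RADIUS stays primary and LOCAL is appended as the fallback the ASA uses once the whole RADIUS server group has been marked unreachable. The group name RADIUS_SRV, the host 192.0.2.10, the pool L2TP_POOL, the account vpnadmin and everything in angle brackets are assumptions; the syntax is the 8.4+/9.x train a 5512-X ships with (on 8.2 the key is set with `pre-shared-key` instead of `ikev1 pre-shared-key`).

```cisco
! Added example, not configuration from this thread. RADIUS_SRV, L2TP_POOL,
! vpnadmin and the addresses are assumptions; <angle brackets> are placeholders.
!
! --- RADIUS server group with explicit failure detection -----------------
! A host is marked failed only after the timeout/attempt limits below, and
! only then does the LOCAL fallback on the tunnel-group engage. A reject
! from a reachable RADIUS server never falls through to the local database.
aaa-server RADIUS_SRV protocol radius
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server RADIUS_SRV (inside) host 192.0.2.10
 key <RADIUS_SHARED_SECRET>
 timeout 5
!
! --- Local emergency account usable for L2TP/IPsec -----------------------
! "mschap" stores the NT hash (shown as "nt-encrypted" in show run), which
! the ASA needs to verify MS-CHAPv2 against the local database. An account
! created without it works for device login but fails the VPN PPP phase.
username vpnadmin password <STRONG_PASSPHRASE> mschap
username vpnadmin attributes
 service-type remote-access
!
! --- Address pool and group policy for the wizard-built profile ----------
ip local pool L2TP_POOL 198.51.100.100-198.51.100.110 mask 255.255.255.0
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
!
! --- One profile: RADIUS first, LOCAL only when the whole group is down ---
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP_POOL
 authentication-server-group RADIUS_SRV LOCAL
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key <PSK_PLACEHOLDER>
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
 authentication pap
```

Two checks before trusting the fallback: `show aaa-server RADIUS_SRV` reports whether the host is ACTIVE or FAILED, and `test aaa-server authentication RADIUS_SRV host 192.0.2.10 username <user> password <pw>` exercises the RADIUS leg without a VPN client. If RADIUS is up but the local account still cannot log in after a simulated outage, the first thing to re-check is that the user was created with `mschap`; a local user without the NT hash cannot be validated by MS-CHAPv2 and the "use LOCAL if server group fails" path fails silently. PAP is needed only for the group-delimiter trick and, if used, must also be allowed in the Windows connection's security settings; as Peter notes it travels inside the IPsec tunnel, so leaving MS-CHAPv2 enabled alongside it costs nothing.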
