SSL VPN with Active Directory

Tommy Svensson
Level 1

Hi.

I have implemented PPTP connections that authenticate to a Windows IAS, which then looks in the AD user database for authentication. Now I want to accomplish the exact same thing for SSL VPN connections. How do I proceed with my configuration on the router?

This is what i did for the PPTP on the router:

aaa new-model
!
!
aaa authentication login default group radius local
aaa authentication login console none
aaa authentication login SSH local
aaa authentication ppp default group radius local
aaa authorization network default group radius local


radius-server host 10.10.50.5 auth-port 1645 acct-port 1646
radius-server key 7 121810031A1D1C0A

interface Virtual-Template1
ip unnumbered GigabitEthernet0/2
ip nat inside
ip virtual-reassembly
peer default ip address pool test
no keepalive
ppp encrypt mppe auto required
ppp authentication ms-chap-v2

5 Replies

andamani
Cisco Employee

Hi,

Please look at the link below for configuration of SSL VPN on a router. You can select an external AAA server for authentication instead of Local, i.e. the 8th screenshot:

http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a0080720346.shtml#step2

Changes via CLI will be:

aaa authentication login sdm_vpn_xauth_ml_4 group radius

 policy group policy_1
   url-list "WebServers"
   functions svc-enabled
   svc address-pool "Intranet"
   svc default-domain "cisco.com"
   svc keep-client-installed
   svc dns-server primary 172.22.1.100
   svc wins-server primary 172.22.1.101
 default-group-policy policy_1
 aaa authentication list sdm_vpn_xauth_ml_4
 gateway gateway_1 domain sales
 max-users 2
 inservice

Hope this helps.

Regards,

Anisha

P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.

Hi.

I have now tested it out, without success.

Here is what I have done:

aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_auth local
aaa authentication login VPN_RADIUS group radius local
aaa authorization exec default local
aaa authorization network VPN_RADIUS group radius local
radius-server host 10.99.0.52 auth-port 1645 acct-port 1646
radius-server key xxxxxxxx
webvpn context vpn
  aaa authentication list VPN_RADIUS

This is the output shown in my log on the router:

Jun  9 09:12:14.500: RADIUS/ENCODE(00004D26):Orig. component type = SSLVPN
Jun  9 09:12:14.500: RADIUS/ENCODE(00004D26): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Jun  9 09:12:14.500: RADIUS(00004D26): Config NAS IP: 10.99.0.221
Jun  9 09:12:14.500: RADIUS/ENCODE(00004D26): acct_session_id: 19740
Jun  9 09:12:14.500: RADIUS(00004D26): sending
Jun  9 09:12:14.500: RADIUS(00004D26): Send Access-Request to 10.99.0.52:1645 id 1645/17, len 54
Jun  9 09:12:14.500: RADIUS:  authenticator 44 BA 64 51 EF C9 21 AC - A0 4A 00 37 CD 6C 0A 17
Jun  9 09:12:14.500: RADIUS:  User-Name           [1]   10  "iostommy"
Jun  9 09:12:14.500: RADIUS:  User-Password       [2]   18  *
Jun  9 09:12:14.500: RADIUS:  NAS-IP-Address      [4]   6   10.99.0.221
Jun  9 09:12:14.500: RADIUS(00004D26): Started 5 sec timeout
Jun  9 09:12:14.504: RADIUS: Received from id 1645/17 10.99.0.52:1645, Access-Reject, len 20
Jun  9 09:12:14.504: RADIUS:  authenticator F1 14 29 D9 5A F9 6C 77 - 1F 78 52 97 E9 FB 02 5B
Jun  9 09:12:14.504: RADIUS(00004D26): Received from id 1645/17

What is wrong here?

Regards, Tommy Svensson

Nothing. The RADIUS server sent a reject. All works as expected.

Check IAS logs on windows machine.
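A router-side triage aid for the debug output quoted above, added here as an example (it is not code from the thread or from Cisco): it groups the IOS "debug radius" lines by request id, records which attributes the router actually sent, and turns the reply into findings for the next step. The sample log is constructed from the lines in the thread; the finding texts and the "no Service-Type means a Service-Type policy condition cannot match" inference are the example's own.

```python
import re

# Constructed sample in the shape of the "debug radius" lines quoted in the thread.
SAMPLE_LOG = """\
Jun  9 09:12:14.500: RADIUS/ENCODE(00004D26):Orig. component type = SSLVPN
Jun  9 09:12:14.500: RADIUS/ENCODE(00004D26): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Jun  9 09:12:14.500: RADIUS(00004D26): Send Access-Request to 10.99.0.52:1645 id 1645/17, len 54
Jun  9 09:12:14.500: RADIUS:  User-Name           [1]   10  "iostommy"
Jun  9 09:12:14.500: RADIUS:  User-Password       [2]   18  *
Jun  9 09:12:14.500: RADIUS:  NAS-IP-Address      [4]   6   10.99.0.221
Jun  9 09:12:14.504: RADIUS: Received from id 1645/17 10.99.0.52:1645, Access-Reject, len 20
"""
SEND_RE = re.compile(r"RADIUS\((\w+)\): Send (Access-\w+) to (\S+) id (\S+),")
ATTR_RE = re.compile(r"RADIUS:\s+([\w-]+)\s+\[(\d+)\]\s+\d+\s+(.*?)\s*$")
RECV_RE = re.compile(r"RADIUS: Received from id (\S+) \S+, (Access-\w+),")
DROP_RE = re.compile(r"RADIUS/ENCODE\((\w+)\): dropping service type")

def parse_radius_debug(text):
    """Group IOS 'debug radius' output into one record per RADIUS request id."""
    exchanges, dropped, current = {}, set(), None
    for line in text.splitlines():
        if m := DROP_RE.search(line):
            dropped.add(m.group(1))  # session whose Service-Type attribute was not sent
        elif m := SEND_RE.search(line):
            session, code, server, current = m.groups()
            exchanges[current] = {"session": session, "server": server, "request": code,
                                  "attrs": {}, "reply": None,
                                  "service_type_dropped": session in dropped}
        elif (m := ATTR_RE.search(line)) and current:
            name, _num, value = m.groups()
            exchanges[current]["attrs"][name] = value.strip('"')
        elif m := RECV_RE.search(line):
            rid, code = m.groups()
            if rid in exchanges:
                exchanges[rid]["reply"] = code
    return exchanges

def diagnose(exchanges):
    """Turn each exchange into findings that point at the next thing to check."""
    findings = []
    for rid, ex in exchanges.items():
        user = ex["attrs"].get("User-Name", "?")
        if ex["reply"] == "Access-Reject":
            findings.append(f"{rid}: {ex['server']} rejected {user}; the reason is in the IAS event log")
        if ex["service_type_dropped"] or "Service-Type" not in ex["attrs"]:
            findings.append(f"{rid}: no Service-Type sent; an IAS policy matching on it will not match")
        if "User-Password" in ex["attrs"]:  # attribute 2 means PAP, not CHAP/MS-CHAP
            findings.append(f"{rid}: PAP used, so the matching IAS policy must permit PAP")
    return findings
```

Feed it the full "debug radius" capture and compare the findings with the IAS event log entry for the same timestamp.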

Antonio Knox
Level 7

!-------------Create the server group
ASA(config)#aaa-server DC1 protocol nt
ASA(config-aaa-server-group)#aaa-server DC1 host 10.1.1.200
!-------Apply the server group to the tunnel group authentication config
ASA(config)#tunnel-group sslvpngroup type ipsec-ra
ASA(config)#tunnel-group sslvpngroup general-attributes
ASA(config-tunnel-general)#authentication-server-group DC1

Please rate if helpful.

AK: The user is going to have a hard time with ASA commands on an IOS router. Just sayin'.