Re: VPN auth via AD Radius > whats the trick?

weales · ‎11-10-2006

It appears that to authenticate a user connecting via remote vpn to AD is to use MS IAS (radius). I have enabled IAS on the DC, created the radius client (ASA 5510) and successfully tested a connection in the ASDM.

I have a few questions/issues though.

1. Currently, I can only get PAP to test connect from the ASA AAA server setup to the DC IAS radius server. How can I change it use an encrypted mode?

2. Cisco docs indicate that to get a security device like an ASA to communcate and authenticate vpn users from an AD radius or ldap server requires an .ldif file be created with ldap attribute mappings and then imported back to AD using ldifde. There are quite a few ldap attributes, what security appliance authorication attribute mappings are required for user authentication?

campbellian · ‎11-10-2006

Regarding 1) All Cisco devices will only use PAP when set to RADIUS auth. You can use MSCHAP V2 if you set auth to RADIUS with expiry instead.

PAP is theoretically unencrpyted, but the passwords and user info are encrypted in transit between the ASA and IAS server using the salt password (preshared key).

Hope this helps.

scottyschafer · ‎01-08-2007

Hello i noticed that you were able to get your ASA to authenticate via radius with your active directory box. I was wondering what configuration you used. I am currently getting an error code 48 about a connection attempt not matching a remote access policy, on the domain controller. which i believe has something to do with our encryption. I am running AD 2000 on Server 2003 Is there anything special you had to do to get this to work? I have seen some posts about having to scale back the encryption when using 2003 so it will handle the PAP. Any help is appreciated.

Scott