12-11-2012 07:24 PM
Hi guys,
I am trying to configure my ASA 5520 to allow internal staff to work remotely via VPN. I need them to authenticate via RADIUS to MYCOMPANY-DC1 and allow them access only if they are part of the Windows group VPNusers.
Using the VPN wizard I've created the (purged) configuration below. Now when I try to connect, the debug returns the following error.
Dec 12 02:57:28 [IKEv1]: Group = DefaultRAGroup, IP = 120.156.45.246, Session is being torn down. Reason: L2TP initiated
I haven't found where to define the name of the Windows group the users have to be part of in order to be granted access, and I guess that this missing configuration is the cause of the problem. Can you please tell me where the error in my config is and where I have to add the missing configuration?
object-group network DM_INLINE_NETWORK_5
network-object LAN-network 255.255.0.0
access-list INTERNAL_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_5 172.16.4.0 255.255.255.128
aaa-server windows_DC protocol radius
aaa-server windows_DC (INTERNAL) host MYCOMPANY-DC1
timeout 5
key *****
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 172.16.0.4 8.8.8.8
dns-server value 172.16.0.4 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
default-domain value mycompanycorp.com.au
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_Cisco_Pool
authentication-server-group windows_DC
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
On the Windows Server side, I have the following event:
User myuser was denied access.
Fully-Qualified-User-Name = myuser
NAS-IP-Address = 172.16.1.1
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = ASA5520
Client-IP-Address = 172.16.1.1
NAS-Port-Type = Virtual
NAS-Port = 94208
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = MS-CHAPv2
EAP-Type = <undetermined>
Reason-Code = 48
Reason = The connection attempt did not match any remote access policy.
Thanks,
Dario Vanin
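Added example (not code from this thread): a small Python parser for the NPS/IAS denial event quoted in the post above. It extracts the request attributes that a Windows network policy's conditions are matched against, so an admin can compare them line by line with the policy instead of guessing; the attribute list, the verdict names and the second sample event are my own assumptions, and only reason code 48 (the one shown in the post) is interpreted.

```python
import re

# Constructed sample input: the NPS denial event quoted in the question.
SAMPLE_EVENT = """User myuser was denied access.
Fully-Qualified-User-Name = myuser
NAS-IP-Address = 172.16.1.1
Client-Friendly-Name = ASA5520
Client-IP-Address = 172.16.1.1
NAS-Port-Type = Virtual
NAS-Port = 94208
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Policy-Name = <undetermined>
Authentication-Type = MS-CHAPv2
EAP-Type = <undetermined>
Reason-Code = 48
Reason = The connection attempt did not match any remote access policy.
"""

# Request attributes that network-policy conditions are commonly matched
# against (assumed list; extend it to match the conditions your policy uses).
CONDITION_ATTRS = ("Fully-Qualified-User-Name", "NAS-Port-Type",
                   "Authentication-Type", "Client-Friendly-Name",
                   "Client-IP-Address")

def parse_nps_event(text):
    """Turn the 'Name = Value' lines of an NPS event into a dict.
    Placeholders such as <not present> or <undetermined> become None."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w-]+)\s*=\s*(.*?)\s*$", line)
        if not m:
            continue
        name, value = m.groups()
        is_placeholder = value.startswith("<") and value.endswith(">")
        attrs[name] = None if is_placeholder else value
    return attrs

def diagnose(attrs):
    """Return (verdict, details). Reason code 48 means no policy matched,
    so credentials were never evaluated: the fix is on the policy side."""
    code = int(attrs.get("Reason-Code") or -1)
    if code == 48:
        # Hand back exactly the attributes to compare with the policy conditions
        # (group membership is checked by the policy and is not in the event).
        return "no-policy-matched", {k: attrs.get(k) for k in CONDITION_ATTRS}
    if attrs.get("Policy-Name"):
        # A policy did match; the denial came from that policy's own settings.
        return "denied-by-matched-policy", {"Policy-Name": attrs["Policy-Name"]}
    return "unknown", {"Reason-Code": code}
```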
12-11-2012 08:19 PM
What was missing was an MS Windows Server configuration. Problem closed.
06-25-2014 02:34 AM
Hi,
What configuration was missing? I have the same problem.
06-25-2014 05:52 PM
Unfortunately I did not manage Windows Server, so I can't help you on that.
The ASA was correctly configured and the problem was on the Windows policies.