VPN and Radius with Cisco ASA and Windows 2003 Server

Here's an article about integrating the Cisco ASA firewall/VPN concentrator 5500 family with Windows 2003 Server's RADIUS server, called Internet Authentication Server - AIS. What I will describe is setting up a ASA 5500 appliance to do Remote Access VPNs authenticating against a MS IAS RADIUS server; the twist to this setup is differentiating between multiple Windows user groups - linking a Windows AD group to a specific tunnel-group.

I decided to write this article becouse I had to search for too much how to do some of the things described below.

In the first part we'll take care of setting up the 2003 Server.

First of all make sure that if you're deploying RADIUS for a large organization you're using the Enterprise flavor of Windows 2003 Server. It has more extensive capabilities than the Standard edition - see http://www.winsupersite.com/showcase/winserver2003_editions.asp for example.

Second, install IAS on the 2003 Server - it doesn't come installed by default:


In order to use the IAS with a client (in our case, the ASA device) you have to declare the client to IAS, otherwise the server will not answer to the queries: enter the IAS management console, right click on the "RADIUS Clients" on the left > New RADIUS Client. Here choose a name for the ASA device; this will be unique and you'll be using it later. Next, as Client-Vendor choose RADIUS standard, and as secret - a phrase that you'll use later in your ASA config to pair with the IAS server.

Next, the server needs a Connection request policy to allow the client to connect: Connection Request Processing > Connection Request Policies > New... Here make a custom policy and as Policy Condition you can use for example "Client-Friendly-Name" and specify the name you chose in the previous step when you declared the client:


The next thing to do is to create a Remote Access Policy, again a custom one. For this you have to have prepared one or more Windows groups (local or better - AD groups) in which you include the users that can access the VPN. So, in policy conditions add the Client Friendly name (for example) and the Windows-Groups attribute; here you'll be asked for the group. Next, "Grant remote access permision" and edit the profile. In the Authentication tab choose only "Unencrypted authentication" and in the Encryption tab choose only "No encryption". We'll handle the Advanced tab later.

Now, the ASA appliance.

I won't describe in detail how to set up a Remote Access VPN, there are plenty of tutorials and guides for doing this. One would be http://www.cisco.com/warp/public/110/asa-remotevpn-asdm.pdf.
Here's a sample setup of doing this:

aaa-server group1 protocol radius aaa-server group1 host 192.168.1.2 key secret

group1 will be used to authenticate the VPN users against the 192.168.1.2 server (this is the IP of the 2003 Server box with IAS). Before continuing with the setup let's test the RADIUS communication:

ASA# test aaa-server authentication group1 username user password passwd
Server IP Address or name: 192.168.1.2
INFO: Attempting Authentication test to IP address <192 .168.1.2=""> (timeout: 12 seconds)
INFO: Authentication Successful

If the authentication was successful you will get the above message. If not, you need to debug it. On the IAS server side you can check the Event Log in the System category. Every attempt of authentication is logged there is successful or not. Typical pitfalls are misconfigured Remote Access Policies of Connection Request Policies. You will get a "Reason" for the failure.

If you don't even get a Event Log message then you need to check your security device configuration or IP connectivity.

The rest of the configuration:

ip local pool vpn-pool 10.0.1.2 - 10.0.1.255
group-policy testvpn internal
group-policy testvpn attributes
dns-server value 192.168.1.3
vpn-tunnel-protocol IPSec
default-domain value test.local
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map Outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map Outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group testvpn-group type ipsec-ra
tunnel-group testvpn-group general-attributes
address-pool vpn-pool
authentication-server-group group1
default-group-policy testvpn
tunnel-group testvpn-group ipsec-attributes
pre-shared-key *

Please note that is only an example config and your needs may require some other config options.
To complicate matters, if you have multiple VPN tunnel groups then you need to differentiate between users that are allowed to access each tunnel then you need to add a special attribute in the Remote Access Policy: go to the Remote Access Policy you're editing and in the Advanced tab add a Class attribute with a string value of OU=value. The value must match the name of the tunnel group:


On the ASA:

group-policy testvpn attributes
group-lock value testvpn-group

What I couldn't figure out is how to differentiate the VPN users from the management users (console, ASDM etc). If anybody knows please let me know.
   

Comments

24 Responses to " VPN and Radius with Cisco ASA and Windows 2003 Server "

kugar said... April 17, 2008 at 3:33 PM

Very helpful article, I was just trying to make this configuration and thanks to you it works now !

The editor said... April 17, 2008 at 3:56 PM

Thanks.
I had a hard time myself doing the config as I found no clear reference on the web about this.

Dr3D said... April 24, 2008 at 12:53 AM

If you need additional info, it is all described here... Only found it after we followed your method :)
Troubleshooting info included.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml#configuringthemicrosoftserverwithias

Daniyar said... May 2, 2008 at 6:41 PM

in my config I have ADSM users in Local authentication and then IPSEC/WebVPN users use MSIAS. This way differenciation is done in Cisco, not in MS

Editor said... May 2, 2008 at 7:49 PM

That's how I did it eventually, but I was looking to have my administrative users authenticate againts IAS.
Thanks though.

mad.sai.entist said... May 5, 2008 at 4:48 PM

I have gotten the IAS setup and when I test the authentication it is successful but when I tried to actually use it to authenticate a VPN session it doesn't even send a request to the IAS. Any ideas?

Editor said... May 5, 2008 at 5:01 PM

Make sure that authentication-server-group group1 matches the Radius group you defined.

mad.sai.entist said... May 6, 2008 at 5:33 PM

For some reason the problem was with the "ppp authentication" method. It was trying to authenticate with the IAS using ms-chap-v1 and chap but not pap. I had to explicitly enable pap and disable ms-chap-v1 and chap. The everything worked fine.

gneNchris said... May 13, 2008 at 9:16 PM

Can you please provide the full link from dr3d's comment? It looks like blogger truncated it...

The editor said... May 14, 2008 at 11:21 AM

Here's the URL:
http://tinyurl.com/yxjvxl

Anonymous said... May 16, 2008 at 3:47 PM

Where, exactly, did you configure the PPP authentication?

My IAS server doesn't support PAP, but only CHAP, MS-CHAP - and I can't determine where on the VPN server I can change that...

pjmac said... July 11, 2008 at 7:01 PM

One note is that the IAS server should be a x32 OS and not a x64 as I spent a couple hours until I realized this IAS was x64. I would receive a cannot connect with 'no error' even though the ASA was able to access the IAS x64 server.

jash said... September 4, 2008 at 9:53 AM

For both VPN and telnet/ssh auth, try using Called-Station-ID to distinguish between the RADIUS requests coming from the VPN process (Called-Station-ID will be the public IP) vs from telnet/ssh sessions (Called-Station-ID will not be present). You can have two policies - one that specifies Called-Station-ID plus a VPN group, and one that does not specificy Called-Station-ID but does specify a NetAdmin group for telnet/ssh access.

Anonymous said... September 18, 2008 at 6:31 AM

Hello Anjin.
Congatulations for this configuration, I used it and everything work perfect...

Thank You.

Gleidson

Anonymous said... November 5, 2008 at 11:57 PM

This works great for WebVPN but I cannot get SVC to work, even though it is selected. The logs indicate: "WebVPN session terminated: Client Type not supported>" But i have svc selected in the group profile, not WebVPN!

The editor said... November 6, 2008 at 12:46 PM

What exactly are you refering to with SVC?

Greg said... December 8, 2008 at 5:50 PM

Jash's method in his comment worked. I used called station ID to differentiate between VPN access authentication requests and admin access authentication requests.
I suggest downloading IAS Log Viewer http://www.deepsoft.ru/iasviewer/

Anonymous said... December 10, 2008 at 12:08 AM

Thanks for the article. I'm struggling to get this working with Windows using Active Directory instead of Radius. I'd like to be able to only allow specific groups of users to access VPN on the ASA, instead of the entire domain. Can this be done, or only with Radius?

Trevor said... January 16, 2009 at 6:36 PM

I've tried this on multiple servers and I'm never given the option to add "Windows-Groups" to the client policy. That option is completely missing from the list. What's up?

Matthew X. Economou said... April 22, 2009 at 7:44 PM

Trevor: Is your IAS server registered in Active Directory?

Mike said... May 5, 2009 at 4:29 PM

what I couldn't figure out is how to differentiate the VPN users from the management users (console, ASDM etc). If anybody knows please let me know.

Regarding differentiating your VPN users from management users: Under the advanced tab in you Remote Access Policy, add a Service-Type with a value of "Administrative" (vendor is RADIUS Standard)
This is the value that the ASA passes when requesting console or ASDM access verification.

Hope that helps.

mike.

tvaniderstine said... July 9, 2009 at 10:04 PM

The way i solved the problem was to define my administrative access policy first as:

Calling-Station-id matches ip:source-ip=*
NAS-Port-Type matches VPN
Windows-Groups matches "DOM1\netadmin"
Client-IP-Address matches 10.20.30.40

my 2nd policy is my remote access policy and it is set up as:
NAS-Port-Type matches VPN
Windows-Groups matches "DOM1\remoteusr"
Client-IP-Address matches 10.20.30.40

This is running on Win2k3 and IAS.

I hope this helps someone.
remote access users can connect using the VPN client and their DOM1 credentials, and Network Administrators can connect via SSH to the PIX...AND...log in via the VPN client.

Anthony said... September 11, 2009 at 10:34 PM

Thanks for this article. It help me with a pix 506 to ASA 5510 cutover.

Tom Sawyer said... October 22, 2010 at 10:55 PM

Awesome.. I just finished setting up my ASA with Radius server 2008 with the help of your post and one here

Thank you.

Post a Comment

Follow by Email

Sponsored Links

Labels