How to use Microsoft IAS with Cisco VPN concentrator/ASA/PIX

Contributed by CCIE14019, July 2, 2006
Tagged: Cisco networking

This recipe shows how to use Microsoft IAS (Microsoft's RADIUS server) with a Cisco VPN 3000 concentrator, ASA, or PIX. Every VPN user connects with the same PCF file, so they all arrive in the same initial group. When the username is authenticated against Active Directory, IAS returns a group name to the concentrator/ASA/PIX in the RADIUS Class attribute, and the device locks the user into the group of that name.


VPN Concentrator(s) setup

Example:

- Login to concentrator/ASA
- Duplicate the steps below on BOTH ASAs/concentrators
- go to: Configuration > Policy Management > Traffic Management > Network Lists
- add
- name: "g_Radius_VPN"
- enter hosts/networks "10.224.3.3/0.0.0.0" (VPN 3000 network lists use wildcard masks, so 0.0.0.0 means this single host)
- add
- go to: Configuration > User Management > Groups
- add group
- group name: "g_Radius_VPN" (must match, character for character, the name IAS returns in the Class attribute; see the IAS setup below)
- password: [password] (this is the group pre-shared key that goes into the PCF file, so treat it as a shared secret)
- verify: [password]
- Type: internal
- go to: Client Config TAB
- Split Tunneling Policy
- check: only tunnel networks in the list
- Split Tunneling List
- choose: g_Radius_VPN
- add
- SAVE CONFIGURATION SETTINGS

AD User / Group Setup

- Login to Domain Controller
- go to: Active Directory Users and Computers
- OU: austin.mgam > Radius
- add group
- "g_Radius_VPN_[Temporary]" ([Temporary] is a placeholder suffix; the recipe creates one such group per vendor or temporary-access population, and the same name is reused for the IAS policy and its Class value below)
- OU: austin.mgam > Vendor
- add user
- User name:
- next
- password: [user password]
- uncheck: User must change password at next logon
- check: User cannot change password
- check: Password never expires
- finish
- open properties for user: [Temporary]
- Member Of TAB
- add
- "g_Radius_VPN_[Temporary]"
- OK
- choose "g_Radius_VPN_[Temporary]"
- click Set Primary Group (a user cannot be removed from their current primary group, so this must happen before the next step)
- Remove "Domain Users" group (the account now belongs only to the VPN group)
- OK
- since the password never expires, for a temporary vendor account also set a date under Account TAB > Account expires so the account itself stops working when the engagement ends

Radius / IAS Setup example

- Login to the RADIUS (IAS) server
- go to: Internet Authentication Service
- open Remote Access Policies
- create New Remote Access Policy
- next
- Set up a custom policy
- name: "g_Radius_VPN_[Temporary]"
- next
- add policy conditions
- Windows-Groups = "g_Radius_VPN_[Temporary]"
- Client-Friendly-Name = "AusVPN" (the name the concentrator/ASA was given when it was registered as a RADIUS client in IAS; this limits the policy to requests coming from that device)
- next
- Grant remote access permission
- next
- Edit Profile
- Advanced TAB
- remove Service-Type (the default value, Framed, is for dial-up/PPP, not the IPsec client)
- remove Framed-Protocol (default PPP, same reason)
- Add
- Class
- "OU=g_Radius_VPN_[Temporary];" (the OU= prefix and the trailing semicolon are the format the Cisco device expects; the name between them must exactly match the group configured on the concentrator/ASA/PIX)
- next
- finish
- Move the policy down so it sits with the other "g_Radius_VPN_XXXXX" policies (IAS evaluates policies top to bottom and applies the first one whose conditions all match, so a broader policy above it would take precedence)

DONE. Test the account on both VPNs before deploying it to the user.

- Issue the VPN Client and the standard PCF file
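What the concentrator group setup and the IAS policy above rely on, as an added example (constructed for this page; not code from the original recipe, from Cisco, or from Microsoft): a Python simulation of the RADIUS exchange. The concentrator sends an Access-Request with the user's PAP-hidden password, IAS authenticates the user and walks its ordered policy list, and the Access-Accept carries Class = "OU=<group>;", which the concentrator maps onto one of its configured groups. The usernames, passwords, the group suffixes, the shared secret and the policy list are all assumptions, and so is the decision to refuse the login when the returned group does not exist on the concentrator: that is this example's choice, not documented device behaviour. The concentrator side also checks the Response Authenticator, which is what stops a spoofed Access-Accept from a host that does not know the shared secret.

```python
"""Constructed example of the RADIUS exchange behind the recipe (not Cisco or Microsoft code).
The concentrator sends Access-Request with a PAP-hidden password; IAS answers Access-Accept
carrying Class = "OU=<group>;" from the first matching policy; the concentrator then locks the
user into the group of that name.  All names, passwords and the shared secret are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3     # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, CLASS = 1, 2, 25                  # RFC 2865 attribute types
SHARED_SECRET = b"example-radius-secret"   # assumed: secret set when "AusVPN" was added as an IAS client

def pap_hide(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_reveal(hidden, secret, request_auth):
    """Inverse of pap_hide: the previous ciphertext block keys the next one."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode(code, ident, authenticator, attrs):
    """RADIUS packet: code, id, length, 16-byte authenticator, then type/length/value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], attrs

# IAS side. DIRECTORY stands in for AD; IAS_POLICIES is the ordered Remote Access Policy list:
# every condition must match, the first matching policy wins, and its profile supplies Class.
DIRECTORY = {
    "vendor1": (b"V3nd0r!pass", {"g_Radius_VPN_AcmeCorp"}),
    "vendor2": (b"Z3ta!pass", {"g_Radius_VPN_Zeta"}),
}
IAS_POLICIES = [
    {"windows_group": "g_Radius_VPN_AcmeCorp", "client": "AusVPN", "class": b"OU=g_Radius_VPN_AcmeCorp;"},
    {"windows_group": "g_Radius_VPN_Zeta", "client": "AusVPN", "class": b"OU=g_Radius_VPN_Zeta;"},
]

def ias_handle(request, client_friendly_name):
    """Authenticate against DIRECTORY, then authorize through the first matching policy."""
    _, ident, req_auth, attrs = decode(request)
    a = dict(attrs)
    entry = DIRECTORY.get(a.get(USER_NAME, b"").decode(errors="replace"))
    password = pap_reveal(a.get(USER_PASSWORD, b""), SHARED_SECRET, req_auth)
    reply_attrs = []
    if entry and hmac.compare_digest(entry[0], password):
        for policy in IAS_POLICIES:
            if policy["windows_group"] in entry[1] and policy["client"] == client_friendly_name:
                reply_attrs.append((CLASS, policy["class"]))
                break
    code = ACCESS_ACCEPT if reply_attrs else ACCESS_REJECT      # no matching policy: reject
    pkt = encode(code, ident, req_auth, reply_attrs)
    # Response Authenticator = MD5(code + id + length + RequestAuth + attributes + secret)
    resp_auth = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + SHARED_SECRET).digest()
    return pkt[:4] + resp_auth + pkt[20:]

# Concentrator side: the groups defined under Configuration > User Management > Groups.
CONCENTRATOR_GROUPS = {"g_Radius_VPN_AcmeCorp", "g_Radius_VPN_Bravo"}   # deliberately no _Zeta

def concentrator_login(user, password, ias):
    """Send the Access-Request, verify the reply, and return the group the user is locked into."""
    ident, req_auth = 7, os.urandom(16)
    request = encode(ACCESS_REQUEST, ident, req_auth, [
        (USER_NAME, user.encode()),
        (USER_PASSWORD, pap_hide(password, SHARED_SECRET, req_auth)),
    ])
    reply = ias(request, "AusVPN")        # IAS knows the client name from the source address
    code, rid, resp_auth, attrs = decode(reply)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + SHARED_SECRET).digest()
    if rid != ident or not hmac.compare_digest(expected, resp_auth) or code != ACCESS_ACCEPT:
        return None   # wrong id, forged/tampered reply (bad Response Authenticator), or rejected
    for t, value in attrs:
        if t == CLASS and value.startswith(b"OU=") and value.endswith(b";"):
            group = value[3:-1].decode(errors="replace")
            if group in CONCENTRATOR_GROUPS:      # must match a configured group name exactly
                return group
    return None   # example's choice: no usable group means no access; device fallback not modelled
```

Call `concentrator_login("vendor1", b"V3nd0r!pass", ias_handle)` to see the normal path return `"g_Radius_VPN_AcmeCorp"`. The second user shows the failure mode the recipe's naming discipline exists to avoid: IAS answers Access-Accept with `OU=g_Radius_VPN_Zeta;`, but because no group of exactly that name exists on the concentrator the user ends up with nothing, which is the same symptom you get from a typo in either the concentrator group name or the Class value.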
