How to Use Microsoft IAS with Cisco VPN Concentrator/ASA/PIX

Posted July 2, 2006 by CCIE14019 in Cisco networking

This VPN setup shows how to use IAS with a VPN Concentrator, ASA, or PIX. Basically, every VPN user connects with the same PCF file and initially lands in a common group. When their username is authenticated against Active Directory, IAS returns a group name (in the RADIUS Class attribute) to the Concentrator/ASA/PIX, which then places the user in that group.


VPN Concentrator(s) setup

Example:

– Log in to the concentrator/ASA.
– Duplicate the steps below on BOTH ASAs/concentrators.
– Go to configuration > policy mgmt > traffic mgmt > network lists.
– Add
– name: “g_Radius_VPN”
– Enter hosts/networks “10.224.3.3/0.0.0.0”
– Add
– Go to configuration > user management > groups.
– Add group
– Group name: “g_Radius_VPN”
– Password: [password]
– Verify: [password]
– Type: internal
– Go to: Client Config TAB
– Split Tunneling Policy
– Check: only tunnel networks in the list
– Split Tunneling List
– Choose: g_Radius_VPN
– Add
– SAVE CONFIGURATION SETTINGS

AD User / Group Setup

– Log in to Domain Controller
– Go to: Active Directory Users and Computers
– OU: austin.mgam > Radius
– Add group
– “g_Radius_VPN”
– OU: austin.mgam > Vendor
– Add user
– User name:
– Next
– Password: [user password]
– Uncheck: User must change password at next login
– Check: user cannot change password
– Check: password never expires
– Finish
– Open properties for user: [Temporary]
– Member Of TAB
– Add
– “g_Radius_VPN_[Temporary]”
– OK
– Choose “g_Radius_VPN_[Temporary]”
– Click Set Primary Group
– Remove “Domain Users” group
– OK

Radius / IAS Setup example

– Log in to Radius Server
– Go to: Internet Authentication Service
– Open Remote Access Policy
– Create New Remote Access Policy
– Next
– Set up a custom policy
– Name: “g_Radius_VPN_[Temporary]”
– Next
– Add policy conditions
– Windows-Group = “g_Radius_VPN_[Temporary]”
– Client-Friendly-Name = “AusVPN”
– Next
– Grant remote access permission
– Next
– Edit Profile
– Advanced TAB
– Remove Service-Type
– Remove Framed-Protocol
– Add
– Class
– “OU=g_Radius_VPN_[Temporary];”
– Next
– Finish
– Move the policy down so it sits within the group of other “g_Radius_VPN_XXXXX” policies (IAS evaluates remote access policies in order, first match wins)

Test the account on both VPNs before deploying to the user.

– Issue VPN Client and also Standard PCF file
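The mapping chain above (AD group membership, ordered IAS policy match on Windows-Group and Client-Friendly-Name, Class attribute “OU=<group>;”, group assignment on the concentrator) modelled in Python as an added example; this is not Cisco or Microsoft code, and the user names, policy table and VPN group list are constructed sample data.

```python
"""Model of the AD group -> IAS policy -> Class attribute -> VPN group flow.
Added example, not vendor code. IAS policies are evaluated in order; the
first policy whose conditions all match decides the outcome."""
from dataclasses import dataclass
import re

# Constructed sample data: who is in which AD group.
AD_GROUPS = {
    "vendor1": {"g_Radius_VPN_Vendor1"},
    "alice": {"Domain Users"},
}

@dataclass
class Policy:
    name: str
    windows_group: str          # Windows-Group condition
    client_friendly_name: str   # Client-Friendly-Name condition (the NAS)
    class_attr: str             # Class attribute returned in Access-Accept

# Constructed IAS policy table, in evaluation order.
IAS_POLICIES = [
    Policy("g_Radius_VPN_Vendor1", "g_Radius_VPN_Vendor1", "AusVPN",
           "OU=g_Radius_VPN_Vendor1;"),
]

# Groups actually configured on the concentrator/ASA (constructed).
VPN_GROUPS = {"g_Radius_VPN", "g_Radius_VPN_Vendor1"}

def ias_authorize(user, nas_friendly_name):
    """Return the Class attribute of the first matching policy, or None (reject)."""
    groups = AD_GROUPS.get(user, set())
    for p in IAS_POLICIES:
        if p.windows_group in groups and p.client_friendly_name == nas_friendly_name:
            return p.class_attr
    return None

def parse_class_ou(class_attr):
    """Extract the group name from 'OU=<name>;' as used on this page.
    The key is matched case-insensitively; the trailing ';' is required."""
    m = re.fullmatch(r"OU=([^;]+);", class_attr or "", flags=re.IGNORECASE)
    return m.group(1) if m else None

def assign_vpn_group(user, nas_friendly_name):
    """Concentrator side: place the user in the group named by Class. Fail closed
    when the policy rejects, the attribute is malformed, or the group is unknown."""
    group = parse_class_ou(ias_authorize(user, nas_friendly_name))
    if group is None or group not in VPN_GROUPS:
        return None
    return group
```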
