How to Use Microsoft IAS with Cisco VPN Concentrator/ASA/PIX

This VPN setup shows how to use Microsoft IAS (RADIUS) with a Cisco VPN Concentrator, ASA, or PIX. Every VPN user connects with the same PCF file and initially lands in one group. When the username is authenticated against Active Directory, IAS checks the user's AD group membership and returns a group name to the concentrator/ASA/PIX in the RADIUS Class attribute, and the device then places the user in that group.


VPN Concentrator(s) setup

Example:

– Log in to concentrator/ASA.
– Duplicate the steps below on BOTH ASA/concentrators.
– Go to configuration > policy mgmt > traffic mgmt > network lists.
– Add
– name: “g_Radius_VPN”
– Enter hosts/networks “10.224.3.3/0.0.0.0”
– Add
– Go to configuration > user management > groups.
– Add group
– Group name: “g_Radius_VPN”
– Password: [password]
– Verify: [password]
– Type: internal
– Go to: Client Config TAB
– Split Tunneling Policy
– Check: only tunnel networks in the list
– Split Tunneling List
– Choose: g_Radius_VPN
– Add
– SAVE CONFIGURATION SETTINGS

AD User / Group Setup

– Log in to Domain Controller
– Go to: Active Directory Users and Computers
– OU: austin.mgam > Radius
– Add group
– “g_Radius_VPN”
– OU: austin.mgam > Vendor
– Add user
– User name:
– Next
– Password: [user password]
– Uncheck: User must change password at next login
– Check: user cannot change password
– Check: password never expires
– Finish
– Open properties for user: [Temporary]
– Member Of TAB
– Add
– “g_Radius_VPN_[Temporary]”
– OK
– Choose “g_Radius_VPN_[Temporary]”
– Click Set Primary Group
– Remove “Domain Users” group
– OK

Radius / IAS Setup example

– Log in to Radius Server
– Go to: Internet Authentication Service
– Open Remote Access Policy
– Create New Remote Access Policy
– Next
– Set up a custom policy
– Name: “g_Radius_VPN_[Temporary]”
– Next
– Add policy conditions
– Windows-Group = “g_Radius_VPN_[Temporary]”
– Client-Friendly-Name = “AusVPN”
– Next
– Grant remote access permission
– Next
– Edit Profile
– Advanced TAB
– Remove Service-Type
– Remove Framed-Protocol
– Add
– Class
– “OU=g_Radius_VPN_[Temporary];”
– Next
– Finish
– Move the policy down so it sits within the group of other “g_Radius_VPN_XXXXX” policies
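The whole setup rests on one protocol detail: the IAS policy's Class attribute value “OU=groupname;” is what the concentrator/ASA/PIX reads from the Access-Accept to decide which group the user lands in. The following is an added example (not from the original post or from Cisco/Microsoft) that builds a minimal RADIUS Access-Accept carrying that attribute and parses it the way the head-end must, with bounds checks on the attribute TLVs. The packet contents, the user name, and the set of configured group names are constructed for illustration; the rule that an unknown group name is rejected rather than mapped to a default is a defensive choice of this example, not a statement about how the Cisco device behaves.

```python
import re
import struct
from typing import Dict, List, Optional, Tuple

RADIUS_ACCESS_ACCEPT = 2   # RADIUS code for Access-Accept (RFC 2865)
ATTR_USER_NAME = 1         # User-Name attribute type
ATTR_CLASS = 25            # Class attribute type, used by Cisco for group lock

# Constructed sample: the group names the VPN head-end has configured under
# Configuration > User Management > Groups. Only these may be assigned.
CONFIGURED_VPN_GROUPS = {"g_Radius_VPN", "g_Radius_VPN_Temporary"}

# The Cisco group-lock form of the Class value: OU=<group name>;
OU_PATTERN = re.compile(r"OU=([^;]+);")


def build_access_accept(identifier: int, attributes: List[Tuple[int, bytes]]) -> bytes:
    """Build a RADIUS Access-Accept from (type, value) attribute pairs.

    The 16-byte Response Authenticator is a constructed placeholder of zeros;
    a real server computes it as MD5 over the packet and the shared secret.
    """
    body = b""
    for attr_type, value in attributes:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value exceeds 253 bytes")
        # Attribute length counts the type and length octets as well as the value.
        body += struct.pack("!BB", attr_type, len(value) + 2) + value
    length = 20 + len(body)
    return struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, identifier, length) + bytes(16) + body


def parse_attributes(packet: bytes) -> Dict[int, List[bytes]]:
    """Walk the attribute TLVs after the 20-byte header, rejecting bad lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs: Dict[int, List[bytes]] = {}
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        # Length < 2 would loop forever; overrun past the packet is malformed.
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def group_from_class(class_values: List[bytes]) -> Optional[str]:
    """Return the group named by the first Class value of the form OU=<name>;"""
    for raw in class_values:
        match = OU_PATTERN.search(raw.decode("ascii", errors="replace"))
        if match:
            return match.group(1)
    return None


def resolve_vpn_group(packet: bytes, configured_groups=CONFIGURED_VPN_GROUPS) -> Optional[str]:
    """Group-lock decision: the group named in the Access-Accept, or None to refuse.

    None is returned when the reply is not an Access-Accept, carries no usable
    Class attribute, or names a group the head-end does not have configured.
    """
    if not packet or packet[0] != RADIUS_ACCESS_ACCEPT:
        return None
    attrs = parse_attributes(packet)
    group = group_from_class(attrs.get(ATTR_CLASS, []))
    if group is None or group not in configured_groups:
        return None
    return group


if __name__ == "__main__":
    # Constructed reply for a vendor account placed in the temporary group.
    reply = build_access_accept(7, [
        (ATTR_USER_NAME, b"vendor01"),
        (ATTR_CLASS, b"OU=g_Radius_VPN_Temporary;"),
    ])
    print(resolve_vpn_group(reply))
```

Running it prints `g_Radius_VPN_Temporary`. The interesting case for a practitioner is the negative one: a policy whose Class value has a typo (or no trailing semicolon) produces a reply with no usable group, and the explicit check against the configured group set makes that visible instead of silently landing the user in whatever group the device falls back to.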

Test the account on both VPNs before deploying it to the user.

– Issue VPN Client and also Standard PCF file

The Conversation


  • I would like to control user access on Cisco devices using MS IAS. For example, user A should be able to access only network 192.168.1.X, user B should be able to access network B, and so on. Please help me in this regard. I have ASA, PIX, 3560 switch, etc.