Wednesday, 20 January 2010

Authenticating VPN user from Active Directory

Hi guys. Today we are going to discuss how to set up a remote access VPN between remote clients / mobile users running the Cisco VPN Client (they are all names for the same thing) and an ASA 5500, authenticating the users against Active Directory through a Windows Server 2003 IAS server (Microsoft's RADIUS server).

IPsec is configured in this example with these considerations:

The crypto map is applied on the outside interface of the ASA appliance.

Xauth (extended authentication) of the VPN clients happens against RADIUS, which is the IAS server on Windows 2003.

The DNS server and the Windows 2003 IAS server both sit on the inside network.

Here we go

interface Ethernet0
nameif outside
security-level 0
ip address
interface Ethernet1
nameif inside
security-level 100
ip address



# Create a pool of addresses to assign dynamically to the remote VPN clients

ip local pool vpnclient

# NAT for the inside network (this depends on your scenario). Remember that traffic between the inside hosts and the VPN pool has to be exempt from NAT (nat 0 with an access-list), otherwise the clients will reach the ASA but not the inside servers.

nat (inside) 1
global (outside) 1 x.y.z.a

# Add the appropriate route inside / route outside statements for your network layout.

# Now create an AAA server group named "vpn" using RADIUS, add the Windows 2003 IAS server as a member of that group and set the shared secret, which is "cisco" in our case. The secret is case sensitive and must match the one entered on the IAS RADIUS client exactly.

aaa-server vpn protocol radius
aaa-server vpn (inside) host
key cisco

# Now create the VPN group policy and specify the DNS server address and the domain

group-policy VPNPOLICY internal
group-policy VPNPOLICY attributes
dns-server value
default-domain value

# IPsec (Phase 2) configuration: the transform set names the encryption type and the hash algorithm. This example uses DES and MD5; both are weak by today's standards, so prefer esp-aes and esp-sha-hmac on software that supports them.

crypto ipsec transform-set myset esp-des esp-md5-hmac

# Dynamic crypto map

crypto dynamic-map mydmap 10 set transform-set myset

# Enable RRI (reverse route injection), so the ASA adds a route for each connected client

crypto dynamic-map mydmap 10 set reverse-route

# Bind the dynamic map to a static crypto map using ISAKMP

crypto map mymap 10 ipsec-isakmp dynamic mydmap

# Now specify the interface the crypto map is attached to

crypto map mymap interface outside

# ISAKMP (Phase 1) configuration is as under. The lifetime is in seconds, so 1000 is very short (the default is 86400) and forces frequent rekeys.

isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000

# Create a new tunnel group. The security appliance provides a default tunnel group for remote access (DefaultRAGroup), but here we use our own. It must first be declared as a remote access (ipsec-ra) tunnel group.

tunnel-group mygroup type ipsec-ra
tunnel-group mygroup general-attributes
address-pool vpnclient
authentication-server-group vpn (remember: the server-group name is case sensitive)
default-group-policy VPNPOLICY

# Enter the pre-shared key to configure the authentication policy

tunnel-group mygroup ipsec-attributes
pre-shared-key xyz


Now go to the VPN client application:

Start > Programs > Cisco VPN Client

Click New to create a new connection.

Under Host, give the outside interface IP address of the ASA.

Under the Authentication tab, select the Group Authentication radio button:

Name = mygroup
Password = xyz

That's it. When you connect it will ask for one more username and password, which is the user account the Windows 2003 IAS server has.

Microsoft Windows 2003 Server with IAS Configuration

Complete these steps to configure the Microsoft Windows 2003 server with IAS.

First install IAS from Control Panel > Add/Remove Programs > Add/Remove Windows Components.

Select Administrative Tools > Internet Authentication Service, then right-click RADIUS Clients to add a new RADIUS client.

Give it a name and the IP address of the ASA (the interface facing the IAS server, since that is where the RADIUS requests come from), set Client-Vendor to RADIUS Standard, and enter the shared secret, cisco (it must match the ASA's key exactly, including case).

Go to Remote Access Policies, right-click (R.C) Connections to other access servers and select Properties. Ensure Grant remote access permission is selected.

Click Edit Profile and check:

Under the Authentication tab, check Unencrypted authentication (PAP, SPAP).

Under the Encryption tab, ensure that the option for No encryption is selected.

PAP is required here because the ASA forwards the Xauth username and password to RADIUS as a plain User-Password attribute. On the wire that attribute is protected only by the RADIUS shared secret (it is XORed with the MD5 of the secret and the request authenticator, per RFC 2865), not by any encryption, so keep the IAS server on the trusted inside network and use a long random shared secret instead of "cisco" in production. The client-to-ASA leg runs inside the IPsec tunnel and is not affected.
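What "Unencrypted authentication (PAP)" and "No encryption" mean on the ASA-to-IAS leg is easier to see in code. The following is an added example, not part of the original post and not Cisco or Microsoft code: it builds an Access-Request the way the ASA does after Xauth, the Access-Accept the way IAS answers, and then shows what a capture of that pair gives someone who can guess the shared secret. The secret "cisco" is the one the post configures; the username, password and fixed request authenticator are constructed values.

```python
"""RADIUS PAP exchange as the ASA and IAS do it (RFC 2865), rebuilt in pure
Python. Example code added to this post, not from the original; the shared
secret "cisco" is the post's, everything else below is constructed."""
import hashlib
import hmac
import os
import struct

SHARED_SECRET = b"cisco"                   # the post's aaa-server key
REQUEST_AUTHENTICATOR = bytes(range(16))   # constructed; the ASA uses 16 random bytes
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_user_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte chunks, XOR chunk i with
    MD5(secret + previous ciphertext chunk); chunk 0 uses the Request
    Authenticator. There is no MAC: this is obfuscation with the secret."""
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out, prev = out + chunk, chunk
    return out


def decode_user_password(encoded, secret, authenticator):
    """Inverse of encode; IAS does this before checking the password.
    Trailing NUL padding is stripped, so a password ending in NUL is not
    representable (a property of the RFC scheme, not of this code)."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        stream = hashlib.md5(secret + prev).digest()
        chunk = encoded[i:i + 16]
        out, prev = out + bytes(c ^ s for c, s in zip(chunk, stream)), chunk
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """One Type-Length-Value attribute; Length counts the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data):
    attrs, pos = [], 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(identifier, username, password, secret, authenticator):
    """What the ASA sends to IAS after Xauth: Code 1, Identifier, Length,
    16-byte Request Authenticator, then the attributes."""
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, encode_user_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def build_access_accept(request, secret, attrs=b""):
    """IAS reply. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(request, response, secret):
    """The check the ASA makes before trusting an Access-Accept."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def recover_secret(request, response, candidates):
    """Why the shared secret matters: anyone holding a capture of one
    request/response pair can test candidate secrets offline with plain MD5."""
    for candidate in candidates:
        if verify_response(request, response, candidate):
            return candidate
    return None


def recover_password(request, secret):
    """With the secret known, the User-Password attribute is an open book."""
    for attr_type, value in parse_attributes(request[20:]):
        if attr_type == ATTR_USER_PASSWORD:
            return decode_user_password(value, secret, request[4:20])
    return None


if __name__ == "__main__":
    auth = os.urandom(16)
    req = build_access_request(1, b"vpnuser", b"Secret123", SHARED_SECRET, auth)
    acc = build_access_accept(req, SHARED_SECRET)
    print("ASA accepts reply:", verify_response(req, acc, SHARED_SECRET))
    guessed = recover_secret(req, acc, [b"Cisco", b"radius", b"cisco"])
    print("secret from capture:", guessed, "password:", recover_password(req, guessed))
```

Note that "Cisco" and "cisco" are different secrets here, which is exactly the mismatch you get when the key on the ASA and on the IAS RADIUS client are typed with different case.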

Go to Administrative Tools > Computer Management > System Tools > Local Users and Groups, right-click Users and select New User to add a user to the local computer accounts. (If the IAS server is a domain member, domain accounts from Active Directory are authenticated the same way by the same policy, which is what the title of this post refers to.)

I hope I don't need to mention how to create a user... if you feel that you need that kind of help, go to Learn Windows for Extreme Dummies.com. Thanks for visiting...

One thing I would suggest: on the user's properties, under the General tab, ensure that Password never expires is selected, otherwise the account silently stops authenticating once the password expires (PAP offers no way to change it).

Under the Dial-in tab, select Allow access.

Here is one way to test whether the ASA is communicating with the IAS server:

test aaa-server authentication vpn host

(The full syntax is test aaa-server authentication <server-group> host <server-ip> username <user> password <pass>; if you leave the username and password off, the ASA prompts for them.) Give the username and password you just created on the IAS server. A failure here usually means a shared secret mismatch or IAS not recognising the ASA as a RADIUS client; the reason is logged in the System event log on the Windows server.

And one last thing, don't forget:

debug crypto isakmp
debug crypto ipsec
debug radius

for troubleshooting.
