Cisco ASA VPN Client with Windows RADIUS Authentication

July 23rd, 2012
By Noynim IT Solutions in ASA-PIX
Comments (0)

NOYNIM is Denver’s premier IT services organization. Below is a helpful guide in setting up the Cisco ASA to work with Radius.

Create a Cisco VPN client connection using Cisco ASA and Windows 2003 RADIUS authentication with split tunneling enabled

Assumption:

Internal Cisco ASA network is: 192.168.0.0/24

VPN Pool is: 192.168.50.0/24

Internal Radius server/DNS Server: 192.168.0.1

Internal domain: test.local

Internal Radius password: NOYNIM

VPN Group name: noynim (group name is case sensitive)

VPN Group password: NOYNIM

Windows security group created (users of this group will have VPN access: VPN_Users

Define a nonat ACL

access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0

Define split tunneling acl

access-list split_tunnel standard permit 192.168.0.0 255.255.255.0
ip local pool vpn_pool 192.168.50.10-192.168.50.50
nat (inside) 0 access-list nonat
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.0.125
timeout 5
key NOYNIM

Install Internet Authentication Service on your 2003 server

open Internet Authentication Service
1. right click and click New RADIUS Client
3. click on Remote Access Policies
  1. right click on Connections to other access servers and click properties
  2. edit the day and time restrictions and make sure there are no restrictions and everything says permit (assuming you want 24/7 access)
  3. click add and select windows-groups

then add your VPN_Users group
make sure you click Grant remote access permissions at the bottom

click edit profile and check the following

Leave all the other settings to the default value

Go back to the ASA

crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set AES256-SHA
crypto map AES256-SHA 10 ipsec-isakmp dynamic dynmap
crypto map AES256-SHA interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10

authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

crypto isakmp nat-traversal 33
group-policy vpn_info internal
group-policy vpn_info attributes

dns-server value 192.168.0.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value test.local

tunnel-group noynim type remote-access
tunnel-group noynim general-attributes

address-pool vpn_pool
authentication-server-group partnerauth LOCAL
default-group-policy vpn_info

tunnel-group noynim ipsec-attributes

pre-shared-key test

make sure your username in AD has allow access in the Remote Access Permission in the dial-up tab

Comment on Cisco ASA VPN Client with Windows RADIUS Authentication

Leave a Reply

Nicholas Pool

14:38 27 Dec 18

Outstanding corporate IT services company. NOYNIM has a well experienced crew and an extremely responsive process in place to help their customers. Most of my company's help desk tickets are responded to within 30 minutes of request, and troubleshooting usually takes less than 15 minutes. I would recommend NOYNIM as a provider to anyone.

David Smith

18:28 28 Aug 18

Excellent IT services provider company in Denver.

Chad Lieberman

18:45 02 Aug 17

NOYNIM is a fantastic and client-focused IT company. Daniel and his team find creative and cost-effective solutions to a variety of IT issues. They are responsive, professional and efficient. I highly recommend NOYNIM.

Rita Lawrence

15:00 17 Oct 17

This company is fast, super responsive, and very professional!

Robert B. Wareham

16:51 30 Aug 17

Update: August 30, 2017 If I could give these guys more than 5 stars I would. They did a complete Windows Server upgrade this year and it went flawlessly. No one in the firm even knew it was going on. We now have the latest version of Windows Server and everything is working great. Dan and his crew are responsive and prompt. They are knowledgeable and competent. I look forward to years more of our partnership. Prior Review- 2015 After being promised the moon by so many IT companies I was skeptical when Daniel Noy told me that he could assure me a stable and secure IT environment. We were on the verge of a Windows Server SBS upgrade. Our prior IT company had set us up with a virtual server environment that never did work. Without billing me for hours of unproductive and expensive "planning and assessment" meetings Daniel and his team quickly determined our needs and implemented the server migration flawlessly. That was three or four years ago. Since that time Daniel and his staff have proved to be capable and responsive. The SBS server had some upgrade bugs that took hours, if not days, to troubleshoot with Microsoft's top level support people finally confirming it was a software bug. Daniel never gave up on the problem and pushed Microsoft on our behalf. As a trial lawyer I appreciate the need to advocate on behalf of a client. Daniel really went to bat for us. I don't toss endorsements around lightly as I live by my reputation of credibility and integrity. Daniel Noy shares those values. I know he has personally spent many late nights with his staff working to resolve issues as they arose. Noynim is responsive and capable. I don't worry about our network anymore. I give Daniel and Noynim my unqualified endorsement. Robert B. Wareham CEO and Attorney at Law The Law Center P.C. Highlands Ranch, Colorado

Cisco ASA VPN Client with Windows RADIUS Authentication

Share

Comment on Cisco ASA VPN Client with Windows RADIUS Authentication