Cisco ASA VPN Client with Windows RADIUS Authentication
NOYNIM is Denver’s premier IT services organization. Below is a helpful guide to setting up the Cisco ASA to work with RADIUS.
Create a Cisco VPN client connection using a Cisco ASA and Windows 2003 RADIUS authentication, with split tunneling enabled
Assumptions:
Internal Cisco ASA network is: 192.168.0.0/24
VPN Pool is: 192.168.50.0/24
Internal RADIUS server / DNS server: 192.168.0.1
Internal domain: test.local
Internal RADIUS password (shared secret): NOYNIM
VPN Group name: noynim (group name is case sensitive)
VPN Group password: NOYNIM
Windows security group created (users of this group will have VPN access): VPN_Users
Define the nonat ACL (exempts traffic between the inside network and the VPN pool from NAT)
- access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
Define the split tunneling ACL
- access-list split_tunnel standard permit 192.168.0.0 255.255.255.0
Define the VPN address pool and apply the NAT exemption
- ip local pool vpn_pool 192.168.50.10-192.168.50.50
- nat (inside) 0 access-list nonat
Define the RADIUS server group (the key must match the shared secret entered for the ASA in IAS)
- aaa-server RADIUS protocol radius
- aaa-server partnerauth protocol radius
- aaa-server partnerauth (inside) host 192.168.0.125
- timeout 5
- key NOYNIM
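The `key` on the aaa-server host line and the shared secret entered for the ASA's RADIUS client entry in IAS have to match, because that secret is what hides the User-Password inside the Access-Request and what authenticates the server's reply. The Python below is an added example, not code from this guide, from Cisco or from Microsoft: it implements the RFC 2865 password hiding and Response Authenticator for both sides of the exchange, using a constructed one-user directory, the guide's key NOYNIM, and a placeholder NAS address of 192.168.0.2 (the ASA's inside address is not given on the page).

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block of the NUL-padded password with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def unhide_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; only a holder of the same secret recovers the password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")  # drops the padding (passwords ending in NUL are not representable)


def attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs


def build_access_request(secret, ident, username, password, nas_ip, request_auth=None):
    """NAS side (the ASA): a fresh random Request Authenticator for every request."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(secret, request_auth, password.encode()))
             + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(secret, code, ident, request_auth, attrs):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_handle(secret, request_pkt, user_db):
    """Server side (IAS): recover the password, look the user up, sign the reply."""
    _code, ident, request_auth, attrs = parse_packet(request_pkt)
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = unhide_password(secret, request_auth, attrs.get(ATTR_USER_PASSWORD, b""))
    ok = user in user_db and hmac.compare_digest(user_db[user], password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(code, ident, response_authenticator(secret, code, ident, request_auth, b""), b"")


def client_verify(secret, request_pkt, response_pkt):
    """NAS side: accept the reply only if the identifier matches and the authenticator verifies.
    Returns the response code, or None when the reply must be discarded."""
    _c, ident, request_auth, _a = parse_packet(request_pkt)
    code, rident, resp_auth, _ra = parse_packet(response_pkt)
    if rident != ident:
        return None
    expected = response_authenticator(secret, code, rident, request_auth, response_pkt[20:])
    return code if hmac.compare_digest(expected, resp_auth) else None


def run_exchange(client_secret, server_secret, username, password):
    """Full round trip; returns the verified response code or None."""
    user_db = {"jdoe": b"correct horse battery staple"}  # constructed sample directory
    request = build_access_request(client_secret, 7, username, password, "192.168.0.2")  # placeholder NAS address
    response = server_handle(server_secret, request, user_db)
    return client_verify(client_secret, request, response)


if __name__ == "__main__":
    print(run_exchange(b"NOYNIM", b"NOYNIM", "jdoe", "correct horse battery staple"))  # 2 (Access-Accept)
    print(run_exchange(b"NOYNIM", b"other", "jdoe", "correct horse battery staple"))   # None (reply fails check)
```

Because the hiding is only MD5 of the secret and a cleartext authenticator, anyone who can guess the secret and see the ASA-to-IAS traffic can recover user passwords, and a server with a mismatched key cannot even tell a good password from a bad one (it just rejects). That is why the key should be long and random on both sides and why this guide keeps the aaa-server on the inside interface.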
Install Internet Authentication Service on your 2003 server
- open Internet Authentication Service
- right-click RADIUS Clients and click New RADIUS Client (add the ASA, using the same shared secret as the aaa-server key)
- click on Remote Access Policies
- right-click Connections to other access servers and click Properties
- edit the day and time restrictions and make sure there are no restrictions and everything says Permit (assuming you want 24/7 access)
- click Add and select Windows-Groups
- then add your VPN_Users group
- make sure Grant remote access permission is selected at the bottom
- click Edit Profile and check the following
- leave all other settings at their default values
Go back to the ASA
- crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
- crypto dynamic-map dynmap 10 set transform-set AES256-SHA
- crypto map AES256-SHA 10 ipsec-isakmp dynamic dynmap
- crypto map AES256-SHA interface outside
- crypto isakmp identity address
- crypto isakmp enable outside
- crypto isakmp policy 10
- authentication pre-share
- encryption aes-256
- hash sha
- group 2
- lifetime 86400
- crypto isakmp nat-traversal 33
- group-policy vpn_info internal
- group-policy vpn_info attributes
- dns-server value 192.168.0.1
- vpn-tunnel-protocol IPSec
- split-tunnel-policy tunnelspecified
- split-tunnel-network-list value split_tunnel
- default-domain value test.local
- tunnel-group noynim type remote-access
- tunnel-group noynim general-attributes
- address-pool vpn_pool
- authentication-server-group partnerauth LOCAL
- default-group-policy vpn_info
- tunnel-group noynim ipsec-attributes
- pre-shared-key test
- make sure the user's AD account has Allow access selected under Remote Access Permission on the Dial-in tab
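A configuration like the one above is easy to get wrong in small ways: a split-tunnel list name that does not match an access-list, a pool that the nonat ACL does not cover, a server group that is defined but never used by the tunnel-group. The Python below is an added example, not part of this guide or any Cisco tool: it reads the guide's own commands (embedded as the sample input, trimmed to the lines that name or reference objects) with regular expressions that cover only the command forms used here, and reports dangling references, unused aaa-server groups, and a pool that falls outside the identity-NAT ACL.

```python
import ipaddress
import re

# The ASA commands from this guide that define or reference named objects, one per line
# (lines irrelevant to cross-referencing, such as the isakmp policy, are left out).
ASA_CONFIG = """
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list split_tunnel standard permit 192.168.0.0 255.255.255.0
ip local pool vpn_pool 192.168.50.10-192.168.50.50
nat (inside) 0 access-list nonat
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.0.125
 timeout 5
 key NOYNIM
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set AES256-SHA
crypto map AES256-SHA 10 ipsec-isakmp dynamic dynmap
crypto map AES256-SHA interface outside
group-policy vpn_info internal
group-policy vpn_info attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
tunnel-group noynim type remote-access
tunnel-group noynim general-attributes
 address-pool vpn_pool
 authentication-server-group partnerauth LOCAL
 default-group-policy vpn_info
"""


def check_asa_config(text: str) -> list:
    """Cross-reference the named objects in an ASA VPN config; returns ERROR/WARN strings."""
    defined = {k: set() for k in ("acl", "pool", "aaa", "gp", "ts", "dynmap", "cmap")}
    refs = {k: [] for k in defined}
    acl_dsts, pools, nat0_acls = {}, {}, []
    for raw in text.splitlines():
        l = raw.strip()
        if m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", l):
            defined["acl"].add(m[1])
            acl_dsts.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[4]}/{m[5]}"))
        elif m := re.match(r"access-list (\S+) ", l):
            defined["acl"].add(m[1])
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", l):
            defined["pool"].add(m[1])
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", l):
            refs["acl"].append(m[1])
            nat0_acls.append(m[1])
        elif m := re.match(r"aaa-server (\S+) protocol ", l):
            defined["aaa"].add(m[1])
        elif m := re.match(r"crypto ipsec transform-set (\S+) ", l):
            defined["ts"].add(m[1])
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ set transform-set (\S+)", l):
            defined["dynmap"].add(m[1])
            refs["ts"].append(m[2])
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", l):
            defined["cmap"].add(m[1])
            refs["dynmap"].append(m[2])
        elif m := re.match(r"crypto map (\S+) interface ", l):
            refs["cmap"].append(m[1])
        elif m := re.match(r"group-policy (\S+) internal", l):
            defined["gp"].add(m[1])
        elif m := re.match(r"split-tunnel-network-list value (\S+)", l):
            refs["acl"].append(m[1])
        elif m := re.match(r"address-pool (\S+)", l):
            refs["pool"].append(m[1])
        elif m := re.match(r"authentication-server-group (\S+)", l):
            refs["aaa"].append(m[1])  # the LOCAL fallback after the group name is not a group
        elif m := re.match(r"default-group-policy (\S+)", l):
            refs["gp"].append(m[1])

    findings = []
    for kind, names in refs.items():
        findings += [f"ERROR: {kind} '{n}' is referenced but never defined"
                     for n in names if n not in defined[kind]]
    findings += [f"WARN: aaa-server group '{g}' is defined but never referenced"
                 for g in sorted(defined["aaa"] - set(refs["aaa"]))]
    # The identity-NAT ACL must cover every address the pool hands out, or return traffic gets translated.
    for acl in nat0_acls:
        for name, (lo, hi) in pools.items():
            if not any(lo in dst and hi in dst for dst in acl_dsts.get(acl, [])):
                findings.append(f"ERROR: pool '{name}' ({lo}-{hi}) is not covered by nonat ACL '{acl}'")
    return findings


if __name__ == "__main__":
    for finding in check_asa_config(ASA_CONFIG):
        print(finding)
```

On the guide's commands the only finding is that the `aaa-server RADIUS protocol radius` group is never used by the tunnel-group. The checker resolves references inside the configuration only; values listed under Assumptions, such as the RADIUS server address and the pre-shared key, still have to be compared by hand with what is actually typed on the `host` and `pre-shared-key` lines.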