Cisco ASA VPN Client with Windows RADIUS Authentication

• July 23rd, 2012
• By Noynim IT Solutions in ASA-PIX
• Comments (0)

NOYNIM is Denver’s premier IT services organization.  Below is a helpful guide in setting up the Cisco ASA to work with Radius.

Create a Cisco VPN client connection using Cisco ASA and Windows 2003 RADIUS authentication with split tunneling enabled

Assumption:

Internal Cisco ASA network is: 192.168.0.0/24

VPN Pool is: 192.168.50.0/24

Internal Radius server/DNS Server: 192.168.0.1

Internal domain: test.local

Internal Radius password: NOYNIM

VPN Group name: noynim (group name is case sensitive)

VPN Group password: NOYNIM

Windows security group created (users of this group will have VPN access: VPN_Users

Define a nonat ACL

1. access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0

Define split tunneling acl

1. access-list split_tunnel standard permit 192.168.0.0 255.255.255.0
2. ip local pool vpn_pool 192.168.50.10-192.168.50.50
3. nat (inside) 0 access-list nonat
4. aaa-server RADIUS protocol radius
5. aaa-server partnerauth protocol radius
6. aaa-server partnerauth (inside) host 192.168.0.125
7. timeout 5
8. key NOYNIM

Install Internet Authentication Service on your 2003 server

1. open Internet Authentication Service
   1. right click and click New RADIUS Client
   2. 
   3. click on Remote Access Policies
      1. right click on Connections to other access servers and click properties
      2. edit the day and time restrictions and make sure there are no restrictions and everything says permit (assuming you want 24/7 access)
      3. click add and select windows-groups

1. then add your VPN_Users group
2. make sure you click Grant remote access permissions at the bottom

i.     

1. click edit profile and check the following

i.     

1. Leave all the other settings to the default value

Go back to the ASA

1. crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
2. crypto dynamic-map dynmap 10 set transform-set AES256-SHA
3. crypto map AES256-SHA 10 ipsec-isakmp dynamic dynmap
4. crypto map AES256-SHA interface outside
5. crypto isakmp identity address
6. crypto isakmp enable outside
7. crypto isakmp policy 10

• authentication pre-share
• encryption aes-256
• hash sha
• group 2
• lifetime 86400

1. crypto isakmp nat-traversal 33
2. group-policy vpn_info internal
3. group-policy vpn_info attributes

• dns-server value 192.168.0.1
• vpn-tunnel-protocol IPSec
• split-tunnel-policy tunnelspecified
• split-tunnel-network-list value split_tunnel
• default-domain value test.local

1. tunnel-group noynim type remote-access
2. tunnel-group noynim general-attributes

• address-pool vpn_pool
• authentication-server-group partnerauth LOCAL
• default-group-policy vpn_info

1. tunnel-group noynim ipsec-attributes

• pre-shared-key test

1. make sure your username in AD has allow access in the Remote Access Permission in the dial-up tab

Share

Comment on Cisco ASA VPN Client with Windows RADIUS Authentication