ASA RA VPN with AD Authentication
Configuring an ASA for remote access VPN with Windows 2003 Active Directory Authentication (December 21, 2010)
Install Internet Authentication Services on a domain controller: Information for installing this service can be found on Microsoft’s TechNet site at: http://technet.microsoft.com/en-us/library/cc781690%28WS.10%29.aspx
Launch the IAS MMC
Register the server in Active Directory: Click on register and go through the wizard.
Install a new RADIUS client
Add name and address: The name should be something easily recognizable, like Cisco ASA. The address is the IP address of the inside interface.
Name and address
Enter Shared Secret: Click next, and enter the RADIUS shared secret.
Added RADIUS client: Click finish, and review the newly added client.
Add remote access policy
Add a policy name
Select VPN radio button
Add AD Group Name: Users with VPN access will need to be added into this Active Directory group.
Add authentication methods: Select MS-CHAPv2 and MS-CHAP.
Select Encryption Levels: All encryption levels are selected by default.
Finish the wizard
Verify RADIUS Ports
Confirm authentication methods: Edit the properties of the RADIUS client.
Select unencrypted authentication
IAS Configuration Complete: Now, time to add the AAA configuration in the Cisco ASA.
Configure ASA AAA: The host is the address of the server where IAS was installed and registered. The key is the shared secret.
Verify AD authentication in ASA: The IP address in the ‘test aaa’ command is the IAS server. The test account must be in the AD group added in the IAS policy.
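
An added example, not taken from the original slides: a minimal ASA AAA configuration and test command matching the two steps above. The server group name IAS_RADIUS, the address 192.0.2.10, the key, the test account and the port numbers are placeholders or assumptions; substitute the values from your own IAS setup.

```cisco
! Added example: group name, address, key and account are placeholders.
! Define a RADIUS server group.
aaa-server IAS_RADIUS protocol radius
! Point the group at the IAS server, reached through the inside interface
! (the interface whose IP address was entered as the RADIUS client in IAS).
aaa-server IAS_RADIUS (inside) host 192.0.2.10
 ! Must match the shared secret entered for the RADIUS client in IAS.
 ! With unencrypted authentication (PAP) the password is obscured on the
 ! wire only by this secret, so use a long random value.
 key <shared-secret>
 ! Assumed ports: set these to the values confirmed in the
 ! "Verify RADIUS Ports" step on the IAS server.
 authentication-port 1812
 accounting-port 1813
! From privileged EXEC mode, send a test authentication to the IAS server.
! The account must be a member of the AD group named in the IAS policy.
test aaa-server authentication IAS_RADIUS host 192.0.2.10 username vpntest password <password>
```
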
All Done: Hopefully, it is working for you. If not, check the event logs on the IAS server. Verify the shared secret password matches on the IAS server and the ASA. Verify the IAS service is running.