Solved

Cisco PIX 506E / Cisco VPN / Active Directory All Working Together

Posted on 2006-05-11
1,832 Views
Last Modified: 2013-11-16
I just implemented a Cisco PIX 506E.  I want to start using the Cisco VPN Client and integrate authentication with Active Directory.  I've read http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml#config-2003 and have some questions.

How does this method tie into Active Directory?  The directions say nothing about AD but only local users/groups.  Will split tunneling work using RADIUS authentication?

Thanks,

myfootsmells
Question by:myfootsmells
22 Comments
 
LVL 9

Expert Comment

by:stressedout2004
ID: 16661944
Split tunneling should work just fine even when using RADIUS authentication. PIX does not support direct authentication to AD. You need to set up a RADIUS server and have that server authenticate against AD. In a Windows environment, you will need to set up Microsoft IAS and configure the PIX as a RADIUS client. You then have to create a Remote Access Policy on the IAS that will bind the existing groups/users on the Microsoft Active Directory that are allowed access to the VPN. The user account on the AD must have "Remote Access Permission" set to "Allow access". That link you referenced did not show the process of creating a remote access policy, so it is a bit confusing. It's the IAS that ties into the AD, not the PIX itself. Hope it helps.
 
LVL 5

Author Comment

by:myfootsmells
ID: 16661962
Do you have a link that shows how to create a remote access policy?
 
LVL 5

Author Comment

by:myfootsmells
ID: 16662517
Um, lrmoore, isn't that what I linked to in my first post?
 
LVL 79

Expert Comment

by:lrmoore
ID: 16662687
D'OH! Must need more coffee....

>How does this method tie into Active Directory?
IAS is completely integrated with AD already. You choose the users/groups that have permissions.. stressedout explained that pretty well.

>Will split tunneling work using RADIUS authentication?
Of course! The authentication is only to establish the tunnel. The tunnel policies determine what traffic is encrypted, or not, through the tunnel..
 
LVL 5

Author Comment

by:myfootsmells
ID: 16662726
Strange, I'm looking at a user and I'm not seeing where to give them permissions =(
 
LVL 5

Author Comment

by:myfootsmells
ID: 16662769
Mm, never mind, I have to use the AD Users & Computers snap-in from the actual DC; I can't use the admin tools on my computer.  Let me give it another shot.
 
LVL 5

Author Comment

by:myfootsmells
ID: 16662820
Now following those directions.  Check out the section about configuring IAS w/ Win2k3.  Step 6 says to create a user with password cisco123.  Is there some significance as to why he chose the same password as the shared secret password?

Also, Step 1 of that same section asks for IP: 10.66.79.44, this is the IP of my Cisco PIX right?

Thanks.
 
LVL 9

Expert Comment

by:stressedout2004
ID: 16664355
>>>>Step 1 of that same section asks for IP: 10.66.79.44, this is the IP of my Cisco PIX right?

Yup, that's correct. But this will pretty much depend on where the IAS is in your network: if it is on the inside network, then this would be the PIX inside IP address; if IAS is on the outside network, then this would be the PIX outside interface IP.

>>>>Now following those directions.  Check out the Section about configuring IAS w/ Win2k3.  Step 6 it says create a user with password cisco123 .  Is there some significance as to why he choose the same password as the shared secret password?

Nope, not at all. The shared secret key is what the IAS and the PIX use to authenticate each other, while the password on that link refers to the password that the VPN client uses. They are not connected in any way.

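To make the distinction above concrete (the RADIUS shared secret that the PIX and IAS use with each other, versus the VPN user's own password that IAS checks against AD), here is an added Python model of one PAP Access-Request/Access-Accept exchange as RFC 2865 specifies it. This is example code written for this page, not code from the thread, from Cisco or from Microsoft. The user store with the constructed user vpntest and its password stands in for the AD account check, the secrets are constructed, and the pap_allowed flag stands in for the policy's allowed-authentication-methods setting on the IAS side.

```python
import hashlib
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def encode_attrs(pairs):
    """Encode (type, value) pairs as RADIUS TLV attributes: type, length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def decode_attrs(data):
    attrs = {}
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2:
            break  # malformed attribute; stop rather than loop forever
        attrs[t] = data[2:length]
        data = data[length:]
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the chain runs over the hidden (ciphertext) blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, nas_ip, secret):
    """What the NAS (here the PIX) sends: the user's password is hidden with the shared secret."""
    request_auth = os.urandom(16)  # Request Authenticator: fresh random value per request
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def handle_access_request(packet, secret, user_store, pap_allowed=True):
    """Server side (standing in for IAS): recover the password, consult the user store
    (standing in for the AD account check) and apply the policy's allowed auth methods."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = decode_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    accepted = pap_allowed and user_store.get(user) == password
    resp_code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    return struct.pack("!BBH", resp_code, ident, 20) + response_authenticator(
        resp_code, ident, b"", request_auth, secret)


def verify_response(response, request, secret):
    """Client side: trust the reply only if its authenticator was computed with the same
    shared secret; returns the packet code, or None if the reply cannot be validated."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, response[20:length], request[4:20], secret)
    return code if response[4:20] == expected else None


def exchange(pix_secret, ias_secret, password, pap_allowed=True):
    """Run one PAP exchange end to end and return what the client side concludes."""
    user_store = {"vpntest": b"example-vpn-pass"}  # constructed stand-in for the AD account
    req = build_access_request(7, "vpntest", password, "10.0.1.250", pix_secret)
    resp = handle_access_request(req, ias_secret, user_store, pap_allowed)
    return verify_response(resp, req, pix_secret)
```

With matching secrets and the right user password the client sees Access-Accept (code 2); a wrong user password, or a policy that does not allow PAP, yields Access-Reject (code 3). If the secret differs between the PIX and IAS, the server recovers a garbled password and rejects, and the client cannot even validate the reply, so the VPN client only ever reports that authentication failed and the IAS logs are where the real cause shows up. Note that the MD5/XOR hiding is weak protection for the password, which is one reason to keep the RADIUS path on the inside network as the aaa-server line in this thread does.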
 
LVL 5

Author Comment

by:myfootsmells
ID: 16686835
Sorry for the delay guys.  I have everything set up and when I connect via Cisco VPN and type in my username/password it says:

Secure VPN Connection terminated locally by the Client.
Reason 413:  User authentication failed.

Now I check the Event Log > Security and it shows:

5:23:39 Successful Network Logon
5:23:39 Special previleges assigned to new logon:
        User Name:   michael
        Domain:      ACME
        Logon ID:    (0x0,0x219A71FF)
        Privileges:  SeSecurityPrivilege
                     SeBackupPrivilege
                     SeRestorePrivilege
                     SeTakeOwnershipPrivilege
                     SeDebugPrivilege
                     SeSystemEnvironmentPrivilege
                     SeLoadDriverPrivilege
                     SeImpersonatePrivilege
                     SeEnableDelegationPrivilege
5:23:39 User Logoff: Username:  michael

Suggestions?
 
LVL 5

Author Comment

by:myfootsmells
ID: 16686849
I don't need any special entries in the access-list, do I?
 
LVL 79

Expert Comment

by:lrmoore
ID: 16687375
Double-check the IAS server setup, items 7 and 10 in the reference link.
Make sure it is set for RADIUS Standard, and PAP, SPAP only.
 
LVL 9

Expert Comment

by:stressedout2004
ID: 16694753
Also, go into your Active Directory and check the properties of the user you are using; make sure that "Remote Access Permission" is set to "Allow access".
 
LVL 5

Author Comment

by:myfootsmells
ID: 16695519
lrmoore & stressedout2004 -- checked and all are accurate.

Michael
myfootsmells
 
LVL 5

Author Comment

by:myfootsmells
ID: 16695523
Oh I checked in the Event Viewer > Application Log and there is an IAS error stating:

The description for Event ID ( 2 ) in Source ( IAS ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: michael, domain.local/MyBusiness/Users/Michael, 10.10.10.250, %%2147483686, %%2147483686, 99.99.102.140, Pix, 10.10.10.250, %%2147483686, 8, Use Windows authentication for all users, %%2147483688, %%2147483685, Small Business Remote Access Policy, PAP, %%2147483685, 66, %%4162.
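The thread never decodes that event, so here is an added parser for it, written for this page (not Microsoft's code and not from the thread). The field order is my understanding of how IAS lays out the inserts of its Event ID 2 ("user was denied access") message, and the reason codes are the few I recall from the IAS reason-code table; verify both against your own IAS documentation before relying on them. The sample input is the event text quoted above, unchanged.

```python
# Fields of an IAS Event ID 2 message in the order IAS inserts them
# (assumption: from my reading of the IAS event layout; verify locally).
EVENT2_FIELDS = [
    "user", "fully_qualified_user_name", "nas_ip_address", "nas_identifier",
    "called_station_id", "calling_station_id", "client_friendly_name",
    "client_ip_address", "nas_port_type", "nas_port", "proxy_policy_name",
    "authentication_provider", "authentication_server", "policy_name",
    "authentication_type", "eap_type", "reason_code", "reason",
]

# IAS reason codes as I recall them from the IAS reason-code table (assumption; verify).
REASON_CODES = {
    "16": "authentication failure: the credentials were rejected",
    "48": "no remote access policy matched the request",
    "65": "the account's Remote Access Permission (dial-in) setting denies access",
    "66": "the authentication method used is not enabled on the matching remote access policy",
}

MARKER = "The following information is part of the event:"

# The event text quoted in the thread above.
SAMPLE_EVENT = (
    "The description for Event ID ( 2 ) in Source ( IAS ) cannot be found. The local "
    "computer may not have the necessary registry information or message DLL files to "
    "display messages from a remote computer. You may be able to use the /AUXSOURCE= flag "
    "to retrieve this description; see Help and Support for details. " + MARKER + " "
    "michael, domain.local/MyBusiness/Users/Michael, 10.10.10.250, %%2147483686, "
    "%%2147483686, 99.99.102.140, Pix, 10.10.10.250, %%2147483686, 8, Use Windows "
    "authentication for all users, %%2147483688, %%2147483685, Small Business Remote "
    "Access Policy, PAP, %%2147483685, 66, %%4162."
)


def parse_ias_event2(text):
    """Split the raw event into named fields. A '%%<n>' value is an unresolved
    message-table string (the viewer lacked the IAS message DLL) and becomes None."""
    if MARKER not in text:
        raise ValueError("not an unresolved IAS event message")
    body = text.split(MARKER, 1)[1].strip().rstrip(".")
    values = [v.strip() for v in body.split(",")]
    if len(values) != len(EVENT2_FIELDS):
        raise ValueError(f"expected {len(EVENT2_FIELDS)} fields, got {len(values)}")
    return {k: (None if v.startswith("%%") else v) for k, v in zip(EVENT2_FIELDS, values)}


def diagnose(record):
    """Turn a parsed Event 2 into a short list of things to check on the IAS/AD side."""
    code = record["reason_code"]
    findings = [
        f"user '{record['user']}' denied via RADIUS client '{record['client_friendly_name']}' "
        f"({record['nas_ip_address']}) under policy '{record['policy_name']}': "
        f"reason {code}: {REASON_CODES.get(code, 'unknown code, look it up')}"
    ]
    if code == "66":
        findings.append(
            f"policy '{record['policy_name']}' does not allow {record['authentication_type']}; "
            f"enable it on the policy profile's Authentication tab")
    elif code == "65":
        findings.append(
            f"set Remote Access Permission to 'Allow access' on the '{record['user']}' account")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_ias_event2(SAMPLE_EVENT)):
        print(line)
```

Run against the message above, it reports reason code 66 with authentication type PAP, which points at the policy's allowed authentication methods rather than at the user's credentials; that is consistent with the advice given earlier in the thread to set the policy to PAP/SPAP, and with the Security log showing a successful network logon immediately before the rejection.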
 
LVL 9

Expert Comment

by:stressedout2004
ID: 16702954
Can you post the relevant config of your PIX such as the aaa configurations and the crypto part?
 
LVL 5

Author Comment

by:myfootsmells
ID: 16702980
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password p4LFSZBbEUfgFt4b encrypted
passwd p4LFSZBbEUfgFt4b encrypted
hostname pixfirewall
domain-name acme.local
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outbound remark SquirrelMail
access-list outbound permit tcp any any eq 2095
access-list outbound remark mySQL for Cranium
access-list outbound permit tcp any any eq 25000
access-list outbound remark Skype
access-list outbound permit udp any any eq 43866
access-list outbound permit udp any any eq ntp
access-list outbound remark MS RAS Machine
access-list outbound permit tcp any any eq 1733
access-list outbound remark MS RAS Machine
access-list outbound permit udp any any eq netbios-ns
access-list outbound remark Remote Web Workplace
access-list outbound permit tcp any any eq 4125
access-list outbound remark Red5
access-list outbound permit tcp any any eq 1935
access-list outbound remark HTTP
access-list outbound permit tcp any any eq 8080
access-list outbound remark HTTP
access-list outbound permit tcp any any eq www
access-list outbound permit tcp any any eq ftp
access-list outbound permit tcp any any eq imap4
access-list outbound permit tcp any any eq https
access-list outbound permit tcp any any eq smtp
access-list outbound remark RDP
access-list outbound permit tcp any any eq 3389
access-list outbound permit tcp any any eq pptp
access-list outbound remark SSL POP
access-list outbound permit tcp any any eq 995
access-list outbound remark MSN Messenger
access-list outbound permit tcp any any eq 1863
access-list outbound permit tcp any any eq aol
access-list outbound remark Jabber/GTalk
access-list outbound permit tcp any any eq 5222
access-list outbound remark MySQL
access-list outbound permit tcp any any eq 3306
access-list outbound remark Windows SharePoint
access-list outbound permit tcp any any eq 444
access-list outbound remark Plesk Admin for acmeagency.com
access-list outbound permit tcp any any eq 8443
access-list outbound permit tcp any any eq ssh
access-list outbound remark Allow outbound ping
access-list outbound permit icmp any any echo
access-list outbound remark Allow incoming PPTP VPN from outside.
access-list outbound permit gre any any
access-list outbound remark DNS
access-list outbound permit udp any any eq domain
access-list outbound remark Block all outgoing traffic
access-list outbound deny ip any any
access-list inbound permit tcp any interface outside eq www
access-list inbound permit tcp any interface outside eq imap4
access-list inbound permit tcp any interface outside eq https
access-list inbound permit tcp any interface outside eq smtp
access-list inbound remark RDP
access-list inbound permit tcp any interface outside eq 3389
access-list inbound permit tcp any interface outside eq pptp
access-list inbound remark Windows SharePoint
access-list inbound permit tcp any interface outside eq 444
access-list inbound permit icmp any any echo-reply
access-list inbound remark Remote Web Workplace
access-list inbound permit tcp any interface outside eq 4125
access-list inside_outbound_nat0_acl permit ip any 10.0.1.128 255.255.255.128
access-list outside_cryptomap_dyn_20 permit ip any 10.0.1.128 255.255.255.128
pager lines 24
logging on
logging trap errors
logging host inside 10.0.1.6 format emblem
logging host inside 10.0.1.41 format emblem
mtu outside 1500
mtu inside 1500
ip address outside 99.99.102.140 255.255.255.224
ip address inside 10.0.1.250 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.0.1.150-10.0.1.199
pdm location 10.0.1.1 255.255.255.255 inside
pdm location 10.0.1.210 255.255.255.255 inside
pdm location 10.0.1.6 255.255.255.255 inside
pdm location 10.0.1.41 255.255.255.255 inside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 10.0.1.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface imap4 10.0.1.1 imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 10.0.1.1 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.0.1.210 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 10.0.1.1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 10.0.1.1 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 10.0.1.1 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 10.0.1.1 4125 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 64.171.65.161 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 10.0.1.1 superpassword timeout 10
aaa-server LOCAL protocol local
http server enable
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup acmeremote address-pool ippool
vpngroup acmeremote dns-server 10.0.1.1 10.0.1.6
vpngroup acmeremote wins-server 10.0.1.1 10.0.1.6
vpngroup acmeremote default-domain acme.local
vpngroup acmeremote idle-time 1800
vpngroup acmeremote password ********
telnet timeout 5
ssh 10.0.1.41 255.255.255.255 inside
ssh 10.0.1.1 255.255.255.255 inside
ssh 10.0.1.6 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd address 10.0.1.251-10.0.1.254 inside
dhcpd dns 206.13.29.12 206.13.30.12
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:54e8abb6be1b80faeb8dd80d5d0579b7
: end
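Reading a PIX config like the one above by eye is error-prone, so here is an added consistency check written for this page (not Cisco's tooling and not from the thread). The excerpt is copied from the config above with the RADIUS key elided; the rules it applies are my own assumptions about what has to line up for a Cisco VPN Client connection with RADIUS authentication: the vpngroup's address pool must exist, the pool must be covered by the nat 0 ACL and by the dynamic crypto map's match ACL, and the crypto map's client authentication must name an aaa-server group that actually has a host.

```python
import ipaddress
import re

# Lines copied from the PIX 6.3 config posted above (RADIUS key elided).
PIX_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip any 10.0.1.128 255.255.255.128
access-list outside_cryptomap_dyn_20 permit ip any 10.0.1.128 255.255.255.128
ip local pool ippool 10.0.1.150-10.0.1.199
nat (inside) 0 access-list inside_outbound_nat0_acl
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.1.1 KEY-ELIDED timeout 10
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
vpngroup acmeremote address-pool ippool
"""


def parse_pix(config):
    """Pull out the pieces that tie the client pool, NAT 0, the crypto ACL and AAA together."""
    cfg = {"pools": {}, "acl_nets": {}, "nat0_acl": None, "dyn_acls": [],
           "aaa_hosts": {}, "client_auth": None, "group_pools": {}}
    for line in config.splitlines():
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            cfg["pools"][m[1]] = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
        elif m := re.match(r"access-list (\S+) permit ip any (\S+) (\S+)$", line):
            cfg["acl_nets"].setdefault(m[1], []).append(ipaddress.IPv4Network((m[2], m[3])))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            cfg["nat0_acl"] = m[1]
        elif m := re.match(r"crypto dynamic-map \S+ \d+ match address (\S+)", line):
            cfg["dyn_acls"].append(m[1])
        elif m := re.match(r"aaa-server (\S+) \(\S+\) host (\S+)", line):
            cfg["aaa_hosts"].setdefault(m[1], []).append(m[2])
        elif m := re.match(r"crypto map \S+ client authentication (\S+)", line):
            cfg["client_auth"] = m[1]
        elif m := re.match(r"vpngroup (\S+) address-pool (\S+)", line):
            cfg["group_pools"][m[1]] = m[2]
    return cfg


def _range_covered(lo, hi, nets):
    """True if one of the ACL destination networks contains the whole pool range."""
    return any(lo in n and hi in n for n in nets)


def check_vpn_config(config):
    """Return a list of findings; an empty list means the pieces are consistent."""
    cfg = parse_pix(config)
    findings = []
    for group, pool_name in cfg["group_pools"].items():
        if pool_name not in cfg["pools"]:
            findings.append(f"vpngroup {group}: address-pool {pool_name} is not defined")
            continue
        lo, hi = cfg["pools"][pool_name]
        nat0_nets = cfg["acl_nets"].get(cfg["nat0_acl"], [])
        if not _range_covered(lo, hi, nat0_nets):
            findings.append(f"pool {pool_name} ({lo}-{hi}) is not covered by the nat 0 ACL "
                            f"{cfg['nat0_acl']}, so client traffic would be NATed")
        for acl in cfg["dyn_acls"]:
            if not _range_covered(lo, hi, cfg["acl_nets"].get(acl, [])):
                findings.append(f"pool {pool_name} ({lo}-{hi}) is not matched by crypto ACL "
                                f"{acl}, so the dynamic crypto map would not select it")
    auth = cfg["client_auth"]
    if auth is None:
        findings.append("crypto map has no 'client authentication' line, so users are never "
                        "asked for credentials")
    elif not cfg["aaa_hosts"].get(auth):
        findings.append(f"crypto map authenticates against aaa-server group {auth}, "
                        f"but that group has no host")
    return findings


if __name__ == "__main__":
    print(check_vpn_config(PIX_CONFIG) or "no findings")
```

On the posted excerpt the check comes back clean, which agrees with the next reply that the PIX side looks good and that the problem is on the IAS side. Shrinking the pool to start at 10.0.1.100 would be flagged twice (it falls outside the /25 used by both ACLs), and dropping the aaa-server host line would be flagged as a RADIUS group with nothing to talk to.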
 
LVL 9

Accepted Solution

by:stressedout2004 (earned 1000 total points)
ID: 16718352
The configuration looks good on the PIX. Now back to IAS: are IAS and AD on the same computer? If not, make sure that the computer where IAS runs is a member of the domain. On the AD side, what security group is the IAS computer a member of?

To simulate your issue, I installed IAS on a Win2K3 machine and joined it to the domain. After that I did the following:

1) Created a new radius client with the following setting:

a) Friendly name: PIX
b) IP address: 10.1.1.1
c) Client-Vendor: Radius Standard
d) Shared secret: xxxxx

2) Modified "connection to other access servers" under the Remote Access Policies with the following setting:

a) Enabled "Grant Remote Access Permission"
b) Clicked on Edit profile and made the following changes:
- Under the Authentication tab I enabled all authentication protocols and left "Unauthenticated Access" unchecked.
- Under the Encryption tab everything is enabled, including "No encryption".
c) The rest of the settings are left as default.

3) Accessed my AD, which is on a different computer, and made the following changes:

a) Created a user called vpntest and, under the "Dial-in" tab in that user's properties, enabled "Allow access" under Remote Access Permission.

b) Created a new group called ipsec-client and made "vpntest" a member.

c)  On the AD, under "computer" I made my IAS server a member of the RAS and IAS group

4) On the PIX, added the necessary configuration. Same as what you have.

I was able to authenticate without any problem.
 
LVL 5

Author Comment

by:myfootsmells
ID: 16719949
I will give it a shot.  Question though: step 1b, the IP address 10.1.1.1, is that the IP address of the PIX or the IAS server?
 
LVL 5

Author Comment

by:myfootsmells
ID: 16720044
My IAS server is the domain controller, therefore I didn't think steps 3b and 3c were necessary.  Also, the DC is part of the RAS and IAS security group.
 
LVL 5

Author Comment

by:myfootsmells
ID: 16720097
Another question: why did you make vpntest a member of ipsec-client?
 
LVL 79

Assisted Solution

by:lrmoore (earned 1000 total points)
ID: 16720999
1b  is the IP address of the PIX
