cantonee
asked on
Cisco ASA 5520 and Server 2003 IAS Frustruation 500pt
I have a group in my Active Directory specifically for those users I want to Grant VPN access. I have checked all of their rights to insure that their dial-in access is granted and defined by Remote Access Policy. I have installed IAS on a Server 2003 Domain Controller/Global Catalog and defined the policy to only allow members of this group access. I have changed the profiles in the policies to allow for PAP and Unencrypted Access, to facilitate the hand off from my Cisco ASA 5520. I have the server authorized in Active Directory and the ASA listed as a Radius client. I have setup the AAA Server group and defined this server as my Radius server using standard protocol, and assigned this group to my VPNTunnel Group and default web VPN group policy on my ASA. HOWEVER, I am still not able to get my Server 2003 RADIUS Server to control the access to the VPN. The only users that are allowed are users I put in the ASA's local database or whatever username corresponds to the "common password" in the AAA Server setup. Please tell me I'm overlooking something minute. To my knowledge, I've tried everything. Thanks so much- JK
ASKER
The authentication server is set to my AAA Server Group, the only member being the IAS Server, the same for the authorization server. Ican test the Authentication from the ASA and it is always successful. I agree with what you said. I have tried the same exact setup, minus the additional entry in the Remote Access Policy on my IAS to restrict access to the VPN Group, still no success. Thanks for the reply- JK
can you post the relevant parts of your config (aaa-server, group-policy, and tunnel-group I believe)
I have the same setup at work (minus the vpn group limitation, haven't implemented that part yet) so I know I can help you get this working. you post what you have, then tomorrow when I get to work, I'll post what I have working for my sites
I have the same setup at work (minus the vpn group limitation, haven't implemented that part yet) so I know I can help you get this working. you post what you have, then tomorrow when I get to work, I'll post what I have working for my sites
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
And since I cant edit my previous post... That verify button on the IAS server is not for validating the handshake.. I havent looked at that in quite a while but I just remembered that its for verifying the hostname so you can skip that part about clicking the verify button in step 1 of the IAS config
ASKER
Hi bdh113-
Thank you for the very much for the comprehensive response. You may find this hard to believe, but I have done each and every one of the things that you have mentioned. The one thing that really sticks out to me, is the "pre-shared key/ group authorization password. I think this is where things are going wrong for me. In the setup, where it asks for the "common password" if I supply the password for a user that is in the Active Directory Group "VPNAccess" (the one I have defined in the IAS Policy) this user will authorize and authenticate, flawlessly. However, I need all the members of the Group to have this same authorization....can you assign a common password to a Group? I obviously do not want them to all have the same password......Thanks again.
Thank you for the very much for the comprehensive response. You may find this hard to believe, but I have done each and every one of the things that you have mentioned. The one thing that really sticks out to me, is the "pre-shared key/ group authorization password. I think this is where things are going wrong for me. In the setup, where it asks for the "common password" if I supply the password for a user that is in the Active Directory Group "VPNAccess" (the one I have defined in the IAS Policy) this user will authorize and authenticate, flawlessly. However, I need all the members of the Group to have this same authorization....can you assign a common password to a Group? I obviously do not want them to all have the same password......Thanks again.
what bdh113s is virtually identical to what I had
???
so it is working then
you can't assign passwords to AD groups. you can assign pre-shared-keys to the tunnel-groups (like you already have). authentication beyond that is per user. this is by design so if you have one user that you want to disable, you don't have to change the password on the group and get it to everyone, easier mgmt basically
???
so it is working then
you can't assign passwords to AD groups. you can assign pre-shared-keys to the tunnel-groups (like you already have). authentication beyond that is per user. this is by design so if you have one user that you want to disable, you don't have to change the password on the group and get it to everyone, easier mgmt basically
I'm actually confused by your use of "common password" . Are you talking about the tunnel group pre shared key? Here are the line items that reference this password on the ASA:
tunnel-group <your tunnel name> ipsec-attributes
pre-shared-key <your group auth password>
If you are indeed talking about this password, then you are correct that this password must be the SAME on every client. Keep in mind that this is NOT the password they use to log in, but rather the password you configure inthe ipsec VPNClient for group authentication. When you create a new connection on the vpn client, one of the tabs below says authentication. This tab says name and password. The name listed here is the tunnel-group name you configured on the ASA. The password is the password I mentioned above. This is the same for all users.
When the users connect they send this group name and password to the ASA which defines which settings and security they receive from the ASA. The ASA then responds by prompting them for their personal username and password which will be their Active directory username and password if they were configured as per my previous post.
If this is not the password you are referring to, then please explain a little further what you are looking for.
This may sound like a silly question, but are you seeing RADIUS info in the event logs on the IAS box? You should be seeing information about the users authenticating and whether or not it passes. Specifically, you will see the username, PAP, IP address, group membership, etc about the connection attempt and whether or not it passed the RADIUS checks.
If this doesn't help, let me know and I will post the syslog filters you can put in for VPN authentication troubleshooting.
tunnel-group <your tunnel name> ipsec-attributes
pre-shared-key <your group auth password>
If you are indeed talking about this password, then you are correct that this password must be the SAME on every client. Keep in mind that this is NOT the password they use to log in, but rather the password you configure inthe ipsec VPNClient for group authentication. When you create a new connection on the vpn client, one of the tabs below says authentication. This tab says name and password. The name listed here is the tunnel-group name you configured on the ASA. The password is the password I mentioned above. This is the same for all users.
When the users connect they send this group name and password to the ASA which defines which settings and security they receive from the ASA. The ASA then responds by prompting them for their personal username and password which will be their Active directory username and password if they were configured as per my previous post.
If this is not the password you are referring to, then please explain a little further what you are looking for.
This may sound like a silly question, but are you seeing RADIUS info in the event logs on the IAS box? You should be seeing information about the users authenticating and whether or not it passes. Specifically, you will see the username, PAP, IP address, group membership, etc about the connection attempt and whether or not it passed the RADIUS checks.
If this doesn't help, let me know and I will post the syslog filters you can put in for VPN authentication troubleshooting.
ASKER
I put the IAS server on another box, only difference being that this one is Server 2003 Ent. Ed. and it took right off and worked. I didn't change a thing. One thing I have noticed is that when you uninstall and reinstall IAS on Server 2003 it doesn't reinstall all the factory defaults. I must have screwed up one of my Remote Access policies while I was tinkering. Once I applied only what I needed on the new IAS, it worked perfectly. bdh113 this post will undoubtedly help people trying to accomplish the same thing I am. Your post will help them immensely. Thanks-
honestly what I'd try first though is allow anyone in AD to vpn in. that will allow us to see if the authentication against the AD at least works. from there we can work on the AD group specification