Solved

Cisco ASA 5520 and Server 2003 IAS Frustration 500pt

Posted on 2007-03-27
Last Modified: 2012-05-05
I have a group in my Active Directory specifically for those users I want to grant VPN access.  I have checked all of their rights to ensure that their dial-in access is granted and defined by Remote Access Policy.  I have installed IAS on a Server 2003 Domain Controller/Global Catalog and defined the policy to only allow members of this group access.  I have changed the profiles in the policies to allow for PAP and unencrypted access, to facilitate the hand-off from my Cisco ASA 5520.  I have the server authorized in Active Directory and the ASA listed as a RADIUS client.  I have set up the AAA server group and defined this server as my RADIUS server using the standard protocol, and assigned this group to my VPNTunnel group and default WebVPN group policy on my ASA.  HOWEVER, I am still not able to get my Server 2003 RADIUS server to control access to the VPN.  The only users that are allowed are users I put in the ASA's local database, or whatever username corresponds to the "common password" in the AAA server setup.  Please tell me I'm overlooking something minute.  To my knowledge, I've tried everything.  Thanks so much- JK
Question by:cantonee
9 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 18804934
For your tunnel-group, what is the authentication server set up as?  To me it seems like it's set to local.

Honestly, what I'd try first is allowing anyone in AD to VPN in.  That will let us see if the authentication against AD at least works.  From there we can work on the AD group specification.

Author Comment

by:cantonee
ID: 18805035
The authentication server is set to my AAA server group, the only member being the IAS server; the same for the authorization server.  I can test the authentication from the ASA and it is always successful.  I agree with what you said.  I have tried the same exact setup, minus the additional entry in the Remote Access Policy on my IAS to restrict access to the VPN group, still with no success.  Thanks for the reply- JK
LVL 25

Expert Comment

by:Cyclops3590
ID: 18805135
Can you post the relevant parts of your config (aaa-server, group-policy, and tunnel-group, I believe)?
I have the same setup at work (minus the VPN group limitation; haven't implemented that part yet), so I know I can help you get this working.  You post what you have, then tomorrow when I get to work I'll post what I have working for my sites.
LVL 2

Accepted Solution

by: bdh113s (earned 500 total points)
ID: 18805177
I thought I would give you some example config so you can see where yours might be whacked.  Here is everything on the ASA you need, minus the DHCP config and crypto.  Obviously there are a ton of assumptions in this config, like the use of an internal address pool on the ASA rather than proxying addresses from an internal DHCP server, so please modify as you see fit.

aaa-server RADIUS protocol radius
aaa-server RADIUS host <your radius IP>
 key <your radius shared key>
group-policy <your policy name> internal
group-policy <your policy name> attributes
 wins-server value <your wins server(s)>
 dns-server value <your dns server(s)>
 vpn-idle-timeout 20
 vpn-session-timeout 480
 default-domain value <your internal domain>
tunnel-group <your tunnel name> type ipsec-ra
tunnel-group <your tunnel name> general-attributes
 address-pool <your dhcp pool>
 authentication-server-group RADIUS
 default-group-policy <your policy name>
tunnel-group <your tunnel name> ipsec-attributes
 pre-shared-key <your group auth password>

Now for the Windows 2003 IAS server

1.  Verify the clients are handshaking by using the Verify button in Windows 2003
2.  Create a policy for the ipsec clients in the IAS admin console.  The policy should be:

NAS-Port-Type = Virtual VPN AND Windows-Groups matches "domain\group name".  
if connection attempt matches this condition, GRANT access.

3.  Edit the profile of this remote access policy and under the authentication tab, verify that you have PAP selected as this is the method the ASA will use.

4.  Under connection request processing in the IAS admin console, verify you have not removed the default entry which should read: Use Windows authentication for all users.  This entry should match all connections made every day, all the time.  (If you check the constraints it should have everything highlighted)

Now for the Active Directory part

1.  In active directory, make sure the user is a member of the security group you specified above in the remote access policy.  

2.  Make sure they have "Allow access" or "Control access through Remote Access Policy" under the Dial-in tab when viewing their AD user object details.

Now try to connect using one of the IDs you gave permissions to.  Watch the IAS logs as they will almost always tell you what is going on.  

A few side notes to keep in mind... That radius handshake will not pass for any of the following reasons:
1.  The windows account is locked out
2.  The account requires a password reset at next logon
3.  The account is disabled
4.  The account does not have dial-in permission
5.  The account is not in the windows group specified in the policy

This also becomes more complex if you add Sites and Services into the mix, because the IAS server "should" be asking your local DC.  If this hiccups at all, it might ask a DC at a different location where the group membership, account lockout, dial-in permission, etc. may not yet be replicated... which makes your life a little more difficult.  (This is not a common problem, but I have seen it.)

Let me know if you need anything else or if this doesn't solve your issue.  I can also post some good syslog filters you can run for VPN auth troubleshooting.
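The RADIUS exchange that bdh113s's config sets up, as an added worked example (my code, not from the thread, Cisco or Microsoft): the ASA hides the user's PAP password under the shared key, IAS recovers it, runs the account and policy checks listed above in order, and signs its answer with a Response Authenticator that the ASA verifies with the same key. The in-memory user store, the group name VPNAccess and the exact order of the checks are assumptions for illustration; the packet layout and password hiding follow RFC 2865.

```python
"""RADIUS PAP round trip modelled on the ASA-to-IAS hand-off in this thread.
Added example, not code from the thread, Cisco or Microsoft.  Packet layout,
User-Password hiding and the Response Authenticator follow RFC 2865 (sections 3,
5.2).  DIRECTORY, REQUIRED_GROUP and the order of the checks are assumptions."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, NAS_PORT_TYPE = 1, 2, 18, 61
NAS_PORT_TYPE_VIRTUAL = 5      # RFC 2865 "Virtual": what the IAS policy condition keys on
REQUIRED_GROUP = "VPNAccess"   # assumed AD group named in the Windows-Groups condition

# Constructed stand-in for the AD accounts IAS would consult (not real accounts).
DIRECTORY = {
    "alice": dict(password="S3cret!", groups={"VPNAccess"}, enabled=True, locked=False, dialin=True),
    "bob":   dict(password="hunter2", groups=set(),         enabled=True, locked=False, dialin=True),
    "carol": dict(password="pw",      groups={"VPNAccess"}, enabled=True, locked=True,  dialin=True),
}

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; this is what the server recovers before the PAP check."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(h ^ s for h, s in zip(block, stream))
        prev = block
    return out.rstrip(b"\x00")

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value   # Type, Length (incl. header), Value

def parse_attrs(data):
    attrs = {}
    while len(data) >= 2:
        kind, length = data[0], data[1]
        if length < 2:
            break                      # malformed attribute: stop rather than loop forever
        attrs[kind] = data[2:length]
        data = data[length:]
    return attrs

def build_access_request(ident, username, password, secret):
    """What the NAS (the ASA) sends for a PAP login."""
    req_auth = os.urandom(16)          # Request Authenticator: fresh random value per request
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def handle_access_request(packet, secret):
    """Server side: PAP check, then the account and policy checks from the accepted answer.
    Returns (response_packet, outcome); outcome is the reason the server would log."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    port_type = struct.unpack("!I", attrs.get(NAS_PORT_TYPE, b"\x00" * 4))[0]
    user = DIRECTORY.get(username)
    if code != ACCESS_REQUEST:
        outcome = "unexpected packet type"
    elif user is None or not hmac.compare_digest(user["password"].encode(), password):
        outcome = "authentication failure"   # wrong password, or the two sides' shared keys differ
    elif not user["enabled"]:
        outcome = "account disabled"
    elif user["locked"]:
        outcome = "account locked out"
    elif not user["dialin"]:
        outcome = "dial-in permission denied"
    elif port_type != NAS_PORT_TYPE_VIRTUAL or REQUIRED_GROUP not in user["groups"]:
        outcome = "no matching remote access policy"
    else:
        outcome = "ok"
    resp_code = ACCESS_ACCEPT if outcome == "ok" else ACCESS_REJECT
    resp_attrs = attr(REPLY_MESSAGE, outcome.encode())
    header = struct.pack("!BBH", resp_code, ident, 20 + len(resp_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + resp_attrs + secret).digest()
    return header + resp_auth + resp_attrs, outcome

def response_is_authentic(response, request, secret):
    """NAS side: a bad Response Authenticator means a forged reply or mismatched shared keys."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def vpn_login(username, password, nas_secret, server_secret=None):
    """Run both sides in-process. Returns (accepted, server_outcome, reply_authentic)."""
    server_secret = nas_secret if server_secret is None else server_secret
    request = build_access_request(1, username, password, nas_secret)
    response, outcome = handle_access_request(request, server_secret)
    return response[0] == ACCESS_ACCEPT, outcome, response_is_authentic(response, request, nas_secret)
```

Two things the code makes visible. A wrong shared key does not show up as a clean reject: the server decodes garbage and logs an authentication failure, and because it signs its reply with its own key, the reply fails the authenticator check on the NAS side, which by RFC 2865 must discard it; on the ASA that looks like a server that never answers. Separately, the "common password" the question mentions is a different knob from anything in this exchange: on the ASA it is `radius-common-pw` under the aaa-server host, used as the User-Password only when the tunnel-group also does RADIUS authorization (that second Access-Request has to carry some password), and IAS checks it against AD like any other, which is consistent with only the user whose AD password equals it getting through.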
LVL 2

Expert Comment

by:bdh113s
ID: 18805197
And since I can't edit my previous post... That Verify button on the IAS server is not for validating the handshake.  I haven't looked at that in quite a while, but I just remembered that it's for verifying the hostname, so you can skip that part about clicking the Verify button in step 1 of the IAS config.

Author Comment

by:cantonee
ID: 18807366
Hi bdh113-
Thank you very much for the comprehensive response.  You may find this hard to believe, but I have done each and every one of the things that you have mentioned.  The one thing that really sticks out to me is the "pre-shared key/group authorization password".  I think this is where things are going wrong for me.  In the setup, where it asks for the "common password", if I supply the password for a user that is in the Active Directory group "VPNAccess" (the one I have defined in the IAS policy), this user will authorize and authenticate flawlessly.  However, I need all the members of the group to have this same authorization....can you assign a common password to a group?  I obviously do not want them to all have the same password......Thanks again.
LVL 25

Expert Comment

by:Cyclops3590
ID: 18807397
What bdh113s posted is virtually identical to what I had.

???
So it is working then?

You can't assign passwords to AD groups.  You can assign pre-shared keys to the tunnel-groups (like you already have).  Authentication beyond that is per user.  This is by design: if you have one user that you want to disable, you don't have to change the password on the group and get it out to everyone.  Easier management, basically.
LVL 2

Expert Comment

by:bdh113s
ID: 18807545
I'm actually confused by your use of "common password" .  Are you talking about the tunnel group pre shared key?  Here are the line items that reference this password on the ASA:

tunnel-group <your tunnel name> ipsec-attributes
 pre-shared-key <your group auth password>

If you are indeed talking about this password, then you are correct that this password must be the SAME on every client.  Keep in mind that this is NOT the password they use to log in, but rather the password you configure in the IPsec VPN Client for group authentication.  When you create a new connection on the VPN client, one of the tabs below says Authentication.  This tab says Name and Password.  The name listed here is the tunnel-group name you configured on the ASA.  The password is the password I mentioned above.  This is the same for all users.

When the users connect they send this group name and password to the ASA which defines which settings and security they receive from the ASA.  The ASA then responds by prompting them for their personal username and password which will be their Active directory username and password if they were configured as per my previous post.

If this is not the password you are referring to, then please explain a little further what you are looking for.

This may sound like a silly question, but are you seeing RADIUS info in the event logs on the IAS box?  You should be seeing information about the users authenticating and whether or not it passes.  Specifically, you will see the username, PAP, IP address, group membership, etc about the connection attempt and whether or not it passed the RADIUS checks.

If this doesn't help, let me know and I will post the syslog filters you can put in for VPN authentication troubleshooting.
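The IAS-side view bdh113s points to, as an added example (my code, not from the thread or from Microsoft): a small triage script that parses the `Name = value` body of an IAS "denied access" event in the layout Windows Server 2003 IAS writes to the System event log, and turns the Reason-Code and a few other fields into the next check from the list in the accepted answer. The sample event is constructed, and the reason-code table is from the IAS reason-code list as I recall it; the event's own Reason text is kept as the fallback so the mapping can be checked against a real server.

```python
"""Triage an IAS 'denied access' event against the checklist in this thread.
Added example, not code from the thread or Microsoft.  SAMPLE_EVENT is constructed
in the 'Name = value' layout of Windows Server 2003 IAS event-log entries; the
field names and REASON_HINTS are assumptions from memory of that release."""
import re

SAMPLE_EVENT = """\
User jdoe was denied access.
 Fully-Qualified-User-Name = CONTOSO\\jdoe
 NAS-IP-Address = 192.0.2.1
 Client-Friendly-Name = ASA5520
 Client-IP-Address = 192.0.2.1
 NAS-Port-Type = Virtual
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Policy-Name = <undetermined>
 Authentication-Type = PAP
 Reason-Code = 48
 Reason = The connection attempt did not match any remote access policy.
"""

# IAS reason codes matching the failure list in the accepted answer (assumed; verify
# against the Reason text your own events carry).
REASON_HINTS = {
    16: "bad password; a shared key that differs between the ASA and the IAS client entry "
        "also decodes to a wrong password",
    33: "account must change password at next logon",
    34: "account disabled in AD",
    36: "account locked out in AD",
    48: "no remote access policy matched: check NAS-Port-Type = Virtual (VPN) and the "
        "Windows-Groups condition, and that the user is really in that group",
    65: "dial-in permission denied: set Allow access or Control access through Remote "
        "Access Policy on the user's Dial-in tab",
    66: "authentication method rejected by the policy profile: enable PAP for the ASA",
}

def parse_ias_event(text):
    """Return the 'Name = value' fields as a dict, plus the first line under '_outcome'."""
    lines = text.strip().splitlines()
    fields = {"_outcome": lines[0].strip()}
    for line in lines[1:]:
        m = re.match(r"\s*([\w-]+)\s*=\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def triage(text):
    """List the checks a practitioner would make next, derived from the event fields."""
    f = parse_ias_event(text)
    if "denied" not in f["_outcome"]:
        return ["access granted; nothing to fix on the IAS side"]
    findings = []
    code = int(f.get("Reason-Code", -1))
    findings.append(f"reason {code}: {REASON_HINTS.get(code, f.get('Reason', 'unknown reason'))}")
    if f.get("Authentication-Type", "").upper() != "PAP":
        findings.append("authentication type is not PAP; the ASA sends PAP, so the policy "
                        "profile must allow it")
    if not f.get("NAS-Port-Type", "").startswith("Virtual"):
        findings.append("NAS-Port-Type is not Virtual; a policy conditioned on Virtual (VPN) "
                        "will never match this request")
    return findings
```

Run it over the text of each event ID 2 entry from the System log; for a denial it prints one line per thing to check, starting with the reason code, so a run of identical reasons across users points at the policy or the ASA client entry rather than at individual accounts.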

Author Comment

by:cantonee
ID: 18898324
I put the IAS server on another box, the only difference being that this one is Server 2003 Enterprise Edition, and it took right off and worked.  I didn't change a thing.  One thing I have noticed is that when you uninstall and reinstall IAS on Server 2003, it doesn't reinstall all the factory defaults.  I must have screwed up one of my Remote Access Policies while I was tinkering.  Once I applied only what I needed on the new IAS, it worked perfectly.  bdh113, this post will undoubtedly help people trying to accomplish the same thing I am.  Your post will help them immensely.  Thanks-