Solved

WebVPN logon Assistance

Posted on 2007-12-06
4
2,940 Views
Last Modified: 2013-11-16
I am attempting to set this up to allow remote access to an SBS 2003 server.  I am trying to use WebVPN with  SVC.  I have got it to the point where i can hit the outside interface from the Web but when i enter the login info  I get "login failed" and nothing happens.  I would like to use the SBS to authenticate and have radius set up.  When i test authentication from the ASA it works but i can't login.  I would be happy with local authentication if i could get that to work but no matter which method i chose i get the same results.  

I have some limited (mostly lab environment) experience with CISCO devices and this is my first experience with the ASA.  I have reconfigured it a number of times following the  guides from cisco.com.

Any help would be great. I am pulling my hair out!

Thanks
: Saved
:
ASA Version 7.2(2) 
!
hostname ASASherwood
domain-name xxxxxx.local
enable password FoveiR9xhgXB3gY1 encrypted
names
name 192.168.xxx.xxx xxxxx-server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.xxx.xxx.xxx 255.255.xxx.xxx 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.xxx.xxx 
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.xxx.xxx 255.255.xxx.xxx 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server xxxxxx-server
 name-server 4.2.2.2
 name-server 4.3.3.3
 domain-name xxxxxxxxx.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network xxxxxxxx
 description Internal Lan
 network-object 192.168.xxx.xxx 255.xxx.xxx.xxx
access-list inside_nat0_outbound extended permit ip any 192.168.xxx.xxx 255.255.xxx.xxx 
access-list inside_nat0_outbound extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.xxx.xxx 255.255.xxx.xxx 
access-list inside_nat0_outbound extended permit ip host xxxxxx-server 192.168.xxx.xxx 255.255.xxx.xxx
access-list dmz_access_in extended permit tcp interface outside interface dmz 
access-list dmz_access_out extended permit tcp interface dmz interface outside 
access-list outside_access_in extended permit tcp any eq https host scs-server eq https 
access-list outside_nat0_outbound extended permit ip host scs-server 192.168.xxx.xxx 255.255.xxx.xxx 
access-list dmz_nat0_outbound extended permit ip host scs-server 192.168.1.0 255.255.xxx.xxx 
access-list outside_authentication extended permit tcp interface outside host xxxxx-server 
access-list outside_authentication extended permit udp interface outside host xxxxx-server 
access-list outside_authentication_1 extended permit tcp interface outside host xxxxx-server 
access-list outside_authentication_1 extended permit udp interface outside host xxxxx-server 
access-list SCS_VPN webtype permit tcp host 192.168.xxx.xxx eq cifs log default
access-list SCS_VPN webtype permit tcp host 192.168.xxx.xxx eq https log default
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool SCS_VPN 192.168.xxx.xxx-192.168.xxx.xxx mask 255.xxx.xxx.xxx
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
nat (dmz) 0 access-list dmz_nat0_outbound
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group dmz_access_out out interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
!
router ospf 10
 log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server SCSRadius protocol radius
aaa-server SCSRadius host xxxxxx-server
 timeout 5
 key xxxxxx
group-policy SCS_VPN internal
group-policy SCS_VPN attributes
 dns-server value 192.168.xxx.xxx
 vpn-tunnel-protocol IPSec 
 default-domain value xxxxxxxx.local
group-policy SCS_WebVPN internal
group-policy SCS_WebVPN attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 webvpn
  svc enable
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc dpd-interval client 500
  svc dpd-interval gateway 500
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name none
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc enable
  svc keep-installer installed
  svc keepalive none
  svc rekey time 15
  svc rekey method ssl
  svc dpd-interval client none
  svc dpd-interval gateway 300
  svc compression deflate
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 webvpn
  svc enable
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
username xxxxxx password I0ymMcGlAxUuCsOT encrypted
username xxxxxx attributes
 vpn-group-policy SCS_WebVPN
aaa authentication match outside_authentication outside SCSRadius
aaa authentication match outside_authentication_1 outside LOCAL
aaa authorization command LOCAL 
http server enable
http 192.168.xxx.xxx 255.xxx.xxx.xxx inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set Trans_ESP_3DES_MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set Trans_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs 
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs 
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs 
crypto dynamic-map outside_dyn_map 80 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 100 set pfs 
crypto dynamic-map outside_dyn_map 100 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 120 set pfs 
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs 
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 160 set pfs 
crypto dynamic-map outside_dyn_map 160 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 180 set pfs 
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto dynamic-map dmz_dyn_map 20 set pfs 
crypto dynamic-map dmz_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map dmz_map 65535 ipsec-isakmp dynamic dmz_dyn_map
crypto map dmz_map interface dmz
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable dmz
crypto isakmp policy 10
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group SCSRadius
 accounting-server-group SCSRadius
 dhcp-server scs-server
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool SCS_VPN
 authentication-server-group SCSRadius
tunnel-group DefaultWEBVPNGroup webvpn-attributes
tunnel-group SCS_VPN type ipsec-ra
tunnel-group SCS_VPN general-attributes
 address-pool SCS_VPN
 authentication-server-group SCSRadius
 default-group-policy SCS_VPN
tunnel-group SCS_VPN ipsec-attributes
 pre-shared-key *
tunnel-group SCS_WebVPN type webvpn
tunnel-group SCS_WebVPN general-attributes
 address-pool SCS_VPN
 default-group-policy SCS_WebVPN
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
console timeout 15
dhcpd auto_config outside
!
dhcpd address 192.168.xxx.xxx-192.xxx.xxx.xxx inside
!
 
!
!
!
policy-map global-policy
 description Allow VPN
 class class-default
  inspect pptp 
!
service-policy global-policy global
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1 rc4-md5
webvpn
 enable outside
 csd image disk0:/securedesktop-asa-3.1.1.29-k9.pkg
 svc image disk0:/sslclient-win-1.1.0.154.pkg 1
 svc enable
pop3s
 port 25
 outstanding 30
 default-group-policy DfltGrpPolicy
smtps
 port 110
 outstanding 30
 default-group-policy DfltGrpPolicy
prompt hostname context 
Cryptochecksum:9805cb23f10e9417b98784c64e86578f
: end
asdm image disk0:/asdm-522.bin
no asdm history enable

Open in new window

0
Comment
Question by:bconkencmit
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 500 total points
ID: 20424625
 Hi bconkencmit
     Try following
webvpn
auto-signon allow ip radiusip 255.255.255.255 auth-type all
quit

    If doesnt work try following

aaa-server DC protocol nt
aaa-server DC (inside) host SBSserverIP
  nt-auth-domain-controller SBSHostname
webvpn
auto-signon allow ip SBSserverIP 255.255.255.255 auth-type ntlm
quit
tunnel-group SCS_WebVPN general-attributes
    authentication-server-group  DC LOCAL
quit

Regards
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20425988
 Also keep in mind that, If the web VPN max peers in license is reached, authentication fails.
0
 

Author Comment

by:bconkencmit
ID: 20427770
Thanks I'll gives those a shot and let you know how it goes.  Right now i am the only one attempting to login this way so i don't think it is a license issue (yet).
0
 

Author Closing Comment

by:bconkencmit
ID: 31413222
Thanks MrHusy,
Sorry for the delay, i haven't had much time to work on it.  I believe it was the second half of the solution that worked.  I was still having issues until i realized that it was still authenticating through the defaultWebVpnGroup intead of the group that i created (not entirely sure why) which was not using the DC settings for authentication.  Once i changed the authentication method of the defaultWebVPNGroup to DC it worked.  

Thanks again
0

Featured Post

Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question