denverjaye asked:
Can you configure Microsoft's RADIUS server to authenticate both VPN users and basic switch/router logins on the same Windows 2003 server?

I already have our Cisco VPN users connecting through an ASA 5520 and authenticating using Active Directory with a Windows 2003 Domain Controller running IAS (RADIUS). Is it possible to configure that same IAS (RADIUS) server to authenticate logins to the Cisco switches/routers/firewalls without the two setups affecting each other? I have tried this but it seems like I can only do one or the other. With my VPN authentication set up and working based on the Dial-In settings in AD, I tried setting up authentication for a switch based on user groups in AD. When I did this, I was able to successfully log in to the switch as a user in the AD group, but the VPN login was now only allowing users in the groups that I set up for the switch authentication as well. It was not basing the VPN login on the Dial-In tab.
Cyclops3590:

You should be able to. You just need to add each device as a RADIUS client and then configure a separate RAS policy depending upon exactly what it's trying to authenticate. For example, wireless tries to look at whether it's an 802.11 connection. Once the policy is correct, then it's making sure the order is correct. If a user authentication matches all of the parameters for one of the higher priority policies that denies access, then the user will be denied. In other words, each policy should be specific to the type of connection it's authenticating, so you don't deny when you should permit or permit when you should deny.
denverjaye (ASKER):

I do have three policies set up at this point: the first one is for switch access for privilege level 1, the second is for privilege level 15, and the last one is for VPN logins. I have two accounts for myself set up, one normal user account and one domain admin account. I have the domain admin group set up in the privilege level 15 policy. My normal user account should be permissioned for the VPN policy based on the dial-in tab in AD. When I try connecting via VPN, I can successfully log in using my domain admin account but not the normal user account. I'm thinking that maybe the VPN policy is set up incorrectly. I used the wizard to set that up for VPN, but I'm not sure if that setup is compatible with Cisco VPN.
How are your RADIUS portion and tunnel-group/vpngroup entries set up?
Also, can you tell me the specifics of the VPN RAS policy you set up, as well as the RADIUS client setup for the PIX/ASA?
I figured it out. I had set up the VPN policy with the wizard and selected the VPN option. That apparently did not work as designed with Cisco. What I did to fix it was set it up the same as the priv 1 and 15 policies, by configuring an AD group that was granted access. Then I made a VPNAccess group in AD, added users, and entered that group in the policy instead of controlling access for VPN using the dial-in tab in AD. I tested this a bunch of different ways to make sure that it was allowing the correct users to access switches and VPN, and it appears to be working. Thank you for pointing me in the right direction on this.
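As an added illustration (not code from this thread, and not Microsoft IAS code), here is a small Python model of first-match evaluation over an ordered list of remote-access policies. It covers both Cyclops3590's point that each policy must be scoped to the type of connection it authenticates and ordered correctly, and denverjaye's fix of replacing the wizard-generated VPN policy with a policy keyed on an explicit AD group. The policy names, group names, RADIUS client names and the port-type value the wizard policy is assumed to require are all constructed; real IAS conditions use many more RADIUS attributes than this model does. The "broken" list has unscoped switch policies above a VPN policy whose condition the ASA request does not satisfy: any domain admin on the ASA is granted by the switch policy, and an ordinary user matches nothing. The "fixed" list scopes each policy to its RADIUS clients and a named group, so switch privilege never leaks onto the VPN and VPN membership never grants a switch login.

```python
"""Simplified first-match model of ordered RADIUS remote-access policies.

Constructed example for illustration; it is not IAS's implementation and
does not reproduce IAS's full attribute set.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # AD group memberships of the user
    client: str              # friendly name of the RADIUS client (NAS)
    port_type: str           # constructed stand-in for the NAS-Port-Type value
    dialin_allowed: bool     # AD account "Dial-in" tab set to Allow access


@dataclass(frozen=True)
class Policy:
    name: str
    clients: frozenset = frozenset()       # empty = any RADIUS client
    groups: frozenset = frozenset()        # empty = no group condition
    port_type: Optional[str] = None        # None = no port-type condition
    use_dialin_tab: bool = False           # defer to the AD dial-in permission
    privilege: Optional[int] = None        # Cisco privilege level returned on grant

    def matches(self, r: Request) -> bool:
        """All configured conditions must hold for the policy to apply."""
        if self.clients and r.client not in self.clients:
            return False
        if self.groups and not (self.groups & r.groups):
            return False
        if self.port_type is not None and r.port_type != self.port_type:
            return False
        return True


def evaluate(policies, r: Request) -> Tuple[str, Optional[str], Optional[int]]:
    """First matching policy wins; its permission decides. No match means deny."""
    for p in policies:
        if p.matches(r):
            if p.use_dialin_tab and not r.dialin_allowed:
                return ("deny", p.name, None)
            return ("grant", p.name, p.privilege)
    return ("deny", None, None)


SWITCHES = frozenset({"core-sw1", "edge-sw2"})   # constructed client names
ASA = frozenset({"asa-5520"})

# Broken layout: switch policies are not scoped to the switches, and the
# wizard-style VPN policy requires a port type the ASA request (assumed
# here) does not carry.
BROKEN = (
    Policy("switch-priv1", groups=frozenset({"NetOps"}), privilege=1),
    Policy("switch-priv15", groups=frozenset({"Domain Admins"}), privilege=15),
    Policy("vpn-wizard", port_type="Virtual", use_dialin_tab=True),
)

# Fixed layout: every policy names its RADIUS clients and an explicit group.
FIXED = (
    Policy("switch-priv1", clients=SWITCHES, groups=frozenset({"NetOps"}), privilege=1),
    Policy("switch-priv15", clients=SWITCHES, groups=frozenset({"Domain Admins"}), privilege=15),
    Policy("vpn-access", clients=ASA, groups=frozenset({"VPNAccess"})),
)

# Constructed requests: an admin account and a normal account, each arriving
# via the ASA and via a switch.
ADMIN_VPN = Request("alice-admin", frozenset({"Domain Admins"}), "asa-5520", "Async", True)
USER_VPN = Request("alice", frozenset({"Domain Users", "VPNAccess"}), "asa-5520", "Async", True)
ADMIN_SWITCH = Request("alice-admin", frozenset({"Domain Admins"}), "core-sw1", "Async", True)
USER_SWITCH = Request("alice", frozenset({"Domain Users", "VPNAccess"}), "core-sw1", "Async", True)


if __name__ == "__main__":
    for label, policies in (("broken", BROKEN), ("fixed", FIXED)):
        for r in (ADMIN_VPN, USER_VPN, ADMIN_SWITCH, USER_SWITCH):
            print(label, r.user, "via", r.client, "->", evaluate(policies, r))
```

In the broken list the domain admin's VPN login succeeds only because "switch-priv15" has no client condition and sits above the VPN policy; that is the symptom in the question, and it is also a privilege leak worth checking for in any IAS deployment by reading each policy's conditions rather than its name.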
ASKER CERTIFIED SOLUTION
Cyclops3590
denverjaye (ASKER): Thank you for your help. You got me pointed in the right direction and I was able to resolve the issue that I was having.