lotusboy
asked on
CISCO VPN setup
Currently I am in the process of restructuring our VPN access policy.
We have a Cisco 515E with firewall version 6.3 and PDM version 3.0(1).
At present our users are using VPN client versions 4.8 and 5.
They are all accessing the VPN using only one group set up on the PIX, so all
are using a single username and password.
I want to replace this with a setup where I can assign a username and password
to each user for their VPN connection, or it would be great if they could use
their Active Directory username and password.
Please help.
Also, you need to configure Internet Authentication Server on your DC.
ASKER
Thanks. Two questions.
1. What is (inside)? Which IP address will this be?
2. What is the community key?
1. inside (interface name): it is the interface on which the RADIUS server is working.
2. The RADIUS password for authentication.
ASKER
Thanks.
1. Will this be the IP address of the RADIUS server?
2. RADIUS password: do I have to give this to the users?
1. Yes, the RADIUS server IP address.
2. No, it is for authentication between the PIX and the RADIUS server.
ASKER
Thanks, everything is going fine. One question.
How will the users connect to the VPN? Before this I supplied them with the group authentication name and password. Now what will the values be in the VPN client software?
They don't need any VPN client software. They will use the standard Microsoft VPN configuration.
ASKER
Thanks. Two questions.
1. Is there any special setting at the RADIUS server in my case? I have created a new client, and under remote access policies I have selected 'Grant remote access permission'.
2. If I test everything now, what happens to the existing users who are using the Cisco VPN client? Will they still be able to access the VPN via the old system?
1.
http://www.ciscosystems.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094700.shtml#config-2003
2. What does "old system" mean? You are changing all configuration on the PIX. If they are connecting through another device, nothing will change. If the old system was on the PIX, the configuration changes: they need to use the AD username and password. Or you can add the local users to AD.
ASKER
Old system means that at present they are using the group authentication username and password in the Cisco client. If I replace this with RADIUS, will they still be able to access the VPN using the Cisco client?
If you create a new VPDN group and apply RADIUS in the new group, both of them will work together.
ASKER
Please help me: how can I set up a VPDN group?
The link below explains it step by step.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml
ASKER
Big problem after running the following commands on the PIX: I cannot log back in to the PIX.
Before that the PIX never asked me for a username; now it is asking me for a username ...
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 172.24.0.1 private timeout 5
aaa-server RADIUS (inside) host [Radius Server IP] [community key] timeout 5
aaa-server LOCAL protocol local
aaa authentication telnet console RADIUS LOCAL
aaa authentication http console RADIUS LOCAL
vpdn group PPTP-VPDN-GROUP client authentication aaa RADIUS
vpdn group PPTP-VPDN-GROUP client accounting RADIUS
It is trying to get authentication from RADIUS. If your RADIUS is ready, try to use a DC username and password.
ASKER
I tried my Active Directory username and password but it's not working.
Is your RADIUS working or not? Did you see a reject message in Event Viewer?
My MSN is farukyerli@hotmail.com, please come there. We should fix this quickly.
ASKER
I have installed RADIUS and set it up according to your article. I have registered it with Active Directory.
How do I check that it is working? Do I have to check the Event Viewer on the RADIUS server? Under which section will it appear?
Under System you can see the IAS messages.
About RADIUS:
> Did you assign the RADIUS client IP in RADIUS?
> Did you create a remote access policy in RADIUS?
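Two points in this thread call for the same check: the lockout after "aaa authentication telnet console RADIUS LOCAL" was applied before the RADIUS server had been proven to answer, and the later question "How do I check that it is working?". The following is an added example, not code from the thread or from Cisco/Microsoft: a minimal RADIUS PAP test client written to RFC 2865 that sends one Access-Request from an ordinary host on the inside network and validates the reply, including the Response Authenticator, so a wrong shared secret, an unregistered client IP, or a policy reject can be told apart before the firewall's own console or VPN authentication is pointed at the server. It assumes Python 3 and UDP reachability to the IAS server; the server, secret, user and NAS IP are command-line arguments and the test values below are constructed (they are the sample parameters from RFC 2865 section 7.1, used only to check the packet layout offline).

```python
"""Minimal RADIUS (RFC 2865) PAP test client: sends one Access-Request and
validates the reply, so the shared secret, client registration and remote
access policy on the IAS server can be checked from an ordinary host before
the firewall's console or VPN authentication is pointed at it."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_NAS_PORT, ATTR_REPLY_MESSAGE = 1, 2, 4, 5, 18

def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def decrypt_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does with the User-Password attribute; NUL padding stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(identifier, secret, username, password, nas_ip, nas_port, authenticator=None):
    """Return (packet, request_authenticator); the authenticator is random unless supplied."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, encrypt_password(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP, socket.inet_aton(nas_ip))
             + attr(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs, authenticator

def parse_attributes(data: bytes):
    """Walk the TLV list; reject truncated or zero-length attributes."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return attrs

def response_authenticator(reply: bytes, request_authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()

def check_reply(reply, identifier, request_authenticator, secret):
    """Return (verdict, detail) with verdict 'accept', 'reject' or 'invalid'. A reply whose
    Response Authenticator fails is 'invalid': that is what a shared-secret mismatch looks like."""
    if len(reply) < 20:
        return "invalid", "short packet"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != identifier or length != len(reply):
        return "invalid", "identifier/length mismatch"
    if reply[4:20] != response_authenticator(reply, request_authenticator, secret):
        return "invalid", "bad Response Authenticator: shared secret mismatch or spoofed reply"
    try:
        msgs = [v.decode(errors="replace") for t, v in parse_attributes(reply[20:]) if t == ATTR_REPLY_MESSAGE]
    except ValueError as exc:
        return "invalid", str(exc)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "invalid"), "; ".join(msgs)

def forge_reply(code, identifier, request_authenticator, secret, attrs=b""):
    """Build a reply the way a server would; used for the offline self-check only."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + response_authenticator(header + bytes(16) + attrs, request_authenticator, secret) + attrs

def radius_test(server, secret, username, password, nas_ip, port=1812, timeout=5.0):
    """Send one Access-Request over UDP and return check_reply()'s verdict."""
    identifier = os.urandom(1)[0]
    pkt, ra = build_access_request(identifier, secret, username, password, nas_ip, 0)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout", "no answer: sender not registered as a RADIUS client, wrong port, or server down"
    return check_reply(reply, identifier, ra, secret)

if __name__ == "__main__":
    import sys  # usage: python radius_test.py SERVER SECRET USER PASSWORD NAS_IP
    srv, sec, usr, pw, nas = sys.argv[1:6]
    print(radius_test(srv, sec.encode(), usr, pw, nas))
```

Run it from a host whose IP is registered as a RADIUS client on the IAS server, with NAS_IP set to that host's address and the same shared secret the PIX will use. A "timeout" means the request was silently dropped (IAS ignores unregistered clients); "invalid" with a bad Response Authenticator means the secret differs on the two sides; "reject" means the server answered but the remote access policy refused the user, which shows up under System in Event Viewer as described above. Two assumptions to keep in mind: IAS listens on UDP 1812 and the legacy 1645 by default, so use whichever port the PIX is configured for, and since the PIX sends PAP, the remote access policy's profile must allow "Unencrypted authentication (PAP, SPAP)" or every request is rejected even with a correct password. Only after this returns "accept" should the "aaa authentication ... console RADIUS LOCAL" lines be applied, and then from a second session kept open so the first one can undo them if the console still locks out.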