Asked by Merlin_Raja
Cisco ASA & MS-Radius Authentication


This is regarding an issue I have with a Cisco ASA 5550 and an MS RADIUS server.

I want to set up the ASA for WebVPN access using the user database from Active Directory. I have an MS RADIUS server configured on the network.

Now this is what I am facing:

On the ASA, I have created a server group "Radius", and under that group I have entered my RADIUS server. When I test the server by entering a domain user name and password, I get a "test successful" message.

Then I run the SSL VPN Wizard: I create a tunnel group "New", I create a group policy "NewGrpPolicy" for that group, and I choose the RADIUS server for user authentication.

I go into the group policy "NewGrpPolicy" and lock it to the group "New". I then go into the group "New" and use "NewGrpPolicy" as the default group policy for this group. I also entered a banner, just to differentiate the group policy.

On the Connection Profile of the group I created, the authentication server is the "Radius" server, and I changed the authentication server for "DefaultWebVPNGrp" and "DefaultRAGrp" to the RADIUS server as well. [Don't know if this step is right or wrong.]

On the RADIUS server, a policy has been created and a Class attribute (25) has been entered with the syntax "OU=GroupPolicyName;". Don't know if this syntax is right or wrong, because some sites say "OU=GrpName;", and on some sites the ";" is entered while on others it is not. The authentication protocol on the RADIUS server is opened to everything for now, including PAP.

Now this is the issue:
When an Active Directory user tries to log in to the web page, the user cannot log in. I checked the event log of the RADIUS server and it says "the user has been authenticated and has been assigned the group policy based on the Class 25 attribute".

And this is what I get in the ASA log:

AAA user authentication Successful : server = : user = vpn
AAA group policy for user vpn is being set to NewGrpPolicy
AAA retrieved user specific group policy (NewGrpPolicy) for user = vpn
AAA retrieved default group policy (DfltGrpPolicy) for user = vpn
AAA transaction status ACCEPT : user = vpn
DAP: User vpn, Addr, Connection Clientless: The following DAP records were selected for this connection: DfltAccessPolicy

The ASA log shows that it retrieves NewGrpPolicy and then jumps back to DfltGrpPolicy. I don't know why this happens, and I think that because of this, even though the user is authenticated by the RADIUS server and the policy has been assigned by the RADIUS server, the user cannot log in, because the policy automatically changes to the default one.

Can someone guide me through this? I have around 10 groups in Active Directory with around 20 users in each group, and I want each user of an Active Directory group to be assigned their own group policy from the ASA when they VPN in. The main policy will be the assignment of different IP pools to different groups.

And this is part of my config file:

ASA Version 8.0(4)
!
dynamic-access-policy-record DfltAccessPolicy
!
! AAA server group used for authentication (the host address was left out of the paste)
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host
!
! IPsec remote-access crypto settings; not involved in the clientless WebVPN login
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
! The parent command of this line was cut from the paste
 enable outside
!
! Default group policy: allows IPsec, AnyConnect (svc) and clientless WebVPN
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec svc webvpn
  svc ask none default webvpn
!
! Group policy created by the wizard; restricted to clientless WebVPN and locked to tunnel group "New"
group-policy NewGrpPolicy internal
group-policy NewGrpPolicy attributes
 vpn-tunnel-protocol webvpn
 group-lock value New
  url-list value BkMark
!
! Tunnel groups: the two defaults and "New" all authenticate against the RADIUS server group;
! only "New" also does authorization against it and uses NewGrpPolicy as its default
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (inside) RADIUS
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group RADIUS
tunnel-group New type remote-access
tunnel-group New general-attributes
 authentication-server-group RADIUS
 authorization-server-group RADIUS
 default-group-policy NewGrpPolicy

Can someone help me out with this, or guide me through a fresh setup for the VPN access? This is a new box and is still not in production, and I guess the company needs it as early as possible.

Thanks in advance.
Tags: Hardware Firewalls, VPN, Network Operations
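As an added example (this is not code from the original post, nor from Cisco or Microsoft), the Python below models how an ASA picks the group-policy name out of a RADIUS Access-Accept: through the IETF Class attribute (25) in the "OU=<group-policy>;" form configured on the poster's RADIUS server, with or without the trailing semicolon, and through the Cisco VSA Group-Policy (vendor-id 3076, vendor-type 25). The group-policy names come from the config above; the packet bytes are constructed for the example, not captured from the poster's network, and trying the candidates in wire order is a simplification of the ASA's own precedence rules.

```python
"""Decode the group-policy name an ASA is handed in a RADIUS Access-Accept.

Added example, not code from the original post, Cisco or Microsoft.  Models
the two attribute forms an ASA accepts for group-policy assignment:
  * IETF Class (25) carrying the string "OU=<group-policy>;"
  * the Cisco VSA Group-Policy (vendor-id 3076, vendor-type 25), a plain string
The Access-Accept bytes at the bottom are constructed, not a real capture.
"""
import struct
from typing import Iterator, Optional, Tuple

RADIUS_REPLY_MESSAGE = 18      # IETF Reply-Message (ignored by the resolver)
RADIUS_CLASS = 25              # IETF Class
RADIUS_VENDOR_SPECIFIC = 26    # IETF Vendor-Specific
CISCO_ASA_VENDOR_ID = 3076     # vendor-id of the ASA (Altiga) VPN attributes
VSA_GROUP_POLICY = 25          # Cisco ASA VSA "Group-Policy"


def iter_attributes(payload: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the attribute TLVs that follow the 20-byte RADIUS header."""
    off = 0
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[off], payload[off + 1]
        if alen < 2 or off + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {off}")
        yield atype, payload[off + 2:off + alen]
        off += alen


def iter_vsa(value: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Split a Vendor-Specific value into (vendor_id, vendor_type, data)."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific value shorter than the vendor-id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    off = 4
    while off < len(value):
        if off + 2 > len(value):
            raise ValueError("truncated VSA sub-attribute header")
        vtype, vlen = value[off], value[off + 1]
        if vlen < 2 or off + vlen > len(value):
            raise ValueError(f"bad VSA sub-attribute length {vlen}")
        yield vendor_id, vtype, value[off + 2:off + vlen]
        off += vlen


def parse_class_ou(value: bytes) -> Optional[str]:
    """Return the group-policy name from a Class value 'OU=<name>;'.

    The trailing ';' is optional and surrounding whitespace is ignored, so both
    spellings the poster found are accepted.  A Class value that does not start
    with 'OU=' (e.g. the opaque Class that NPS/IAS adds on its own for
    accounting correlation) yields None.
    """
    text = value.decode("ascii", errors="replace").strip()
    if not text.upper().startswith("OU="):
        return None
    name = text[3:].strip()
    if name.endswith(";"):
        name = name[:-1].strip()
    return name or None


def group_policy_from_accept(payload: bytes, configured):
    """Resolve which configured group policy the Access-Accept names.

    Returns (policy_name, source, error); source is "class" or "vsa".  When
    nothing usable is found, policy_name is None and error says why.
    Candidates are tried in wire order (a simplification of ASA precedence).
    """
    candidates = []
    for atype, value in iter_attributes(payload):
        if atype == RADIUS_CLASS:
            name = parse_class_ou(value)
            if name:
                candidates.append(("class", name))
        elif atype == RADIUS_VENDOR_SPECIFIC:
            for vendor_id, vtype, data in iter_vsa(value):
                if vendor_id == CISCO_ASA_VENDOR_ID and vtype == VSA_GROUP_POLICY:
                    candidates.append(("vsa", data.decode("ascii", errors="replace")))
    for source, name in candidates:
        if name in configured:
            return name, source, None
    if candidates:
        names = ", ".join(n for _, n in candidates)
        return None, None, f"RADIUS named a group policy the ASA does not have: {names}"
    return None, None, "no group-policy attribute in Access-Accept"


# ---- constructed sample data (not a capture) ---------------------------------

def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, 2 + len(value)]) + value


def _vsa(vendor_id: int, vtype: int, data: bytes) -> bytes:
    sub = bytes([vtype, 2 + len(data)]) + data
    return _attr(RADIUS_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


ASA_GROUP_POLICIES = {"DfltGrpPolicy", "NewGrpPolicy"}   # from the posted config

# What the poster's RADIUS policy is meant to send, plus an opaque NPS-style
# Class and a Reply-Message that the resolver must skip over.
ACCEPT_WITH_CLASS = (
    _attr(RADIUS_CLASS, bytes.fromhex("0102030405060708"))
    + _attr(RADIUS_CLASS, b"OU=NewGrpPolicy;")
    + _attr(RADIUS_REPLY_MESSAGE, b"Welcome")
)
ACCEPT_WITH_VSA = _vsa(CISCO_ASA_VENDOR_ID, VSA_GROUP_POLICY, b"NewGrpPolicy")
ACCEPT_WITH_TYPO = _attr(RADIUS_CLASS, b"OU=NewGrpPolcy;")   # name mismatch

if __name__ == "__main__":
    for label, pkt in (("class", ACCEPT_WITH_CLASS), ("vsa", ACCEPT_WITH_VSA),
                       ("typo", ACCEPT_WITH_TYPO)):
        print(label, group_policy_from_accept(pkt, ASA_GROUP_POLICIES))
```

The resolver is strict about the name: the string after "OU=" has to match a group policy that exists on the ASA character for character, which is the check worth making against `show running-config group-policy` whenever the RADIUS side reports a successful assignment but the ASA ends up on a different policy.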

Last comment: 8/22/2022 (Mon)