Cisco Easy VPN Server and Active Directory

Posted on 2009-04-28
Last Modified: 2012-05-06
Hi folks.

I have a Cisco Easy VPN Server set up on a Cisco 1721 and it seems to work quite nicely with the Cisco VPN client software... however, there is some talk about integrating the authentication process with Active Directory so that as users are created and destroyed, no changes need to be made to the VPN server...

So, my questions are:

1. Is it possible?
2. If so, is it even desirable or is it a bad idea?
3. If desirable, how the heck do I do it?

Question by:kommgroup

Accepted Solution

Yes it can be done. What you need is just to set up the authentication towards the Windows built-in IAS RADIUS server instead of local authentication.

I think it's a good idea to authenticate at some central point. You have a better view of EZVPN users and you have an authentication log also. Is it safer? Some would say yes; I would say the security you reach this way is minimal, but you do get an easy way of removing a user if a device is [lost]. Is it a bad idea? Not from a management point of view.

This is the configuration I use. You can delete the VRF statement if you don't use VRFs.

! RADIUS server group pointing at IAS; the server IP address goes directly
! after "server-private" (the addresses are not shown in this post)
aaa group server radius CUSTOMER-RADIUS
 server-private auth-port 1812 acct-port 1813 key whateveryouthinkissafe
 server-private auth-port 1812 acct-port 1813 key whateveryouthinkissafe
 ip vrf forwarding CUSTOMER

! One method list: RADIUS first, local users only if no RADIUS server answers.
! (Two separate "aaa authentication login" lines with the same list name
! overwrite each other, leaving only the last method, i.e. local only.)
aaa authentication login CUSTOMER-EZVPN group CUSTOMER-RADIUS local
! The "isakmp authorization list" below needs a network authorization list
! of the same name to find the client configuration group
aaa authorization network CUSTOMER-EZVPN local

crypto ipsec transform-set CUSTOMER-EZVPN esp-aes 256 esp-md5-hmac

! Group name and pre-shared key the VPN client is configured with
crypto isakmp client configuration group CUSTOMER-EZVPN
 key whateveryouthinkissafe

crypto isakmp profile CUSTOMER-EZVPN
   vrf CUSTOMER
   match identity group CUSTOMER-EZVPN
   ! per-user login (Xauth) goes to the RADIUS/local list above
   client authentication list CUSTOMER-EZVPN
   isakmp authorization list CUSTOMER-EZVPN
   client configuration address respond
   keepalive 10 retry 2
   initiate mode aggressive

crypto dynamic-map DYN-VPN 26
 set transform-set CUSTOMER-EZVPN
 set isakmp-profile CUSTOMER-EZVPN
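
Before pointing the router at IAS it is worth confirming, from a host IAS trusts as a RADIUS client, that the shared secret and an AD user's credentials are accepted, and seeing what the Response Authenticator check in RFC 2865 actually guarantees. The script below is an added example written for this page, not code from the thread, from Cisco or from Microsoft: a minimal RADIUS/PAP client that hides the User-Password the way the RFC specifies, sends an Access-Request, and accepts a reply only if its Response Authenticator was computed with the shared secret for that exact request. The server address, user name, password, NAS-Identifier and the offline reply constructed in `make_response` are assumptions; the secret `whateveryouthinkissafe` is the placeholder from the configuration above.

```python
"""Minimal RFC 2865 RADIUS/PAP client check (added example, not from the thread)."""
import hashlib
import hmac
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (what the server side does); strips the zero padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the two header octets."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_id, request_auth=None):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    request_auth = request_auth or secrets.token_bytes(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attribute(NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def verify_response(packet, ident, request_auth, secret):
    """Return the reply Code (2 accept / 3 reject) only if the Response Authenticator
    proves the reply answers our request and was built with the shared secret; else None."""
    if len(packet) < 20:
        return None
    code, resp_id, length = struct.unpack("!BBH", packet[:4])
    if resp_id != ident or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    return code


def make_response(request, secret, code, attrs=b""):
    """Build a reply the way a RADIUS server does; used here to exercise
    verify_response offline without an IAS server (constructed, not captured)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def radius_pap_auth(server, secret, username, password, nas_id="ezvpn-router",
                    port=1812, timeout=3.0):
    """One Access-Request over UDP: True=accept, False=reject, None=no valid reply."""
    ident = secrets.randbelow(256)
    request, request_auth = build_access_request(ident, username, password, secret, nas_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    code = verify_response(reply, ident, request_auth, secret)
    return {ACCESS_ACCEPT: True, ACCESS_REJECT: False}.get(code)


if __name__ == "__main__":
    # Offline demo with constructed replies; no server is contacted.
    SECRET = b"whateveryouthinkissafe"  # placeholder secret from the thread's config
    req, auth = build_access_request(7, "jdoe", "example-password", SECRET, "ezvpn-router")
    print("genuine accept:", verify_response(make_response(req, SECRET, ACCESS_ACCEPT), 7, auth, SECRET))
    print("accept forged without the secret:", verify_response(make_response(req, b"guess", ACCESS_ACCEPT), 7, auth, SECRET))
```

Against a real server, `radius_pap_auth("<ias-ip>", b"<secret>", "jdoe", "<password>")` must be run from an address that IAS has registered as a RADIUS client with the same secret, otherwise IAS silently drops the request and the call returns None rather than False; on the router itself, `test aaa group CUSTOMER-RADIUS <user> <password> new-code` exercises the same path. The verification step shows what the shared secret buys: a reply that is not computed over this request's authenticator with the secret is discarded, so a spoofed Access-Accept from a host without the secret does not let a login through. It does not make the transport confidential (the password hiding is an MD5 keystream keyed by the secret), which is why the RADIUS path belongs on a trusted segment such as the VRF in the configuration above.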

Author Closing Comment

Thanks very much... I will try this as soon as I can. This looks good.

Author Comment

This looks very good. I will try it.
