
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1044
  • Last Modified:

Cisco Easy VPN Server and Active Directory

Hi folks.

I have a Cisco Easy VPN Server set up on a Cisco 1721 and it seems to work quite nicely with the Cisco VPN client software... however, there is some talk about integrating the authentication process with Active Directory so that as users are created and destroyed, no changes need to be made to the VPN server...

So, my questions are:

1. Is it possible?
2. If so, is it even desirable or is it a bad idea?
3. If desirable, how the heck do I do it?

Thanks!
0
Asked by kommgroup
1 Solution
 
Donboo Commented:
Yes, it can be done. What you need is just to set up the authentication towards the Windows built-in IAS RADIUS server instead of local authentication.

I think it's a good idea to authenticate at some central point. You have a better view of EZvpn users and you have an authentication log too. Is it safer? Some would say yes; I would say the security you reach this way is minimal, but you do get an easy way of removing a user if a device is stolen. Is it a bad idea? Not from a management point of view.


This is the configuration I use. You can delete the VRF statement if you don't use VRFs.

! AAA has to be enabled before any "aaa group" / "aaa authentication" lines are accepted
aaa new-model

! The two IAS servers; the key is the RADIUS shared secret and must match what IAS has for this client
aaa group server radius CUSTOMER-RADIUS
 server-private 10.0.0.1 auth-port 1812 acct-port 1813 key whateveryouthinkissafe
 server-private 10.0.0.2 auth-port 1812 acct-port 1813 key whateveryouthinkissafe
 ip vrf forwarding CUSTOMER

! One method list: try RADIUS first, fall back to local users only if no server answers.
! Two separate "aaa authentication login CUSTOMER-EZVPN ..." lines do not chain;
! the second one simply replaces the first.
aaa authentication login CUSTOMER-EZVPN group CUSTOMER-RADIUS local
! Group (mode-config) authorization list referenced by "isakmp authorization list" below
aaa authorization network CUSTOMER-EZVPN local

crypto ipsec transform-set CUSTOMER-EZVPN esp-aes 256 esp-md5-hmac

! Group pre-shared key and client push attributes
crypto isakmp client configuration group CUSTOMER-EZVPN
 key whateveryouthinkissafe
 save-password
 include-local-lan

! Xauth (per-user) authentication goes to the CUSTOMER-EZVPN login list, i.e. to IAS
crypto isakmp profile CUSTOMER-EZVPN
   vrf CUSTOMER
   match identity group CUSTOMER-EZVPN
   client authentication list CUSTOMER-EZVPN
   isakmp authorization list CUSTOMER-EZVPN
   client configuration address respond
   keepalive 10 retry 2
   initiate mode aggressive

! The dynamic map still has to be referenced from a crypto map applied to the
! outside interface; that part is not shown here.
crypto dynamic-map DYN-VPN 26
 set transform-set CUSTOMER-EZVPN
 set isakmp-profile CUSTOMER-EZVPN
 reverse-route
0
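The answer above moves the per-user (Xauth) check from the router's local database to IAS over RADIUS, and the only thing protecting that leg is the `key` on the `server-private` lines. The following is an added example, not code from the question or from Donboo's configuration, that models the NAS-to-IAS exchange offline according to RFC 2865: how the router hides the User-Password with the shared secret and the Request Authenticator, how the server recovers it, and how the router verifies the Response Authenticator on the Access-Accept. The user name, password, NAS address and the fixed authenticator in `demo()` are constructed sample values; the secret reuses the placeholder from the post.

```python
"""RADIUS (RFC 2865) Access-Request / Access-Accept round trip, constructed
demo of the router -> IAS leg used by the EZVPN Xauth step. No network I/O."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: each 16-octet block is XORed with
    MD5(secret || previous ciphertext block), seeded by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same operation. Stripping the NUL padding is what the
    RFC prescribes, so a real password ending in NUL bytes cannot be carried."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    # Type-Length-Value, length includes the two header octets
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """What the router sends to IAS for one EZVPN user login."""
    if authenticator is None:
        authenticator = os.urandom(16)  # must be unpredictable per request
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Returns {type: [value, ...]} and rejects malformed TLVs."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + length])
        pos += length
    return attrs


def build_access_accept(request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server reply: Response Authenticator = MD5(Code|ID|Len|ReqAuth|Attrs|Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Router-side check that the reply matches this request and was produced
    by a holder of the shared secret; an Access-Accept from anyone else fails."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    if response[1] != request[1]:  # identifier must match the outstanding request
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo(secret=b"whateveryouthinkissafe", username="alice", password="Ez-VPN!2024"):
    """Constructed round trip: returns (password as IAS sees it,
    accept verified with the right secret, accept verified with a wrong secret)."""
    authenticator = bytes(range(16))  # fixed only so the demo is reproducible
    request = build_access_request(7, username, password, secret, "10.0.0.254", authenticator)
    server_view = parse_attributes(request)
    recovered = reveal_password(server_view[USER_PASSWORD][0], secret, request[4:20])
    accept = build_access_accept(request, secret)
    return (recovered.decode(),
            verify_response(request, accept, secret),
            verify_response(request, accept, b"wrong-secret"))


if __name__ == "__main__":
    print(demo())
```

The point the code makes is that the user's password is protected only by an MD5 keystream derived from the shared secret, and the Access-Accept is authenticated only by that same secret. That argues for a long random value in place of `whateveryouthinkissafe`, a distinct secret per NAS, and keeping the RADIUS path confined the way the VRF in the posted configuration does, so the exchange never crosses a segment where it could be captured.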
 
kommgroup (Author) Commented:
Thanks very much. I will try this as soon as I can. This looks good.
0
 
kommgroup (Author) Commented:
This looks very good. I will try it.
0
