cisco asa vpn windows 7 64-bit l2tp/ipsec ldap server

Posted on 2011-10-27
Last Modified: 2012-05-12
Is there any guide that has a sample configuration that ACTUALLY FRICKEN WORKS?!?!?!?!?!

Trying to use the built-in Windows VPN client for l2tp/ipsec tunnel to an ASA 5510 running 8.25 with LDAP authentication to the internal Windows AD server based on group-membership (i.e., if users are in a group "vpn-allowed", they get access).

I can't find a definitive source that even says whether it's possible - some say it is, others don't even mention it.  Some say the Windows clients use the DefaultRAGroup, others don't mention that.

Question by:snowdog_2112

    Author Comment

    Unfortunately, I'd seen both of those, and neither addresses a Windows built-in vpn client - it fails.

    I managed to get it working by using "debug crypto isakmp 30" and noticed the tunnel-group a Windows client hits is the built-in DefaultRAGroup.  You cannot change this (from what I've discovered).  The cisco vpn client can be configured to hit a tunnel-group you specify using the Name: field on the client.  There is no "group" or "name" option in the Windows VPN client setup.

    So, in addition to either of the links, you MUST configure the DefaultRAGroup (it shows up in the ASDM, but not via CLI unless you manually change a default setting).

    Here is a revised partial listing based on the expat technocrat link you provided.

    Configure IPSec
    Create your transform set, dynamic map and crypto map
    Apply the crypto map to the relevant interface

    crypto ipsec transform-set esp3des esp-3des esp-md5-hmac
    crypto ipsec transform-set esp3des_sha esp-3des esp-sha-hmac
    crypto ipsec transform-set esp3des_sha mode transport
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map DYNMAP 1 set transform-set esp3des_sha esp3des
    crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
    crypto map VPNMAP interface outside

    Create tunnel-group to deny access by default
    group-policy DenyAccess internal
    group-policy DenyAccess attributes
    vpn-simultaneous-logins 0
    vpn-tunnel-protocol IPSec webvpn

    Create your split tunnel ACL if required and no NAT statements and IP address pool for the VPN Clients

    access-list vpnra-acl standard permit
    access-list nonat extended permit ip
    nat (inside) 0 access-list nonat
    ip local pool vpnrapool

    Configure ASA to perform user authentication against Active Directory using LDAP
    Create the LDAP Attribute Map
    This is where you specify which AD group a user has to be in before they are authorized to connect. In my case I created an AD group called "VPN" and ensured my VPN users were members of that group in AD.
    I'm using ASA 8.2 which has "Group-Policy" available as an argument for map-name . For versions prior to 8.2 consult the ASA Command Reference for map-name as there is a RADIUS IETF argument you should use.
    To get the DN you use a command line tool such as "dsquery" or google for other tools that are available for free from Microsoft such as "AD Explorer"
    My tunnel-group will be called "vpnragroup" and I map that to "memberOf"

    ldap attribute-map ASAMAP
    map-name memberOf Group-Policy
    map-value memberOf "CN=VPN,OU=Groups,OU=MyBusiness,DC=bob,DC=local" vpnragroup

    Create your AAA server for LDAP
    Note that you need to create a regular user account for the ASA to search your Directory for users and groups. This does NOT have to be an admin user. IT should be a regular user for the sake of security.
    Specify LDAP as the protocol
    Specify the IP of the AD server
    Add your base DN. I used the domain and enabled it to search the entire subtree.
    Map the naming attribute to sAMAccountName
    Provide the user account login DN and password to search AD.
    Specify your server type as Microsoft
    Finally, map the attribute map to the server

    aaa-server LDAPAuth2AD protocol ldap
    aaa-server LDAPAuth2AD (inside) host
    ldap-base-dn DC=bob,DC=local
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password password
    ldap-login-dn CN=VPN Name Lookup,OU=Users,OU=MyBusiness,DC=bob,DC=local
    server-type microsoft
    ldap-attribute-map ASAMAP

    Create your tunnel-group for user access
    I added 3 simultaneous logins here but you can add more.
    Also applied a split tunnel ACL
    Added the IP Pool
    Add an external group policy to reference AD auth

    group-policy vpnragroup internal
    group-policy vpnragroup attributes
    vpn-simultaneous-logins 3
    vpn-tunnel-protocol IPSec webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnra-acl
    address-pools value vpnrapool
    group-policy vpnragroup-external external server-group LDAPAuth2AD

    Configure ASA to only authorize users for VPN access if they belong to a specific AD group
    Create the tunnel-group to allow access
    Add an authentication server group
    Add an authorization server group
    Add the default policy to deny access
    Specify that authorization is required

    tunnel-group vpnragroup type remote-access
    tunnel-group vpnragroup general-attributes
    authentication-server-group LDAPAuth2AD
    authorization-server-group LDAPAuth2AD
    default-group-policy DenyAccess

    For Windows VPN clients, you need to modify the built-in DefaultRAGroup tunnel-group.  This does not appear in the "show run" unless you change a default setting.  It will show up in the ASDM on a clean install.  Since it's a remote-access group, you cannot specify the "type" (i.e., "tunnel-group DefaultRAGroup type remote-access" is assumed and cannot be changed).

    tunnel-group DefaultRAGroup general-attributes
    default-group-policy vpnragroup
    authentication-server-group LDAPAuth2AD
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key password

    Finally, add your IPSec pre-shared key for the group.

    tunnel-group vpnragroup ipsec-attributes
    pre-shared-key password

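The authorization logic the attribute map above sets up (memberOf DN mapped to a group-policy, everyone else falling through to the DenyAccess policy with zero simultaneous logins) can be hard to reason about from the config alone. The following is an added example, not code from the post or from Cisco: it parses the relevant lines of the configuration shown above and evaluates a user's memberOf values against them. The "first matching DN wins" rule is an assumption used to keep the example simple; verify your own box's behaviour with the LDAP debug output.

```python
import re

# Constructed excerpt of the configuration from the post above (input only).
ASA_CONFIG = """
ldap attribute-map ASAMAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN,OU=Groups,OU=MyBusiness,DC=bob,DC=local" vpnragroup
group-policy DenyAccess attributes
 vpn-simultaneous-logins 0
group-policy vpnragroup attributes
 vpn-simultaneous-logins 3
tunnel-group vpnragroup general-attributes
 default-group-policy DenyAccess
"""

def parse_config(text):
    """Return (memberOf DN -> group-policy, group-policy -> login limit,
    tunnel-group default policy) from the relevant config lines."""
    dn_to_policy, logins, default_policy, current_gp = {}, {}, None, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'map-value memberOf "([^"]+)" (\S+)$', line)
        if m:
            dn_to_policy[m.group(1).lower()] = m.group(2)  # DNs compare case-insensitively
            continue
        m = re.match(r'group-policy (\S+) attributes$', line)
        if m:
            current_gp = m.group(1)
            continue
        m = re.match(r'vpn-simultaneous-logins (\d+)$', line)
        if m and current_gp:
            logins[current_gp] = int(m.group(1))
            continue
        m = re.match(r'default-group-policy (\S+)$', line)
        if m:
            default_policy = m.group(1)
    return dn_to_policy, logins, default_policy

def authorize(member_of, dn_to_policy, logins, default_policy):
    """Decide the effective group-policy for a user's memberOf values.
    Assumption: the first DN with a map-value wins; a user in no mapped
    group falls back to the tunnel-group default policy, and a policy with
    vpn-simultaneous-logins 0 cannot log in at all."""
    policy = default_policy
    for dn in member_of:
        if dn.lower() in dn_to_policy:
            policy = dn_to_policy[dn.lower()]
            break
    # A policy with no explicit limit keeps the ASA default of 3 logins.
    return policy, logins.get(policy, 3) > 0
```

Running it shows that a member of CN=VPN lands in vpnragroup and is admitted, while a user who only belongs to other groups is mapped to DenyAccess and refused.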
    Author Closing Comment

    Note that some mods were required to perform the function I had requested.  Based on the link provided, and some debugging and additional searching, I think I've got the needed bits in my last post.

    Giving you credit in the hopes it helps someone else out there.  Thanks!
