cisco asa vpn windows 7 64-bit l2tp/ipsec ldap server

Posted on 2011-10-27
Last Modified: 2012-05-12
Is there any guide that has a sample configuration that ACTUALLY FRICKEN WORKS?!?!?!?!?!

Trying to use the built-in Windows VPN client for l2tp/ipsec tunnel to an ASA 5510 running 8.25 with LDAP authentication to the internal Windows AD server based on group-membership (i.e., if users are in a group "vpn-allowed", they get access).

I can't find a definitive source that even says whether it's possible - some say it is, others don't even mention it.  Some say the Windows clients use the DefaultRAGroup, others don't mention that.

Question by:snowdog_2112

Accepted Solution

anoopkmr earned 2000 total points
ID: 37043326

Author Comment

ID: 37045974
Unfortunately, I'd seen both of those, and neither addresses a Windows built-in vpn client - it fails.

I managed to get it working by using "debug crypto isakmp 30" and noticed the tunnel-group a Windows client hits is the built-in DefaultRAGroup.  You cannot change this (from what I've discovered).  The cisco vpn client can be configured to hit a tunnel-group you specify using the Name: field on the client.  There is no "group" or "name" option in the Windows VPN client setup.

So, in addition to either of the links, you MUST configure the DefaultRAGroup (it shows up in the ASDM, but not via CLI unless you manually change a default setting).

Here is a revised partial listing based on the expat technocrat link you provided.

Configure IPSec
Create your transform set, dynamic map and crypto map
Apply the crypto map to the relevant interface

crypto ipsec transform-set esp3des esp-3des esp-md5-hmac
crypto ipsec transform-set esp3des_sha esp-3des esp-sha-hmac
crypto ipsec transform-set esp3des_sha mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYNMAP 1 set transform-set esp3des_sha esp3des
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP interface outside

Create tunnel-group to deny access by default
group-policy DenyAccess internal
group-policy DenyAccess attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol IPSec webvpn

Create your split tunnel ACL if required and no NAT statements and IP address pool for the VPN Clients

access-list vpnra-acl standard permit
access-list nonat extended permit ip
nat (inside) 0 access-list nonat
ip local pool vpnrapool

Configure ASA to perform user authentication against Active Directory using LDAP
Create the LDAP Attribute Map
This is where you specify which AD group a user has to be in before they are authorized to connect. In my case I created an AD group called "VPN" and ensured my VPN users were members of that group in AD.
I'm using ASA 8.2 which has "Group-Policy" available as an argument for map-name. For versions prior to 8.2 consult the ASA Command Reference for map-name as there is a RADIUS IETF argument you should use.
To get the DN you use a command line tool such as "dsquery" or google for other tools that are available for free from Microsoft such as "AD Explorer".
My tunnel-group will be called "vpnragroup" and I map that to "memberOf".

ldap attribute-map ASAMAP
map-name memberOf Group-Policy
map-value memberOf "CN=VPN,OU=Groups,OU=MyBusiness,DC=bob,DC=local" vpnragroup

Create your AAA server for LDAP
Note that you need to create a regular user account for the ASA to search your Directory for users and groups. This does NOT have to be an admin user. It should be a regular user for the sake of security.
Specify LDAP as the protocol
Specify the IP of the AD server
Add your base DN. I used the domain and enabled it to search the entire subtree.
Map the naming attribute to sAMAccountName
Provide the user account login DN and password to search AD.
Specify your server type as Microsoft
Finally, map the attribute map to the server

aaa-server LDAPAuth2AD protocol ldap
aaa-server LDAPAuth2AD (inside) host
ldap-base-dn DC=bob,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password password
ldap-login-dn CN=VPN Name Lookup,OU=Users,OU=MyBusiness,DC=bob,DC=local
server-type microsoft
ldap-attribute-map ASAMAP

Create your tunnel-group for user access
I added 3 simultaneous logins here but you can add more.
Also applied a split tunnel ACL
Added the IP Pool
Add an external group policy to reference AD auth

group-policy vpnragroup internal
group-policy vpnragroup attributes
vpn-simultaneous-logins 3
vpn-tunnel-protocol IPSec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnra-acl
address-pools value vpnrapool
group-policy vpnragroup-external external server-group LDAPAuth2AD

Configure ASA to only authorize users for VPN access if they belong to a specific AD group
Create the tunnel-group to allow access
Add an authentication server group
Add an authorization server group
Add the default policy to deny access
Specify that authorization is required

tunnel-group vpnragroup type remote-access
tunnel-group vpnragroup general-attributes
authentication-server-group LDAPAuth2AD
authorization-server-group LDAPAuth2AD
default-group-policy DenyAccess

For Windows VPN clients, you need to modify the built-in DefaultRAGroup tunnel-group.  This does not appear in the "show run" unless you change a default setting.  It will show up in the ASDM on a clean install.  Since it's a remote-access group, you cannot specify the "type" (i.e., "tunnel-group DefaultRAGroup type remote-access" is assumed and cannot be changed).

tunnel-group DefaultRAGroup general-attributes
default-group-policy vpnragroup
authentication-server-group LDAPAuth2AD
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key password

Finally, add your IPSec pre-shared key for the group.

tunnel-group vpnragroup ipsec-attributes
pre-shared-key password
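An added example, not part of the post or the linked guide: the pieces the Windows 7 built-in client depends on, pulled together in one place, assuming the ASAMAP attribute map, the LDAPAuth2AD server group and the vpnrapool pool defined above. 192.0.2.10 is a placeholder for the domain controller, and the PAP and LDAPS settings are this example's own addition, because an LDAP bind needs the user's password in clear.

```cisco
! Assumes ASAMAP, LDAPAuth2AD and vpnrapool from the post; 192.0.2.10 is a placeholder DC
! Phase 1 proposal the Windows 7 client accepts (3DES/SHA1/DH group 2, PSK)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! L2TP/IPsec runs in transport mode: set it on the transform set the dynamic map offers
crypto ipsec transform-set esp3des_sha esp-3des esp-sha-hmac
crypto ipsec transform-set esp3des_sha mode transport
crypto dynamic-map DYNMAP 1 set transform-set esp3des_sha
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP interface outside
! Users whose memberOf maps to vpnragroup get L2TP/IPsec; everyone else
! falls through to DenyAccess, whose zero login limit refuses the session
group-policy DenyAccess internal
group-policy DenyAccess attributes
 vpn-simultaneous-logins 0
group-policy vpnragroup internal
group-policy vpnragroup attributes
 vpn-tunnel-protocol l2tp-ipsec
 vpn-simultaneous-logins 3
 address-pools value vpnrapool
! The Windows client can only land in DefaultRAGroup, so LDAP authentication,
! authorization and the PSK are attached there
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group LDAPAuth2AD
 authorization-server-group LDAPAuth2AD
 default-group-policy DenyAccess
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-PSK
! The LDAP bind needs the clear-text password, so PPP must use PAP (tick
! "Unencrypted password (PAP)" on the Windows connection). IPsec covers it on
! the wire; LDAPS keeps it off the LAN between ASA and DC.
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 no authentication ms-chap-v2
 authentication pap
aaa-server LDAPAuth2AD (inside) host 192.0.2.10
 ldap-over-ssl enable
 server-port 636
```

`test aaa-server authentication LDAPAuth2AD host 192.0.2.10 username alice password ...` exercises the bind without a client, and `debug ldap 255` shows whether memberOf was mapped to vpnragroup or the user fell through to DenyAccess.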

Author Closing Comment

ID: 37045990
Note that some mods were required to perform the function I had requested.  Based on the link provided, and some debugging and additional searching, I think I've got the needed bits in my last post.

Giving you credit in the hopes it helps someone else out there.  Thanks!
