Authenticate VPN clients with W2k3

May 19, 2004
I want to authenticate users via w2k3 AD vs using a single username and password for the whole company. Using 7.1.2 on the pix.

Not sure what all I need to make it all work. Looks like I need to configure AAA on the pix and then IAS on the server. That it? Suggestions are welcome...
 
Yes, you need to configure a RADIUS connection to your IAS from your pix.
The pix does the group authentication and IAS the user authentication.

I have never used this in version 7 though. But it should be the same as for version 6.3. Gonna check it out on my lab ASA.
 
I have been playing around with this to try and get it to work. I implemented IAS and that went easy enough. I put the commands into the pix; looks easy enough. Yet it doesn't seem to work. I say seem because I had a VPN client terminating to the pix anyway. I used a different password than the VPN client's password, as well as trying it with the same password, to no avail.

It looks the same either way. I try to connect with the client and it goes right through both ways. The reason I want the radius is to authenticate to the server so I can govern who logs in and when.

Here is my cleaned config. Any ideas? I did set the IAS exactly like the doc says.
This is a pretty good example of what I am trying to do anyway. The main differences are I already have one tunnel in place and of course the VPN clients.
PIX Version 6.3(4)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name mydomain.com
fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 1 permit tcp host 10.0.0.0 host 0.0.0.255
access-list 101 permit ip 10.0.0.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list outside permit tcp any host X.X.X.196 eq smtp
access-list outside permit tcp any host X.X.X.198 eq https
access-list outside permit udp any host X.X.X.198 eq isakmp
access-list outside permit udp any host X.X.X.198 eq 62514
access-list outside permit udp any host X.X.X.198 eq 62515
access-list outside permit icmp any any
no pager
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.194 255.255.255.240
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 172.16.100.1-172.16.100.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) X.X.X.195 10.0.0.3 netmask 255.255.255.255 0 0
static (inside,outside) X.X.X.196 10.0.0.4 netmask 255.255.255.255 0 0
static (inside,outside) X.X.X.197 10.0.0.2 netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.225 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server Radius protocol radius
aaa-server Radius max-failed-attempts 3
aaa-server Radius deadtime 10
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host 10.0.0.2 $606 timeout 10
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public-not
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto map mymap client authentication partnerauth
isakmp enable outside
isakmp key 501dynamicclientpw address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup vpnClients address-pool ippool
vpngroup vpnClients dns-server 10.0.0.4 149.168.11.11
vpngroup vpnClients wins-server 10.0.0.4
vpngroup vpnClients default-domain mydomain.com
vpngroup vpnClients split-tunnel 101
vpngroup vpnClients idle-time 1800
vpngroup vpnClients password vpnuserpw
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 60
ssh 72.242.20.162 255.255.255.255 outside
ssh timeout 25
console timeout 0

Any ideas?
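An added check, not code from the thread: a short Python lint over the relevant lines of the config above. On a PIX 6.3, `client authentication` turns on XAUTH only for the crypto map it names, so that name has to be the map bound to the interface, and the aaa-server group it references needs a host; the script reports where the posted config departs from that.

```python
"""Check the XAUTH/RADIUS wiring of a PIX 6.3 config (added example)."""
import re

# Excerpt of the config posted in the thread; only the lines the check reads.
PIX_CONFIG = """\
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 10.0.0.2 $606 timeout 10
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto map mymap client authentication partnerauth
"""


def xauth_findings(config: str) -> list[str]:
    """Return findings about remote-access user (XAUTH) authentication.

    PIX 6.3 semantics applied:
      * `crypto map <name> interface <if>` binds a map to an interface.
      * `crypto map <name> client authentication <group>` turns on XAUTH
        for that map only, so <name> must be a map bound to an interface.
      * the aaa-server group it names must be defined and have a host.
    """
    bound, xauth, groups, hosts = {}, {}, set(), set()
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            bound[m[1]] = m[2]
        elif m := re.match(r"crypto map (\S+) client authentication (\S+)", line):
            xauth[m[1]] = m[2]
        elif m := re.match(r"aaa-server (\S+) protocol ", line):
            groups.add(m[1])
        elif m := re.match(r"aaa-server (\S+) \(\S+\) host ", line):
            hosts.add(m[1])
    findings = []
    for cmap, iface in bound.items():
        if cmap not in xauth:
            findings.append(f"map {cmap} on {iface} has no client authentication: XAUTH never runs")
    for cmap, group in xauth.items():
        if cmap not in bound:
            findings.append(f"client authentication is on {cmap}, which is bound to no interface")
        if group not in groups:
            findings.append(f"aaa-server group {group} is not defined")
        elif group not in hosts:
            findings.append(f"aaa-server group {group} has no host")
    return findings


if __name__ == "__main__":
    for finding in xauth_findings(PIX_CONFIG):
        print(finding)
```

Run against the excerpt it reports that `dyn-map` (the map on `outside`) has no client authentication while `mymap` (which carries it) is bound to no interface; renaming the `client authentication` line to `dyn-map` clears both findings.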
 
Can you give some debugs?

Brent
Systems Engineer / Consultant
CCNP
 
I got this to work.

When defining the policy the IAS had a vendor-specific statement. Removed that and bam.

I actually got this to work on both a 6.3.X pix and a 7.1.x.

 