| KB | 0000071 | |
| Dated | 09/11/09 | |
| Revision | 0.02 | |
Cisco ASA5500 Client VPN Access Via RADIUS |
||
| Problem | ||
Below is a walkthrough for setting up a client to gateway VPN Tunnel using a Cisco ASA appliance.This is done via the ASDM console. Though if (Like me) you prefer using the Command Line Interface I've put the commands at the end. You will need a RADIUS server, WIndows Server (2000 and 2003) Has its own RADIUS bolt on called Windows IAS Step 1 Below is a walkthrough on how to set this up. It also uses the Cisco VPN client - the version used is v5 which is still in beta at the time of writing. |
||
| Solution | ||
Step 1 Install RADIUS (Windows IAS) |
|
 |
1. Assuming you don't already have IAS installed, Click Start > Control Panel > Add Remove Programs. |
 |
2. Add/Remove Windows Components. |
 |
3. Double Click "Networking Services". |
 |
4. Tick Internet Authentication Service. |
 |
5. Next |
 |
6. The Service will install, NOTE it may ask you for the Windows CD, if you have already copied the i386 directory to a hard drive on the server, point it there instead. |
 |
7. When its done click Finish. |
 |
8. Click Start > Run. |
 |
9. Type mmc > OK. |
 |
10. An Empty MMC Console will open. |
 |
11. Click File > Add\Remove Snap-in. |
 |
12. Click Add |
 |
13 Scroll down to Internet Authentication Service (IAS), Select it > Add. |
 |
14. Finish |
 |
15. Close. |
 |
16 OK. |
 |
17 Right Click "RADIUS Clients" > New RADIUS Client. |
 |
18 Give it a sensible name like "CiscoASA" > Enter its IP address > Next. |
 |
19 Client vendor set to "RADIUS Standard" > Enter a shared secret to use in this example I'll use 123456 I suggest you use something more secure :) > Finish. |
 |
20 Back at the main console > Select "Remote Access Policies" > Right Click "Connections to other Access Servers" > Properties. |
 |
21 Tick "Grant remote access permissions". > Press the Edit Profile button. |
 |
22. On the Authentication tab, tick Unencrypted authentication (PAP SPAP) |
 |
23. On the Encryption tab ensure "No Encryption" is ticked. |
 |
24. Pah! Reading help files is for the weak > No. |
 |
25. Apply > OK. |
 |
26. We will now create a new user to use the RADIUS. Click Start > dsa.msc > OK. Active Directory Users and COmputers will open. |
 |
27 Right click the OU you want your user created inside > New > User. |
 |
28. Give the user a name and logon name, e.g. user2 > Next > Enter and confirm a password and tick Password Never Expires > Next. |
 |
29. If you have Microsoft Exchange you will see this next if you don't see it don't panic > Next |
 |
30. Finish |
 |
31. Locate the user > Right Click > Properties. |
 |
32. On the Dial in Tab select "Allow Access" > Apply > OK. Then close all the open windows. |
Step 2 Add the RADIUS server to the ASA5500 as an AAA Server. |
|
 |
1. Open the ASDM > Configuration > Properties >AAA Setup > AAA Server Groups > Add. |
 |
2. Give the Server group a name e,g "WindowsIAS" > Select RADIUS > OK. |
 |
3. In the bottom section titled "Servers in the selected group" Click Add. |
 |
4. Set interface name to "Inside" > Enter the IP Address of the Windows server > Enter the "Server Secret Key" (you specified above in Step1 Number 19) > Re-enter the same one next to "Common Password." > OK. |
 |
5. Click Apply > Test. |
 |
6. Select Authentication > Enter the username and password you created earlier (Step 1 Numbers 28,29 and 30) > OK. |
 |
7. If it fails recheck all your previous settings. > OK. |
 |
8. Back at the ASDM > File > Save Running Configuration to Flash". |
Step 2 Configure the ASA for Client VPN Access. |
|
 |
1. Open up the ADSM console. > Click Wizards > VPN Wizard. |
 |
2. Select "Remote Access". > Next. |
 |
3. Select Cisco VPN Client. > Next. |
 |
4. Enter a Pre Shared Key e.g. thisisthepresharedkey > And then give the Tunnel group a name e.g. "RemoteVPN". > Next. |
 |
5. Select "Authenticate using an AAA Server Group ". > Select The Server Group you created in Step 2 > Next. |
 |
6. Now we need to create some IP addresses that the remote clients will use when connected. > Click New |
 |
7. Give the Pool a name e.g. RemotePool and set the start and end IP addresses you want to lease (note these DONT have to be on the same network as your internal IP's - In fact, for auditing its good practice to make them different). > Enter a Subnet Mask. > OK. |
 |
8. Click Next. |
 |
9. Enter the details you want the remote clients to use while connected, DNS servers, WINS Servers and domain name. > Next. |
 |
10. Leave it on the defaults of 3DES, SHA and DH Group 2 (Note some Cisco VPN clients will not support AES). > Next |
 |
11. Again leave it on the default of 3DES and SHA. > Next. |
 |
12. You can choose what IP addresses you want the remote VPN clients to have access to, first change the drop down to "Inside", here I want them to have access to the entire network behind the ASA so I will choose 10.254.254.0 with a mask of 255.255.255.0 > Click Add. > Next. NOTE If you do not tick the box to enable "Split Tunneling" then the client cannot browse the internet etc while connected via VPN. |
 |
13 Review the information at the end of the wizard. > Finish |
 |
14 Now you need to save the changes you have just made, From the ASDM Select File > "Save running configuration to flash" |
Step 2 Configure the Client VPN Software on the remote client. |
|
Also See THIS VIDEO |
|
 |
1. I'll assume you have the software installed you can get it from two places, On the CD that came with the ASA, or download it direct from Cisco (NOTE this needs a valid Cisco CCO account and a service contract). > Click New. |
 |
2. Under connection entry give the connection a name e.g. "Remote VPN to Office" > Under "Host" enter the Public IP of the ASA (NOTE I've blurred this one out to protect my IP address). > Under "Name" enter the name you created earlier (Step 1 number 4) > Under Password use the password you created earlier (Step 1 number 4) and enter it a second time to confirm. NOTE these are NOT the usernames and passwords you created in Step 1 number 6. > Click Transport Tab. |
 |
3 Accept the defaults but tick "Allow LAN access if you want to be able to access YOUR drives etc from the network behind the ASA" > Save. |
 |
4. Select the Connection you have just created. > Connect. |
 |
5. Enter the username and password you created earlier (Step 1 Number 6) of user1 and password1. > OK. |
 |
6 After a few seconds (provided the details were all right) it will connect, hover over the padlock in your task tray and it should say "VPN Client - Connected". |
Do the same thing from command line |
|
access-list remotevpn_splitTunnelAcl standard permit 10.254.254.0 255.255.255.0 |
|
