Step 1 Install RADIUS (Windows IAS)
|
| |
 |
1. Assuming you don't already have IAS installed, Click Start > Control Panel > Add Remove Programs. |
 |
2. Add/Remove Windows Components. |
 |
3. Double Click "Networking Services". |
 |
4. Tick Internet Authentication Service. |
 |
5. Next |
 |
6. The Service will install, NOTE it may ask you for the Windows CD, if you have already copied the i386 directory to a hard drive on the server, point it there instead. |
 |
7. When its done click Finish. |
 |
8. Click Start > Run. |
 |
9. Type mmc > OK. |
 |
10. An Empty MMC Console will open. |
 |
11. Click File > Add\Remove Snap-in. |
 |
12. Click Add |
 |
13 Scroll down to Internet Authentication Service (IAS), Select it > Add. |
 |
14. Finish |
 |
15. Close. |
 |
16 OK. |
 |
17 Right Click "RADIUS Clients" > New RADIUS Client. |
 |
18 Give it a sensible name like "CiscoASA" > Enter its IP address > Next. |
 |
19 Client vendor set to "RADIUS Standard" > Enter a shared secret to use in this example I'll use 123456 I suggest you use something more secure :) > Finish. |
 |
20 Back at the main console > Select "Remote Access Policies" > Right Click "Connections to other Access Servers" > Properties. |
 |
21 Tick "Grant remote access permissions". > Press the Edit Profile button. |
 |
22. On the Authentication tab, tick Unencrypted authentication (PAP SPAP) |
 |
23. On the Encryption tab ensure "No Encryption" is ticked. |
 |
24. Pah! Reading help files is for the weak > No. |
 |
25. Apply > OK. |
 |
26. We will now create a new user to use the RADIUS. Click Start > dsa.msc > OK. Active Directory Users and COmputers will open. |
 |
27 Right click the OU you want your user created inside > New > User. |
 |
28. Give the user a name and logon name, e.g. user2 > Next > Enter and confirm a password and tick Password Never Expires > Next. |
 |
29. If you have Microsoft Exchange you will see this next if you don't see it don't panic > Next |
 |
30. Finish |
 |
31. Locate the user > Right Click > Properties. |
 |
32. On the Dial in Tab select "Allow Access" > Apply > OK. Then close all the open windows. |
| |
Step 2 Add the RADIUS server to the ASA5500 as an AAA Server.
|
| |
 |
1. Open the ASDM > Configuration > Properties >AAA Setup > AAA Server Groups > Add. |
 |
2. Give the Server group a name e,g "WindowsIAS" > Select RADIUS > OK. |
 |
3. In the bottom section titled "Servers in the selected group" Click Add. |
 |
4. Set interface name to "Inside" > Enter the IP Address of the Windows server > Enter the "Server Secret Key" (you specified above in Step1 Number 19) > Re-enter the same one next to "Common Password." > OK. |
 |
5. Click Apply > Test. |
 |
6. Select Authentication > Enter the username and password you created earlier (Step 1 Numbers 28,29 and 30) > OK. |
 |
7. If it fails recheck all your previous settings. > OK. |
 |
8. Back at the ASDM > File > Save Running Configuration to Flash". |
| |
Step 2 Configure the ASA for Client VPN Access.
|
| |
 |
1. Open up the ADSM console. > Click Wizards > VPN Wizard. |
 |
2. Select "Remote Access". > Next. |
 |
3. Select Cisco VPN Client. > Next. |
 |
4. Enter a Pre Shared Key e.g. thisisthepresharedkey > And then give the Tunnel group a name e.g. "RemoteVPN". > Next. |
 |
5. Select "Authenticate using an AAA Server Group ". > Select The Server Group you created in Step 2 > Next. |
 |
6. Now we need to create some IP addresses that the remote clients will use when connected. > Click New |
 |
7. Give the Pool a name e.g. RemotePool and set the start and end IP addresses you want to lease (note these DONT have to be on the same network as your internal IP's - In fact, for auditing its good practice to make them different). > Enter a Subnet Mask. > OK. |
 |
8. Click Next. |
 |
9. Enter the details you want the remote clients to use while connected, DNS servers, WINS Servers and domain name. > Next. |
 |
10. Leave it on the defaults of 3DES, SHA and DH Group 2 (Note some Cisco VPN clients will not support AES). > Next |
 |
11. Again leave it on the default of 3DES and SHA. > Next. |
 |
12. You can choose what IP addresses you want the remote VPN clients to have access to, first change the drop down to "Inside", here I want them to have access to the entire network behind the ASA so I will choose 10.254.254.0 with a mask of 255.255.255.0 > Click Add. > Next.
NOTE If you do not tick the box to enable "Split Tunneling" then the client cannot browse the internet etc while connected via VPN. |
 |
13 Review the information at the end of the wizard. > Finish |
 |
14 Now you need to save the changes you have just made, From the ASDM Select File > "Save running configuration to flash" |
| |
Step 2 Configure the Client VPN Software on the remote client.
|
|
| |
|
 |
1. I'll assume you have the software installed you can get it from two places, On the CD that came with the ASA, or download it direct from Cisco (NOTE this needs a valid Cisco CCO account and a service contract). > Click New. |
 |
2. Under connection entry give the connection a name e.g. "Remote VPN to Office" > Under "Host" enter the Public IP of the ASA (NOTE I've blurred this one out to protect my IP address). > Under "Name" enter the name you created earlier (Step 1 number 4) > Under Password use the password you created earlier (Step 1 number 4) and enter it a second time to confirm. NOTE these are NOT the usernames and passwords you created in Step 1 number 6. > Click Transport Tab. |
 |
3 Accept the defaults but tick "Allow LAN access if you want to be able to access YOUR drives etc from the network behind the ASA" > Save. |
 |
4. Select the Connection you have just created. > Connect. |
 |
5. Enter the username and password you created earlier (Step 1 Number 6) of user1 and password1. > OK. |
 |
6 After a few seconds (provided the details were all right) it will connect, hover over the padlock in your task tray and it should say "VPN Client - Connected". |
| |
Do the same thing from command line |
| |
access-list remotevpn_splitTunnelAcl standard permit 10.254.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.254.254.0 255.255.255.0 10.254.250.0 255.255.255.0
ip local pool vpnpool 10.254.250.1-10.254.250.254 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
aaa-server windowsias protocol radius
aaa-server windowsias host 10.254.254.10
key 123456
radius-common-pw 123456
group-policy remotevpn internal
group-policy remotevpn attributes
dns-server value 10.254.254.10
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remotevpn_splitTunnelAcl
default-domain value petenetlive.com
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
address-pool vpnpool
authentication-server-group windowsias
default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
pre-shared-key thisisthepresharedkey |
