Velocity Reviews forums > Cisco > PIX 7.2 VPN with kerberos / ldap authentication and authorization (http://www.velocityreviews.com/forums/t366123-pix-7-2-vpn-with-kerberos-ldap-authentication-and-authorization.html)

XaBi 08-23-2006 12:09 PM

PIX 7.2 VPN with kerberos / ldap authentication and authorization
 
Has anyone ever done this configuration with version 7.2? I can make it work
:?

what i am trying to do is:

vpn users from windows xp; connecting to pix through L2TP and
authenticating to the active directory servers in the inside interface.


john smith 08-24-2006 02:42 AM

Re: PIX 7.2 VPN with kerberos / ldap authentication and authorization
 
On Wed, 23 Aug 2006 05:09:32 -0700, XaBi wrote:

> Has anyone ever done this configuration with version 7.2? I can make it work
> :?
>
> what i am trying to do is:
>
> vpn users from windows xp; connecting to pix through L2TP and
> authenticating to the active directory servers in the inside interface.



First, look here:
http://www.cisco.com/univercd/cc/td/...n/vpnrmote.htm

I've never set up L2TP, but what I've done is set up a vpngroup on the
PIX (using the vpngroup and crypto commands) and then use xauth to
authenticate against Microsoft's RADIUS server (IAS), which in turn can
use AD.

(It's easier than it sounds.)

Here is an excerpt from my PIX 515E (7.2(1)) config:

! group policy pushed to remote-access clients
group-policy VPNGROUPNAME internal
group-policy VPNGROUPNAME attributes
 wins-server value 192.168.x.y
 dns-server value 192.168.a.b 192.168.a.c
 vpn-idle-timeout 1440
 split-tunnel-policy tunnelspecified
 ! split-tunnel access-list 10 has to be defined separately
 split-tunnel-network-list value 10
 default-domain value domain.com

! IKE phase 1 / IPsec phase 2 parameters
crypto ipsec transform-set 3desSHA esp-3des esp-sha-hmac
crypto dynamic-map VPNGROUP 10 set transform-set 3desSHA
crypto map CRYPTOMAP_NAME 1 ipsec-isakmp dynamic VPNGROUP
crypto map CRYPTOMAP_NAME interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 60

! xauth users are checked against the RADIUS server group (IAS -> AD)
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) RADIUS

tunnel-group VPNGROUPNAME type ipsec-ra
tunnel-group VPNGROUPNAME general-attributes
 address-pool vpn-pool
 ! must name the group-policy defined above
 default-group-policy VPNGROUPNAME
tunnel-group VPNGROUPNAME ipsec-attributes
 pre-shared-key secretKey


You still have to configure a RADIUS server and a split-tunnel ACL. The
RADIUS server should point to your M$ IAS server. You also must configure a
DHCP pool for the VPNs (referenced as 'vpn-pool' above).

HOPE THIS HELPS. (See the MS KB for configuring IAS; it's not so bad.)

XaBi 09-05-2006 03:00 PM

Re: PIX 7.2 VPN with kerberos / ldap authentication and authorization
 
Thanks for your help.

I've checked the config and also used this guide (revised 3 days ago by
Cisco):

http://www.cisco.com/en/US/products/...807213a7.shtml

but it's impossible to make it work. I can see phase 1 and phase 2 of
the IPsec negotiation, but it hangs in the authentication phase.
The funny thing is that I cannot see anything while debugging PPP or
L2TP. I don't know where else I can look.

Any ideas?

Thanks!


XaBi 09-05-2006 03:06 PM

Re: PIX 7.2 VPN with kerberos / ldap authentication and authorization
 
By the way, now I'm just trying to authenticate to the LOCAL user database;
so it's just L2TP tunneling from Windows XP to a PIX 515E and auth to
LOCAL.

I've also tried changing the config and using the Cisco VPN client; it works OK
with this type of remote access config.

Regards


XaBi 09-06-2006 03:15 PM

Re: PIX 7.2 VPN with kerberos / ldap authentication and authorization
 
I've just found the solution! :)

The xauth option in ASDM wasn't working OK; I needed to put it in by hand:

isakmp ikev1-user-authentication (outside) xauth

After typing this command the authentication went perfectly! :)

Hope this helps someone in the future.


xabi.
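As an added example (not code from this thread or from Cisco), a small Python check over a PIX 7.2 configuration excerpt that flags the two places where remote-access user authentication can silently be skipped: the per-interface `isakmp ikev1-user-authentication` setting XaBi had to put in by hand, and an `ipsec-ra` tunnel group with no `authentication-server-group` of its own or inherited from DefaultRAGroup. The sample config and its names are constructed; it assumes the mode keywords `xauth`, `hybrid` and `none` and inheritance from DefaultRAGroup as documented for PIX/ASA 7.x.

```python
import re

# Constructed sample config, loosely modelled on the excerpt posted in this thread
# (names and the 'none' setting are placeholders for illustration, not a real box).
SAMPLE_CONFIG = """\
crypto map CRYPTOMAP_NAME interface outside
crypto isakmp enable outside
isakmp ikev1-user-authentication (outside) none
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) RADIUS
tunnel-group VPNGROUPNAME type ipsec-ra
tunnel-group VPNGROUPNAME general-attributes
 address-pool vpn-pool
tunnel-group VPNGROUPNAME ipsec-attributes
 pre-shared-key secretKey
"""

def crypto_map_interfaces(config):
    """Interfaces with a crypto map applied, i.e. where remote-access IKE terminates."""
    return set(re.findall(r"^crypto map \S+ interface (\S+)", config, re.M))

def xauth_mode(config, iface):
    """'xauth', 'hybrid', 'none', or None when the line is absent for that interface."""
    pat = r"^(?:crypto )?isakmp ikev1-user-authentication \(%s\) (\S+)" % re.escape(iface)
    m = re.search(pat, config, re.M)
    return m.group(1) if m else None

def has_auth_server(config, name):
    """True if the group, or DefaultRAGroup it inherits from, names an AAA server group."""
    for grp in (name, "DefaultRAGroup"):
        # capture the indented sub-commands under 'tunnel-group <grp> general-attributes'
        pat = r"^tunnel-group %s general-attributes\n((?: .*\n)*)" % re.escape(grp)
        m = re.search(pat, config, re.M)
        if m and "authentication-server-group" in m.group(1):
            return True
    return False

def audit(config):
    """Return findings explaining why IKE would complete but user auth never run."""
    findings = []
    for iface in sorted(crypto_map_interfaces(config)):
        mode = xauth_mode(config, iface)
        if mode is None:
            findings.append(f"{iface}: no explicit isakmp ikev1-user-authentication line")
        elif mode == "none":
            findings.append(f"{iface}: ikev1-user-authentication is 'none', xauth disabled")
    for tg in sorted(re.findall(r"^tunnel-group (\S+) type ipsec-ra", config, re.M)):
        if not has_auth_server(config, tg):
            findings.append(f"{tg}: no authentication-server-group (own or DefaultRAGroup)")
    return findings
```

Running `audit()` on a config that matches the symptom in this thread (phase 1 and 2 complete, then a hang) points at the interface whose user-authentication mode is missing or `none`.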


