PIX 7.2 VPN with kerberos / ldap authentication and authorization

Discussion in 'Cisco' started by XaBi, Aug 23, 2006.

  1. XaBi

    XaBi Guest

    Has anyone ever done this configuration with a ver 7.2? I can make it work
    :?

    What I am trying to do is:

    VPN users from Windows XP connecting to the PIX through L2TP and
    authenticating to the Active Directory servers on the inside interface.
    XaBi, Aug 23, 2006
    #1
  2. XaBi

    john smith Guest

    On Wed, 23 Aug 2006 05:09:32 -0700, XaBi wrote:

    > anyone ever did this configuration with a ver 7.2 ?; i can make it work
    > :?
    >
    > what i am trying to do is:
    >
    > vpn users from windows xp; connecting to pix through L2TP and
    > authenticating to the active directory servers in the inside interface.
    First, look here -
    http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/vpn/vpnrmote.htm

    I've never set up L2TP, but what I've done is set up a vpngroup on the
    PIX (using the vpngroup and crypto commands) and then use xauth to
    authenticate against Microsoft's RADIUS server (IAS), which in turn can
    use AD.

    (It's easier than it sounds.)

    Here is an excerpt from my PIX 515E (7.2(1)) config (access-list 10 is the
    split tunnel ACL):

    group-policy VPNGROUPNAME internal
    group-policy VPNGROUPNAME attributes
    wins-server value 192.168.x.y
    dns-server value 192.168.a.b 192.168.a.c
    vpn-idle-timeout 1440
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value 10
    default-domain value domain.com

    crypto ipsec transform-set 3desSHA esp-3des esp-sha-hmac
    crypto dynamic-map VPNGROUP 10 set transform-set 3desSHA
    crypto map CRYPTOMAP_NAME 1 ipsec-isakmp dynamic VPNGROUP
    crypto map CRYPTOMAP_NAME interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal 60
    tunnel-group DefaultRAGroup general-attributes
    authentication-server-group (outside) RADIUS

    tunnel-group VPNGROUPNAME type ipsec-ra
    tunnel-group VPNGROUPNAME general-attributes
    address-pool vpn-pool
    default-group-policy vpn-group
    tunnel-group VPNGROUPNAME ipsec-attributes
    pre-shared-key secretKey

    You still have to configure a RADIUS server and split tunnel ACL. The
    RADIUS server should point to your M$ IAS server. You also must configure a
    DHCP pool for the VPNs (referenced as 'vpn-pool' above).

    HOPE THIS HELPS. (See the MS KB for configuring IAS; it's not so bad.)
    john smith, Aug 24, 2006
    #2

  3. XaBi

    XaBi Guest

    Thanks for your help.

    I've checked the conf and also used this guide (revised 3 days ago by
    Cisco):

    http://www.cisco.com/en/US/products...s_configuration_example09186a00807213a7.shtml

    but it's impossible to make it work. I can see phase 1 and phase 2
    of the IPsec negotiation, but it hangs in the authentication phase.
    The funny thing is that I cannot see anything while debugging PPP or
    L2TP. Don't know where else I can look.

    any ideas?

    thanks!
    XaBi, Sep 5, 2006
    #3
  4. XaBi

    XaBi Guest

    By the way, now I'm just trying to authenticate to the LOCAL user database,
    so it's just L2TP tunneling from Windows XP to a PIX 515E and auth to
    LOCAL.

    I've also tried changing the conf and using the Cisco VPN client; it works
    OK with this type of remote access conf.

    regards
    XaBi, Sep 5, 2006
    #4
  5. XaBi

    XaBi Guest

    I've just found the solution! :)

    The xauth option in ASDM wasn't working OK; I had to put it in by hand:

    isakmp ikev1-user-authentication (outside) xauth

    After typing this command the authentication went perfectly! :)

    Hope this helps someone in the future.

    xabi.
    XaBi, Sep 6, 2006
    #5
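Filling in the pieces post #2 says are still needed around its excerpt (RADIUS server, split-tunnel ACL, address pool), together with the L2TP-specific settings for the Windows XP client and the xauth command from post #5, as an added example that is not from the thread or from Cisco. The RADIUS host, shared key, pool range and inside subnet are constructed placeholders, and the excerpt's 'vpn-group' is assumed to refer to the VPNGROUPNAME group-policy.

```cisco
! Added example, not from the thread. Replace the placeholder values.
! RADIUS server group named in "authentication-server-group (outside) RADIUS".
! The server sits on the inside interface, so the shared secret only
! travels on the inside network, never across "outside".
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.10
 key ChangeThisRadiusSecret
 timeout 5

! Split-tunnel ACL named in "split-tunnel-network-list value 10": only the
! inside subnet goes through the tunnel; all other client traffic stays local.
access-list 10 standard permit 192.168.1.0 255.255.255.0

! Address pool named in "address-pool vpn-pool" (constructed range).
ip local pool vpn-pool 192.168.50.1-192.168.50.50 mask 255.255.255.0

! Allow the L2TP/IPsec protocol on the group policy the clients land in, and
! point default-group-policy at a policy that actually exists.
group-policy VPNGROUPNAME attributes
 vpn-tunnel-protocol ipsec l2tp-ipsec
tunnel-group VPNGROUPNAME general-attributes
 default-group-policy VPNGROUPNAME

! L2TP/IPsec from the built-in Windows XP client needs IPsec transport mode
! and a PPP authentication method the client will negotiate.
crypto ipsec transform-set 3desSHA mode transport
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2

! The fix from post #5, entered at the CLI because ASDM did not apply it.
isakmp ikev1-user-authentication (outside) xauth
```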