asa ra vpn with ad authentication

Post on 07-Apr-2017

Configuring an ASA for remote access VPN with Windows 2003 Active Directory Authentication

December 21, 2010

Install Internet Authentication Services on a domain controller

Information for installing this service can be found on Microsoft's TechNet site at: http://technet.microsoft.com/en-us/library/cc781690%28WS.10%29.aspx

Launch the IAS MMC

Register the server in Active Directory

- Click on register and go through the wizard.

Install a new RADIUS client

Add name and address

- The name should be something easily recognizable, like Cisco ASA
- The address is the IP address of the inside interface

Name and address

Enter Shared Secret

- Click next, and enter the RADIUS shared secret.

Added RADIUS client

- Click finish, and review the newly added client.

Add remote access policy

Click Next

Add a policy name

Select VPN radio button

Add AD Group Name

- Users with VPN access will need to be added into this Active Directory group

Add authentication methods

- Select MS-CHAPv2, and MS-CHAP

Select Encryption Levels

- All encryption levels selected by default

Finish the wizard

Verify RADIUS Ports

RADIUS Ports

Confirm authentication methods

- Edit the properties of the RADIUS client

Select unencrypted authentication

IAS Configuration Complete

- Now, time to add the AAA configuration in the Cisco ASA

Configure ASA AAA

- The host is the address of the server where IAS was installed and registered
- The key is the shared secret

Verify AD authentication in ASA

- The IP address in the 'test aaa' command is the IAS server.
- The test account must be in the AD group added in the IAS policy.
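The ASA side of the steps above, as an added example that is not taken from the original slides. The server group name IAS-RADIUS, the tunnel group RA-VPN, the address 192.0.2.10, the account vpntest and the bracketed values are placeholders; the ports shown are an assumption and must match what the Verify RADIUS Ports step shows on the IAS server.

```cisco
! Added example, not from the original slides. All names, addresses and
! secrets below are placeholders.
!
! Define a RADIUS server group and point it at the IAS server.
! (inside) is the interface whose IP address was entered as the RADIUS
! client address in IAS.
aaa-server IAS-RADIUS protocol radius
aaa-server IAS-RADIUS (inside) host 192.0.2.10
 ! Must be identical to the shared secret entered for the RADIUS client.
 key <shared-secret>
 ! Set the ports explicitly so they match the IAS server's RADIUS ports.
 authentication-port 1812
 accounting-port 1813
!
! Assumption: an existing remote access tunnel group named RA-VPN.
! Binding it to the server group makes VPN logins go to IAS.
tunnel-group RA-VPN general-attributes
 authentication-server-group IAS-RADIUS
!
! From privileged EXEC mode, send a test authentication to the IAS server.
! The test account must be a member of the AD group named in the IAS policy.
! This test sends the password with PAP, which IAS lists as unencrypted
! authentication; on the wire it is protected only by the RADIUS shared
! secret, so use a long random secret and keep this traffic on the inside
! network.
test aaa-server authentication IAS-RADIUS host 192.0.2.10 username vpntest password <password>
```

A rejected test produces an entry in the IAS server's event log, which shows whether the shared secret, the group membership or the authentication method was the cause.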

All Done

- Hopefully, it is working for you.
- If not, check the event logs on the IAS server.
- Verify the shared secret password matches on the IAS server and the ASA.
- Verify the IAS service is running.

Courtesy of DirFlash
