How to use Microsoft IAS with Cisco VPN concentrator/ASA/PIX
This setup shows how to use IAS (Microsoft's RADIUS server) with a VPN Concentrator, ASA, or PIX. Every VPN user connects with the same PCF file and initially lands in a common group. When the user name is authenticated against Active Directory, IAS returns a group name (in the RADIUS Class attribute) to the concentrator/ASA/PIX, which then places the user in that group.
VPN Concentrator(s) setup
Example:
- Login to concentrator/ASA
- Duplicate the steps below on BOTH ASAs/concentrators
- go to: configuration > policy mgmt > traffic mgmt > network lists
- add
- name: "g_Radius_VPN"
- enter hosts/networks "10.224.3.3/0.0.0.0"
- add
- go to: configuration > user management > groups
- add group
- group name: "g_Radius_VPN"
- password: [password]
- verify: [password]
- Type: internal
- go to: Client Config TAB
- Split Tunneling Policy
- check: only tunnel networks in the list
- Split Tunneling List
- choose: g_Radius_VPN
- add
- SAVE CONFIGURATION SETTINGS
AD user / Group setup
- Login to Domain Controller
- go to: Active Directory Users and Computers
- OU: austin.mgam > Radius
- add group
- "g_Radius_VPN"
- OU: austin.mgam > Vendor
- add user
- user name:
- next
- password: [user password]
- uncheck: user must change password at next login
- check: user cannot change password
- check: password never expires
- finish
- open properties for user: [Temporary]
- Member Of TAB
- add
- "g_Radius_VPN_[Temporary]"
- OK
- choose "g_Radius_VPN_[Temporary]"
- click Set Primary Group
- Remove "Domain Users" group
- OK
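The AD user/group steps above, scripted as an added example (not part of the original page). It assumes the ActiveDirectory module (RSAT) is installed, and the OU distinguished names for austin.mgam, the user name, and the group name with the [Temporary] placeholder filled in are all assumptions.

```powershell
# Added example: scripts the AD user/group steps with the ActiveDirectory module (RSAT).
# The OU distinguished names and the account/group names are assumptions.
Import-Module ActiveDirectory

$GroupName = 'g_Radius_VPN_Temporary'          # must match the IAS policy's Windows-Group
$RadiusOU  = 'OU=Radius,DC=austin,DC=mgam'     # assumed DN for austin.mgam > Radius
$VendorOU  = 'OU=Vendor,DC=austin,DC=mgam'     # assumed DN for austin.mgam > Vendor
$UserName  = 'vendor.temp'                     # assumed sAMAccountName

# Create the RADIUS group in the Radius OU (a global security group, as a primary group must be)
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'" -SearchBase $RadiusOU)) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security -Path $RadiusOU
}

# Create the vendor user with the same password flags the GUI steps set
$Password = Read-Host -AsSecureString -Prompt "Password for $UserName"
New-ADUser -Name $UserName -SamAccountName $UserName -Path $VendorOU `
    -AccountPassword $Password -Enabled $true `
    -ChangePasswordAtLogon $false -CannotChangePassword $true -PasswordNeverExpires $true

# Member Of TAB: add the user to the RADIUS group
Add-ADGroupMember -Identity $GroupName -Members $UserName

# Set Primary Group: primaryGroupID is the RID (last component) of the group's SID.
# The user must already be a member of the group or this fails.
$Group = Get-ADGroup -Identity $GroupName
$Rid   = [int]$Group.SID.Value.Split('-')[-1]
Set-ADUser -Identity $UserName -Replace @{ primaryGroupID = $Rid }

# Remove "Domain Users" (only possible once it is no longer the primary group)
Remove-ADGroupMember -Identity 'Domain Users' -Members $UserName -Confirm:$false

# Verify: IAS will return Class "OU=$GroupName;", so the group name must match
# the remote access policy and the concentrator group exactly.
Get-ADUser -Identity $UserName -Properties primaryGroupID, MemberOf |
    Select-Object SamAccountName, primaryGroupID, MemberOf
```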
Radius / IAS setup example
- Login to Radius Server
- go to: Internet Authentication Service
- open Remote Access Policy
- create New Remote Access Policy
- next
- Set up a custom policy
- name: "g_Radius_VPN_[Temporary]"
- next
- add policy conditions
- Windows-Group = "g_Radius_VPN_[Temporary]"
- Client-Friendly-Name = "AusVPN"
- next
- Grant remote access permission
- next
- Edit Profile
- Advanced TAB
- remove Service-Type
- remove Framed-Protocol
- Add
- Class
- "OU=g_Radius_VPN_[Temporary];"
- next
- finish
- Move the policy down so it sits with the other "g_Radius_VPN_XXXXX" policies
DONE. Test the account on both VPNs before deploying it to the user.
- Issue the VPN Client and the standard PCF file