
Cisco Secure Access Control Server for Windows

Using Cisco Secure ACS for Windows with the VPN 3000 Concentrator - IPSec

Document ID: 13874

Updated: Jan 18, 2007


Introduction

This document recommends the easiest configuration for Cisco Secure Access Control Server (ACS) for Windows to authenticate users that connect to a VPN 3000 Concentrator. A group on a VPN 3000 Concentrator is a collection of users treated as a single entity. The configuration of groups, as opposed to individual users, can simplify system management and streamline configuration tasks. In previous releases, only identity, security, access, performance, DNS, WINS, and tunneling protocols were configured for groups.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Cisco Secure ACS for Windows RADIUS is installed and operates properly with other devices.

  • Cisco VPN 3000 Concentrator is configured and can be managed with the HTML interface.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco Secure ACS for Windows RADIUS version 4.0 or later.

  • Cisco VPN 3000 Concentrator version 4.7 or later.

With Microsoft Windows release 3.0 and later, you can configure and perform these functions on a per-group basis.

  • Authentication (RADIUS, NT Domain, SDI, or Internal Server.)*

  • Accounting (RADIUS user accounting collects data on user connect time and packets transmitted.)

  • Address pools (Allows you to assign IP addresses from an internally configured pool.)

Note: * Group-based authentication does not support multiple SDI servers; see Cisco bug ID CSCdu57258.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Use Groups on the VPN 3000 Concentrator

Groups can be defined on both Cisco Secure ACS for Windows and the VPN 3000 Concentrator, but the two products use groups somewhat differently. To keep the configuration simple, perform these tasks:

  • Configure a single group on the VPN 3000 Concentrator for establishing the initial tunnel. This is often called the Tunnel Group and it is used to establish an encrypted Internet Key Exchange (IKE) session to the VPN 3000 Concentrator using a pre-shared key (the group password). This is the same group name and password that should be configured on all VPN 3000 Clients that want to connect to the VPN Concentrator.

  • Configure groups on the Cisco Secure ACS for Windows Server that use standard RADIUS Attributes and Vendor Specific Attributes (VSAs) for policy management. The VSAs that should be used with the VPN 3000 Concentrator are the RADIUS (VPN 3000) attributes.

  • Configure users on the Cisco Secure ACS for Windows RADIUS server and assign them to one of the groups configured on the same server. The users inherit attributes defined for their group and Cisco Secure ACS for Windows sends those attributes to VPN Concentrator when the user is authenticated.

How the VPN 3000 Concentrator Uses Group and User Attributes

After the VPN 3000 Concentrator authenticates the Tunnel Group locally and authenticates the user with RADIUS, it must organize the attributes it has received. The Concentrator applies the attributes in this order of preference, whether the authentication is done on the VPN Concentrator itself or with RADIUS:

  1. User attributes—These attributes always take precedence over any others.

  2. Tunnel Group attributes—Any attributes not returned when the user was authenticated are filled in by the Tunnel Group attributes.

  3. Base Group attributes—Any attributes missing from the user or Tunnel Group attributes are filled in by the VPN Concentrator Base Group attributes.
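The three-level precedence above, as an added example that is not part of the Cisco document: a small resolver that merges the RADIUS reply for a user with the Tunnel Group and Base Group attributes and records which layer supplied each value, which is what you need when a user ends up with an unexpected setting. The attribute names are the RADIUS (VPN 3000) attribute names used on this page; the group contents are constructed sample data.

```python
# Added example (not from the Cisco document): resolve the attribute set the
# VPN 3000 Concentrator applies to one session using the precedence
# user > Tunnel Group > Base Group. All values below are constructed samples.
from typing import Dict, Optional, Tuple

# Base Group: the Concentrator's default group (constructed sample).
BASE_GROUP: Dict[str, Optional[object]] = {
    "Simultaneous-Logins": 3,
    "Tunneling-Protocols": "PPTP,L2TP,IPsec",
    "IPsec-Sec-Association": "ESP-3DES-MD5",
    "IPsec-Allow-Password-Store": "Allow",
    "Primary-DNS": None,  # not configured at this layer
}

# Tunnel Group "IPsecUsers" as configured in step 2 (constructed sample).
TUNNEL_GROUP: Dict[str, Optional[object]] = {
    "Tunneling-Protocols": "IPsec",
    "Authentication": "RADIUS",
}

def resolve_attributes(
    user_attrs: Dict[str, Optional[object]],
    tunnel_group: Dict[str, Optional[object]] = TUNNEL_GROUP,
    base_group: Dict[str, Optional[object]] = BASE_GROUP,
) -> Dict[str, Tuple[object, str]]:
    """Return {attribute: (value, layer)} where layer names the source.

    An attribute counts as "returned" only when its value is not None, so an
    attribute the RADIUS server did not send falls through to the Tunnel
    Group, and then to the Base Group, exactly as the Concentrator fills gaps.
    """
    layers = [("user", user_attrs), ("tunnel-group", tunnel_group), ("base-group", base_group)]
    resolved: Dict[str, Tuple[object, str]] = {}
    for name in {key for _, layer in layers for key in layer}:
        for layer_name, layer in layers:  # first layer with a value wins
            if layer.get(name) is not None:
                resolved[name] = (layer[name], layer_name)
                break
    return resolved

if __name__ == "__main__":
    # Access-Accept attributes returned by Cisco Secure ACS for one user (constructed).
    reply = {"Simultaneous-Logins": 1, "Primary-DNS": "10.1.1.10",
             "IPsec-Allow-Password-Store": "Disallow"}
    for attr, (value, source) in sorted(resolve_attributes(reply).items()):
        print(f"{attr:28} = {str(value):18} (from {source})")
```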

Configure the RADIUS Server and the VPN 3000 Concentrator

Complete these steps to configure the RADIUS server and the VPN 3000 Concentrator.

  1. Add the Cisco Secure ACS for Windows RADIUS server to the VPN 3000 Concentrator configuration.

    1. Use a web browser to connect to the VPN 3000 Concentrator by typing the IP address of the private interface in the Location or Address bar of your browser.

    2. Log on to the VPN Concentrator (Default: Login = admin, password = admin).

    3. Select Configuration > System > Servers > Authentication, and click Add (from the left menu).


    4. Select the server type RADIUS and add these parameters for your Cisco Secure ACS for Windows RADIUS server. Leave all other parameters in their default state.

      • Authentication Server—Enter the IP address of your Cisco Secure ACS for Windows RADIUS server.

      • Server Secret—Enter the RADIUS server secret. This must be the same secret you use when you configure the VPN 3000 Concentrator in the Cisco Secure ACS for Windows configuration.

      • Verify—Re-enter the password for verification.

        This adds the authentication server to the global configuration of the VPN 3000 Concentrator. All groups use this server unless a group has its own authentication server defined; a group without one falls back to the global authentication server.


  2. Configure the Tunnel Group on the VPN 3000 Concentrator.

    1. Select Configuration > User Management > Groups (from the left menu) and click Add.

    2. Change or add these parameters in the Configuration tabs. Do not click Apply until you change all of these parameters:

      Note: These parameters are the minimum needed for remote access VPN connections. These parameters also assume the default settings in the Base Group on the VPN 3000 Concentrator have not been changed.

      Identity

      • Group Name—Type a group name. For example, IPsecUsers.

      • Password—Enter a password for the group. This is the pre-shared key for the IKE session.

      • Verify—Re-enter the password for verification.

      • Type—Leave this as the default: Internal.


      IPsec

      • Tunnel Type—Select Remote-Access.

      • Authentication—RADIUS. This tells the VPN Concentrator what method to use to authenticate users.

      • Mode Config—Select the Mode Config checkbox.


    3. Click Apply.

  3. Configure multiple authentication servers on the VPN 3000 Concentrator.

    1. Once the group is defined, highlight that group, and click Modify Auth. Servers. Individual authentication servers can be defined for each group even if these servers do not exist in the global servers.

    2. Select the server type RADIUS, and add these parameters for your Cisco Secure ACS for Windows RADIUS server. Leave all other parameters in their default state.

      • Authentication Server—Enter the IP address of your Cisco Secure ACS for Windows RADIUS server.

      • Server Secret—Enter the RADIUS server secret. This must be the same secret you use when you configure the VPN 3000 Concentrator in the Cisco Secure ACS for Windows configuration.

      • Verify—Re-enter the password for verification.


  4. Add the VPN 3000 Concentrator to the Cisco Secure ACS for Windows server configuration.

    1. Double-click the ACS Admin icon to start the admin session on the PC that runs the Cisco Secure ACS for Windows RADIUS server. Log in with the proper username and password, if required.

    2. Select Network Configuration, and click Add Entry under the Network Device group.

      1. Create the new group name.

      2. Click Submit. The new group name appears in the Network Device Groups list.

        Instead of creating a new group, you can click the Not Assigned group and add the VPN Concentrator as the AAA client. But Cisco does not recommend that you create a new group.

      3. Click the New group and click Add Entry under the AAA clients.

        Note: In the context of Cisco Secure ACS, an AAA client is any network device that provides AAA client functionality and supports an AAA security protocol that is also supported by Cisco Secure ACS. This includes Cisco access servers, Cisco PIX firewalls, Cisco VPN 3000 Series Concentrators, Cisco VPN 5000 Series Concentrators, Cisco IOS® routers, Cisco Aironet Access Point 340 and 350 devices, and some Cisco Catalyst switches.

      4. Add these parameters for your VPN 3000 Concentrator:

      • AAA Client Hostname—Enter the hostname of your VPN 3000 Concentrator (for DNS resolution).

      • AAA Client IP Address—Enter the IP address of your VPN 3000 Concentrator.

      • Key—Enter the RADIUS server secret. This must be the same secret you configured when you added the Authentication Server on the VPN Concentrator in step 1.

      • Network Device Group—From the list, select the network device group in which the VPN Concentrator belongs.

      • Authenticate Using—Select RADIUS (Cisco VPN 3000/ASA/PIX 7.x and later). This allows the VPN 3000 VSAs to display in the Group configuration window.


    3. Click Submit.

    4. Select Interface Configuration, click RADIUS Cisco VPN 3000/ASA/PIX 7.x and later, and check Group [26] Vendor-Specific.

      Note: 'RADIUS attribute 26' refers to all vendor-specific attributes. For example, select Interface Configuration > RADIUS (Cisco VPN 3000/ASA/PIX 7.x and later) and note that all of the available attributes start with 026. This shows that all of these vendor-specific attributes fall under the IETF RADIUS attribute 26 standard. These attributes do not appear in User Setup or Group Setup by default. To make them appear in Group Setup, create an AAA client (in this case the VPN 3000 Concentrator) that authenticates with RADIUS in the Network Configuration. Then, in Interface Configuration, check the attributes that need to appear in User Setup, Group Setup, or both.

      The RADIUS Attributes document describes the available attributes and their usage.

    5. Click Submit.

  5. Add groups to the Cisco Secure ACS for Windows configuration.

    1. Select Group Setup, then select one of the template groups (for example, Group 0), and click Rename Group.


      Change the name to something appropriate for your organization. For example, Engineering, Sales, or Marketing. Since users are added to these groups, make the group name reflect the actual purpose of that group. If all users are put into the same group, you can call it VPN Users Group.

    2. Click Edit Settings to edit the parameters in your newly renamed group.

    3. Click Cisco VPN 3000 RADIUS/ASA/PIX 7.x and later and configure these recommended attributes. This allows users assigned to this group to inherit the Cisco VPN 3000 RADIUS attributes, which allows you to centralize policies for all users in Cisco Secure ACS for Windows.

      Note: Technically, Cisco VPN 3000/ASA/PIX 7.x and later RADIUS attributes are not required to be configured as long as the Tunnel Group is set up as step 2 recommends and the Base Group in the VPN Concentrator does not change from the original default settings.

      Recommended VPN 3000 Attributes:

      • Primary-DNS—Enter the IP address of your Primary DNS server.

      • Secondary-DNS—Enter the IP address of your Secondary DNS server.

      • Primary-WINS—Enter the IP address of your Primary WINS server.

      • Secondary-WINS—Enter the IP address of your Secondary WINS server.

      • Tunneling-Protocols—Select IPsec. This allows only IPsec Client connections. PPTP or L2TP are not allowed.

      • IPsec-Sec-Association—Enter ESP-3DES-MD5. This ensures all your IPsec clients connect with the highest encryption available.

      • IPsec-Allow-Password-Store—Select Disallow so users are not allowed to save their password in the VPN Client.

      • IPsec-Banner—Enter a welcome message banner to be presented to the user upon connection. For example, "Welcome to MyCompany employee VPN access!"

      • IPSec-Default Domain—Enter the domain name of your company. For example, "mycompany.com".


      This set of attributes is not necessary. But if you are unsure if the Base Group attributes of the VPN 3000 Concentrator have changed, then Cisco recommends that you configure these attributes:

      • Simultaneous-Logins—Enter the number of times you allow a user to simultaneously log in with the same username. The recommendation is 1 or 2.

      • SEP-Card-Assignment—Select Any-SEP.

      • IPsec-Mode-Config—Select ON.

      • IPsec-Through-NAT—Select OFF, unless you want users in this group to connect using IPsec over the UDP protocol. If you select ON, the VPN Client still has the ability to locally disable IPsec through NAT and connect normally.

      • IPsec-Through-NAT-Port—Select a UDP port number in the range of 4001 through 49151. This is used only if IPsec-through-NAT is ON.

      The next set of attributes requires that you set something up on the VPN Concentrator first before you can use them. This is only recommended for advanced users.

      • Access-Hours—This requires you to set up a range of Access Hours on the VPN 3000 Concentrator under Configuration > Policy Management. Instead, use Access Hours available in Cisco Secure ACS for Windows to manage this attribute.

      • IPsec-Split-Tunnel-List—This requires you to set up a Network List on the VPN Concentrator under Configuration > Policy Management > Traffic Management. This is a list of networks sent down to the client that tell the client to encrypt data to only those networks in the list.

    4. Select Submit > Restart to save the configuration and activate the new group.

    5. Repeat these steps to add more groups.

  6. Configure Users on Cisco Secure ACS for Windows.

    1. Select User Setup, enter a username, and click Add/Edit.


    2. Configure these parameters under the user setup section:

      • Password Authentication—Select Cisco Secure Database.

      • Cisco Secure PAP - Password—Enter a password for the user.

      • Cisco Secure PAP - Confirm Password—Re-enter the password for the new user.

      • Group to which the user is assigned—Select the name of the group you created in the previous step.


    3. Click Submit to save and activate the user settings.

    4. Repeat these steps to add additional users.

  7. Test Authentication.

    Select Configuration > System > Servers > Authentication > Test on the VPN 3000 Concentrator.


    Test authentication from the VPN Concentrator to the Cisco Secure ACS for Windows server by entering the username and password you configured in the Cisco Secure ACS for Windows.


    On a good authentication, the VPN Concentrator shows an "Authentication Successful" message.


    If there are failures in Cisco Secure ACS for Windows, the Cisco Secure ACS for Windows Reports and Activity > Failed Attempts menu shows the failures. In a default installation, these failure reports are on disk in c:\Program Files\CiscoSecure ACS v2.5\Logs\Failed Attempts.

    Note: The Cisco VPN 3000 Concentrator only uses Password Authentication Protocol (PAP) when TEST authentication is used.

  8. Connect to the VPN 3000 Concentrator.

    Now you can connect to the VPN 3000 Concentrator using the client. Be sure the VPN Client is configured to use the same group name and password configured in step 2.

Add Accounting

After authentication works, you can add accounting.

On the VPN 3000, select Configuration > System > Servers > Accounting.


Click Add in order to add the Cisco Secure ACS for Windows server.


You can add individual accounting servers to each group when you select Configuration > User Management > Groups. Highlight a group and click Modify Acct. Servers.


Enter the IP address of the Accounting Server with the Server Secret.


In Cisco Secure ACS for Windows, the accounting records appear as this output shows:

Date,Time,User-Name,Group-Name,Calling-Station-Id,Acct-Status-Type,Acct-Session-Id,Acct-Session-Time,Service-Type,Framed-Protocol,Acct-Input-Octets,Acct-Output-Octets,Acct-Input-Packets,Acct-Output-Packets,Framed-IP-Address,NAS-Port,NAS-IP-Address
03/23/2000,14:04:10,csntuser,3000,,Start,7ED00001,,Framed,PPP,,,,,10.99.99.1,1009,172.18.124.133
03/23/2000,14:07:01,csntuser,3000,,Stop,7ED00001,171,Framed,PPP,5256,0,34,0,10.99.99.1,1009,172.18.124.133
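As an added example that is not part of the Cisco document, the following code parses accounting output in the format shown above, pairs Start and Stop records into sessions, and flags a user whose concurrent sessions exceed the Simultaneous-Logins value from the group attributes. The Start and Stop records for session 7ED00001 are the ones from the document; the second Start record (session 7ED00002) is constructed to show a second concurrent login by the same user.

```python
# Added example (not from the Cisco document): parse the Cisco Secure ACS
# accounting CSV shown above, pair Start/Stop records per session, and flag a
# user who exceeds the Simultaneous-Logins limit. Records 1 and 3 are the
# document's; record 2 is constructed to show a second concurrent login.
import csv
import io
from datetime import datetime
from typing import Dict, List, Tuple

ACCOUNTING_CSV = """\
Date,Time,User-Name,Group-Name,Calling-Station-Id,Acct-Status-Type,Acct-Session-Id,Acct-Session-Time,Service-Type,Framed-Protocol,Acct-Input-Octets,Acct-Output-Octets,Acct-Input-Packets,Acct-Output-Packets,Framed-IP-Address,NAS-Port,NAS-IP-Address
03/23/2000,14:04:10,csntuser,3000,,Start,7ED00001,,Framed,PPP,,,,,10.99.99.1,1009,172.18.124.133
03/23/2000,14:05:30,csntuser,3000,,Start,7ED00002,,Framed,PPP,,,,,10.99.99.2,1010,172.18.124.133
03/23/2000,14:07:01,csntuser,3000,,Stop,7ED00001,171,Framed,PPP,5256,0,34,0,10.99.99.1,1009,172.18.124.133
"""

def parse_records(text: str = ACCOUNTING_CSV) -> List[Dict[str, str]]:
    """ACS writes a header row, so each record becomes a column-name -> value dict."""
    return list(csv.DictReader(io.StringIO(text)))

def _stamp(rec: Dict[str, str]) -> datetime:
    return datetime.strptime(rec["Date"] + " " + rec["Time"], "%m/%d/%Y %H:%M:%S")

def sessions(records: List[Dict[str, str]]) -> Dict[Tuple[str, str], Dict[str, object]]:
    """Pair Start/Stop by (NAS-IP-Address, Acct-Session-Id); the session ID is
    only unique per NAS. A session without a Stop record stays open (stop=None)."""
    out: Dict[Tuple[str, str], Dict[str, object]] = {}
    for rec in records:
        key = (rec["NAS-IP-Address"], rec["Acct-Session-Id"])
        s = out.setdefault(key, {"user": rec["User-Name"], "ip": rec["Framed-IP-Address"],
                                 "start": None, "stop": None, "seconds": 0, "octets_in": 0})
        if rec["Acct-Status-Type"] == "Start":
            s["start"] = _stamp(rec)
        elif rec["Acct-Status-Type"] == "Stop":  # counters are only present on Stop
            s["stop"] = _stamp(rec)
            s["seconds"] = int(rec["Acct-Session-Time"] or 0)
            s["octets_in"] = int(rec["Acct-Input-Octets"] or 0)
    return out

def concurrent_login_violations(records: List[Dict[str, str]],
                                max_logins: int = 1) -> List[Tuple[str, str, int]]:
    """Replay Start/Stop in time order and report (user, time, open-count) each
    time a user's open sessions exceed max_logins (the Simultaneous-Logins value)."""
    open_count: Dict[str, int] = {}
    hits: List[Tuple[str, str, int]] = []
    for rec in sorted(records, key=_stamp):
        user = rec["User-Name"]
        if rec["Acct-Status-Type"] == "Start":
            open_count[user] = open_count.get(user, 0) + 1
            if open_count[user] > max_logins:
                hits.append((user, rec["Time"], open_count[user]))
        elif rec["Acct-Status-Type"] == "Stop":
            open_count[user] = max(open_count.get(user, 0) - 1, 0)
    return hits
```

Call parse_records() on the exported CSV and feed the result to sessions() and concurrent_login_violations(); sessions still open at the end of the file are those with stop set to None.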

Specify Individual IP Pools for Each Group

You can specify individual IP pools to each group. The user is assigned an IP address from the pool configured for the group. If a pool is not defined for a particular group, the user is assigned an IP address from the global pool. Select Configuration > User Management > Groups to configure individual pools for each group.


Highlight a group and click Modify Address Pool. Click Add to add the IP pool. The pool of IP addresses defined here can be a subset of the global pool.


Debugging

If connections do not work, you can add AUTH, IKE, and IPsec event classes to the VPN Concentrator when you select Configuration > System > Events > Classes > Modify (Severity to Log=1-9, Severity to Console=1-3). AUTHDBG, AUTHDECODE, IKEDBG, IKEDECODE, IPSECDBG, and IPSECDECODE are also available, but may provide too much information. If detailed information is needed on the attributes that are passed down from the RADIUS server, AUTHDECODE, IKEDECODE, and IPSECDECODE provide this at the Severity to Log=1-13 level.


Retrieve the event log from Monitoring > Filterable Event Log.


Cisco Secure ACS for Windows failures are found in Reports and Activity > Failed attempts > active.csv.
