Guest

Cisco VPN 3000 Series Concentrators

Configuring the Cisco VPN 3000 Concentrator with Microsoft RADIUS

Document ID: 20585

Updated: Mar 24, 2008

   Print

Introduction

Microsoft Internet Authentication Server (IAS) and Microsoft Commercial Internet System (MCIS 2.0) are currently available. The Microsoft RADIUS server is convenient because it uses the Active Directory on the Primary Domain Controller for its user database. You no longer need to maintain a separate database. It also supports 40-bit and 128-bit encryption for Point-to-Point Tunneling Protocol (PPTP) VPN connections. Refer to the Microsoft Checklist: Configuring IAS for dial-up and VPN access leavingcisco.com documentation for more information.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document is not restricted to specific software and hardware versions.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Install and Configure the RADIUS Server on Windows 2000 and Windows 2003

Install the RADIUS Server

If you do not have the RADIUS server (IAS) already installed, perform these steps in order to install. If you already have the RADIUS server installed, continue to the configuration steps.

  1. Insert the Windows Server compact disc and start the setup program.

  2. Click Install Add-On Components, and then click Add/Remove Windows Components.

  3. In Components, click Networking Services (but do not select or clear the check box), and then click Details.

  4. Check Internet Authentication Service and click OK.

  5. Click Next.

Configure the Microsoft Windows 2000 Server with IAS

Complete these steps in order to configure the RADIUS server (IAS) and to start the service in order to make it available to authenticate users on the VPN Concentrator.

  1. Choose Start > Programs > Administrative Tools > Internet Authentication Service.

  2. Right-click Internet Authentication Service, and click Properties from the submenu that appears.

  3. Go to the RADIUS tab in order to examine the settings for ports.

    If your RADIUS authentication and RADIUS accounting User Datagram Protocol (UDP) ports differ from the default values provided (1812 and 1645 for authentication, 1813 and 1646 for accounting) in Authentication and Accounting, type your port settings. Click OK when you are finished.

    Note: Do not change the default ports. Separate the ports by using commas to use multiple port settings for authentication or accounting requests.

  4. Right-click Clients and choose New Client in order to add the VPN Concentrator as an authentication, authorization, and accounting (AAA) client to the RADIUS server (IAS).

    Note: If redundancy is configured between two Cisco VPN 3000 Concentrators, the backup Cisco VPN 3000 Concentrator must also be added to the RADIUS server as a RADIUS client.

  5. Enter a friendly name and select as Protocol Radius.

  6. Define the VPN Concentrator with an IP address or DNS name on the next window.

  7. Choose Cisco from the Client-Vendor scrollbar.

  8. Enter a shared secret.

    Note: You must remember the exact secret that you use. You need this information in order to configure the VPN Concentrator.

  9. Click Finish.

  10. Double-click Remote Access Policies and double-click the policy that appears in the right side of the window.

    Note: After you install IAS, a remote access policy should already exist.

    In Windows 2000, authorization is granted based on the dial-in properties of a user account and remote access policies. Remote access policies are a set of conditions and connection settings that give network administrators more flexibility in authorizing connection attempts. The Windows 2000 Routing and Remote Access service and the Windows 2000 IAS both use remote access policies to determine whether to accept or reject connection attempts. In both cases, the remote access policies are stored locally. Refer to the Windows 2000 IAS documentation for more information about how connection attempts are processed.

    cisco_vpn_msradius.gif

  11. Choose Grant remote access permission and click Edit Profile in order to configure dial-in properties.

  12. Select the protocol to use for authentication on the Authentication tab. Check Microsoft Encrypted Authentication version 2 and uncheck all other authentication protocols.

    Note: Settings in this Dial-In Profile must match the settings in the VPN 3000 Concentrator configuration and Dial-In client. In this example MS-CHAPv2 authentication without PPTP encryption is used.

  13. On the Encryption tab check No Encryption only.

  14. Click OK in order to close the Dial-In profile, then click OK in order to close the remote access policy window.

  15. Right-click Internet Authentication Service and click Start Service in the console tree.

    Note: You can also use this function to stop the service.

  16. Complete these steps in order to modify the users to allow the connection.

    1. Choose Console > Add/Remove Snap-in.

    2. Click Add and choose Local Users and Groups snap-in.

    3. Click Add.

    4. Make sure to select Local Computer

    5. Click Finish and OK.

  17. Expand Local User and Groups and click the Users folder in the left pane. In the right pane, double-click the user (VPN User) you want to allow access.

  18. Go to the Dial-in tab and choose Allow Access under Remote Access Permission (Dial-in or VPN).

    cvpn3k_pix_ias-k.gif

  19. Click Apply and OK in order to complete the action. You can close the Console Management window and save the session, if desired.

    The users that you modified are now able to access the VPN Concentrator with the VPN Client. Keep in mind that the IAS server only authenticates the user information. The VPN Concentrator still does the group authentication.

Configure the Microsoft Windows 2003 Server with IAS

Complete these steps in order to configure the Microsoft Windows 2003 server with IAS.

Note: These steps assume that IAS is already installed on the local machine. If not, add this through Control Panel > Add/Remove Programs.

  1. Choose Administrative Tools > Internet Authentication Service and right-click on RADIUS Client in order to add a new RADIUS client. After you type the client information, click OK.

  2. Enter a friendly name.

  3. Define the VPN Concentrator with an IP address or DNS name on the next window.

  4. Choose Cisco from the Client-Vendor scrollbar.

  5. Enter a shared secret.

    Note: You must remember the exact secret that you use. You need this information in order to configure the VPN Concentrator.

  6. Click OK to complete.

  7. Go to Remote Access Policies, right-click on Connections to Other Access Servers, and choose Properties.

  8. Choose Grant remote access permission and click Edit Profile in order to configure Dial-In properties.

  9. Select the protocol to use for authentication on the Authentication tab. Check Microsoft Encrypted Authentication version 2 and uncheck all other authentication protocols.

    Note: Settings in this Dial-In Profile must match the settings in the VPN 3000 Concentrator configuration and Dial-In client. In this example MS-CHAPv2 authentication without PPTP encryption is used.

  10. On the Encryption tab check No Encryption only.

  11. Click OK when you are finished.

    cvpn3k_pix_ias-m.jpg

  12. Right-click Internet Authentication Service and click Start Service in the console tree.

    Note: You can also use this function in order to stop the service.

  13. Choose Administrative Tools > Computer Management > System Tools > Local Users and Groups, right-click on Users and choose New Users in order to add a user into the local computer account.

  14. Add user with Cisco password "vpnpassword" and check this profile information.

    • On the General tab, ensure that the option for Password Never Expired is selected instead of the option for User Must Change Password.

    • On the Dial-in tab, choose the option for Allow access (or leave default setting of Control access through Remote Access Policy).

    Click OK when you are finished.

    cvpn3k_pix_ias-n.jpg

Configure the Cisco VPN 3000 Concentrator for RADIUS Authentication

Complete these steps in order to configure the Cisco VPN 3000 Concentrator for RADIUS authentication.

  1. Connect to the VPN Concentrator with your Web Browser, and choose Configuration > System > Servers > Authentication from the left frame menu.

    cisco_vpn_msradius_1.gif

  2. Click Add and configure these settings.

    • Server Type = RADIUS

    • Authentication Server = IP Address or Hostname of your RADIUS server (IAS)

    • Server Port = 0 (0=default=1645)

    • Server Secret = same as in step 8 in the section on Configure the RADIUS Server

    cisco_vpn_msradius_2.gif

  3. Click Add in order to add the changes to the running configuration.

  4. Click Add, choose Internal Server for Server Type, and click Apply.

    You need this later in order to configure an IPsec Group (You need only Server Type = Internal Server).

    cisco_vpn_msradius_3.gif

  5. Configure the VPN Concentrator for PPTP users or for VPN Client users.

      PPTP

      Complete these steps in order to configure for PPTP users.

    1. Choose Configuration > User Management > Base Group, and click the PPTP/L2TP tab.

    2. Choose MSCHAPv2 and uncheck other authentication protocols in the PPTP Authentication Protocols section.

      cisco_vpn_msradius_4.gif

    3. Click Apply at the bottom of the page in order to add the changes to the running configuration.

      Now when PPTP users connect, they are authenticated by the RADIUS server (IAS).

      VPN Client

      Complete these steps in order to configure for VPN Client users.

    1. Choose Configuration > User Management > Groups and click Add in order to add a new group.cisco_vpn_msradius_5.gif

    2. Type a group name (for example, IPsecUsers) and a password.

      cisco_vpn_msradius_6.gif

      This password is used as the pre-shared key for the tunnel negotiation.

    3. Go to the IPSec tab and set Authentication to RADIUS.

      cisco_vpn_msradius_7.gif

      This allows IPsec clients to be authenticated via the RADIUS Authentication server.

    4. Click Add at the bottom of the page in order to add the changes to the running configuration.

      Now when IPsec clients connect and use the group you configured, they are authenticated by the RADIUS server.

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

WebVPN Authentication Fails

These sections provide information you can use to troubleshoot your configuration.

  • Problem: The WebVPN users are not able to authenticate against the RADIUS server but can authenticate successfully with the local database of the VPN Concentrator. They receive errors such as "Login failed" and this message.

    cisco_vpn_msradius_8.gif

    Cause: These kinds of problems often happen when any database other than the internal database of the Concentrator is used. WebVPN users hit the Base Group when they first connect to the Concentrator and must use the default authentication method. Often this method is set to the internal database of the Concentrator and is not a configured RADIUS or other server.

    Solution: When a WebVPN user authenticates, the Concentrator checks the list of servers defined at Configuration > System > Servers > Authentication and uses the top one. Make sure to move the server that you want WebVPN users to authenticate with to the top of this list. For example, if RADIUS should be the authentication method, you need to move the RADIUS server to the top of the list to push the authentication to it.

    Note: Just because WebVPN users initially hit the Base Group does not mean that they are confined to the Base Group. Additional WebVPN groups can be configured on the Concentrator, and users can be assigned to them by the RADIUS server with the population of attribute 25 with OU=groupname . Refer to Locking Users into a VPN 3000 Concentrator Group Using a RADIUS Server for a more detailed explanation.

User Authentication Fails Against the Active Directory

In the Active Directory server, on the Account tab of the User Properties of the failing user, you can see this check box:

[x] Do not require pre-authentication

If this check box is unchecked, check it, and try to authenticate again with this user.

Related Information

Updated: Mar 24, 2008
Document ID: 20585