Configuring the Cisco VPN 3000 Concentrator with MS RADIUS
[LEFT][CODE]http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094700.shtml[/CODE]
[B]Document ID: 20585[/B]
[B]Contents[/B]
[INDENT] [B] Introduction
[/B] [B] Prerequisites
Requirements
Components Used
Conventions
[/B] [B] Install and Configure the Microsoft RADIUS Server on Windows 2000 and Windows 2003
Install the MS RADIUS Server
Configure the Microsoft Windows 2000 Server with IAS
Configure the Microsoft Windows 2003 Server with IAS
[/B] [B] Configure the Cisco VPN 3000 Concentrator for RADIUS Authentication
[/B] [B] Verify
[/B] [B] Troubleshoot
WebVPN Authentication Fails
User Authentication Fails Against the Active Directory
[/B] [B] Related Information [/B] [/INDENT][B] Introduction [/B]
Microsoft's RADIUS server ships as Internet Authentication Service (IAS); Microsoft Commercial Internet System (MCIS 2.0) is also available. The Microsoft (MS) RADIUS server is convenient because it authenticates users against the Active Directory database held on the domain controller, so you do not need to maintain a separate user database for the VPN. It also supports 40-bit and 128-bit Microsoft Point-to-Point Encryption (MPPE) for Point-to-Point Tunneling Protocol (PPTP) VPN connections. Refer to the [URL="http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_ias_checklist_corp.htm"]Microsoft Checklist: Configuring IAS for dial-up and VPN access[/URL] [IMG]http://www.cisco.com/images/exit.gif[/IMG] documentation for more information.
[B] Prerequisites [/B]
[B] Requirements [/B]
There are no specific requirements for this document.
[B] Components Used [/B]
This document is not restricted to specific software and hardware versions.
[B] Conventions [/B]
Refer to the [URL="http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a0080121ac5.shtml"]Cisco Technical Tips Conventions[/URL] for more information on document conventions.
[B] Install and Configure the Microsoft RADIUS Server on Windows 2000 and Windows 2003 [/B]
[B] Install the MS RADIUS Server [/B]
If you do not have the MS RADIUS server (IAS) installed yet, perform these steps in order to install it. If the RADIUS server is already installed, continue to the [URL="http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094700.shtml#config"]configuration steps[/URL].
[LIST=1]
[*] Insert the Windows Server compact disc and start the setup program.
[*] Click [B]Install Add-On Components[/B], and then click [B]Add/Remove Windows Components[/B].
[*] In Components, click [B]Networking Services[/B] (but do not select or clear the check box), and then click [B]Details[/B].
[*] Check [B]Internet Authentication Service[/B] and click [B]OK[/B].
[*] Click [B]Next[/B].
[/LIST]
[B] Configure the Microsoft Windows 2000 Server with IAS [/B]
Complete these steps in order to configure the MS RADIUS server (IAS) and to start the service in order to make it available to authenticate users on the VPN Concentrator.
[LIST=1]
[*] Choose [B]Start > Programs > Administrative Tools > Internet Authentication Service[/B].
[*] Right-click [B]Internet Authentication Service[/B], and click [B]Properties[/B] from the submenu that appears.
[*] Go to the RADIUS tab in order to examine the settings for ports.
If your RADIUS authentication and RADIUS accounting User Datagram Protocol (UDP) ports differ from the default values provided (1812 and 1645 for authentication, 1813 and 1646 for accounting) in Authentication and Accounting, type your port settings. Click [B]OK[/B] when you are finished.
[B]Note: [/B]Do not change the default ports. Separate the ports by using commas to use multiple port settings for authentication or accounting requests.
[*] Right-click [B]Clients[/B] and choose [B]New Client[/B] in order to add the VPN Concentrator as an authentication, authorization, and accounting (AAA) client to the MS RADIUS server (IAS).
[B]Note: [/B]If redundancy is configured between two Cisco VPN 3000 Concentrators, the backup Cisco VPN 3000 Concentrator must also be added to the RADIUS server as a RADIUS client.
[*] Enter a friendly name and select [B]RADIUS[/B] as the protocol.
[*] Define the VPN Concentrator with an IP address or DNS name on the next window.
[*] Choose [B]Cisco[/B] from the Client-Vendor scrollbar.
[*] Enter a shared secret.
[B]Note: [/B]You must remember the [I]exact[/I] secret that you use. You need this information in order to configure the VPN Concentrator. The secret is case sensitive; because it is all that authenticates the concentrator to IAS and hides user passwords in transit, use a long random value and a different one for each RADIUS client.
[*] Click [B]Finish[/B].
[*] Double-click [B]Remote Access Policies[/B] and double-click the policy that appears in the right side of the window.
[B]Note: [/B]After you install IAS, a remote access policy should already exist.
In Windows 2000, authorization is granted based on the dial-in properties of a user account and remote access policies. Remote access policies are a set of conditions and connection settings that give network administrators more flexibility in authorizing connection attempts. The Windows 2000 Routing and Remote Access service and the Windows 2000 IAS both use remote access policies to determine whether to accept or reject connection attempts. In both cases, the remote access policies are stored locally. Refer to the Windows 2000 IAS documentation for more information about how connection attempts are processed.
[IMG]http://www.cisco.com/image/gif/paws/20585/cisco_vpn_msradius.gif[/IMG]
[*] Choose [B]Grant remote access permission[/B] and click [B]Edit Profile[/B] in order to configure dial-in properties.
[*] Select the protocol to use for authentication on the Authentication tab. Check [B]Microsoft Encrypted Authentication version 2[/B] (MS-CHAPv2) and uncheck all other authentication protocols.
[B]Note: [/B]Settings in this Dial-In Profile must match the settings in the VPN 3000 Concentrator configuration and Dial-In client. In this example MS-CHAPv2 authentication without PPTP encryption is used, which is suitable only for a lab: traffic inside an unencrypted PPTP tunnel crosses the network in the clear. For a real deployment, require MPPE encryption both here (Encryption tab) and in the concentrator's PPTP settings, and prefer the IPsec VPN Client group described later in this document, because a captured MS-CHAPv2 handshake can be cracked offline.
[*] On the Encryption tab check [B]No Encryption[/B] only.
[*] Click [B]OK[/B] in order to close the Dial-In profile, then click [B]OK[/B] in order to close the remote access policy window.
[*] Right-click [B]Internet Authentication Service[/B] and click [B]Start Service[/B] in the console tree.
[B]Note: [/B]You can also use this function to stop the service.
[*] Complete these steps in order to modify the users to allow the connection.
[LIST=1]
[*] Choose [B]Console > Add/Remove Snap-in[/B].
[*] Click [B]Add[/B] and choose the [B]Local Users and Groups[/B] snap-in.
[*] Click [B]Add[/B].
[*] Make sure to select [B]Local Computer[/B].
[*] Click [B]Finish[/B] and [B]OK[/B].
[/LIST]
[*] Expand [B]Local Users and Groups[/B] and click the [B]Users[/B] folder in the left pane. In the right pane, double-click the user (VPN User) you want to allow access.
[*] Go to the Dial-in tab and choose [B]Allow Access[/B] under Remote Access Permission (Dial-in or VPN).
[IMG]http://www.cisco.com/image/gif/paws/20585/cvpn3k_pix_ias-k.gif[/IMG]
[*] Click [B]Apply[/B] and [B]OK[/B] in order to complete the action. You can close the Console Management window and save the session, if desired.
The users that you modified are now able to access the VPN Concentrator with the VPN Client. Keep in mind that the IAS server only authenticates the user information. The VPN Concentrator still does the group authentication.
[/LIST]
[B] Configure the Microsoft Windows 2003 Server with IAS [/B]
Complete these steps in order to configure the Microsoft Windows 2003 server with IAS.
[B]Note: [/B]These steps assume that IAS is already installed on the local machine. If not, add this through [B]Control Panel > Add/Remove Programs[/B].
[LIST=1]
[*] Choose [B]Administrative Tools > Internet Authentication Service[/B] and right-click on [B]RADIUS Clients[/B] in order to add a new RADIUS client. After you type the client information, click [B]OK[/B].
[*] Enter a friendly name.
[*] Define the VPN Concentrator with an IP address or DNS name on the next window.
[*] Choose [B]Cisco[/B] from the Client-Vendor scrollbar.
[*] Enter a shared secret.
[B]Note: [/B]You must remember the [I]exact[/I] secret that you use. You need this information in order to configure the VPN Concentrator.
[*] Click [B]OK[/B] to complete.
[*] Go to [B]Remote Access Policies[/B], right-click on [B]Connections to Other Access Servers[/B], and choose [B]Properties[/B].
[*] Choose [B]Grant remote access permission[/B] and click [B]Edit Profile[/B] in order to configure Dial-In properties.
[*] Select the protocol to use for authentication on the Authentication tab. Check [B]Microsoft Encrypted Authentication version 2[/B] (MS-CHAPv2) and uncheck all other authentication protocols.
[B]Note: [/B]Settings in this Dial-In Profile must match the settings in the VPN 3000 Concentrator configuration and Dial-In client. In this example MS-CHAPv2 authentication without PPTP encryption is used (lab only: an unencrypted PPTP tunnel carries traffic in the clear).
[*] On the Encryption tab check [B]No Encryption[/B] only.
[*] Click [B]OK[/B] when you are finished.
[IMG]http://www.cisco.com/image/gif/paws/20585/cvpn3k_pix_ias-m.jpg[/IMG]
[*] Right-click [B]Internet Authentication Service[/B] and click [B]Start Service[/B] in the console tree.
[B]Note: [/B]You can also use this function in order to stop the service.
[*] Choose [B]Administrative Tools > Computer Management > System Tools > Local Users and Groups[/B], right-click on [B]Users[/B] and choose [B]New User[/B] in order to add a user to the local computer accounts.
[*] Add the user (the example uses the password "vpnpassword") and check this profile information.
[LIST]
[*] On the General tab, ensure that [B]Password never expires[/B] is selected instead of User must change password at next logon.
[*] On the Dial-in tab, choose [B]Allow access[/B] (or leave the default setting of Control access through Remote Access Policy).
[/LIST]
Click [B]OK[/B] when you are finished.
[IMG]http://www.cisco.com/image/gif/paws/20585/cvpn3k_pix_ias-n.jpg[/IMG]
[/LIST]
[B] Configure the Cisco VPN 3000 Concentrator for RADIUS Authentication [/B]
Complete these steps in order to configure the Cisco VPN 3000 Concentrator for RADIUS authentication.
[LIST=1]
[*] Connect to the VPN Concentrator with your Web Browser, and choose [B]Configuration > System > Servers > Authentication[/B] from the left frame menu.
[IMG]http://www.cisco.com/image/gif/paws/20585/cisco_vpn_msradius_1.gif[/IMG]
[*] Click [B]Add[/B] and configure these settings.
[LIST]
[*] Server Type = RADIUS
[*] Authentication Server = IP Address or Hostname of your MS RADIUS server (IAS)
[*] Server Port = 0 (0 = default = 1645; IAS listens on both 1645 and 1812 by default, so make sure any firewall between the concentrator and IAS passes UDP 1645 or 1812)
[*] Server Secret = same as in step 8 in the section on [URL="http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094700.shtml#config"]Configure the MS RADIUS Server[/URL]
[/LIST]
[IMG]http://www.cisco.com/image/gif/paws/20585/cisco_vpn_msradius_2.gif[/IMG]
[*] Click [B]Add[/B] in order to add the changes to the running configuration.
[*] Click [B]Add[/B], choose [B]Internal Server[/B] for Server Type, and click [B]Apply[/B].
You need this later in order to configure an IPsec Group (you need only Server Type = Internal Server).
[IMG]http://www.cisco.com/image/gif/paws/20585/cisco_vpn_msradius_3.gif[/IMG]
[*] Configure the VPN Concentrator for PPTP users or for VPN Client users.
[B]PPTP[/B]
Complete these steps in order to configure for PPTP users.
[LIST=1]
[*] Choose [B]Configuration > User Management > Base Group[/B], and click the [B]PPTP/L2TP[/B] tab.
[*] Choose [B]MSCHAPv2[/B] and uncheck other authentication protocols in the PPTP Authentication Protocols section.
[IMG]http://www.cisco.com/image/gif/paws/20585/cisco_vpn_msradius_4.gif[/IMG]
[*] Click [B]Apply[/B] at the bottom of the page in order to add the changes to the running configuration.
[/LIST]
Now when PPTP users connect, they are authenticated by the MS RADIUS server (IAS).
[B]VPN Client[/B]
Complete these steps in order to configure for VPN Client users.
[LIST=1]
[*] Choose [B]Configuration > User Management > Groups[/B] and click [B]Add[/B] in order to add a new group.
[IMG]http://www.cisco.com/image/gif/paws/20585/cisco_vpn_msradius_5.gif[/IMG]
[*] Type a group name (for example, IPsecUsers) and a password.
[IMG]http://www.cisco.com/image/gif/paws/20585/cisco_vpn_msradius_6.gif[/IMG]
This password is used as the pre-shared key for the tunnel negotiation. It is shared by every client in the group and the IKE exchange is keyed from it, so choose a long random value and treat it as a secret; it is not a substitute for the per-user RADIUS authentication configured in the next step.
[*] Go to the IPSec tab and set Authentication to [B]RADIUS[/B].
[IMG]http://www.cisco.com/image/gif/paws/20585/cisco_vpn_msradius_7.gif[/IMG]
This allows IPsec clients to be authenticated via the RADIUS Authentication server.
[*] Click [B]Add[/B] at the bottom of the page in order to add the changes to the running configuration.
[/LIST]
Now when IPsec clients connect and use the group you configured, they are authenticated by the MS RADIUS server.
[/LIST]
[B] Verify [/B]
Cisco provides no formal verification procedure for this configuration. In practice, confirm the RADIUS path end to end: connect once with a test user and check that IAS logged the attempt in the Windows System event log (source IAS; successes and rejections are logged as different events), and that the concentrator's event log shows the AUTH class events for the same session. A request that never appears in the IAS log points at the RADIUS client entry, a firewall, or the UDP port; a request that IAS rejects points at the remote access policy or the user's dial-in permission; a mismatched shared secret typically shows up as a rejection with an invalid credential, because the secret is what hides the password and authenticates the packets.
[B] Troubleshoot [/B]
These sections provide information you can use to troubleshoot your configuration.
[B] WebVPN Authentication Fails [/B]
[LIST][*] [B]Problem[/B]: The WebVPN users are not able to authenticate against the RADIUS server but can authenticate successfully with the local database of the VPN Concentrator. They receive errors such as "Login failed" and this message.
[IMG]http://www.cisco.com/image/gif/paws/20585/cisco_vpn_msradius_8.gif[/IMG]
[B]Cause[/B]: These kinds of problems often happen when any database other than the internal database of the Concentrator is used. WebVPN users hit the Base Group when they first connect to the Concentrator and must use the default authentication method. Often this method is set to the internal database of the Concentrator and is not a configured RADIUS or other server.
[B]Solution[/B]: When a WebVPN user authenticates, the Concentrator checks the list of servers defined at [B]Configuration > System > Servers > Authentication[/B] and uses the top one. Make sure to move the server that you want WebVPN users to authenticate with to the top of this list. For example, if RADIUS should be the authentication method, you need to move the RADIUS server to the top of the list to push the authentication to it.
[B]Note: [/B]Just because WebVPN users initially hit the Base Group does not mean that they are confined to the Base Group. Additional WebVPN groups can be configured on the Concentrator, and users can be assigned to them by the RADIUS server with the population of attribute 25 with [B]OU=[I]groupname[/I] [/B]. Refer to [URL="http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800946a2.shtml"]Locking Users into a VPN 3000 Concentrator Group Using a RADIUS Server[/URL] for a more detailed explanation.[/LIST]
[B] User Authentication Fails Against the Active Directory [/B]
In the Active Directory server, on the Account tab of the User Properties of the failing user, you can see this check box:
[B][x] Do not require Kerberos preauthentication [/B]
If this check box is unchecked, [B]check it[/B], and try to authenticate again with this user.
[B]Note: [/B]Disabling Kerberos pre-authentication lets anyone who can reach a domain controller obtain an AS-REP for that account and attack the password offline, so treat this as a diagnostic step, not a fix. If authentication succeeds only with the box checked, find out why IAS cannot read the account normally (a common cause is that the IAS server has not been registered in Active Directory, which places it in the RAS and IAS Servers group) and clear the box again once that is resolved.
[/LEFT]