The Cisco Meraki MX Security Appliance supports Active Directory authentication with Client VPN, so a client will be required to provide domain credentials in order to connect via VPN.
Published on 22 Nov 2005 · Filed in Tutorial · 744 words (estimated 4 minutes to read)Rather than publishing this information in PDF form on my business website, I’ve decided to try something new and post it here as a blog entry. So, here goes.
This information assumes that you have some experience with the Cisco PIX firewall (i.e., you know how to enter configuration commands and have a basic idea of what the configuration commands actually do) as well as some experience with Windows and Active Directory.
Cisco Vpn Authentication Active Directory Client
With that information in hand, let’s get started.
Configuring the Cisco PIX
First, we’ll need to setup the PIX firewall. Use the commands below to configure the PIX for PPTP-based VPN connections that will authenticate against an Active Directory back-end.
- Access the Active Directory Users and Computers management interface on the Windows 2016. Select the Users container folder, right-click the mouse, and open Properties. Take note of the DistinguishedName value that will be used later in the RV34x router User Container Path field. Create a User Group for Active Directory.
- Cisco Meraki Client VPN can be configured to use a RADIUS server to authenticate remote users against an existing userbase. This article outlines the configuration requirements for RADIUS-authenticated Client VPN, as well an example RADIUS configuration steps using Microsoft NPS on Windows Server 2008.
- Cisco ASA – AnyConnect VPN with Active Directory Authentication Complete Setup Guide. This article will discuss setting up Cisco Anyconnect with LDAP/Domain Authentication. I will be showing both the ASDM/GUI and CLI commands. I recommend the GUI method once, then use the CLI once you understand it. Replace the following below with your own: '10.0.1.10' with your AD/DNS Server 'DC=SDC,DC=LOCAL' with the base DN of your Domain, my domain was SDC.LOCAL 'CN=administrator,CN=Users,DC=SDC,DC.
- Authenticate Anyconnect VPN against Active Directory Hi, I have a Cisco ASA5520 and have configured it to authenticate against AD using a win2008 box running Network policy server.
(Note that I have placed a backslash to indicate text that is wrapped onto two lines here but should be entered all on a single line in the PIX configuration.)
In this configuration, replace the IP addresses on lines 2 and 3 (the
aaa-server vpn-auth
commands) with the IP addresses of the servers running Internet Authentication Service (IAS) on Windows. See the next section for more information on configuring IAS.On those same lines, replace the text
secretkey
with the RADIUS shared secret that will be used when configuring the RADIUS/IAS server in the next section.Likewise, replace the IP addresses on lines 9 and 10 (the
vdpn group vpn-pptp-group client configuration
lines that pass out the DNS and WINS servers to VPN clients) with the IP addresses of your DNS and WINS servers, respectively.That should do it. Save the configuration to the PIX and then move on to configuring IAS.
Configuring Internet Authentication Service
Before doing anything else, create a new global security group in Active Directory. Call it something like “VPN Users” or similar. We’ll use this group later as an additional security check in validating VPN connections.
Next, install IAS using the Add/Remove Programs icon in Control Panel. Once it has been installed, launch it from the Administrative Tools folder on the Start Menu and we’ll proceed with configuring it for authenticating VPN connections to the PIX firewall.
First, we need to grant IAS permission to read dial-in properties from user accounts in Active Directory. To do this, right-click on the “Internet Authentication Service (Local)” and select “Register Server in Active Directory”. Select Yes (or OK) if prompted to confirm.
With that done, we can now configure the PIX firewall as a RADIUS client. Right-click on RADIUS Clients and select New RADIUS Client. In the wizard, specify the IP address (or DNS name) of the PIX firewall’s internal IP address and the shared secret. Note that this shared secret is the same secret key specified in the PIX configuration above. RADIUS clients use this to authenticate to RADIUS servers, so make it a reasonably strong password.
![Cisco router vpn active directory authentication Cisco router vpn active directory authentication](/uploads/1/1/4/0/114014027/331621721.png)
Now create a remote access policy. Right-click on Remote Access Policies and select New Remote Access Policy. In the wizard, specify a name, select to create a custom policy, and then add the following conditions to the policy:
- NAS-IP-Address: This will be the IP address of the PIX firewall’s internal interface. This helps to ensure that this policy only applies to VPN requests from this firewall and not from any other RADIUS client.
- Windows-Groups: This should be the security group created earlier. Any user that should be allowed to authenticate on a VPN connection will need to be a member of this group.
The rest of the policy should be very straightforward. Make this policy the first policy (using the Move Up/Move Down commands in the IAS console), add a user to the group created earlier, and then test your connection. Remote systems attempting to connect via PPTP should now be able to authenticate the VPN connection using their Active Directory usernames and passwords.
Although this was written from the perspective of authenticating PPTP connections, the process should be very similar for IPSec VPN clients as well.
Metadata and Navigation
Cisco Vpn Client Active Directory Authentication
Be social and share this post!
Related Posts
- IPSec, Mac OS X, and Windows Server 20035 Aug 2005
- Funky Active Directory Issue16 Aug 2005
- Linux-AD Integration Wrap-Up22 Jul 2005
The Request:#
Now that Cisco has included SSL VPN licensing as part of the 15.3(3)M IOS I have had multiple clients ask about turning on the capability and reaching back into Active Directory for authentication.
The Solution:#
The equipment I used to lab this solution:
- Cisco 881 w/ IOS 15.3(3)M3 (10.0.1.238)
- Windows Server 2008 R2 (10.0.1.231)
First we will go through the steps to configure the RADIUS server on Windows so we have access to Active Directory for authentication. You must first ensure the “Network Policy and Access Services” role is installed on the server. Once this role is installed we will go into NPS (Local) > RADIUS Clients and Servers > RADIUS Clients. Here will will configure our router as a RADIUS Client. Be sure to make note of the key you specify here as you will need it when configuring the RADIUS server on the router.
Once our RADIUS client is configured we will move on to configuring the Network Policies in NPS (Local) > Policies > Network Policies and clicking NEW under Actions.
Under the Conditions Tab you will want to add a Windows Group that contains your users that are allowed VPN access and a NAS IPv4 Address to specify the requesting router.
Under the Constraints tab you will only select Unencrypted Authentication (PAP, SPAP).
The Settings tab can be left at default. Make sure that you move your new policy to the top of the list!
Now that we have the Windows Server piece configured we can move on to the configuration of the router. I have included the main configuration blocks below. Be sure to bind radius requests to the interface with the IP you specified in the Windows Server configuration or else requests may fail. Depending on the environment some people choose to use a loopback address for this.
Note: The only interface I have configured on this router is the Fa4 interface with the IP 10.0.1.238 which is plugged into my lab environment. Also, when you first issue the webvpn gateway NAME command and self-signed cert and trustpoint will be configured. I have included a reference doc at the bottom that goes through the SSL VPN config in more detail.
Once you have your RADIUS server and additional aaa config in place you can test RADIUS authentication using the following command:
Next you can navigate to your SSL VPN site and attempt to log in. Everthing should be good to go if you have followed the steps above.
Conclusion:#
The ability to implement the Cisco IOS SSL VPN and tie it back into AD without any additional cost or licensing is a big thing to many of my clients. This will give many existing organizations a new capability to lock down their edge and really enhance remote access capabilities with the investment of a little time and possibly some consulting dollars. While I mainly focused on authenticating through AD/RADIUS in this article there are many other capabilities of the SSL VPN that I did not cover. Maybe in a future write up…
THANKS!#
I would like to say a quick thank you to the following references while I was working through this: