How to Use Active Directory and RADIUS to Authenticate Cisco ASA VPN Users: Cisco ASA Training 101

Captions
Hello and welcome to Cisco ASA Training 101. My name is Don Crawley. I'm from soundtraining.net, where we're the Seattle, Washington-based publisher of learning resources and provider of accelerated training for IT professionals. This time I'm going to show you how to use Active Directory to authenticate Cisco ASA VPN users with RADIUS. This is a companion to chapter 8 in my book, The Accidental Administrator: Cisco ASA Security Appliance. The book is not required, but if you'd like to get a copy, it's available through the usual online resellers or through soundtraining.net/bookstore.

The ASA software version is 9.11, although the procedures I'm going to show you are fundamentally unchanged for several versions back, so it should work with even earlier versions. You may have to make a few minor adjustments in syntax, but nothing you can't figure out.

Here's our network diagram for the exercise. You'll need an Active Directory server, and actually you could use any RADIUS server with what I'm going to show you, but we're going to do this with Active Directory. And you'll need a management workstation connected to the ASA using a console cable, because everything I'm going to show you is going to be done in the command-line interface. As I've mentioned in other videos, I'm not hung up on doing things in the command-line interface or in the GUI; I'm just interested in doing things the easiest way possible, and I find it easier to do these particular procedures in the command line. Others may be in the GUI, so again, I just choose things based on what's easiest for me and presumably for you as well. You'll also need a VPN client connected to the outside of the ASA, and optionally you may want to have internet access, but it's certainly not required to follow along on the video.

More specific equipment and software requirements: a Cisco ASA security appliance with a base license and a remote access VPN already configured. We're simply going to add the RADIUS authentication to the existing remote access VPN. You'll need a computer serving as a management workstation and a computer serving as a VPN client. The one I'm using runs Windows 8, and the AnyConnect client that we're using is supported on Windows Vista, 7 or 8, although Cisco has other clients for other operating systems, so if you're using Linux or an earlier version of Windows or Mac or UNIX, there are clients available for you. You'll also need a computer running Microsoft Active Directory and RADIUS; on Windows Server 2012 that's the Network Policy and Access Services role. I'm not going to show you how to configure it in this video, but we do have another video that shows you how to set that up, so this video assumes that you already have that configured. You'll need a console cable connected to the serial port on the management workstation and to the console port on the ASA, and then some terminal emulation software such as PuTTY or whatever you prefer to use.

Here are the prerequisites. In order to do this exercise, you'll need unrestricted privileged mode access to a Cisco ASA security appliance and an Active Directory administrator user account and password.

A summary of the steps, pretty much the same as setting it up for, say, LDAP or Kerberos: you'll create a AAA server group, configure the group for RADIUS authentication, and add the authentication server group to the appropriate VPN users' tunnel group. So not a lot of steps, pretty straightforward really. The most challenging part of this is configuring the Windows Server 2012 box, and as I mentioned, that's in a different video.

Here's your disclaimer. This video is provided solely as a courtesy to you, our viewer. There are no guarantees whatsoever. Do not attempt these procedures on a production firewall without first testing them for security and suitability in a lab environment. Performing these procedures may open your firewall to the public Internet and subject your network to attack, so make sure you have current backups and take precautions, including data encryption and additional access controls, to protect sensitive data.

So let's do the demo. Now, you can see we're logged on to the ASA in its console in privileged mode, and we need to get to global configuration mode, so we'll use the configure terminal command, abbreviating it config t. And now we're in global configuration mode. We need to configure our AAA server group, so we're going to use the command aaa-server. Then we need to create a name for the server group, and as you know from watching other videos, if you have, I like to use names that are descriptive, that I can see in a configuration immediately and know what they're all about, so I like to put them in all caps and use a descriptive name. We're going to make this one RADIUS-SERVERS, so again in all caps. Oops. And now we need to specify the protocol, and we're going to specify RADIUS, but I thought I'd show you the others that are available, so here's a question mark just so you can see there are several others that are available, and we have videos for many of them, actually most of them, but we're going to use RADIUS on this. So, radius.

Now we need to tell the ASA where the RADIUS server is located, so again we're going to use a AAA server command: aaa-server RADIUS-SERVERS. And we need to tell the ASA which interface the RADIUS server is connected to, so we'll say inside, and then host, and put its IP address, which in our case is 192.168.101.2. Yours will probably be different, but that's the one we're using. Now I also need to configure the pre-shared key. On the RADIUS server it's configured as a shared secret; here it's called a key. This is just the machine-to-machine authentication, and it has to match. So key, and the pre-shared key that I'm using is P@ss5678.

Now we're ready to give it a test, so let's come out of this and use the test command to test our authentication. So we'll do test aaa-server authentication RADIUS-SERVERS host and put in the IP address of the server that we want to test, which is 192.168.101.2. The username we're going to use is user01; this is a user account in Active Directory that I've already configured. And password: we have to specify user01's password, which is P@ss1234. We'll hit Enter and see what happens. So it's testing it, and success! So we know that we've got the RADIUS server configured correctly and we know that the ASA is talking to the RADIUS server, but we still haven't configured VPN authentication, so we've got to do that with a tunnel group.

Now, as I mentioned at the beginning of the video, this video assumes that you already have a VPN set up, an AnyConnect VPN set up, on the ASA, so there are going to be tunnel groups already in existence, and we can see that with the command show run tunnel. It will show us our existing tunnel groups, so we just need to go in and modify the general attributes of the tunnel group that I've got. The one that I'm using is called account reps. Now, I'll show you a little trick with PuTTY. Let's go back into configuration mode, config t, and now I'm going to take my mouse and I'm just going to grab this line with my mouse, like that, and I'm going to right-click, and it will automatically paste whatever I've selected in at the prompt. It saves me from doing a lot of typing, and the way I type, it saves me a lot of fat-fingering and retyping.

Now all I need to do is configure the authentication server group, so I'm going to use the command authentication-server-group. This is the same group that I configured up above, so it's going to be RADIUS-SERVERS, and then as a fallback, oops, I need to put an S there, as a fallback I'm going to put in LOCAL. And what this means is that if the ASA can't reach the RADIUS server for whatever reason, the network's down, the server's down, then it will fall back to local authentication. And most of the time you're going to want to do this. I'd say all the time, but there are probably some really high-security situations where maybe you don't want to do that, but most of the time this will allow you to authenticate if you can't reach the RADIUS server. Now, it's important to note that this doesn't mean that if your authentication is denied on the RADIUS server it falls back to local. That's not what it means. It means that if there is no connectivity to the RADIUS server, then it will use local authentication, so at least you can get in if you need to. So we'll go ahead and hit Enter, and we should be ready to give it a try.

So let's open up our AnyConnect client, which I have pre-configured with the fully qualified domain name of the ASA so that it will match the certificate on the ASA. We'll go ahead and click Connect, and it's asking us for username and password. The username is already in there, because we've been testing this obviously before recording the video, but let's put in the password, P@ss1234, and hit OK. It's establishing the VPN, activating the adapter, and as you can see down in the lower right-hand corner, we are now connected.

So pretty simple once you get it set up on the RADIUS server. The RADIUS server is really the more difficult part of this, and we have a separate video for how to do that. If you'd like to check out other resources, we have them on our website at soundtraining.net/videos, and if you'd like the companion book, I'd love for you to have a copy. It's available at soundtraining.net/bookstore. Well, I hope it's been helpful. For soundtraining.net, I'm Don Crawley. I'll see you next time.
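The ASA command sequence the demo walks through, collected into one configuration fragment as an added example (not the video's or the book's own listing). The server address, shared secret, test account and group name RADIUS-SERVERS come from the demo; the tunnel-group name ACCOUNT-REPS is an assumption, since the transcript does not show it exactly.

```text
! Assumed lab values from the demo: RADIUS/NPS on the inside interface at
! 192.168.101.2, shared secret P@ss5678, AD test account user01.
configure terminal

! 1. Create the AAA server group and bind it to the RADIUS protocol.
aaa-server RADIUS-SERVERS protocol radius

! 2. Define the server inside the group. The key must match the shared
!    secret configured for this ASA as a RADIUS client on the NPS side.
aaa-server RADIUS-SERVERS (inside) host 192.168.101.2
 key P@ss5678
 exit
exit

! 3. Verify ASA-to-RADIUS reachability and the shared secret before touching
!    any tunnel group. A mismatched key shows up here as a failure, not later
!    as a puzzling AnyConnect login problem.
test aaa-server authentication RADIUS-SERVERS host 192.168.101.2 username user01 password P@ss1234

! 4. Point the existing AnyConnect tunnel group at the new group.
!    ACCOUNT-REPS is an assumed name; use "show run tunnel-group" to find yours.
configure terminal
tunnel-group ACCOUNT-REPS general-attributes
 authentication-server-group RADIUS-SERVERS LOCAL
 exit

! LOCAL is a fallback for an UNREACHABLE server only. An Access-Reject from
! RADIUS is a failed login; the ASA does not retry it against the local
! database. Omit LOCAL if policy requires RADIUS to be the sole authority.

! 5. Confirm the group status and request/failure counters after a test login.
show aaa-server RADIUS-SERVERS
show run tunnel-group ACCOUNT-REPS
```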
Info
Channel: soundtraining.net
Views: 31,992
Keywords: Technology, Active Directory (Software), RADIUS, What Is Cisco Vpn, Remote Access, Firewall, VPN, AnyConnect, Vpn For Cisco, Virtual Private Network, Cisco Vpn, Vpns, Windows Server 2012, What Is Vpn, Authentication, What Is A Vpn, Cisco ASA, Network Security, Vpn Cisco
Id: RT5vwTsO98s
Length: 10min 14sec (614 seconds)
Published: Tue Apr 16 2013