ASA5510 - webVPN authentication

  • ASA5510 - webVPN authentication

    Hi all,

    I've got the site up and running, and RADIUS is configured to connect to my Server 2008 DC. The AAA server test in ASDM passes, so the ASA appears to be authenticating against RADIUS OK.

    I've set the connection profile to use the authentication server group I configured for RADIUS, but it won't authenticate when I try to log on to the portal itself.

    I've probably missed a step somewhere. Hope someone can help!

    Here is my current config:

    ++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++
    !
    ! NOTE(review): this is a pasted running-config posted for troubleshooting.
    ! It contains a RADIUS shared secret, password hashes, local usernames and
    ! public addresses; treat all of them as disclosed and rotate the secrets.
    hostname CISCO-ASA
    domain-name domain.org.uk
    ! The enable and login passwords carry the same hash, so they are the same
    ! password; use distinct credentials for login and enable.
    enable password m7TYfUPUfR/2yAtc encrypted
    passwd m7TYfUPUfR/2yAtc encrypted
    names
    !
    ! Three interfaces in use: inside 10.0.0.0/24, outside 81.188.23.114/28,
    ! management 10.1.0.0/24 (management-only). Ethernet0/2-0/3 are shut down.
    interface Ethernet0/0
    nameif inside
    security-level 100
    ip address 10.0.0.254 255.255.255.0
    !
    interface Ethernet0/1
    nameif outside
    security-level 0
    ip address 81.188.23.114 255.255.255.240
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 10.1.0.254 255.255.255.0
    management-only
    !
    ftp mode passive
    clock timezone GMT/BST 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    ! DNS lookups are allowed on every interface, including outside.
    dns domain-lookup inside
    dns domain-lookup outside
    dns domain-lookup management
    dns server-group DefaultDNS
    name-server 10.0.0.4
    domain-name domain.org.uk
    ! Hairpinning (traffic entering and leaving the same interface) is
    ! permitted. This is usually needed for remote-access VPN clients that
    ! reach the Internet via the ASA, but it widens what outside will forward.
    same-security-traffic permit intra-interface
    object-group service RDP tcp
    description MS RDP
    port-object eq 3389
    object-group service RDP_PORTAL-DB tcp
    description RDP to PORTAL-DB
    port-object eq 3391
    ! INTERNET_access_in is defined but never bound with access-group, so it
    ! has no effect. It also references 80.177.230.112/28, which does not match
    ! the outside interface subnet (81.188.23.112/28) configured above.
    access-list INTERNET_access_in extended permit tcp 10.0.0.0 255.255.255.0 80.177
    .230.112 255.255.255.240
    ! RDP (3389, 3390, 3392, 3393), SMTP and HTTP are opened from ANY source to
    ! the outside interface address and port-forwarded to internal hosts by the
    ! static entries below. Internet-exposed RDP invites brute-force; restrict
    ! the source addresses or move RDP behind the VPN this post is setting up.
    access-list outside_access_in extended permit tcp any host 81.188.23.114 eq 338
    9
    access-list outside_access_in extended permit tcp any host 81.188.23.114 eq smt
    p
    access-list outside_access_in extended permit tcp any host 81.188.23.114 eq 339
    0
    ! This entry is source-restricted (good), but its destination 80.177.230.114
    ! is not the outside interface address, so it never matches the 3391 static
    ! below; 3391 is therefore effectively closed from outside.
    access-list outside_access_in extended permit tcp host 82.133.69.170 host 80.177
    .230.114 eq 3391
    access-list outside_access_in extended permit tcp any host 81.188.23.114 eq 339
    2
    access-list outside_access_in extended permit tcp any host 81.188.23.114 eq 339
    3
    access-list outside_access_in extended permit tcp any host 81.188.23.114 eq www

    access-list outside_access_in extended permit tcp any host 81.188.23.115 eq htt
    ps
    ! NAT exemption for the VPN pool range 10.0.0.48/28, which sits inside the
    ! inside LAN subnet (the ASA has to proxy-ARP for those addresses).
    access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.
    0.48 255.255.255.240
    ! Webtype ACL for the clientless portal. Nothing in this config references
    ! it (no 'filter value SSLVPN' under a group-policy), so it is unused.
    access-list SSLVPN webtype permit tcp host 81.188.23.114 eq https log default
    pager lines 24
    ! Only ASDM logging is enabled; with no buffered logging or syslog host,
    ! failed portal logins leave no persistent trace. Enable 'logging buffered'
    ! (and ideally 'logging host') before debugging the RADIUS exchange.
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu management 1500
    ! Remote-access address pool; 10.0.0.50-59 overlaps the inside LAN and is
    ! covered by the inside_nat0_outbound exemption above.
    ip local pool VPN_POOL 10.0.0.50-10.0.0.59 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    ! NAT policy 101 is applied in both directions (inside->outside and
    ! outside->inside), each translating to the egress interface address.
    global (inside) 101 interface
    global (outside) 101 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 101 0.0.0.0 0.0.0.0
    nat (outside) 101 0.0.0.0 0.0.0.0
    ! Port forwards matching outside_access_in: RDP to five hosts on
    ! 3389/3390-3393 (10.0.0.4 is also the configured DNS server), SMTP to
    ! 10.0.0.15, HTTP to 10.0.0.4, HTTPS on 81.188.23.115 to 10.0.0.15.
    static (inside,outside) tcp interface 3389 10.0.0.4 3389 netmask 255.255.255.255

    static (inside,outside) tcp interface smtp 10.0.0.15 smtp netmask 255.255.255.25
    5
    static (inside,outside) tcp interface 3390 10.0.0.3 3389 netmask 255.255.255.255

    static (inside,outside) tcp interface 3391 10.0.0.5 3389 netmask 255.255.255.255

    static (inside,outside) tcp interface 3392 10.0.0.10 3389 netmask 255.255.255.25
    5
    static (inside,outside) tcp interface 3393 10.0.0.11 3389 netmask 255.255.255.25
    5
    static (inside,outside) tcp interface www 10.0.0.4 www netmask 255.255.255.255
    static (inside,outside) tcp 81.188.23.115 https 10.0.0.15 https netmask 255.255
    .255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 81.188.23.113 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    ! The default DAP record applies outside_access_in as the VPN network ACL.
    ! That ACL only permits TCP towards the ASA's own outside addresses, so
    ! tunnelled clients (e.g. L2TP users of DefaultRAGroup) would likely be
    ! unable to reach the LAN. It does not govern clientless portal sessions,
    ! which are filtered by webtype ACLs. This looks accidental; verify intent.
    dynamic-access-policy-record DfltAccessPolicy
    network-acl outside_access_in
    ! RADIUS server group used by the portal tunnel-group below. The shared
    ! secret 'radius' is trivially guessable and is now public in this post;
    ! replace it with a long random secret on both the ASA and the server.
    aaa-server RADIUS_GRP protocol radius
    aaa-server RADIUS_GRP (inside) host 10.0.0.14
    key radius
    ! ASDM/HTTPS management is limited to the management interface from
    ! 10.0.0.0/24 and 10.1.0.0/24; port 80 is redirected to HTTPS.
    http server enable
    http 10.0.0.0 255.255.255.0 management
    http 10.1.0.0 255.255.255.0 management
    http redirect management 80
    ! SNMP uses the well-known community 'public'. Even when limited to the
    ! management interface, change it (or use SNMPv3 if the image supports it).
    snmp-server host management 10.1.0.1 community public udp-port 161
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    ! IPsec transform sets. The DES and MD5 variants are legacy and should be
    ! dropped from the dynamic map once no client depends on them; 3DES and
    ! DH group 2 (below) are weak by current standards.
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    ! The dynamic map offers every transform set above, DES/MD5 included.
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128
    -SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256
    -MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    ! Single IKEv1 policy: pre-shared key, 3DES, SHA-1, DH group 2.
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    ! Telnet (cleartext) is enabled on the management interface while SSH has
    ! no permitted hosts configured; prefer 'ssh <net> <mask> management' and
    ! remove the telnet line. The console session never times out.
    telnet 10.1.0.0 255.255.255.0 management
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ! Unauthenticated NTP from a single external server.
    ntp server 158.43.128.33 source outside prefer
    ! The clientless portal listens on both the inside and outside interfaces.
    webvpn
    enable inside
    enable outside
    internal-password enable
    ! Group policy for the L2TP/IPsec tunnel-group DefaultRAGroup; it permits
    ! both l2tp-ipsec and webvpn.
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 10.0.0.4 208.67.222.222
    vpn-tunnel-protocol l2tp-ipsec webvpn
    default-domain value domain.org.uk
    ! TunnelGroup1 sets no default-group-policy, so portal users inherit
    ! DfltGrpPolicy. Only its non-default attributes are shown here; confirm
    ! with 'show run all group-policy DfltGrpPolicy' that vpn-tunnel-protocol
    ! includes webvpn, otherwise a user who authenticates is still denied.
    group-policy DfltGrpPolicy attributes
    group-lock value TunnelGroup1
    webvpn
    url-list value PORTAL
    ! Local accounts. 'test' should be removed once RADIUS works; a local
    ! 'Administrator' account is a standing bypass of central authentication.
    username test password P4ttSyrm33SV8TYp encrypted
    username Administrator password WNSOS/HaYElCltM. encrypted
    ! L2TP/IPsec remote-access group; the pre-shared key is masked in output.
    tunnel-group DefaultRAGroup general-attributes
    address-pool VPN_POOL
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    ! Portal tunnel-group (alias PORTAL). Both authentication AND authorization
    ! point at RADIUS_GRP. A RADIUS authorization group makes the ASA send a
    ! second Access-Request after login, carrying the username as the password
    ! unless radius-common-pw is set; a Windows RADIUS server normally rejects
    ! that request. Remove it while troubleshooting the failed portal login
    ! ('no authorization-server-group RADIUS_GRP') and re-add it with
    ! radius-common-pw only if RADIUS attributes are actually required.
    tunnel-group TunnelGroup1 type remote-access
    tunnel-group TunnelGroup1 general-attributes
    authentication-server-group RADIUS_GRP
    authentication-server-group (inside) RADIUS_GRP
    authorization-server-group RADIUS_GRP
    authorization-server-group (inside) RADIUS_GRP
    ! radius-reject-message shows the server's reject text to the user, which
    ! helps diagnosis. proxy-auth sdi makes the ASA treat RADIUS_GRP as a proxy
    ! for RSA SecurID (passcode / next-token prompts); it is not appropriate
    ! for a Windows RADIUS server and should be removed ('no proxy-auth sdi').
    tunnel-group TunnelGroup1 webvpn-attributes
    radius-reject-message
    proxy-auth sdi
    group-alias PORTAL enable
    !
    ! Default inspection policy; unchanged from factory defaults apart from
    ! being listed here.
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:56b6bbd29c73014423241132c80ef54f
    : end
    CISCO-ASA#
    ++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++