RADIUS Authentication Using Windows 2003 IAS for Cisco Router Remote Access IPsec VPN
In a previous post I discussed configuring an IPsec VPN between a Cisco router and a Windows PC with the Cisco VPN client installed. Today I’ll expand on this by configuring the VPN to use the RADIUS protocol to authenticate VPN users. This will ease administration and will allow users to log in to their VPN sessions with their directory services user accounts. For the RADIUS server I will use a Windows Server 2003 R2 that is part of an Active Directory domain with the IAS service installed. The IAS service can just as easily be configured with local user accounts on a Windows workgroup server if desired. When I first started implementing this I had great difficulty getting the IPsec VPN to work with RADIUS; I guess the IOS configuration commands can be a bit tricky. But now it just keeps on working!
Configure the Cisco Router IOS
In this example my router is configured as in the example Configure Cisco Router for Remote Access IPsec VPN Connections. Run through that article and come back here once you’ve completed it.
Next we need to modify AAA to allow user authentication using the RADIUS server.
R1# conf t
R1(config)# aaa authentication login VPN_CLIENT_LOGIN group radius local
Now we need to add the RADIUS server. Specify the IP address and a key to use.
R1(config)# radius-server host 192.168.2.4 auth-port 1645 acct-port 1646 key RadiusKey
That’s it for the configuration in the Cisco IOS. Now let’s move over to the Windows 2003 IAS configuration.
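To make clear what the key on the radius-server host line is actually used for, here is an added example (not code from this post, and not Cisco’s or Microsoft’s code) that implements the relevant parts of RFC 2865: the client side hides the User-Password by XORing it against MD5(secret + Request Authenticator) chained across 16-byte blocks, and the server side signs its Access-Accept/Reject with a Response Authenticator that is an MD5 over the reply and the same secret. The shared secret RadiusKey and the server address 192.168.2.4 come from the post; the router address 192.168.2.1, the user name, the password and the fixed Request Authenticator are constructed for the demo (a real client uses 16 random bytes per request).

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes and attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a cleartext password as RFC 2865 section 5.2 describes (MD5 keystream, chained per block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()          # b_n = MD5(S + c_(n-1))
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))  # c_n = p_n XOR b_n
        out += prev
    return out


def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side reversal of encode_user_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        chunk = encoded[i:i + 16]
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(chunk, block))
        prev = chunk                                          # keystream chains on the ciphertext block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One TLV attribute: Type (1), Length (1, includes the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    attrs, pos = {}, 0
    while pos < len(data):
        attr_type, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         nas_ip: str, request_auth: bytes = None) -> bytes:
    """What the router (the NAS) sends to UDP auth-port 1645 on the IAS server."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code: int, identifier: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, identifier: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    ra = response_authenticator(code, identifier, attrs, request_auth, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + ra + attrs


def server_handle(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """Minimal RADIUS server logic: recover the password with the shared secret and answer Accept/Reject."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    supplied = decode_user_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = user_db.get(user)
    ok = expected is not None and hmac.compare_digest(expected, supplied)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, request_auth, secret)


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check that the reply was produced by a server holding the same shared secret."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret = b"RadiusKey"            # the key from the radius-server host line in the post
    ra = bytes(range(16))            # constructed, fixed Request Authenticator for a repeatable demo
    req = build_access_request(7, "vpnuser", "Correct-Horse-Battery", secret, "192.168.2.1", ra)
    reply = server_handle(req, secret, {"vpnuser": b"Correct-Horse-Battery"})
    print("reply code:", reply[0], "authentic:", verify_response(reply, ra, secret))
```

The demo never touches the network; in the real exchange the router sends the Access-Request over UDP to 192.168.2.4 port 1645 and the IAS server answers with the signed reply. Two points follow directly from the code: a router and server with different keys cannot understand each other (the server recovers garbage instead of the password and the router rejects the reply’s authenticator), and the whole confidentiality of the user’s password rests on MD5 keyed with that shared secret, so the key deserves the same care as any other credential.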
Configure Windows Server 2003 IAS RADIUS Service
If you have previously read my article Set Up Windows 2003 IAS Server with RADIUS Authentication for Cisco Router Logins, you have a Windows IAS server already set up and the configuration should be able to authenticate your IPsec VPN connections. One thing that I have noticed is that my IPsec VPN authentication does not work when I have the IAS service installed on a domain controller. If the IAS service is installed on a domain member server the VPN connections do work fine. To configure the Windows IAS service follow these steps:
On a domain controller go into Start > Admin Tools > Active Directory Users and Computers. Optionally you can create a new group and add users to it that you want to grant router login access. In this example I will grant access to the existing Domain Admins user group.
Now double click a user account to which you want to grant router login capability. I will use the Administrator account.
In the user properties dialog click the Dial-in tab, then make sure that Remote Access Permission is set to “Allow access”. You can also set this to “Control access through Remote Access Policy”, in which case the user account will be granted permission by its group membership that will be specified in the policy. Since we’ll specify a group in the Remote Access Policy, the above step actually should not be necessary. Click OK.
Install Windows 2003 IAS/RADIUS Service
Now on the domain member server that will host the IAS service go to Start > Control Panel > Add or Remove Programs.
On the left click Add/Remove Windows Components.
Scroll down and highlight Networking Services, then click Details.
Place a check mark next to Internet Authentication Service, then click OK.
Click Next. Click Finish at the install confirmation window.
Configure Windows 2003 IAS/RADIUS Service for Cisco Router Logins
Now let’s configure the policies to allow our Cisco router to make authentications against this IAS/RADIUS server. Go to Start > Admin Tools > Internet Authentication Service.
In the left pane tree right click Remote Access Policies and choose New Remote Access Policy from the menu.
Select “Set up a custom policy” and type a name for your Cisco router policy. Click Next.
Click Add in the Policy Conditions.
Highlight the Windows Groups attribute type and click Add.
Click Add and we’ll select the user group that will be allowed access with this policy.
In this case I’m using a domain group and my group’s location is already set to the domain because this is a domain controller. I’m just going to use Domain Admins here. Type the group name and click Check Names. Then click OK.
We want to grant access to the Domain Admins so select “Grant remote access permission” and click Next.