In a previous post I discussed configuring an IPsec VPN between a Cisco router and a Windows PC with the Cisco VPN client installed. Today I’ll expand on this by configuring the VPN to use the RADIUS protocol to authenticate VPN users. This eases administration and lets users log in to their VPN sessions with their directory services user accounts. For the RADIUS server I will use a Windows Server 2003 R2 that is a member of an Active Directory domain and has the IAS service installed. The IAS service can just as easily be configured with local user accounts on a Windows workgroup server if desired. When I first started implementing this I had great difficulty getting the IPsec VPN to work with RADIUS; I guess the IOS configuration commands can be a bit tricky. But now it just keeps on working!
Configure the Cisco Router IOS
In this example my router is configured as in the example Configure Cisco Router for Remote Access IPsec VPN Connections. Run through that article and come back here once you’ve completed it.
Next we need to modify AAA so that the VPN_CLIENT_LOGIN method list authenticates users against the RADIUS server. Method lists are tried in order: the router falls back to the local user database only when no RADIUS server responds, while a RADIUS reject is final and does not fall through to local accounts.
R1# conf t
R1(config)# aaa authentication login VPN_CLIENT_LOGIN group radius local
Now we need to add the RADIUS server. Specify its IP address and the key to use. The key is the shared secret that must match the RADIUS client entry you create for the router on the IAS server; it protects the user passwords on the wire and authenticates the server’s replies, so use a long random value in production (RadiusKey below is just for illustration). Ports 1645/1646 are the legacy RADIUS ports; IAS listens on both these and the standard 1812/1813 by default.
R1(config)# radius-server host 192.168.2.4 auth-port 1645 acct-port 1646 key RadiusKey
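To show what the shared secret configured above actually does between the router and IAS, here is an added Python example (not code from the original post) that encodes a RADIUS Access-Request the way RFC 2865 specifies, hides the User-Password with the secret, recovers it on the server side, and computes the Response Authenticator the router uses to verify the reply. The secret value, username and password are constructed to mirror the article; nothing is captured traffic, and this code does not talk to a real server.

```python
import hashlib
import os
import struct
SHARED_SECRET = b"RadiusKey"  # constructed; mirrors "radius-server host ... key RadiusKey"
ACCESS_REQUEST, ACCESS_ACCEPT, ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2, 1, 2  # RFC 2865

def hide_password(password, secret, authenticator):
    # RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block).
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    # Server side: same masks, but the chaining input is the received block.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(identifier, username, password, secret, authenticator=None):
    # Router -> IAS: header, 16-byte Request Authenticator, then TLV attributes.
    authenticator = authenticator or os.urandom(16)
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    hidden = hide_password(password, secret, authenticator)
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def parse_packet(packet):
    # Returns (code, identifier, authenticator, {attribute_type: value}).
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs

def response_authenticator(code, identifier, resp_attrs, request_authenticator, secret):
    # Server's reply authenticator; the router recomputes it with the shared secret,
    # so an Access-Accept forged without the key does not verify.
    header = struct.pack("!BBH", code, identifier, 20 + len(resp_attrs))
    return hashlib.md5(header + request_authenticator + resp_attrs + secret).digest()
```

Because the password hiding is only an MD5-keyed XOR, the strength of the shared secret is all that stands between a captured request and the user’s password, which is why a short dictionary word like the example key is unsuitable outside a lab.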
That’s it for the configuration in the Cisco IOS. Now let’s move over to the Windows 2003 IAS configuration.
Configure Windows Server 2003 IAS RADIUS Service
If you have previously read my article Set Up Windows 2003 IAS Server with RADIUS Authentication for Cisco Router Logins, you have a Windows IAS server already set up and the configuration should be able to authenticate your IPsec VPN connections. One thing that I have noticed is that my IPsec VPN authentication does not work when I have the IAS service installed on a domain controller. If the IAS service is installed on a domain member server the VPN connections do work fine. To configure the Windows IAS service follow these steps:
On a domain controller go into Start > Admin Tools > Active Directory Users and Computers. Optionally you can create a new group and add the users to it that you want to grant VPN access. In this example I will grant access to the existing Domain Admins user group.
Now double click a user account that you want to grant VPN access to. I will use the Administrator account.
In the user properties dialog click the Dial-in tab, then make sure that Remote Access Permission is set to “Allow access”. You can also set this to “Control access through Remote Access Policy”, in which case the user account is granted permission through the group membership specified in the policy. Since we’ll specify a group in the Remote Access Policy, setting the per-user permission explicitly should not actually be necessary. Click OK.