I have a Cisco PIX 515E that is currently acting as the office's router. We have an MS domain, and utilize MS VPN for remote access. I would like to use the Cisco VPN functionality built into the PIX and leverage Active Directory for authentication; however, I have not found a good source for instructions on how to do this. I am a programmer with a sysadmin hobby, so the instructions I'm looking for should not be geared towards a Cisco or AD expert. Do any instructions like these exist?
What version of ASA software are you running? What version of ASDM are you running? – GregD Jun 08 '09 at 21:43
3 Answers
You need the Internet Authentication Service (IAS) installed on a domain member server and a shared secret that you enter on the IAS server and PIX.
Then execute on your PIX:
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host IAS_SERVER SharedSecretHere timeout 10
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
vpngroup Remote address-pool pix_inside
vpngroup Remote dns-server DNS_SERVER_1 DNS_SERVER_2
vpngroup Remote wins-server WINS_SERVER
vpngroup Remote default-domain domainToAuthenticate
vpngroup Remote idle-time 1800
That should point you in the right direction and get you started.
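Before pointing the PIX at IAS, it helps to confirm the shared secret and an AD account from a test host. Here is an added Python example (not code from the answer above) that builds an RFC 2865 Access-Request with a PAP-encrypted User-Password, the kind of request the PIX sends, and verifies the Response Authenticator on the reply with the same shared secret; the server address, secret, account and the NAS IP 192.0.2.1 are placeholders.

```python
# RFC 2865 Access-Request with a PAP User-Password, as the PIX sends to IAS, to check
# the shared secret and an AD account before cutover. Added example; values are placeholders.
import hashlib, os, socket, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def encrypt_pap_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block).
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def decrypt_pap_password(cipher, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(identifier, username, password, secret, nas_ip="192.0.2.1"):
    # Returns (packet, request_authenticator); nas_ip stands in for the PIX's address.
    auth = os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, encrypt_pap_password(password.encode(), secret, auth))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + auth + attrs, auth

def response_is_authentic(response, request_auth, secret):
    # RFC 2865 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    return response[4:20] == hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()

def check_credentials(server, secret, username, password, port=1812, timeout=5):
    # Sends one request; returns 'accept', 'reject', or 'bad-auth' (reply not made with our secret).
    packet, req_auth = build_access_request(os.urandom(1)[0], username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        response, _ = sock.recvfrom(4096)
    if not response_is_authentic(response, req_auth, secret):
        return "bad-auth"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(response[0], "other")
```

IAS silently drops requests from hosts it does not have registered as RADIUS clients, so a timeout usually means the test host (not just the PIX) needs a client entry with the same secret.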
It's been a few years since I've worked with PIX, so this might have changed if they added direct LDAP support.
What you want to set up is a RADIUS server. It's a component of Windows Server. You can set up the PIX to authenticate against your specific RADIUS server, and it knows how to communicate with Active Directory.
A search on Google for 'setup RADIUS in Windows' should get you plenty of guides on how to do it.
You don't necessarily have to set up a RADIUS server to use AD authentication... – GregD Jun 08 '09 at 21:46
Since 8.x, the PIX/ASA release can use fully supported LDAP.
I would suggest that you upgrade your PIX to the ASA image 8.0(4). It's not a big deal. All you need is at least 64 MB of RAM (normally the PIX 515E has 32 MB built in, but you can still find cheap RAM on eBay) and the software, of course.
I would also add that with the latest release of ASA software (8.2.1), the PIXes are no longer supported. The version that sam offered up is one of the last for the PIX. – GregD Jun 08 '09 at 21:51