Cisco EasyVPN authenticate with Windows IAS (RADIUS)
Over the past 24 hours, I've been involved with installing a couple of routers at locations where the VPN was an integral part of the overall implementation. At both locations I wanted to use Active Directory for authentication. In the past, with PoPToP installations or other routers, the RADIUS setup was very straightforward. For Cisco it is for the most part, but there are some gotchas that I've run into, and I am going to post them here. Basically, I was never really able to get the group authentication up and running through RADIUS, and I'm not even sure that it's worth getting working. It's so easy to set up the group in the Cisco SDM and input all of your pertinent settings there, and then use RADIUS for the actual user authentication.
So your steps are really pretty simple and straightforward. You will want to:
Install and configure IAS
Set up a RADIUS client in IAS with the vendor set as Cisco (remember your shared secret)
Delete the existing policies, then create a new policy and connect it to the Windows group that will have VPN access
Set the policy to Grant Remote Access and go into Edit Profile
On the Authentication tab, make sure that ONLY the top option (MS-CHAP v2) is checked
On the Advanced tab, I set only a single service type of RADIUS Standard and set to Login
On the router, start the EasyVPN setup, choosing 'local' for the group authentication. For the user authentication, choose RADIUS, input the IP address of your IAS server and put in the secret. Then set up your group policy normally (this is what you'll give to your VPN clients).
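The router side of that procedure, as an added example that is not from the original post: the IOS CLI equivalent of what the SDM EasyVPN wizard produces, with the group defined locally and user (XAUTH) logins sent to IAS over RADIUS. The IAS address 192.0.2.10, the group name FIELDOFFICE, the pool, list and interface names, and the <...> secrets are placeholders.

```cisco
! Added example: minimal IOS EasyVPN server, local group + RADIUS user authentication.
! Placeholders: 192.0.2.10 = IAS server, <radius-secret>, <group-key>, interface names.
aaa new-model
! User logins (XAUTH) go to IAS; the EasyVPN group is authorized from the local config.
aaa authentication login VPN-USERS group radius
aaa authorization network VPN-GROUPS local
! Same shared secret as entered for the RADIUS client in IAS.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <radius-secret>
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
! The EasyVPN group: the name and group key you hand to the VPN clients.
crypto isakmp client configuration group FIELDOFFICE
 key <group-key>
 dns 10.0.0.5
 domain example.local
 pool VPN-POOL
ip local pool VPN-POOL 10.10.10.1 10.10.10.50
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
crypto dynamic-map DYN-MAP 10
 set transform-set ESP-AES-SHA
 reverse-route
!
! Tie the XAUTH login list and the group authorization list to the crypto map.
crypto map CLIENT-MAP client authentication list VPN-USERS
crypto map CLIENT-MAP isakmp authorization list VPN-GROUPS
crypto map CLIENT-MAP client configuration address respond
crypto map CLIENT-MAP 10 ipsec-isakmp dynamic DYN-MAP
!
interface FastEthernet0/0
 description Outside
 crypto map CLIENT-MAP
```

With this in place, `debug radius` on the router shows the Access-Request/Access-Accept exchange with IAS when a client enters its credentials, which is the quickest way to tell a wrong shared secret from a policy mismatch in IAS.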
That's basically it. When the remote user sets up their connection they will put in the group info that you specify from the EasyVPN setup, and as soon as they try to connect, they will get a login box with the familiar user name, password, and domain fields. Works like a charm and only takes a few minutes.
Very cool! Now to see if I can get the same IAS server to work with the wireless AP to do EAS! That’ll be another post.