Trying to set up RADIUS authentication on ASA5505 8.3

I set up my firewall with local authentication for a regular dynamic VPN, but I need to change it to authenticate against the server. The server is configured and ready to go, but I want to make sure that the firewall will be too.

Here is my config:

ASA# sh run
: Saved
:
ASA Version 8.3(1)

hostname ASA
domain-name mydomain.local
enable password GmSL9emLLUC2J7jz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group pppoe_group
 ip address pppoe setroute

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

boot system disk0:/asa831-k8.bin
ftp mode passive

clock timezone CST -6
clock summer-time CDT recurring

dns server-group DefaultDNS
 domain-name mydomain.local

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network obj_any
 subnet 0.0.0.0 0.0.0.0

object network obj-vpnPool
 subnet 192.168.101.0 255.255.255.0

object network SERVER01
 host 192.168.*.*

object network obj-internal-192.168.1.0
 subnet 192.168.1.0 255.255.255.0

object network SERVER02
 host 192.168.*.*

object network SERVER03
 host 192.168.*.*

object network obj-OutsideIP
 host 74.164.148.6

access-list splittunnel standard permit 192.168.1.0 255.255.255.0

access-list outside_in extended permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_in extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0

access-list outside_in extended permit tcp any host 192.168.*.* eq www
access-list outside_in extended permit tcp any host 192.168.*.* eq https
access-list outside_in extended permit tcp any host 192.168.*.* eq smtp

pager lines 24
logging asdm informational

mtu inside 1500
mtu outside 1500

ip local pool vpnpool 192.168.101.50-192.168.101.100

icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400

nat (inside,outside) source static obj-internal-192.168.1.0 obj-internal-192.168.1.0 destination static obj-vpnPool obj-vpnPool

object network obj_any
 nat (inside,outside) dynamic interface

object network SERVER01
 nat (inside,outside) static interface service tcp smtp smtp

object network SERVER02
 nat (inside,outside) static interface service tcp www www

object network SERVER03
 nat (inside,outside) static interface service tcp https https

access-group outside_in in interface outside

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL

http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside

no snmp-server location
no snmp-server contact

snmp-server community
snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set transform-set ESP-3DES-MD5
crypto dynamic-map RA-VPN 1 set security-association lifetime seconds 28800
crypto dynamic-map RA-VPN 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set reverse-route
crypto map RA-VPN 65535 ipsec-isakmp dynamic RA-VPN
crypto map RA-VPN interface outside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

crypto isakmp nat-traversal 10
crypto isakmp ipsec-over-tcp port 1000

telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 60

ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60

console timeout 0

management-access inside

vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname [email protected]
vpdn group pppoe_group ppp authentication pap
vpdn username [email protected] password *

dhcpd dns 192.168.*.* 4.2.2.2
dhcpd lease 8400
dhcpd ping_timeout 750
dhcpd domain mydomain.local
dhcpd auto_config outside

dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside

priority-queue inside
priority-queue outside

threat-detection basic-threat
threat-detection statistics access-list

no threat-detection statistics tcp-intercept
webvpn

group-policy examplevpn internal
group-policy examplevpn attributes
 dns-server value 192.168.*.* 4.2.2.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
 default-domain value mydomain.local

username vicky password 9fO.vlLc77pAFoHp encrypted privilege 15
username otherusers password hhckff6QokyoRdar encrypted privilege 10
username examplevpn password IKg0RMHfprF6Ya3u encrypted

username admin password DwCTJcBn.Q0dDe9z encrypted privilege 15
username admin attributes
 vpn-group-policy examplevpn

tunnel-group RA-VPN type remote-access
tunnel-group examplevpn type remote-access
tunnel-group examplevpn general-attributes
 address-pool vpnpool
 authorization-server-group (outside) LOCAL
 default-group-policy examplevpn

tunnel-group examplevpn ipsec-attributes
 pre-shared-key *

class-map global-class
 match default-inspection-traffic

class-map class_sip_tcp
 match port tcp eq sip

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect tftp
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect icmp
  inspect amp-ipsec
  inspect ip-options
 class class_sip_tcp
  inspect sip

service-policy global_policy global
prompt hostname context
Cryptochecksum:3edb25d4a550f0394e8c1936ab3326ad

Is this all I have to add, and is it correct?

aaa-server RADIUSvpn protocol radius
 max-failed-attempts 5
aaa-server RADIUSvpn (DMZ) host 172.16.1.1
 retry-interval 1
 timeout 30
 key cisco123

tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool vpnpool
 authentication-server-group RADIUSvpn

I'm still relatively new to firewalls and sometimes find the online help overwhelming. Help, please.

Vicky
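Added example (not from the original post or from Cisco): a small Python checker that parses the relevant lines of a running config and reports the cross-references that have to line up before a remote-access tunnel-group is switched from LOCAL to RADIUS. The sample config is constructed from the lines posted above; the `inside` interface used in the repaired variant is an assumption, since the posted config defines only `inside` and `outside` nameifs.

```python
"""Cross-check the AAA and tunnel-group references in an ASA 'show run'
before a remote-access tunnel-group is switched from LOCAL to RADIUS."""
import re

# Constructed sample: the relevant posted lines plus the proposed RADIUS lines.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
interface Vlan2
 nameif outside
tunnel-group RA-VPN type remote-access
tunnel-group examplevpn type remote-access
tunnel-group examplevpn general-attributes
 address-pool vpnpool
 authorization-server-group (outside) LOCAL
tunnel-group examplevpn ipsec-attributes
 pre-shared-key *
aaa-server RADIUSvpn protocol radius
aaa-server RADIUSvpn (DMZ) host 172.16.1.1
 key cisco123
tunnel-group RA-VPN general-attributes
 authentication-server-group RADIUSvpn
"""
# Same sample with both references repaired ('inside' is an assumption).
FIXED_CONFIG = SAMPLE_CONFIG.replace("(DMZ)", "(inside)").replace(
    "tunnel-group RA-VPN general-attributes", "tunnel-group examplevpn general-attributes")


def parse(config):
    """Return (nameifs, aaa-server group -> host interfaces, tunnel-group -> attribute lines)."""
    nameifs, aaa, tg, current = set(), {}, {}, None
    for line in config.splitlines():
        if not line.startswith(" "):            # top-level command ends any section
            current = None
            if m := re.match(r"aaa-server (\S+) protocol ", line):
                aaa.setdefault(m[1], [])
            elif m := re.match(r"aaa-server (\S+) \((\S+)\) host ", line):
                aaa.setdefault(m[1], []).append(m[2])
            elif m := re.match(r"tunnel-group (\S+) type ", line):
                tg.setdefault(m[1], set())
            elif m := re.match(r"tunnel-group (\S+) \S+-attributes", line):
                current = m[1]
                tg.setdefault(current, set())
        elif line.strip().startswith("nameif "):
            nameifs.add(line.split()[1])
        elif current is not None:
            tg[current].add(line.strip())
    return nameifs, aaa, tg


def check(config):
    """Return findings as text; an empty list means the references line up."""
    nameifs, aaa, tg = parse(config)
    findings = []
    for group, ifaces in aaa.items():
        for iface in ifaces:
            if iface not in nameifs:
                findings.append(f"aaa-server {group}: host interface '{iface}' "
                                f"has no matching 'nameif {iface}'")
    for name, attrs in tg.items():
        auth = [a.split()[1] for a in attrs if a.startswith("authentication-server-group ")]
        for g in auth:
            if g not in aaa:
                findings.append(f"tunnel-group {name}: aaa-server group '{g}' is not defined")
        # Clients land on the tunnel-group that holds the pre-shared key; RADIUS
        # attached to a different tunnel-group leaves that one on LOCAL auth.
        if any(a.startswith("pre-shared-key") for a in attrs) and not auth:
            findings.append(f"tunnel-group {name}: holds the pre-shared key but no "
                            f"authentication-server-group, so it still authenticates LOCAL")
    return findings
```

Once the references line up, the ASA's own `test aaa-server authentication <group> host <ip> username <user> password <pass>` command exercises the RADIUS exchange end to end.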

Can you compare the config with the doc and see if something may be missing?

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808c3c45.shtml

Use the troubleshooting section in the doc to find the DN; I think that you are missing a part of the DN string. Sorry for the late response.

Tags: Cisco Security

Similar Questions

  • Setting up RADIUS authentication with ACS 4.0.2

    Dear Experts,

    I have ACS 4.0.2 on my network, and I want to use it as the RADIUS server for 802.1X clients with the PEAP-MSCHAPv2 authentication method.

    According to the documentation "EAP Authentication with RADIUS Server", Doc ID: 44844,

    I have configured Network Configuration and populated the AAA client IP address range and the secret key.

    Question 1:

    Under the "Authenticate Using" option, there are various flavours of RADIUS available for selection. For a non-Cisco AAA client, do I choose RADIUS (IETF)?

    Question 2:

    In the snapshot above, there is an option called Global Authentication Setup, where we can configure the EAP settings. Under the PEAP subsection, there is an "Allow EAP-MSCHAPv2" checkbox.

    After checking it, is a restart required on the ACS server? Would it cause disruptions to existing services on ACS?

    Kindly help, as this is not mentioned in the documentation available to me.

    Kind regards

    Knockaert

    Hello

    Question 1:

    3rd-party devices should generally conform to the RADIUS standards. In this case, selecting RADIUS (IETF) should be fine. If 3rd-party specific attributes (for example the VLAN ID) are required, then contact support for the 3rd-party device to confirm whether a RADIUS dictionary must be added to the RADIUS server in order to send vendor-specific attributes.

    NOTE: We can add RADIUS dictionaries to ACS in the case described above, but you will need the appropriate dictionary file, usually provided by the 3rd-party device's support.

    Question 2:

    To enable PEAP or any other EAP method on ACS 4.x, we need to use the Submit + Apply option. ACS services will be restarted (RADIUS and Auth services). It should take less than a minute in a common scenario for ACS to apply the changes. It is not a reboot of the server, but a restart of the services instead.

    I hope this helps.

    Kind regards.

  • Cisco RADIUS authentication with Windows NAP with encrypted authentication

    I need a RADIUS authentication configuration for Cisco IOS devices for device management. My RADIUS server is on Windows 2008 R2.

    Can I implement this with encrypted authentication? In the attached diagram, what protocol can I use for encrypted authentication?

    According to some sites, we need to activate clear-text authentication. Is there any secure setup, such as MSCHAP authentication?

    Hello

    You activate clear-text (PAP) authentication. Don't forget that RADIUS sends the username in clear but encrypts the password. You can confirm this by taking a Wireshark capture. You will also get the RADIUS encryption using a long and complex RADIUS key.

    If you want to encrypt the username and password, then you would use TACACS+.

    Thank you

    John
