Cisco VPN authentication using NPS on Windows SBS 2008
Wow – what a title!!
Hopefully this post will make things a bit clearer.
I have a Cisco 1721 router configured to be a VPN server for a few IPsec client PCs. Currently the user authentication part is just being done with local users set up within the router config.
However we have Windows SBS 2008 internally providing Active Directory services, amongst other things.
So, my aim in this piece of work was to get the Cisco VPN using the AD accounts for client VPN user authentication.
There were two main parts to getting this working – the config on the Cisco router, and the configuration of NPS (Network Policy Service, formerly IAS) on Windows. In this post I will cover the Cisco side, and will try to put up some notes on the Windows side when I get home where I am able to grab some screenshots.
Config required for Cisco router
This is the trimmed down version of the statements I had to add/change. If you need to see full config for understanding, drop me a note.
aaa new-model
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 group radius local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
radius-server host 220.127.116.11 auth-port 1812 acct-port 1813 key 7 "removed"
Potential stumbling block
One snag I ran into was related to the VPN group authentication. During my config changes I applied the following line (remotely – DOH!!!) which killed the VPN completely.
aaa authorization network sdm_vpn_group_ml_1 radius local
The symptom this presented was that the VPN client would try to connect but fail almost immediately.
What I didn’t realise to start with was that this config statement was offloading the VPN group authentication part of the connection over to the Radius server, where I didn’t have any groups set up, as I was only looking to use Radius for the user authentication.
So by removing the radius option from that statement, the group authentication check is still done against the name/key within the crypto isakmp client configuration group section.
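A pre-change check for the snag described above, as an added example (not part of the original config or any Cisco tool): it reads an IOS config, resolves which AAA method list each crypto map uses for user authentication and for group authorization, and flags a group list that consults RADIUS first. The crypto map name SDM_CMAP_1 and its two binding lines are assumptions for illustration; only the aaa lines come from the post.

```python
import re

# Constructed sample: the aaa lines from the post plus two crypto map
# bindings. The crypto map name SDM_CMAP_1 is hypothetical.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 group radius local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
"""

AAA_RE = re.compile(r"^aaa (authentication login|authorization network) (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (client authentication|isakmp authorization) list (\S+)$")
KIND = {"client authentication": "authentication login",
        "isakmp authorization": "authorization network"}

def parse_methods(text):
    """'group radius local' and 'radius local' both become ['radius', 'local']."""
    return [word for word in text.split() if word != "group"]

def audit(config):
    """Return a list of findings about the VPN-related AAA method lists."""
    lines = [line.strip() for line in config.splitlines()]
    lists = {}
    for line in lines:
        m = AAA_RE.match(line)
        if m:
            lists[(m.group(1), m.group(2))] = parse_methods(m.group(3))
    findings = []
    for line in lines:
        m = MAP_RE.match(line)
        if not m:
            continue
        cmap, role, name = m.groups()
        methods = lists.get((KIND[role], name))
        if methods is None:
            findings.append(f"{cmap}: {role} list {name} is not defined")
        elif role == "isakmp authorization" and methods[0] == "radius":
            findings.append(f"{cmap}: group authorization list {name} asks RADIUS "
                            "first, so the VPN group must exist on the RADIUS server")
        elif role == "client authentication" and "radius" not in methods:
            findings.append(f"{cmap}: user authentication list {name} never asks RADIUS")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "no findings")
```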
Hopefully this can be of use to someone else – feel free to add any comments/questions below.