Cisco VPN authentication using NPS on Windows SBS 2008

Wow – what a title!!

Hopefully this post will make things a bit clearer.

I have a Cisco 1721 router configured to be a VPN server for a few IPsec client PCs. Currently the user authentication part is just being done with local users set up within the router config.

However we have Windows SBS 2008 internally providing Active Directory services, amongst other things.

So, my aim in this piece of work was to get the Cisco VPN using the AD accounts for client VPN user authentication.

There were two main parts to getting this working – the config on the Cisco router, and the configuration of NPS (Network Policy Service, formerly IAS) on Windows. In this post I will cover the Cisco side, and will try to put up some notes on the Windows side when I get home, where I am able to grab some screenshots.

Config required for Cisco router

This is the trimmed-down version of the statements I had to add/change. If you need to see the full config for understanding, drop me a note.

aaa new-model
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 group radius local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key 7 "removed"

Potential stumbling block

One snag I ran into was related to the VPN group authentication. During my config changes I applied the following line (remotely – DOH!!!) which killed the VPN completely.

aaa authorization network sdm_vpn_group_ml_1 radius local

The symptom this presented was that the VPN client would try to connect but fail almost immediately.

What I didn’t realise to start with was that this config statement was offloading the VPN group authentication part of the connection over to the RADIUS server, where I didn’t have any groups set up, as I was only looking to use RADIUS for the user authentication.

So with the radius option removed from that statement, the group authentication check is still done against the name/key within the crypto isakmp client configuration group section.
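
As an added example (not part of the original post), here is a small pre-change check in Python that reads a config and reports whether the AAA method lists referenced by the crypto map would send the group lookup to RADIUS before the local group. The two crypto map binding lines and the names EXAMPLE_MAP and EXAMPLE_GROUP are assumptions, since the post does not show that part of the config.

```python
import re

# Constructed sample: the statements from the post plus assumed crypto map
# bindings; EXAMPLE_GROUP and EXAMPLE_MAP are placeholder names.
SAMPLE_GOOD = """\
aaa new-model
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 group radius local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key 7 REDACTED
crypto isakmp client configuration group EXAMPLE_GROUP
crypto map EXAMPLE_MAP client authentication list sdm_vpn_xauth_ml_1
crypto map EXAMPLE_MAP isakmp authorization list sdm_vpn_group_ml_1
"""
SAMPLE_BAD = SAMPLE_GOOD.replace(
    "aaa authorization network sdm_vpn_group_ml_1 local",
    "aaa authorization network sdm_vpn_group_ml_1 radius local")


def method_lists(config, kind):
    """Map list name -> ordered methods for 'aaa <kind> <name> <methods>'."""
    pat = re.compile(rf"^aaa {kind} (\S+) (.+)$", re.M)
    return {m.group(1): [w for w in m.group(2).split() if w != "group"]
            for m in pat.finditer(config)}


def lint_vpn_aaa(config):
    """Return findings for the AAA lists the crypto map references."""
    findings = []
    authn = method_lists(config, "authentication login")
    authz = method_lists(config, "authorization network")
    local_group = "crypto isakmp client configuration group " in config
    for name in re.findall(r"isakmp authorization list (\S+)", config):
        first = (authz.get(name) or ["<undefined>"])[0]
        # IOS moves to the next method only when the previous one gives no
        # response; a reject from a reachable RADIUS server ends the lookup.
        if local_group and first != "local":
            findings.append(f"{name}: group lookup goes to {first} before "
                            "the local client configuration group")
    for name in re.findall(r"client authentication list (\S+)", config):
        methods = authn.get(name, [])
        if "radius" in methods and "radius-server host " not in config:
            findings.append(f"{name}: uses radius but no radius-server host")
        if "radius" in methods and methods[-1] != "local":
            findings.append(f"{name}: no local fallback if RADIUS is down")
    return findings
```

Running `lint_vpn_aaa` over the candidate config before pasting it into a remote session catches the statement that broke the VPN here.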

Hopefully this can be of use to someone else – feel free to add any comments/questions below.
