Cisco VPN authentication using NPS on Windows SBS 2008

Published by Anthony on

Wow – what a title!!

Hopefully this post will make things a bit clearer.

I have a Cisco 1721 router configured to be a VPN server for a few IPsec client PC’s. Currently the user authentication part is just being done with local users setup within the router config.

However we have Windows SBS 2008 internally providing Active Directory services, amongst other things.

So, my aim in this piece of work was to get the Cisco VPN using the AD accounts for client VPN user authentication.

There were two main parts to getting this working – the config on the Cisco router, and the configuration of NPS (Network Policy Service (formerly IAS) on Windows. In this post I will cover the Cisco side, and will try to put up some notes on the Windows side when I get home where I am able to grab some screenshots.

Config required for Cisco router

This is the trimmed down version of the statements I had to add/change. If you need to see full config for understanding, drop me a note.

aaa new-model
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 group radius local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key 7 "removed"

Potential stumbling block

One snag I ran into was related to the VPN group authenticaion. During my config changes I applied the following line (remotely – DOH!!!) which killed the VPN completely.

aaa authorization network sdm_vpn_group_ml_1 radius local

The symptoms this presented was the VPN client would try to connect but fail almost immediately.

What I didn’t realise to start with was that this config statement was offloading the VPN group authentication part of the connection over to the Radius server, where I didn’t have any groups setup, as I was only looking to use Radius for the user authentication.

So by leaving removing the radius option with that statement, the Group authentication check is still done against the name/key within the crypto isakmp client configuration group section.

Hopefully this can be of use to someone else – feel free to add any comments/questions below.

Categories: Networking

0 Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Posts

Networking

SSL Certificates from StartSSL for WebVPN on Cisco IOS

This document is intended to walk-through the steps I took to successfully implement a free SSL certificate for use with WebVPN on a Cisco IOS Router. I had tried a couple of times to use Read more…

Networking

Creating Exchange 2007 Shared mailbox Under SBS 2008 – Solved!

I’ve been banging my head against a brick wall recently with what should be a straightforward task. I look after an SBS 2008 install and we are preparing to rationalise the email setup in the Read more…

Networking

Cisco ACE Modules with Windows Sharepoint 2010

I recently ran into issues with a Windows Sharepoint 2010 environment that is load-balanced by Cisco ACE modules.  I’m no Sharepoint expert so if I get the WSS terminology slightly wrong – you’ll know why! Read more…