Cisco PIX VPN and Active Directory Integration

Rather than publishing this information in PDF form on my business website, I’ve decided to try something new and post it here as a blog entry. So, here goes.

This information assumes that you have some experience with the Cisco PIX firewall (i.e., you know how to enter configuration commands and have a basic idea of what the configuration commands actually do) as well as some experience with Windows and Active Directory.

With that information in hand, let’s get started.

Configuring the Cisco PIX

First, we’ll need to set up the PIX firewall. Use the commands below to configure the PIX for PPTP-based VPN connections that will authenticate against an Active Directory back-end.

ip local pool vpn-pool 10.10.10.1-10.10.10.254
aaa-server vpn-auth inside host 10.10.10.5 secretkey
aaa-server vpn-auth inside host 10.10.10.6 secretkey
aaa-server vpn-auth protocol radius
vpdn group vpn-pptp-group accept dialin pptp
vpdn group vpn-pptp-group ppp authentication mschap
vpdn group vpn-pptp-group ppp encryption mppe 128 required
vpdn group vpn-pptp-group client configuration \
   address local vpn-pool
vpdn group vpn-pptp-group client configuration \
   dns 10.10.10.5 10.10.10.6
vpdn group vpn-pptp-group client configuration \
   wins 10.10.10.6 10.10.10.5
vpdn group vpn-pptp-group client authentication aaa vpn-auth
vpdn enable outside
sysopt connect permit-pptp
access-list acl-nat0 permit ip 10.10.1.0 255.255.255.0 \
   10.10.10.0 255.255.255.0
nat (inside) 0 access-list acl-nat0

(Note that I have placed a backslash to indicate text that is wrapped onto two lines here but should be entered all on a single line in the PIX configuration.)

In this configuration, replace the IP addresses on lines 2 and 3 (the “aaa-server vpn-auth” commands) with the IP addresses of the servers running Internet Authentication Service (IAS) on Windows. See the next section for more information on configuring IAS.

On those same lines, replace the text “secretkey” with the RADIUS shared secret that will be used when configuring the RADIUS/IAS server in the next section.

Likewise, replace the IP addresses on lines 9 and 10 (the “vpdn group vpn-pptp-group client configuration” lines that pass out the DNS and WINS servers to VPN clients) with the IP addresses of your DNS and WINS servers, respectively.

That should do it. Save the configuration to the PIX and then move on to configuring IAS.

Configuring Internet Authentication Service

Before doing anything else, create a new global security group in Active Directory. Call it something like “VPN Users”. We’ll use this group later as an additional security check in validating VPN connections.

Next, install IAS using the Add/Remove Programs icon in Control Panel. Once it has been installed, launch it from the Administrative Tools folder on the Start Menu and we’ll proceed with configuring it for authenticating VPN connections to the PIX firewall.

First, we need to grant IAS permission to read dial-in properties from user accounts in Active Directory. To do this, right-click on the “Internet Authentication Service (Local)” and select “Register Server in Active Directory”. Select Yes (or OK) if prompted to confirm.

With that done, we can now configure the PIX firewall as a RADIUS client. Right-click on RADIUS Clients and select New RADIUS Client. In the wizard, specify the PIX firewall’s internal IP address (or its DNS name) and the shared secret. Note that this shared secret is the same secret key specified in the PIX configuration above. RADIUS clients use this to authenticate to RADIUS servers, so make it a reasonably strong password.
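As an added illustration (not part of the original post), the following Python models the RFC 2865 exchange between the PIX and IAS to show what the shared secret actually does: it signs the server’s reply, so a reply built with a different secret, tampered with in transit, or matched to the wrong request is rejected by the client. The addresses, user name and secret are constructed, and the MS-CHAP attributes a real PPTP request would also carry are left out.

```python
# Added example (not from the original post): models the RFC 2865 Response
# Authenticator so the role of "secretkey" on the PIX's aaa-server lines is
# visible. Every address, user name and secret here is constructed.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4   # RFC 2865 attribute types


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; the length byte covers all three fields."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, user: str, nas_ip: str) -> bytes:
    """What the PIX (RADIUS client) sends: header, 16 random bytes, attributes.
    The MS-CHAP credential attributes of a real PPTP request are omitted."""
    attrs = attr(ATTR_USER_NAME, user.encode()) + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    request_authenticator = os.urandom(16)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_authenticator + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What IAS returns once AD accepts the user; signed with the shared secret."""
    ident, request_auth = request[1], request[4:20]
    resp_auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + resp_auth + attrs


def reply_is_authentic(request: bytes, reply: bytes, secret: bytes) -> bool:
    """The PIX side: accept a reply only if it matches the outstanding request
    and was signed with the same shared secret the PIX was configured with."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:], request[4:20], secret)
    return hmac.compare_digest(expected, reply[4:20])
```

The user’s own password never enters this calculation; the secret only proves to the PIX that the Access-Accept came from the IAS server it was configured with.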

Now create a remote access policy. Right-click on Remote Access Policies and select New Remote Access Policy. In the wizard, specify a name, select to create a custom policy, and then add the following conditions to the policy:

  • NAS-IP-Address: This will be the IP address of the PIX firewall’s internal interface. This helps to ensure that this policy only applies to VPN requests from this firewall and not from any other RADIUS client.
  • Windows-Groups: This should be the security group created earlier. Any user that should be allowed to authenticate on a VPN connection will need to be a member of this group.

The rest of the policy should be very straightforward. Make this policy the first policy (using the Move Up/Move Down commands in the IAS console), add a user to the group created earlier, and then test your connection. Remote systems attempting to connect via PPTP should now be able to authenticate the VPN connection using their Active Directory usernames and passwords.

Although this was written from the perspective of authenticating PPTP connections, the process should be very similar for IPSec VPN clients as well.

  1. Alexei

    Have you ever tried to assign addresses using AD and DHCP server, instead of defining a local pool on PIX?

  2. slowe

    Alexei,

    I don’t think that I’ve ever tried anything other than a local pool on the PIX. I have some Cisco gurus in my office; I’ll ping them and see if they know anything about doing this.

    Scott

  3. Ste

    Hi Alexei / Slowe,

    I am having some problems with the PIX not unregistering IP addresses from DNS after the client logs off.

    I know this may be a different topic, but I just cannot find any info regarding this.

    Any help would be great

    cheers Ste

  4. slowe

    Ste,

    I haven’t noticed this issue, but that doesn’t mean anything. I don’t use the VPN connection to my PIX very often.

    Have you tried enabling scavenging on the DNS server? That will help automatically clear away old and unused DNS entries, but perhaps not in the time frame in which you were hoping.

    Thanks,
    Scott

  5. Manasi

    I am a little confused on this point.
    Can the PIX firewall login authentication system be integrated with Microsoft’s Active Directory services?

  6. Anthony

    Any feedback on using an internal DHCP server to assign addresses to PIX VPN clients? The local PIX DHCP server is causing some issues in my AD infrastructure because it doesn’t remove client DNS entries when the client disconnects and the scavenging cycle doesn’t come around fast enough.

  7. slowe

    Manasi,

    Not the actual authentication to the firewall itself (not as far as I know), but the VPN authentication can be integrated into Active Directory. So, when users attempt to connect to the network via VPN, they can use their AD credentials to establish the encrypted VPN session. Does that make sense? The local authentication to the firewall itself is still handled locally.

    Anthony,

    I honestly don’t know if you can use an internal DHCP server or not. I’m checking with a couple of CCIEs I work with right now to see if they know. I’ll let you know what I find out.

  8. Manasi

    Hi Scott,

    Perfect. That answers my question. It was a debate on if Cisco PIX, Routers, switches authentication can be integrated with Active Directory services.
    But as far as I knew it could not be, and with your confirmation I am more sure now. It cannot be done as of today.

    The VPN authentication clients are different as they are not accessing PIX firewall for configuration. The firewall only checks for the validity and authorization of their connection. Yes, their authentication can be integrated with Active Directory services.

    But thanks for the confirmation.

    Regards,
    Manasi.

  9. slowe

    Manasi,

    My answer was directed specifically at the PIX, not for other Cisco routers and switches. Routers and switches running IOS *can* (IIRC) have their login information integrated into Active Directory via RADIUS. So it’s a different story if you are talking about PIX firewalls vs. routers and switches running IOS. In addition, the story changes again if you compare PIX OS 6.x against PIX OS 7.x (used on the new ASA security appliances), which–to my understanding–are more like IOS and contain more IOS features.

  10. Manasi

    Hi Scott,

    Ok. Correct me, if I am wrong. Switches / routers can be integrated with Active Directory services using RADIUS.

    I found an article which also states that the writer has integrated PIX firewall having IOS version 7.1 integrated with Active Directory Services, through RADIUS.

    http://briandesmond.com/blog/archive/2006/10/27/How-to-Authenticate-against-Active-Directory-from-a-Cisco-PIX.aspx

    Regards,
    Manasi.

  11. slowe

    Manasi,

    I stand corrected–it looks like PIX OS 6.x (as well as the newer PIX OS 7.x, which the article you referenced mentions) can both be configured to authenticate against Active Directory. In addition, IOS-based devices (routers and switches) can also be configured to authenticate against AD as well.

    Thanks for the updated information and for the link!

  12. raymond

    Hi

    I’m new to the PIX and I am following your instructions. The last 2 lines I do not understand what they’re for.
    access-list acl-nat0 permit ip 10.10.1.0 255.255.255.0
    10.10.10.0 255.255.255.0
    nat (inside) 0 access-list acl-nat0

    What network is 10.10.1.0 on? 10.10.1.0 is your internal network?
    Your example puts aaa-server vpn-auth in the vpn-pool network. Is it a mistake, and can I leave it in the internal network?

    thanks

  13. slowe

    Raymond,

    The acl-nat0 access list and corresponding nat statement prevent VPN traffic from being NAT’d as it traverses the PIX firewall. Replace the addresses with your source (first network and mask) and destination (second network and mask) networks. In the example above, 10.10.1.0 is the source network and 10.10.10.0 is the destination network.

    The aaa-server defines the authentication for the VPN connection itself, and it should be a server on your internal network.

    Hope this helps!

  14. Tom

    I’m trying to configure this exact thing, except using ipsec instead of pptp. I’ve followed everything here, and it didn’t work, searched more… asked tons of people… can’t seem to get it to work! I was wondering if you could shoot me an email and take a look at my running-config, see what exactly I’m missing. It may be on the pix, it may be on the IAS end… I’m not sure.

    Thanks
    Tom

  15. remco

    With authentication against Active Directory, is it possible to log in with a local account and
    use your network credentials for login to the VPN? Will any login script run with the proper credentials?

  16. slowe

    Remco,

    Yes, you can do that. However, I do not believe that in this scenario your AD login scripts will run. I believe that the Cisco IPSec VPN client has a method of making login scripts work, but I have not tested that client with the Active Directory authentication.

  17. Fred

    Tom,

    IPSec is a whole nother ball game. The commands above won’t help at all with IPSec VPN.

  18. ScottG

    Has anyone got this going with IPSec? I have a PIX running IOS 7.1. I want to eliminate group authentication on the PIX and have VPN clients authenticated against AD. Can I do this using the radius server or do I need something else?

    Thanks.

  19. Jo

    Sure you can use AD to authenticate VPN clients via PIX. I’m using Cisco Secure ACS Engine Solution as a RADIUS and a Cisco Remote Client comes with it and it’s installed on a member AD server. Works great.

    Before that I was using Cisco Secure ACS software and to be honest I like it better because it doesn’t require an additional client and once installed on a machine which is part of AD works great.

    Back there (3 years ago) the ACS software was working only on MS WIN 2000 Server. I don’t know what is the situation today but my new Solution Engine is running Win 2000 as well. I do not have access to the OS which is somehow good. The box is independent.

    ACS could be used for any device on your network including switches/routers etc, anything that could use RADIUS or TACACS. Very useful appliance. A bit expensive… mine came in for $8500.

    Does anybody use internal DHCP?

  20. slowe

    Jo,

    From what I’ve seen, using internal DHCP seems to be problematic. If you have any solutions for that, I’d love to hear them!

  21. David

    Hi guys,

    I am an IT manager trying to implement Cisco IPSEC VPN access along with including Windows Networking. So, users remotely can browse our Network Neighborhood or access servers/desktops using their NETBIOS names. I have not found any solid documentation on this type of implementation. I am using an ASA/PIX 5510 IOS 8.0.3 This is a 2nd gen PIX. Any help?

  22. Jared

    Good read, everything worked and I can connect into my network with no issue.

    The problem is once I am connected, I cannot access any internet ips (like google yahoo etc) as if my routing table routes everything over the vpn. How can I fix this?

  23. Peter

    Hi Scott,
    I am new to this blog and I have a question related to AD auth over the PIX.
    A remote user did not log into AD for a certain time, and his password in AD has expired and needs to be changed.
    Usually he will be asked to change his password when he is logging on to the domain on the local LAN.
    But what about remote users?
    VPN Client Ver. 5 from Cisco, and the firewall is a PIX 506e with 6.3.
    AD authentication is already working fine.
    Is there a way that the user will be asked to change his password because it has expired? As domain server we use Windows 2008 Enterprise and Windows XP as client.

  24. vpn service

    Hi,
    What I have seen using internal dhcp seems to be problematic.
    If you have any solutions for that, I had to hear them :)

  25. Heino

    Hi Peter,

    Will the password change request from the DC be passed through to the Cisco VPN Client?

  26. Chris

    Does anyone know if it is possible/how to integrate Microsoft Active Directory into Cisco ASA/FWSM policies such that a particular rule in a policy could use an Active Directory group as a source instead of a list of static IP addresses?

    We want to ensure the user is a particular user in a group, especially when they come from a Citrix host with multiple users on a single source IP.

    Thanks in advance.

  27. drummelhart

    I have a question regarding the secret key, in the 2nd and 3rd line. So when built, my clients will need to type in a certain password, then AD will send them the challenge request, and once accepted they are in the network via VPN?

  28. slowe

    Drummelhart,

    The secret key is for authentication between the Cisco firewall (RADIUS client) and the RADIUS server. It does nothing for user authentication whatsoever.

  29. drummelhart

    Once complete, will I need to make access lists allowing users with the IP network address to access server IP addresses internally? I actually configured this beast in an hour, minus the extra ACLs.

  30. slowe

    Drummelhart,

    I don’t think you’ll need ACLs for VPN users to access internal resources, but I could be wrong. It’s been a while since I messed with this.

    Good luck!

  31. drummelhart

    Has anyone successfully VPN’d using Vista?

    I am having major problems with personnel

    Any ideas?

  32. fars

    Hi
    I need help.
    I can telnet to the PIX with RADIUS authentication, but the VPN connection failed with error 691.
    Can you help me?

  33. Jeff

    Back on 9/6/2008 Peter asked about users being prompted to change their AD password when it has expired when AD is how they authenticate. I too would like to know if there is a way to make this happen. We use AD for authentication through the VPN, but users are not prompted to change their passwords when they expire.

    We have the “Enable notification upon password expiration to allow user to change password” checked, along with the “Enable notification prior to expiration” box under that with a “14” day notify prior to expiration. But the users never get notified that their password has either expired or is about to expire. We do not have the “Override account-disabled indication from AAA server” right above this checked.

    Am I missing something to enable password expiration notifications?

  34. MAFHH

    Hi,

    The problem is once I am connected, I cannot access any internet ips (like google yahoo etc) as if my routing table routes everything over the vpn. How can I fix this?

  35. slowe

    MAFHH,

    Everything does route across the VPN. You’d need to configure the firewall for a split-tunnel VPN setup. There are numerous guides available online to help you with this configuration.