Cisco PIX VPN and Active Directory Integration

Rather than publishing this information in PDF form on my business website, I’ve decided to try something new and post it here as a blog entry.  So, here goes.

This information assumes that you have some experience with the Cisco PIX firewall (i.e., you know how to enter configuration commands and have a basic idea of what the configuration commands actually do) as well as some experience with Windows and Active Directory.

With that information in hand, let’s get started.

Configuring the Cisco PIX

First, we’ll need to set up the PIX firewall.  Use the commands below to configure the PIX for PPTP-based VPN connections that authenticate against an Active Directory back-end via RADIUS.  (One caveat up front: PPTP with MS-CHAP is the weakest remote-access option the PIX offers, and 128-bit MPPE, required below, is the strongest protection the protocol provides.  If you can use IPSec instead, do so; the Active Directory side of this article applies either way.)

aaa-server vpn-auth protocol radius
aaa-server vpn-auth (inside) host 10.10.1.5 secretkey
aaa-server vpn-auth (inside) host 10.10.1.6 secretkey
ip local pool vpn-pool 10.10.10.1-10.10.10.254
vpdn group vpn-pptp-group accept dialin pptp
vpdn group vpn-pptp-group ppp authentication mschap
vpdn group vpn-pptp-group ppp encryption mppe 128 required
vpdn group vpn-pptp-group client configuration \
    address local vpn-pool
vpdn group vpn-pptp-group client configuration \
    dns 10.10.1.5 10.10.1.6
vpdn group vpn-pptp-group client configuration \
    wins 10.10.1.6 10.10.1.5
vpdn group vpn-pptp-group client authentication aaa vpn-auth
vpdn enable outside
sysopt connect permit-pptp
access-list acl-nat0 permit ip 10.10.1.0 255.255.255.0 \
    10.10.10.0 255.255.255.0
nat (inside) 0 access-list acl-nat0

(Note that I have placed a backslash to indicate text that is wrapped onto two lines here but should be entered all on a single line in the PIX configuration.)

In this configuration, replace the IP addresses on lines 2 and 3 (the “aaa-server vpn-auth” commands) with the IP addresses of the servers running Internet Authentication Service (IAS) on Windows.  These servers belong on your inside network and must not fall within the VPN address pool (the “ip local pool” range), since that range is handed out to VPN clients.  See the next section for more information on configuring IAS.

On those same lines, replace the text “secretkey” with the RADIUS shared secret that will be used when configuring the RADIUS/IAS server in the next section.

Likewise, replace the IP addresses on lines 9 and 10 (the “vpdn group vpn-pptp-group client configuration” lines that pass out the DNS and WINS servers to VPN clients) with the IP addresses of your DNS and WINS servers, respectively.

That should do it.  Save the configuration to the PIX (“write memory”) and then move on to configuring IAS.

Configuring Internet Authentication Service

Before doing anything else, create a new global security group in Active Directory.  Call it something like “VPN Users” or similar.  We’ll use this group later as an additional security check in validating VPN connections.

Next, install IAS using the Add/Remove Programs icon in Control Panel.  Once it has been installed, launch it from the Administrative Tools folder on the Start Menu and we’ll proceed with configuring it for authenticating VPN connections to the PIX firewall.

First, we need to grant IAS permission to read dial-in properties from user accounts in Active Directory.  To do this, right-click on the “Internet Authentication Service (Local)” and select “Register Server in Active Directory”.  Select Yes (or OK) if prompted to confirm.

With that done, we can now configure the PIX firewall as a RADIUS client.  Right-click on RADIUS Clients and select New RADIUS Client.  In the wizard, specify the PIX firewall’s internal interface address (or its DNS name) and the shared secret.  This shared secret is the same secret key specified in the PIX configuration above.  RADIUS uses it to authenticate the requests and replies exchanged between the PIX and IAS and to hide the password attribute in transit, so make it long and random rather than a dictionary word: a captured RADIUS exchange can be checked against guesses offline.

Now create a remote access policy.  Right-click on Remote Access Policies and select New Remote Access Policy.  In the wizard, specify a name, select to create a custom policy, and then add the following conditions to the policy:

  • NAS-IP-Address:  This will be the IP address of the PIX firewall’s internal interface.  This helps to ensure that this policy only applies to VPN requests from this firewall and not from any other RADIUS client.
  • Windows-Groups:  This should be the security group created earlier.  Any user that should be allowed to authenticate on a VPN connection will need to be a member of this group.

The rest of the policy should be very straightforward.  In the policy’s profile, allow the authentication method the PIX is configured to send (MS-CHAP, per the “ppp authentication” command above) and require the strongest encryption.  Make this policy the first policy (using the Move Up/Move Down commands in the IAS console), add a user to the group created earlier, and then test your connection.  Remote systems attempting to connect via PPTP should now be able to authenticate the VPN connection using their Active Directory usernames and passwords.
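To make the shared-secret and policy-condition points above concrete, here is an added example (not code from the original post) that models both ends of the exchange in Python: the PIX building a RADIUS Access-Request carrying User-Name, User-Password and NAS-IP-Address, and an IAS-like server applying the two policy conditions (NAS-IP-Address and group membership) before signing its reply with the shared secret.  The PIX inside address (10.10.1.1), the user names, passwords and the wordlist are constructed for the demo; the group name and the value “secretkey” come from the post.  For simplicity the password travels as a PAP User-Password (RFC 2865 §5.2); the MS-CHAP vendor attributes a real PPTP session sends are not modelled.  The last function shows why the secret needs to be strong: the Response Authenticator is an MD5 over public packet fields plus the secret, so one captured request/reply pair can be run against a wordlist offline.

```python
"""RFC 2865 shared-secret mechanics behind the PIX <-> IAS exchange (added example, not from the post).
Assumed values that are not in the post: PIX inside address 10.10.1.1, user names, passwords, wordlist."""
import hashlib
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4        # attribute types
PIX_INSIDE = "10.10.1.1"   # assumed PIX inside address: the policy's NAS-IP-Address condition
VPN_GROUP = "VPN Users"    # the global security group from the post

def encode_attrs(attrs):
    """TLV-encode [(type, value_bytes), ...] into RADIUS attribute bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Inverse of encode_attrs; returns {type: value_bytes}, rejecting bad lengths."""
    attrs, i = {}, 0
    while i < len(data):
        length = data[i + 1] if i + 1 < len(data) else 0
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[data[i]] = data[i + 2:i + length]
        i += length
    return attrs

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, req_auth):
    """Server side of hide_password; yields garbage if the two secrets differ."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")

def packet(code, ident, authenticator, attrs_bytes):   # Code, Identifier, Length, Authenticator, Attributes
    return struct.pack("!BBH", code, ident, 20 + len(attrs_bytes)) + authenticator + attrs_bytes

def response_authenticator(code, ident, req_auth, attrs_bytes, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + req_auth + attrs_bytes + secret).digest()

def nas_access_request(secret, user, password, nas_ip=PIX_INSIDE, ident=1):
    """What the PIX sends: a random Request Authenticator plus the three attributes."""
    req_auth = os.urandom(16)
    attrs = encode_attrs([(USER_NAME, user.encode()), (USER_PASSWORD, hide_password(password, secret, req_auth)),
                          (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)])
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)

def ias_handle(request, clients, directory, allowed_nas=PIX_INSIDE, required_group=VPN_GROUP):
    """IAS-like server.  clients = {nas_ip: secret} (the RADIUS Clients list); directory =
    {user: (password, {groups})} stands in for AD.  Applies the NAS-IP-Address and Windows-Groups conditions."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], decode_attrs(request[20:length])
    nas_ip = str(ipaddress.IPv4Address(attrs[NAS_IP_ADDRESS]))
    secret = clients.get(nas_ip)
    if code != ACCESS_REQUEST or secret is None:
        return None                              # unknown RADIUS client: RFC 2865 says discard silently
    user = attrs[USER_NAME].decode(errors="replace")
    password = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    entry = directory.get(user)
    ok = (nas_ip == allowed_nas and entry is not None
          and password == entry[0] and required_group in entry[1])
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(reply_code, ident, response_authenticator(reply_code, ident, req_auth, b"", secret), b"")

def nas_check_reply(request, reply, secret):
    """PIX side: trust the verdict only if the Response Authenticator proves the server knew the secret."""
    if reply is None:
        return "no reply"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if reply[4:20] != response_authenticator(code, ident, request[4:20], reply[20:length], secret):
        return "forged"                          # secret mismatch on either side, or tampering in transit
    return "accept" if code == ACCESS_ACCEPT else "reject"

def crack_secret(request, reply, wordlist):
    """Offline dictionary attack on a captured pair: every authenticator input but the secret is on the wire."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    for guess in wordlist:
        if response_authenticator(code, ident, request[4:20], reply[20:length], guess) == reply[4:20]:
            return guess
    return None

def demo(secret=b"secretkey"):
    """Constructed users: alice is in 'VPN Users', bob is not.  Returns {(user, password): verdict}."""
    clients = {PIX_INSIDE: secret}
    directory = {"alice": ("Wint3r!", {"Domain Users", VPN_GROUP}), "bob": ("s3cret", {"Domain Users"})}
    verdicts = {}
    for user, pw in (("alice", "Wint3r!"), ("alice", "wrong"), ("bob", "s3cret")):
        req = nas_access_request(secret, user, pw)
        verdicts[(user, pw)] = nas_check_reply(req, ias_handle(req, clients, directory), secret)
    return verdicts
```

Running demo() gives alice an accept with the right password and a reject with the wrong one, and rejects bob even with a correct password because he is not in the VPN group, which is the Windows-Groups condition doing its job.  A request from an address that is not in the RADIUS Clients list gets no reply at all, and a reply signed with a different secret than the PIX holds is reported as forged rather than accepted.  crack_secret recovers “secretkey” from a three-word list in a few MD5 calls, which is the argument for a long random secret.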

Although this was written from the perspective of authenticating PPTP connections, the IAS side of the process should be very similar for IPSec VPN clients; the PIX-side commands for IPSec are different.


Have you ever tried to assign addresses using AD and DHCP server, instead of defining a local pool on PIX?

Alexei,

I don’t think that I’ve ever tried anything other than a local pool on the PIX. I have some Cisco gurus in my office; I’ll ping them and see if they know anything about doing this.

Scott

Hi Alexei / Slowe,

I am having some problems with the PIX not unregistering IP addresses from DNS after the client logs off.

I know this may be a different topic, but I just cannot find any info regarding this.

Any help would be great

cheers Ste

Ste,

I haven’t noticed this issue, but that doesn’t mean anything. I don’t use the VPN connection to my PIX very often.

Have you tried enabling scavenging on the DNS server? That will help automatically clear away old and unused DNS entries, but perhaps not in the time frame in which you were hoping.

Thanks,
Scott

I am a little confused on this point.
Can the PIX firewall login authentication system be integrated with Microsoft’s Active Directory services?

Any feedback on using an internal DHCP server to assign addresses to PIX VPN clients? The local PIX DHCP server is causing some issues in my AD infrastructure because it doesn’t remove client DNS entries when the client disconnects and the scavenging cycle doesn’t come around fast enough.

Manasi,

Not the actual authentication to the firewall itself (not as far as I know), but the VPN authentication can be integrated into Active Directory. So, when users attempt to connect to the network via VPN, they can use their AD credentials to establish the encrypted VPN session. Does that make sense? The local authentication to the firewall itself is still handled locally.

Anthony,

I honestly don’t know if you can use an internal DHCP server or not. I’m checking with a couple of CCIEs I work with right now to see if they know. I’ll let you know what I find out.

Hi Scott,

Perfect. That answers my question. It was a debate on if Cisco PIX, Routers, switches authentication can be integrated with Active Directory services.
But as far as I knew it could not be, and with your confirmation I am more sure now that it cannot be done as of today.

The VPN authentication clients are different as they are not accessing PIX firewall for configuration. The firewall only checks for the validity and authorization of their connection. Yes, their authentication can be integrated with Active Directory services.

But thanks for the confirmation.

Regards,
Manasi.

Manasi,

My answer was directed specifically at the PIX, not for other Cisco routers and switches. Routers and switches running IOS *can* (IIRC) have their login information integrated into Active Directory via RADIUS. So it’s a different story if you are talking about PIX firewalls vs. routers and switches running IOS. In addition, the story changes again if you compare PIX OS 6.x against PIX OS 7.x (used on the new ASA security appliances), which–to my understanding–are more like IOS and contain more IOS features.

Hi Scott,

Ok. Correct me, if I am wrong. Switches / routers can be integrated with Active Directory services using RADIUS.

I found an article which also states that the writer has integrated PIX firewall having IOS version 7.1 integrated with Active Directory Services, through RADIUS.

http://briandesmond.com/blog/archive/2006/10/27/How-to-Authenticate-against-Active-Directory-from-a-Cisco-PIX.aspx

Regards,
Manasi.

Manasi,

I stand corrected–it looks like PIX OS 6.x (as well as the newer PIX OS 7.x, which the article you referenced mentions) can both be configured to authenticate against Active Directory. In addition, IOS-based devices (routers and switches) can also be configured to authenticate against AD as well.

Thanks for the updated information and for the link!

Hi

I’m new to PIX and I am following your instructions. The last 2 lines I do not understand what they’re for.
access-list acl-nat0 permit ip 10.10.1.0 255.255.255.0
10.10.10.0 255.255.255.0
nat (inside) 0 access-list acl-nat0

What network is 10.10.1.0 on? 10.10.1.0 is your internal network?
Your example puts aaa-server vpn-auth in the vpn-pool network. Is it a mistake, and can I leave it in the internal network?

thanks

Raymond,

The acl-nat0 access list and corresponding nat statement prevent VPN traffic from being NAT’d as it traverses the PIX firewall. Replace the addresses with your source (first network and mask) and destination (second network and mask) networks. In the example above, 10.10.1.0 is the source network and 10.10.10.0 is the destination network.

The aaa-server defines the authentication for the VPN connection itself, and it should be a server on your internal network.

Hope this helps!

I’m trying to configure this exact thing, except using ipsec instead of pptp. I’ve followed everything here, and it didn’t work, searched more… asked tons of people… can’t seem to get it to work! I was wondering if you could shoot me an email and take a look at my running-config, see what exactly I’m missing. It may be on the pix, it may be on the IAS end… I’m not sure.

Thanks
Tom

With authentication against Active Directory, is it possible to log in with a local account and
use your network credentials for login to the VPN? Will any login script run with the proper credentials?

Remco,

Yes, you can do that. However, I do not believe that in this scenario your AD login scripts will run. I believe that the Cisco IPSec VPN client has a method of making login scripts work, but I have not tested that client with the Active Directory authentication.

Tom,

IPSec is a whole nother ball game. The commands above won’t help at all with IPSec VPN.

Has anyone got this going with IPSec? I have a PIX running IOS 7.1. I want to eliminate group authentication on the PIX and have VPN clients authenticated against AD. Can I do this using the radius server or do I need something else?

Thanks.

Sure you can use AD to authenticate VPN clients via PIX. I’m using Cisco Secure ACS Engine Solution as a RADIUS and a Cisco Remote Client comes with it and it’s installed on a member AD server. Works great.

Before that I was using Cisco Secure ACS software and to be honest I like it better because it doesn’t require an additional client and once installed on a machine which is part of AD works great.

Back there (3 years ago) the ACS software was working only on MS WIN 2000 Server. I don’t know what is the situation today but my new Solution Engine is running Win 2000 as well. I do not have access to the OS which is somehow good. The box is independent.

ACS could be used for any device on your network including switches/routers etc, anything that could use RADIUS or TACACS. Very useful appliance. A bit expensive… mine came in for $8500.

Does anybody use internal DHCP?

Jo,

From what I’ve seen, using internal DHCP seems to be problematic. If you have any solutions for that, I’d love to hear them!

Hi guys,

I am an IT manager trying to implement Cisco IPSEC VPN access along with including Windows Networking. So, users remotely can browse our Network Neighborhood or access servers/desktops using their NETBIOS names. I have not found any solid documentation on this type of implementation. I am using an ASA/PIX 5510 IOS 8.0.3 This is a 2nd gen PIX. Any help?

Good read, everything worked and I can connect into my network with no issue.

The problem is once I am connected, I cannot access any internet ips (like google yahoo etc) as if my routing table routes everything over the vpn. How can I fix this?

Hi Scott,
I am new to this blog and I have a question related to AD auth over PIX.
A remote user did not log into AD for a certain time and his password in AD has expired and needs to be changed.
Usually he will be asked to change his password when he is logging on to the domain on the local LAN.
But what about remote users?
VPN Client ver. 5 from Cisco, and the firewall is a PIX 506e with 6.3.
AD authentication is already working fine.
Is there a way that the user will be asked to change his password because it has expired? As domain server we use Windows 2008 Enterprise and Windows XP as client.

Hi,
What I have seen using internal DHCP seems to be problematic.
If you have any solutions for that, I had to hear them :)

Hi Peter,

Will the password change request from the DC be passed through to the Cisco VPN Client?

Does anyone know if it is possible/how to integrate Microsoft Active Directory into Cisco ASA/FWSM policies such that a particular rule in a policy could use an Active Directory group as a source instead of a list of static IP addresses?

We want to ensure the user is a particular user in a group, especially when they come from a Citrix host with multiple users on a single source IP.

Thanks in advance.