Thursday, April 22, 2010

Misc 21

Notice that I left a RADIUS server in the previous topology. I left it there intentionally so that I can use it for Remote Access VPN authentication (AAA). The configuration for the VPN initiation part is exactly the same. The only things we need to change now are the AAA lines and the addition of a RADIUS server:

aaa authentication login VPNAUTHEN gr rad local
radius-server host acct-port 1813 auth-port 1812 key cisco

(gr rad is the IOS abbreviation of group radius. With this method list the router tries RADIUS first and falls back to the local user database only when no RADIUS server answers, not when RADIUS rejects the login. The key must match the shared secret you will enter in the RADIUS client entry on NPS; outside the lab, use something stronger than cisco.)

Notice that I didn't change the authorization to use RADIUS. This should stay local unless you have a good reason to change it. If your RADIUS server is properly configured, the connection should be working now. However, if you haven't set up your RADIUS server yet, I'll walk you through it. In this article I'll be using NPS, Windows Server 2008's implementation of RADIUS, previously known as IAS in Server 2003. This picks up from a clean Active Directory install. NPS is installed as a role:

Now the only thing left is to configure the NPS server. To do this, go to:
Start > Administrative Tools > Network Policy Server

The first thing you want to do is to add your RADIUS client. To do this, right-click on RADIUS Clients and click on Add new RADIUS Client.

Add a RADIUS client as shown:

Now, browse down to Network Policies and change the Deny policies to Grant policies, like this:

Finally, head over to the Constraints tab and allow PAP authentication. PAP is needed because the router forwards the Xauth username and password to NPS as a plain RADIUS User-Password attribute; that attribute is hidden only with the shared secret, so keep the path between the router and NPS on a trusted network:

Right now you should be able to authenticate against your RADIUS server. If it doesn't work, the Security event log on the NPS server tells you why: event 6272 is access granted and 6273 is access denied, with the reason code in the event text.
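To confirm that NPS really accepts PAP with the shared secret you configured, here is a small RADIUS test client I've added for this write-up (it is not part of the original article and not Cisco or Microsoft code). It builds the same kind of Access-Request the router sends for Xauth, hides the password the RFC 2865 way, and verifies the Response Authenticator on the reply, so a wrong shared secret shows up as a mismatch instead of a silent reject. The server address, username, password and the NAS-Identifier value vpn-router are placeholders you substitute for your own.

```python
import hashlib
import os
import socket
import struct

def _xor_chain(data, secret, authenticator, decrypt):
    """RFC 2865 5.2 User-Password hiding: each 16-byte block is XORed with MD5(secret +
    previous ciphertext block), the first with the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk if decrypt else res  # chain on the ciphertext in both directions
        out += res
    return out

def pap_encrypt(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a 16-byte multiple
    return _xor_chain(padded, secret, authenticator, decrypt=False)
def pap_decrypt(hidden, secret, authenticator):
    return _xor_chain(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")
def tlv(attr_type, value):  # RADIUS attribute: Type, Length (header included), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(username, password, secret, ident=1, authenticator=None):
    """Code 1 = Access-Request carrying User-Name(1), NAS-Identifier(32), User-Password(2)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (tlv(1, username.encode()) + tlv(32, b"vpn-router")  # NAS-Identifier is a placeholder
             + tlv(2, pap_encrypt(password.encode(), secret, authenticator)))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def build_response(code, ident, request_authenticator, secret, attrs=b""):  # RFC 2865 3 server reply
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def parse_response(packet, request_authenticator, secret):
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:length] + secret).digest()
    if packet[4:20] != expected:  # reply was not keyed with our secret: wrong key or forged
        raise ValueError("Response Authenticator mismatch")
    return {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}.get(code, f"code {code}")

def check_pap_login(server, username, password, secret, port=1812, timeout=3.0):
    """Send one PAP Access-Request to your own NPS (auth-port 1812) and return its verdict."""
    req, auth = build_access_request(username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (server, port))
        data, _ = s.recvfrom(4096)
    return parse_response(data, auth, secret)
```

Run check_pap_login("<nps-ip>", "user", "password", b"cisco") from a host that is added as a RADIUS client on NPS; an Access-Reject with a correct secret means the network policy or PAP constraint is still wrong, while a Response Authenticator mismatch means the secrets differ.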

I noticed that I missed the client configuration in the previous article, so I'll touch on that now. The Cisco VPN client can be downloaded here. To get to the downloads, look at the right navigation bar and click "Download Software". You'll need a CCO contract, so you'll have to get your friends to help you with it.

After launching the application, you should see this page:

Click on the New button and configure your VPN as follows:

You should now have a new entry in your list. Right-click it, select Connect, and you will be asked for credentials and hopefully be connected.
