Configure the Cisco VPN 3000 Series Concentrators to Support the NT Password Expiration Feature with the RADIUS Server

Similar documents
Configuring the Cisco VPN 3000 Concentrator with MS RADIUS

Configuring the VPN Client 3.x to Get a Digital Certificate

ACS 5.x: LDAP Server Configuration Example

Cisco Secure ACS for Windows v3.2 With PEAP MS CHAPv2 Machine Authentication

Configuring the Cisco VPN 3000 Concentrator 4.7.x to Get a Digital Certificate and a SSL Certificate

Secure ACS for Windows v3.2 With EAP TLS Machine Authentication

Configuring Funk RADIUS to Authenticate Cisco Wireless Clients With LEAP

RSA SecurID Ready with Wireless LAN Controllers and Cisco Secure ACS Configuration Example

SSL Certificate Based VPN

ASA Clientless SSL VPN (WebVPN) Troubleshooting Tech Note

Client VPN OS Configuration. Android

Wireless LAN Controller Web Authentication Configuration Example

Cisco Secure Desktop (CSD) on IOS Configuration Example using SDM

Cisco Aironet Client Adapter Installation Tips for Windows NT v4.0

The information in this document is based on the Cisco VPN 3000 Series Concentrator.

Configuring Redundant Routing on the VPN 3000 Concentrator

Table of Contents 1 Cisco AnyConnect...1

Wired Dot1x Version 1.05 Configuration Guide

ESET SECURE AUTHENTICATION. Cisco ASA SSL VPN Integration Guide

Checkpoint VPN-1 NG/FP3

How to Authenticate VPN 5000 Client to the VPN 5000 Concentrator with Cisco Secure NT 2.5 and Later (RADIUS)

Install Certificate on the Cisco Secure ACS Appliance for PEAP Clients

CRS Historical Reports Schedule and Session Establishment

LAB: Configuring LEAP. Learning Objectives

TACACS+ on an Aironet Access Point for Login Authentication Configuration Example

Use NAT to Hide the Real IP Address of CTC to Establish a Session with ONS 15454

WatchGuard Firebox and MUVPN. Quick Start Guide. Copyright CRYPTOCard Corporation All Rights Reserved

ASA Remote Access VPN IKE/SSL Password Expiry and Change for RADIUS, TACACS, and LDAP Configuration Example

RADIUS Authentication and Authorization Technical Note

ESET SECURE AUTHENTICATION. Cisco ASA Internet Protocol Security (IPSec) VPN Integration Guide

Managing WCS User Accounts

Configuring Split and Dynamic DNS on the Cisco VPN 3000 Concentrator

Configuring the VPN Client

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Implementing Authentication Proxy

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Secure ACS Database Replication Configuration Example

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM

Configuring L2TP over IPsec

Integration Guide. LoginTC

Router Allows VPN Clients to Connect IPsec and Internet Using Split Tunneling Configuration Example

Web Authentication Using LDAP on Wireless LAN Controllers (WLCs) Configuration Example

Configuring RADIUS Clients

AAA and the Local Database

CallManager Configuration Requirements for IPCC

ISA 2006 and OWA 2003 Implementation Guide

Configuring an IPSec Tunnel Between a Cisco SA500 and the Cisco VPN Client

Managing WCS User Accounts

Microsoft ISA 2006 Integration. Microsoft Internet Security and Acceleration Server (ISA) Integration Notes Introduction

Check Password Synchronization with the Admin Utility in the Cisco CallManager Cluster

Integration Guide. SafeNet Authentication Manager. Using RADIUS Protocol for Cisco ASA

Protected EAP (PEAP) Application Note

DIGIPASS Authentication for Cisco ASA 5500 Series

SETUP FOR OUTLOOK (Updated October, 2018)

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810

Access Gateway 9.3, Enterprise Edition

Configuring a Cisco 827 Router Using PPPoA With CHAP and PAP

Dynamic VLAN Assignment with WLCs based on ACS to Active Directory Group Mapping Configuration Example

PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server

ActivIdentity 4TRESS AAA Web Tokens and F5 BIG-IP Access Policy Manager. Integration Handbook

Configuring the PIX Firewall and VPN Clients Using PPTP, MPPE and IPSec

CVP 40 EVAL, CVP 40 DISTI, CVP 40 DART, CVP 41 EVAL,CVP 41 DIST NFR, CVP 41 DART NFR, CVP 70 EVAL, CVP 70 DIST NFR

IOS/CCP: Dynamic Multipoint VPN using Cisco Configuration Professional Configuration Example

Client Configuration Guide

Cisco IOS Firewall Authentication Proxy

Using SANDeploy iscsi SAN for VMware ESX / ESXi Server

Tune the CTC HEAP Variables on the PC to Improve CTC Performance

CRYPTOCard Migration Agent for CRYPTO-MAS

Configuring Basic AAA on an Access Server

Barracuda SSL VPN Integration

Configuring Request Authentication and Authorization

The MSCHAP Version 2 feature (introduced in Cisco IOS Release 12.2(2)XB5) allows Cisco routers to

Configuring RADIUS. Information About RADIUS. RADIUS Network Environments. Send document comments to

VPN Between Sonicwall Products and Cisco Security Appliance Configuration Example

Authentication of Wireless LAN Controller's Lobby Administrator via RADIUS Server

AT&T Global Network Client for Mac User s Guide Version 2.0.0

Configuring Outlook from an Off-Campus Location to Use Enterprise Exchange

Lab 5.6b Configuring AAA and RADIUS

VMware AirWatch Certificate Authentication for Cisco IPSec VPN

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

Implementation Guide for protecting Juniper SSL VPN with BlackShield ID

Identity Firewall. About the Identity Firewall

Barracuda Networks SSL VPN

How to Configure Authentication and Access Control (AAA)

Configuration Guide. SafeNet Authentication Service. SAS Agent for Microsoft NPS Technical Manual Template

HOB Remote Desktop VPN

User Databases. ACS Internal Database CHAPTER

Stonesoft Integration

Managing WCS User Accounts

Log Server Configuration Utility

Endpoint Security. Gateway Integration Guide R72

Firepower extensible Operating System (FXOS) 2.2: Chassis Authentication and Authorization for remote management with ACS using RADIUS

OneGate Linux Client. Release Notes. Version Thinspace Technology Ltd Published: 03 JULY Updated:

MeetingPlace for Outlook Onsite Installation or Upgrade

AAA Server Groups. Finding Feature Information. Information About AAA Server Groups. AAA Server Groups

CDR Database Copy or Migration to Another Server

Lab - Configure Browser Settings in Windows 8

ACS Shell Command Authorization Sets on IOS and ASA/PIX/FWSM Configuration Example

NAT Support for Multiple Pools Using Route Maps

Managing NCS User Accounts

Transcription:

Configure the Cisco VPN 3000 Series Concentrators to Support the NT Password Expiration Feature with the RADIUS Server Document ID: 12086 Contents Introduction Prerequisites Requirements Components Used Network Diagram Configuring the VPN 3000 Concentrator Group Configuration RADIUS Configuration Configuring the Cisco Secure NT RADIUS Server Configuring an Entry for the VPN 3000 Concentrator Configuring the Unknown User Policy for NT Domain Authentication Testing the NT/RADIUS Password Expiration Feature Testing RADIUS Authentication Actual NT Domain Authentication Using RADIUS Proxy to Test the Password Expiration Feature Related Information Introduction This document includes step by step instructions on how to configure the Cisco VPN 3000 Series Concentrators to support the NT Password Expiration feature using the RADIUS server. Refer to VPN 3000 RADIUS with Expiry Feature Using Microsoft Internet Authentication Server in order to learn more about the same scenerio with the Internet Authentication Server (IAS). Prerequisites Requirements If your RADIUS server and NT Domain Authentication server are on two separate machines, make sure that you have established IP connectivity between the two machines. Make sure that you have established IP connectivity from the concentrator to the RADIUS server. If the RADIUS server is towards the public interface, don't forget to open up the RADIUS port on the Public Filter. Ensure that you can connect to the concentrator from the VPN client using the Internal User Database. If this is not configured, please refer to Configuring IPSec Cisco 3000 VPN Client to VPN 3000 Concentrator. Note: The Password expiration feature cannot be used with Web VPN or SSL VPN clients.

Components Used This configuration was developed and tested using the software and hardware versions below. VPN 3000 Concentrator Software Version 4.7 VPN Client Release 3.5 Cisco Secure for NT (CSNT) version 3.0 Microsoft Windows 2000 Active Directory Server for User Authentication The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command. Network Diagram This document uses this network setup: Diagram Notes 1. The RADIUS server in this configuration is on the public interface. If this is the case with your specific setup, please create two rules in your public filter to allow RADIUS traffic to enter and leave the concentrator. 2. This configuration shows CSNT software and NT Domain Authentication Services running on the same machine. These elements can be run on two separate machines if required by your configuration. Configuring the VPN 3000 Concentrator Group Configuration 1. To configure the group to accept the NT Password Expiration Parameters from the RADIUS Server, go to Configuration > User Management > Groups, select your group from the list, and click Modify Group. The example below shows how to modify a group named "ipsecgroup."

2. Go to the IPSec tab, make sure that RADIUS with Expiry is selected for the Authentication attribute. 3. If you want this feature to be enabled on the VPN 3002 Hardware Clients, go to the HW Client tab, make sure that Require Interactive Hardware Client Authentication is enabled, then click Apply. RADIUS Configuration 1. To configure the RADIUS server settings on the concentrator, go to Configuration > System > Servers > Authentication > Add.

2. On the Add screen, type in the values that correspond to the RADIUS server and click Add. The example below uses the following values. Server Type: RADIUS Authentication Server: 172.18.124.96 Server Port = 0 (for default of 1645) Timeout = 4 Reties = 2 Server Secret = cisco123 Verify: cisco123 Configuring the Cisco Secure NT RADIUS Server Configuring an Entry for the VPN 3000 Concentrator 1. Log into CSNT and click Network Configuration in the left panel. Under "AAA Clients," click Add Entry.

2. On the "Add AAA Client" screen, type in the appropriate values to add the concentrator as the RADIUS Client, then click Submit + Restart. The example below uses the following values. AAA Client Hostname = 133_3000_conc AAA Client IP Address = 172.18.124.133 Key = cisco123 Authenticate using = RADIUS (Cisco VPN 3000)

An entry for your 3000 concentrator will appear under the "AAA Clients" section. Configuring the Unknown User Policy for NT Domain Authentication 1. To configure User Authentication on the RADIUS server as a part of the Unknown User Policy, click External User Database in the left panel, then click the link for Database Configuration.

2. Under "External User Database Configuration," click Windows NT/2000. 3. On the "Database Configuration Creation" screen, click Create New Configuration.

4. When prompted, type a name for the NT/2000 Authentication and click Submit. The example below shows the name "Radius/NT Password Expiration." 5. Click Configure to configure the Domain Name for User Authentication. 6. Select your NT domain from the "Available Domains," then click the right arrow button to add it to the "Domain List." Under "MS CHAP Settings," ensure that the options for Permit password changes using MS CHAP version 1 and version 2 are selected. Click Submit when you are done.

7. Click External User Database in the left panel, then click the link for Database Group Mappings (as seen in this example). You should see an entry for your previously configured external database. The example below shows an entry for "Radius/NT Password Expiration," the database that we just configured.

8. On the "Domain Configurations" screen, click New configuration to add the domain configurations. 9. Select your domain from the list of "Detected Domains" and click Submit. The example below shows a domain named "JAZIB ADS." 10. Click on your domain name to configure the group mappings. This example shows the domain "JAZIB ADS."

11. Click Add mapping to define the group mappings. 12. On the "Create new group mapping" screen, map the group on the NT domain to a group on the CSNT RADIUS server, then click Submit.. The example below maps the NT group "Users" to the RADIUS group "Group 1."

13. Click External User Database in the left panel, then click the link for Unknown User Policy (as seen in this example). Make sure that the option for Check the following external user databases is selected. Click the right arrow button to move the previously configured external database from the list of "External Databases" to the list of "Selected Databases."

Testing the NT/RADIUS Password Expiration Feature The concentrator offers a function to test RADIUS authentication. To test this feature properly, make sure that you follow these steps carefully. Testing RADIUS Authentication 1. Go to Configuration > System > Servers > Authentication. Select your RADIUS server and click Test. 2. When prompted, type your NT domain user name and password, and then click OK. The example below shows user name "jfrahim" configured on the NT domain server with "cisco123" as the password.

3. If your authentication is set up properly, you should get a message stating "Authentication Successful." If you receive any message other than the one shown above, there is some configuration or connection problem. Please repeat the configuration and testing steps outlined in this document to ensure that all settings were made properly. Also check the IP connectivity between your devices. Actual NT Domain Authentication Using RADIUS Proxy to Test the Password Expiration Feature 1. If the user is already defined on the domain server, modify the properties so that the user will be prompted to change the password at the next logon. Go to the "Account" tab of the user's properties dialog box, select the option for User must change password at next logon, then click OK.

2. Launch the VPN client, then try to establish the tunnel to the concentrator. 3. During User Authentication, you should be prompted to change the password.

Related Information Cisco VPN 3000 Series Concentrator IPSec Cisco Secure Access Control Server for Windows RADIUS Requests for Comments (RFCs) Contacts & Feedback Help Site Map 2014 2015 Cisco Systems, Inc. All rights reserved. Terms & Conditions Privacy Statement Cookie Policy Trademarks of Cisco Systems, Inc. Updated: Jan 19, 2006 Document ID: 12086

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback