
Change AAA Server for Remote-Access VPN on Cisco Firewall
If you want to replace the AAA server used by the VPN on an ASA, a few items have to be changed so that every user connecting to the VPN is authenticated against the new server first, before being allowed into the network.
Topology
The parts that are changed are:
1. RADIUS setting
2. Tunnel-group
On the ASA firewall:
RADIUS Setting
    aaa-server PACKETNOTES protocol radius
    aaa-server PACKETNOTES (inside) host 10.159.149.132
     key *****
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
Group Policies Setting
    group-policy USERVPN internal
    group-policy USERVPN attributes
     wins-server value 10.130.0.5 10.130.0.6
     dns-server value 10.159.148.236 10.155.87.23
     vpn-tunnel-protocol ikev1
     split-tunnel-network-list value VPN-USER_splitTunnelAcl
     default-domain value packetnotesnet.packetnotes.intranet
    group-policy VPN-USER internal
    group-policy VPN-USER attributes
     wins-server value 10.159.35.101 10.130.0.6
     dns-server value 10.159.148.236
     vpn-tunnel-protocol ikev1 ikev2
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN-USER_splitTunnelAcl
     default-domain value packetnotesnet.packetnotes.intranet
VPN Remote-Access Tunnel-Group Setting
    tunnel-group VPN-USER type remote-access
    tunnel-group VPN-USER general-attributes
     address-pool VPN-USER
     authentication-server-group PACKETNOTES LOCAL
     default-group-policy VPN-USER
    tunnel-group VPN-USER ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group USERVPN type remote-access
    tunnel-group USERVPN general-attributes
     address-pool VPN-USER
     authentication-server-group PACKETNOTES LOCAL
     default-group-policy USERVPN
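The cutover order the post implies, written out as an added example rather than the post's own config: the new RADIUS group is created and tested before the tunnel-groups are repointed, and the old group is removed last. The group name NEWRADIUS, the host 10.159.149.200 and the test account are placeholders, not values from the page.

```cisco
! Added example, not from the original post. NEWRADIUS and 10.159.149.200
! are placeholders; PACKETNOTES and 10.159.149.132 are the old group from above.

! 1. Define the new RADIUS group and its host alongside the old one.
aaa-server NEWRADIUS protocol radius
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server NEWRADIUS (inside) host 10.159.149.200
 key *****
 authentication-port 1812
 accounting-port 1813
 timeout 5
 retry-interval 3

! 2. Verify the new server answers before any tunnel-group depends on it.
!    Use a throw-away test account; the ASA reports success or the
!    reject/timeout reason.
test aaa-server authentication NEWRADIUS host 10.159.149.200 username testuser password *****

! 3. Repoint every remote-access tunnel-group. LOCAL after the group name
!    means the local user database is used only when all RADIUS hosts in
!    the group are marked down.
tunnel-group VPN-USER general-attributes
 authentication-server-group NEWRADIUS LOCAL
tunnel-group USERVPN general-attributes
 authentication-server-group NEWRADIUS LOCAL

! 4. Confirm nothing still references the old group, then remove it and save.
show running-config tunnel-group | include authentication-server-group
show aaa-server NEWRADIUS
no aaa-server PACKETNOTES (inside) host 10.159.149.132
no aaa-server PACKETNOTES protocol radius
write memory
```

Because the LOCAL fallback only triggers when every RADIUS host is unreachable, keep the local user database limited to the accounts you actually need for that case.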
These settings apply to ASA version 8.3 and later and can be used for both AnyConnect and EasyVPN (VPN Client).