Cisco ASA VPN integration with Symantec VIP Access

I have been working on migrating the Cisco ASA VPN from an RSA key solution to a Symantec VIP Access solution that integrates with smart devices e.g. iPhone, iPad through an App.

For this to work I ran through the below:

Active Directory

  1. Create a service account for Symantec VIP to be able to read AD
  2. Create a group for enabled users to be able to access ASA-VIP VPN

Symantec VIP server

  1. Create a user store
  2. Attach the above AD group for enabled users
  3. Configure RADIUS Validation details including port and shared secret

Cisco ASA

  1. Create a new IPSec Connection Profile with a new Pre-shared key
  2. Configure a new AAA Server Group which used the RADIUS authentication protocol
  3. Create a AAA Server (the Symantec VIP server)
  4. Set the Server Authentication and Accounting ports as well as the RADIUS Server Secret Key and Common Password which were initially setup on the VIP server
  5. Assign the DHCP Servers
  6. Assign the Group Policy

Note: The IPSec Connection Profile is case-sensitive.

On the client machine, I changed the corresponding profile parameters e.g. Connection Profile and Pre-shared key. The destination address points to the Outside interface of the ASA. When you hit connect button, the authentication box appears followed by a prompt on the iPhone VIP App seeking approval for the access. When approval is granted, the VPN connection completes and the padlock is displayed within the Cisco VPN client.

Advertisements