agradmin

asked on

Cisco ASA5510 VPN user authentication on Windows 2008 RADIUS server

This is directly related to Q ID 24687836.
I have a Cisco ASA firewall that currently passes on remote access VPN user authentication to a Windows 2000 IAS RADIUS server. I wish to move this to a Windows 2008 x64 server.
I have tried configuring NPS on Windows 2008 to accept RADIUS requests to no avail - testing from the Cisco firewall indicates that the server is not responding.
I need to understand how this authentication works in IAS, and what needs to be done in NPS to make this functional (I have the NPS service running, but feel that the Routing & Remote Access server should not be needed).
Our IAS config is very basic. We are allowing domain users to connect - but I am unable to see anything that specifically relates to the firewall (as a RADIUS client, policies).
What I'd like to know:
1) Is anyone using Windows 2008 (64 bit) NPS as a RADIUS server to authenticate Cisco VPN clients?
2) If so, how is this accomplished (services, RADIUS client setup, policies)?
3) How does RADIUS authentication work in IAS (in light of the above)?

I appreciate all input on this - I've had a consultant in to help to no avail, and a call to Cisco support (from the consultant) resulted in the fact that they don't know how to set it up either...
jdmc43

Hi
I managed to get my ASA 5510 authenticating against my WS 2k8 RADIUS server this afternoon; it's nice to know there are other people struggling with the same problem!

Follow the directions in this article from Q ID 24409126:
http://www.mcmis.co.uk/TechArt/Technical%20Articles.htm

When you install the NPS role it has some default policies which deny permission; you therefore need to 'move up' your new policy allowing your Domain Users etc. This is what fixed it for me.

Now I have to try and get the VPN connection working...

dc
3nerds
Agradmin,

If all you want to do is allow any authenticated user to connect, then it would probably be easier to use the built-in LDAP functionality that the ASA supports. From the ASDM the setup is pretty simple, and you can see a walkthrough here:

http://www.cisco.com/application/pdf/paws/98625/asa_ldap_authentication.pdf

The document is specifically for webvpn but it works the same for normal VPN.

As to your question about the new NPS in Server 2008 versus IAS, it functions on the same basic principle. The couple of things that might help you are as follows.

First, did you add this new radius server to the ASA?

Secondly, did you add the ASA as a client to the NPS?

Lastly, I have had problems with NPS when the Server 2008 server thinks it can't access the internet. I have been able to get the repair feature to work on occasion, but generally the 2008 server seems to get confused and needs to be rebooted.

Regards,

3nerds
agradmin (asker)

That's great!
Did you have to set up the ASA as a client? I tried but was thrown off by the need for the shared secret (where's that set up in the ASA?) and the fact that we do not have it set up in IAS.

Thanks,
Alan
Sorry, we seem to have posted at the same time. My last response was directed to JDMC43.

BTW, the RADIUS server has been added to the ASA (and authentication tests run against it), but not fully as a client as above.

Keep those responses coming - they're a great help.
So you are using the ASDM and have the new server added as a client, and you select it and click test and you can authenticate?

Also, a shared secret is just a password. The client (ASA) and the server both know it so that not just anyone can authenticate against your RADIUS server.

Regards,

3nerds
I have added the server in ASDM and testing against that fails (legacy IAS server passes).

I understand what the shared secret does, but have been confused by the fact that the ASA has not been set up as a client in IAS (on the Windows 2000 DC) and works fine. This is coupled with the fact that I cannot see where to add the shared secret in the ASDM - does this have to be accomplished via the command line?
ASKER CERTIFIED SOLUTION by 3nerds (solution text only available to members)
Problem solved! The original config had the AAA server group configured for "NT Domain" protocol. Apparently this does not require the ASA to be set up as a RADIUS client, and does not use a shared secret key.
I set up a new AAA server group using RADIUS protocol and the addition of servers allowed the insertion of the shared secret. Testing proves OK and we are now using this to authenticate VPN users.
Thanks so much for your insight, which ultimately led me to the problem source.
Expert advice led me to the source of the problem - thanks!
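The fix the asker describes, written out as an added ASA CLI example (this is not configuration taken from the thread): the original "NT Domain" server group beside a RADIUS-protocol group, which is the only one that carries a shared secret. Group names, the interface name, the addresses, the tunnel-group name and the key are placeholders.

```cisco
! Original (broken for NPS): an "NT Domain" group speaks NTLM directly to a
! domain controller. Nothing here is RADIUS, so the server never needs this
! ASA as a RADIUS client and there is no shared secret to enter.
aaa-server LEGACY-NT protocol nt
aaa-server LEGACY-NT (inside) host 192.0.2.10
 nt-auth-domain-controller DC2000
!
! Corrected: a RADIUS group. The key must be identical to the shared secret
! entered for this ASA under NPS > RADIUS Clients, and NPS must list the ASA
! by the interface address it sees the requests come from (here, "inside").
aaa-server NPS-RADIUS protocol radius
aaa-server NPS-RADIUS (inside) host 192.0.2.20
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813
 timeout 5
!
! Point the remote-access tunnel group at the new group instead of LEGACY-NT.
tunnel-group REMOTE-VPN general-attributes
 authentication-server-group NPS-RADIUS
!
! Verify from the ASA before touching the VPN profile (exec mode, not config).
! A "no response" result means NPS dropped the request: wrong client address,
! mismatched secret, or the server's firewall blocking UDP/1812.
! A "rejected" result means NPS answered but a network policy denied access,
! typically because the granting policy sits below the default deny policies
! or does not permit the authentication method the ASA sends (PAP by default).
test aaa-server authentication NPS-RADIUS host 192.0.2.20 username <domain-user> password <password>
```

On the NPS side, the network policy that grants Domain Users must be ordered above the two default deny policies, as the thread notes, and its allowed authentication methods must include whatever the ASA sends.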