
Cisco ASA5510 VPN user authentication on Windows 2008 RADIUS server

This is directly related to Q ID 24687836;
I have a Cisco ASA firewall that currently passes on remote access VPN user authentication to a Windows 2000 IAS RADIUS server. I wish to move this to a Windows 2008 x64 server.
I have tried configuring NPS on Windows 2008 to accept RADIUS requests to no avail - testing from the Cisco firewall indicates that the server is not responding.
I need to understand how this authentication works in IAS, and what needs to be done in NPS to make this functional ( I have the NPS service running, but feel that Routing & Remote access server should not be needed).
Our IAS config is very basic. We are allowing domain users to connect - but I am unable to see anything that specifically relates to the firewall (as a RADIUS client, policies).
What I'd like to know;
1) Is anyone using Windows 2008 (64 bit) NPS as a RADIUS server to authenticate Cisco VPN clients?
2) If so, how is this accomplished (services, RADIUS client setup, policies)
3) How does RADIUS authentication work in IAS (in light of the above)?

I appreciate all input on this - I've had a consultant in to help to no avail, and a call to Cisco support (from the consultant) resulted in the fact that they don't know how to set it up either...

Commented:
Hi
I managed to get my ASA 5510 authenticating against my WS 2k8 RADIUS server this afternoon; it's nice to know there are other people struggling with the same problem!

Follow the directions in this article from Q ID 24409126:
http://www.mcmis.co.uk/TechArt/Technical%20Articles.htm

When you install the NPS role it has some default policies which deny permission; you therefore need to 'move up' your new policy allowing your Domain Users etc. This is what fixed it for me.

Now I have to try and get the VPN connection working...

dc
Agradmin,

If all you want to do is allow any authenticated user to connect, then it would probably be easier to use the built-in LDAP functionality that the ASA supports. From the ASDM the setup is pretty simple, and you can see a walkthrough here.

http://www.cisco.com/application/pdf/paws/98625/asa_ldap_authentication.pdf

The document is specifically for webvpn but it works the same for normal VPN.

As to your question about the new NPS in Server 2008 versus IAS, it functions on the same basic principle. The couple of things that might help you are as follows.

First, did you add this new RADIUS server to the ASA?

Secondly, did you add the ASA as a client to the NPS?

Lastly, I have had problems with NPS when the Server 2008 server thinks it can't access the internet. I have been able to get the repair feature to work on occasion, but generally the 2008 server seems to get confused and needs to be rebooted.

Regards,

3nerds

Author

Commented:
That's great!
Did you have to set up the ASA as a client? I tried but was thrown off by the need of the shared secret (where's that set up in the ASA?) and the fact that we do not have it set up in IAS.

Thanks,
Alan

Author

Commented:
Sorry, we seem to have posted at the same time. My last response was directed to JDMC43.

BTW, the RADIUS server has been added to the ASA (and authentication tests run against it), but not fully as a client as above.

Keep those responses coming - they're a great help.
So you are using the ASDM, have the new server added as a client, and when you select it and click Test you can authenticate?

Also, a shared secret is just a password. The client (ASA) and the server both know it so that not just anyone can authenticate against your RADIUS server.

Regards,

3nerds

Author

Commented:
I have added the server in ASDM and testing against that fails (legacy IAS server passes).

I understand what the shared secret does, but have been confused by the fact that the ASA has not been set up as a client in IAS (on a Windows 2000 DC) and works fine. This is coupled with the fact that I cannot see where to add the shared secret in the ASDM - does this have to be accomplished via the command line?
In the ASDM it is added via the "Server Secret Key", or it can be added via the command line like this:

aaa-server RADIUS (inside) host 192.168.x.x key xyz123

"ASA has not been set up as a client in IAS (on Windows 2000 DC)" --> that would be odd.

3nerds
Commented:
Hi
If you want to use WS2k8 as a RADIUS server, the article I mentioned before is a very good step-by-step guide with screenshots. The general theme is:

1) Install the NPS service.
2) Register the NPS in AD (right mouse click on NPS (Local) in the NPS console).
3) Configure a RADIUS client (your ASA device); this is where you put in the shared secret key.
4) Configure a network policy (set it for your Domain Users etc.).
5) Move the policy to the top.

You should now be able to use the full authentication test from the ASA device - the domain prefix might be necessary; the authorization test will not work for some reason. If you configure logging for the service you will be able to see whether any connection is being made.

dc
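To show what the ASA's authentication test actually puts on the wire and why a missing RADIUS client entry or a mismatched shared secret looks like "server not responding", here is an added example (not code from the thread or from Cisco/Microsoft) that builds a RADIUS PAP Access-Request and checks the reply per RFC 2865. The user name, password, secret and NAS address are constructed sample values.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4  # RFC 2865 attribute types

def hide_password(password, secret, authenticator):
    # RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous chunk)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    # server side of the same transform; a wrong secret yields junk, never a login
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(code, value):
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_request(ident, user, password, secret, nas_ip, authenticator=None):
    # what the ASA sends on "Test": the secret itself never goes on the wire
    ra = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode()) + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, ra)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs, ra

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    # server reply; Response Authenticator = MD5(header + RequestAuth + attrs + secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_response(resp, request_authenticator, secret):
    # trust the reply only if its authenticator checks out under our copy of the secret
    if len(resp) < 20:
        return "malformed"
    code, _ident, length = struct.unpack("!BBH", resp[:4])
    expected = hashlib.md5(resp[:4] + request_authenticator + resp[20:length] + secret).digest()
    if expected != resp[4:20]:
        return "forged or wrong shared secret"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")
```

Send the request over UDP to port 1812 on the NPS host; if nothing at all comes back within a few seconds, NPS has discarded it, which is what it does when the sender is not a registered RADIUS client or the secret differs (NPS logs this as a discarded request, not a failed logon).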

Author

Commented:
Problem solved! The original config had the AAA server group configured for "NT Domain" protocol. Apparently this does not require the ASA to be set up as a RADIUS client, and does not use a shared secret key.
I set up a new AAA server group using RADIUS protocol and the addition of servers allowed the insertion of the shared secret. Testing proves OK and we are now using this to authenticate VPN users.
Thanks so much for your insight, which ultimately led me to the problem source.

Author

Commented:
Expert advice led me to the source of the problem - thanks!