?
Solved

NPS and an ASA

Posted on 2013-06-04
7
Medium Priority
?
429 Views
Last Modified: 2013-06-06
I have a Cisco ASA5500 that is using a Windows Server 2008 R2 machine as a RADIUS server to authenticate users for VPN and TSWeb access. The RADIUS server also services other Cisco equipment with AAA authentication. I have no problems with this setup.

However, since all 3 are on the same NPS server, the rules interfere with security. If a user has permissions to access TSWeb but not VPN, they are still granted access because they fall into one of the rules. I was hoping to be able to sort the requests based on the UDP Port that they came in on but I have been unable to handle that from the Microsoft side of things. At this point the only available option I see is have a different server for each type of access but that seems insane.

After several hours of searching the Internet for the answer, I turn to the Experts. I will provide any additional information necessary, just ask.
0
Comment
Question by:NHEC_Networking
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 16

Assisted Solution

by:btassure
btassure earned 1000 total points
ID: 39221350
RADIUS isn't great for that level of granularity.

Active Directory AA and LDAP are more suited to group based authentication.

What version of ASA are you using?

Have you considered other options than RADIUS?
0
 
LVL 25

Accepted Solution

by:
RobMobility earned 1000 total points
ID: 39221379
Hi,

You may be able to control access using Cisco Dynamic Access Policies - this will evaluate a user against criteria such as tunnel group, AnyConnect version and LDAP/RADIUS AD user group - you could use this to control access.

Easiest to set in ASDM

Regards,


RobMobility
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 39221908
You need to adjust your NPS policies to include the type of device. I can elaborate later once i get onto the office. I use NPS for RD gateway, 802.1x wired, 802.1x Wireless, and ASA VPN without issue. I found radius to work better than LDAP.
0
Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

 

Author Comment

by:NHEC_Networking
ID: 39221955
Kevinhsieh - The problem is that I use TSWeb (handled by the ASA), VPN (handled by the ASA) and CLI. All of which are generated by the ASA.

Btassure and RobMobility - I am working on getting LDAP setup on the ASA but I'm running into issues. I will continue to troubleshoot those and get back to you, this option looks  promising. Thank you
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 39222019
Hi,

You should be able to use Radius Attributes for Dynamic Access Policies as well.

Try LDAP over SSL and make sure your LDAP service account is a Domain Admin - other permissions do not appear to work.

Kind regards,


RobMobility.
0
 

Author Comment

by:NHEC_Networking
ID: 39222029
I was able to make LDAP work. Now I just need to work out the DAPs and applying them. This is great progress so far. Thank you for your assistance!
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 39225939
Hi,

I use Dymanic Access Policies to control access between multiple user groups and multiple end-points.

It's quite flexible in this respect.

Regards,


RobMobility.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OfficeMate Freezes on login or does not load after login credentials are input.
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question