
NPS and an ASA

I have a Cisco ASA5500 that is using a Windows Server 2008 R2 machine as a RADIUS server to authenticate users for VPN and TSWeb access. The RADIUS server also services other Cisco equipment with AAA authentication. I have no problems with this setup.

However, since all 3 are on the same NPS server, the rules interfere with security. If a user has permissions to access TSWeb but not VPN, they are still granted access because they fall into one of the rules. I was hoping to be able to sort the requests based on the UDP Port that they came in on but I have been unable to handle that from the Microsoft side of things. At this point the only available option I see is have a different server for each type of access but that seems insane.

After several hours of searching the Internet for the answer, I turn to the Experts. I will provide any additional information necessary, just ask.
Asked by NHEC_Networking
 
btassure commented:
RADIUS isn't great for that level of granularity.

Active Directory AA and LDAP are more suited to group based authentication.

What version of ASA are you using?

Have you considered other options than RADIUS?
 
RobMobility commented:
Hi,

You may be able to control access using Cisco Dynamic Access Policies - this will evaluate a user against criteria such as tunnel group, AnyConnect version and LDAP/RADIUS AD user group - you could use this to control access.

Easiest to set in ASDM

Regards,


RobMobility
 
kevinhsieh commented:
You need to adjust your NPS policies to include the type of device. I can elaborate later once I get into the office. I use NPS for RD Gateway, 802.1X wired, 802.1X wireless, and ASA VPN without issue. I found RADIUS to work better than LDAP.

 
NHEC_Networking (Author) commented:
Kevinhsieh - The problem is that I use TSWeb (handled by the ASA), VPN (handled by the ASA) and CLI. All of which are generated by the ASA.

Btassure and RobMobility - I am working on getting LDAP set up on the ASA but I'm running into issues. I will continue to troubleshoot those and get back to you; this option looks promising. Thank you.
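As an added illustration (not code from this thread or from NPS itself), the first-match policy processing kevinhsieh refers to, modelled in Python: when every policy keys on group membership alone, a TSWeb-only user arriving through the VPN tunnel-group is accepted by the TSWeb rule, and adding a connection-type condition closes that gap. Assumptions: the attribute name Tunnel-Group-Name, the ASA address, and the group and tunnel-group names are constructed, and NAS-IP-Address cannot separate the access types because all three come from the same ASA.

```python
"""Model of NPS network-policy processing: policies are evaluated in order and
the first policy whose conditions all match decides the request. Constructed
data; attribute, group and tunnel-group names are illustrative, not NPS ids."""

def make_request(user_groups, nas_ip, tunnel_group=None):
    """Subset of request attributes a policy can condition on. NAS-IP-Address is
    the same for VPN and TSWeb here (one ASA); the tunnel-group name differs."""
    return {"groups": set(user_groups), "NAS-IP-Address": nas_ip,
            "Tunnel-Group-Name": tunnel_group}

def evaluate(policies, request):
    """Return (policy name, access granted) for the first matching policy,
    or ("<no match>", False) when nothing matches."""
    for name, conditions, grant in policies:
        if all(cond(request) for cond in conditions):
            return name, grant
    return "<no match>", False

def in_group(group):
    return lambda r: group in r["groups"]

def from_tunnel_group(tg):
    return lambda r: r["Tunnel-Group-Name"] == tg

ASA = "192.0.2.1"  # constructed ASA address (assumption)

# The questioner's situation: each grant keys only on group membership, so a
# user who is only in TSWebUsers but connects via the VPN tunnel-group is
# still matched by the TSWeb policy and receives Access-Accept.
LOOSE = [
    ("VPN users",   [in_group("VPNUsers")],   True),
    ("TSWeb users", [in_group("TSWebUsers")], True),
    ("Deny all",    [],                       False),
]

# Corrected: each grant also requires the tunnel-group that access type uses,
# so the same request falls through to the final deny policy.
STRICT = [
    ("VPN users",   [in_group("VPNUsers"),   from_tunnel_group("VPN-TG")],   True),
    ("TSWeb users", [in_group("TSWebUsers"), from_tunnel_group("TSWEB-TG")], True),
    ("Deny all",    [],                                                      False),
]

def demo():
    """Same request against both policy sets: loose grants, strict denies."""
    tsweb_only_via_vpn = make_request(["TSWebUsers"], ASA, "VPN-TG")
    return evaluate(LOOSE, tsweb_only_via_vpn), evaluate(STRICT, tsweb_only_via_vpn)
```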
 
RobMobility commented:
Hi,

You should be able to use Radius Attributes for Dynamic Access Policies as well.

Try LDAP over SSL and make sure your LDAP service account is a Domain Admin - other permissions do not appear to work.

Kind regards,


RobMobility.
 
NHEC_Networking (Author) commented:
I was able to make LDAP work. Now I just need to work out the DAPs and applying them. This is great progress so far. Thank you for your assistance!
 
RobMobility commented:
Hi,

I use Dynamic Access Policies to control access between multiple user groups and multiple end-points.

It's quite flexible in this respect.

Regards,


RobMobility.