ASA VPN Authentication with Windows 2008 R2 RADIUS

I am having a problem authenticating a VPN user to Windows Server 2008 R2 RADIUS. The test authentication to the host from the ASA is successful, but when I use the Cisco AnyConnect client to authenticate I get a login failure.

Has anyone come across a similar problem? I did disable the firewall, but that did not fix it. Somehow the authentication is rejected by my RADIUS server.
IT Department asked:
Oliver Kaiser, Systems Engineer, commented:
Could you provide any logs from ASA and Windows Event Log? From my experience such issues are related to RADIUS configuration on the NPS side.
0
btan, Exec Consultant, commented:
The test aaa-server authentication command always uses PAP. Only when a user initiates a connection to tunnel-group with password-management enabled does the ASA use MSCHAP-v2. In such a case, ensure that the Microsoft CHAPv2 Capable check box is checked in the Edit AAA Server window configured in the ASDM configuration section.

You can also enable debug radius all on the ASA to surface any error. Also, since the authentication still fails, you can look in the Event Viewer on the Windows NPS. Under Event Viewer > Windows Logs, choose Security. Look for events associated with NPS around the time of the authentication request. Once you open Event Properties, you should be able to see the reason for the failure.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html
0
IT Department (Author) commented:
I did verify that Microsoft CHAPv2 is checked. Somehow there is no event log reporting the authentication failure. I also recreated the RADIUS client, connection policy, and network policy based on the Cisco article above, with no luck. Any other suggestions?
0
btan, Exec Consultant, commented:
There should be some NPS Security log entries if there are login failures and the ASA did send them over to NPS for checking. The link advises how to enable the NPS audit trail via the CLI:
At the command prompt, type the following command, and then press ENTER:
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
https://support.microsoft.com/en-us/kb/951005, or via the GUI:
Configure NPS event logging. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. To configure NPS event logging using the Windows interface:

Open the Network Policy Server (NPS) snap-in.
Right-click NPS (Local), and then click Properties.
On the General tab, select each required option, and then click OK.
https://technet.microsoft.com/en-us/library/cc731085(v=ws.10).aspx

We can go down into client certificate logging as well.
Logging of client certificate validation failures is a secure channel event, and is not enabled on the server running NPS by default. You can enable additional secure channel events by changing the following registry key value from 1 (REG_DWORD type, data 0x00000001) to 3 (REG_DWORD type, data 0x00000003):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging
https://technet.microsoft.com/en-us/library/cc753898(v=ws.10).aspx

It states possible failure points too:
Connection requests are rejected or ignored for a variety of reasons, including the following:
-The RADIUS message is not formatted according to RFCs 2865 or 2866.
-The RADIUS client is unknown.
-The RADIUS client has multiple IP addresses and sent the request on an address other than the one defined in NPS.
-The shared secret is invalid.
-The message authenticator (also known as a digital signature) sent by the client is invalid.
-NPS was unable to locate the user name's domain.
-NPS was unable to connect to the user name's domain.
-NPS was unable to access the user account in the domain.
But do note: logging connection request successes can result in the recording of large volumes of data. If you choose to log successful connection request events, use the event logging options in Event Viewer to manage the Event Viewer logs.
1
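One way to script the logging steps from this answer and then read back the NPS rejections, as an added example that is not part of the thread. It assumes an elevated PowerShell session on the NPS server; event ID 6273 and its EventData field names are the standard NPS "denied access" audit event, and the one-hour look-back window is an arbitrary choice.

```powershell
# Added example (not from the original thread). Run in an elevated PowerShell
# on the server running NPS (Domain Admins or equivalent required).

# 1. Enable success and failure auditing for the NPS subcategory (KB 951005).
& auditpol.exe /set '/subcategory:Network Policy Server' /success:enable /failure:enable

# 2. Raise SCHANNEL event logging from 1 (errors) to 3 (errors + warnings) so
#    client-certificate validation failures are written to the event log.
$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
Set-ItemProperty -Path $schannelKey -Name 'EventLogging' -Value 3 -Type DWord

# 3. Pull recent NPS access-denied events (ID 6273) from the Security log and
#    show the fields that explain the rejection: which RADIUS client sent the
#    request, which auth type was used (PAP vs MS-CHAPv2), and the reason code.
function Get-NpsDeniedEvents {
    param([int]$Hours = 1)   # look-back window; arbitrary default
    $since = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 6273
        StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        # EventData is easiest to read from the event XML.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time       = $evt.TimeCreated
            User       = $data['SubjectUserName']
            ClientName = $data['ClientName']        # RADIUS client entry (the ASA)
            ClientIP   = $data['ClientIPAddress']   # must match the NPS client entry
            AuthType   = $data['AuthenticationType']
            Policy     = $data['NetworkPolicyName']
            ReasonCode = $data['ReasonCode']
            Reason     = $data['Reason']
        }
    }
}

Get-NpsDeniedEvents | Format-List
```

If nothing is returned even after a failed AnyConnect login, the request is not reaching NPS at all (unknown client IP, wrong shared secret at the UDP level, or a firewall), which points the investigation back at the ASA side and the debug radius all output.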
IT Department (Author) commented:
I was able to fix the problem. I think my Windows server was not authenticating the client, but your link was very useful. I wish I had known about this link before I wasted so many hours.
0