{"id":556,"date":"2012-02-26T19:00:45","date_gmt":"2012-02-27T00:00:45","guid":{"rendered":"http:\/\/blog.xfloyd.net\/?p=556"},"modified":"2012-02-26T22:30:56","modified_gmt":"2012-02-27T03:30:56","slug":"using-windows-server-2008-as-a-radius-server-for-a-cisco-asa","status":"publish","type":"post","link":"https:\/\/xfloyd.net\/blog\/?p=556","title":{"rendered":"Using Windows Server 2008 as a RADIUS Server for a Cisco ASA"},"content":{"rendered":"<p>Recently I needed to get a Cisco ASA 5510 to use a RADIUS Server on Server 2008 to authenticate Active Directory users for VPN access. The ASA was already configured to use a Server 2003 RADIUS server, so much of the below was just replicating the existing configuration on a 2008 server. I suspect many of the settings are less than ideal and some are unnecessary, but the below steps worked for now.<\/p>\n<h2>Components<\/h2>\n<ul>\n<li>\n<div>AD1:<\/div>\n<ul>\n<li>Windows Server 2008<\/li>\n<li>Also the domain controller<\/li>\n<li>IP: 192.168.1.10<\/li>\n<\/ul>\n<\/li>\n<li>\n<div>CiscoASA:<\/div>\n<ul>\n<li>ASA 5510 (though I believe these instructions should work for all ASA models)<\/li>\n<li>IP: 192.168.1.2<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Cisco Configuration<\/h2>\n<p>I performed the Cisco configuration using the ASDM management tool. The same configuration could be achieved via the command line interface, but I found ASDM more convenient for checking the existing settings and then replicating them.<\/p>\n<p>After launching ASDM and connecting to the ASA, I went to the <strong>Configuration<\/strong> view.<\/p>\n<h3>Create an IP Name object for the target<\/h3>\n<ol>\n<li>Under the <strong>Firewall<\/strong> section, expand the <strong>Objects<\/strong> link and select <strong>IP Names<\/strong>.<\/li>\n<li>Click the <strong>Add<\/strong> button at the top.<\/li>\n<li>Enter a descriptive name, the IP address and a description of the server. 
For this server I used:\n<ul>\n<li>Name: INT-AD1<\/li>\n<li>IP: 192.168.1.10<\/li>\n<li>Description: AD \/ RADIUS<\/li>\n<\/ul>\n<\/li>\n<li>Click <strong>OK<\/strong> and then <strong>Apply<\/strong>.<\/li>\n<\/ol>\n<h3>Create a new AAA Server Group<\/h3>\n<ol>\n<li>Click the <strong>Remote Access VPN<\/strong> section.<\/li>\n<li>Expand <strong>AAA Setup<\/strong> and select <strong>AAA Server Groups<\/strong>.<\/li>\n<li>Click the <strong>Add<\/strong> button to the right of the AAA Server Groups section.<\/li>\n<li>Give the server group a name, like TEST-AD, and make sure the <strong>RADIUS<\/strong> protocol is selected.<\/li>\n<li>Accept the defaults for the other settings and click <strong>OK<\/strong>.<\/li>\n<\/ol>\n<h3>Add the RADIUS server to the Server Group.<\/h3>\n<ol>\n<li>Select the server group created in the step above.<\/li>\n<li>Click the <strong>Add<\/strong> button to the right of <strong>Servers in the Selected Group<\/strong>.<\/li>\n<li>Under <strong>Interface Name<\/strong>, select the ASA interface that has access to the RADIUS server, most likely <em>inside<\/em>.<\/li>\n<li>Under <strong>Server Name or IP Address<\/strong>, enter the IP Name you created for the RADIUS server above.<\/li>\n<li>Skip to the <strong>Server Secret Key<\/strong> field and create a complex password. Make sure you document this, as it is required when configuring the RADIUS server. Re-enter the secret in the <strong>Common Password<\/strong> field.<\/li>\n<li>Leave the rest of the settings at the defaults and click <strong>OK<\/strong>.<\/li>\n<\/ol>\n<h2>Setting Up RADIUS on Windows Server 2008<\/h2>\n<p>This part gave me the most trouble. The documentation from Microsoft was somewhat vague, and other resources I found using the trusty Google method listed steps and additional pieces I knew to be unnecessary.<\/p>\n<p>To perform the below steps you need Administrator permissions on the server that will host the RADIUS server. You will also need permissions to \u201cRegister\u201d the server in AD. 
I believe this requires Domain Admin privileges.<\/p>\n<h3>Add the Network Policy Server function.<\/h3>\n<ol>\n<li>Connect to the Windows Server 2008 server and launch Server Manager.<\/li>\n<li>Click the <strong>Roles<\/strong> object and then click the <strong>Add Roles<\/strong> link on the right.<\/li>\n<li>Click <strong>Next<\/strong> on the Before You Begin page.<\/li>\n<li>Select the <strong>Network Policy and Access Services<\/strong> role and click <strong>Next<\/strong>.<\/li>\n<li>Under Role Services select only the <strong>Network Policy Server<\/strong> service and click <strong>Next<\/strong>.<\/li>\n<li>Click <strong>Install<\/strong>.<\/li>\n<\/ol>\n<p>After the role finishes installing you will need to set up the server using the Network Policy Server (NPS) management tool found under Administrative Tools.<\/p>\n<h4>Registering the server.<\/h4>\n<ol>\n<li>After launching the NPS tool, right-click the <strong>NPS (Local)<\/strong> entry and click <strong>Register Server in Active Directory<\/strong>.<\/li>\n<li>Follow the default prompts.<\/li>\n<\/ol>\n<h4>Create a RADIUS client entry for the ASA.<\/h4>\n<ol>\n<li>Expand the <strong>RADIUS Clients and Servers<\/strong> folder.<\/li>\n<li>Right-click <strong>RADIUS Clients<\/strong> and select <strong>New RADIUS Client<\/strong>.<\/li>\n<li>Create a Friendly Name for the ASA device. I used \u201cCiscoASA\u201d, but if you have more than one ASA you might want a more unique and identifiable name. Make sure you document the Friendly Name, as it is referenced later in the policies you create.<\/li>\n<li>Enter the Server Secret Key specified during the ASA configuration in the <strong>Shared secret<\/strong> and <strong>Confirm shared secret<\/strong> fields.<\/li>\n<li>Leave the default values for the other settings and click <strong>OK<\/strong>. 
See Figure 1 for the complete RADIUS Client properties.<br \/>\n<img decoding=\"async\" src=\"http:\/\/fixingit.files.wordpress.com\/2009\/09\/090809_2148_usingwindow1.png?w=480\" alt=\"Figure 1: RADIUS Client properties\" \/><\/li>\n<\/ol>\n<p><strong>Figure 1<\/strong><\/p>\n<h4>Create a Connection Request Policy.<\/h4>\n<ol>\n<li>Expand the <strong>Policies<\/strong> folder.<\/li>\n<li>Right-click <strong>Connection Request Policies<\/strong> and click <strong>New<\/strong>.<\/li>\n<li>Set the <strong>Policy Name<\/strong> to something meaningful. I used CiscoASA because this policy is geared specifically for that RADIUS client. Leave the <strong>Type of network access server<\/strong> as Unspecified and click <strong>Next<\/strong>.<\/li>\n<li>Under <strong>Conditions<\/strong> click <strong>Add<\/strong>. Scroll down, select the <strong>Client Friendly Name<\/strong> condition and click <strong>Add\u2026<\/strong><\/li>\n<li>Specify the friendly name that you used when creating the RADIUS Client above. Click <strong>OK<\/strong> and <strong>Next<\/strong>.<\/li>\n<li>On the next two pages leave the default settings and click <strong>Next<\/strong>.<\/li>\n<li>On the <strong>Specify a Realm Name<\/strong> page, select the <strong>Attribute<\/strong> option on the left. From the drop-down menu next to <strong>Attribute:<\/strong> on the right, select <strong>User-Name<\/strong>. Click <strong>Next<\/strong> again.<\/li>\n<li>Review the settings on the next page and click <strong>Finish<\/strong>.<\/li>\n<\/ol>\n<h4>Create a Network Policy.<\/h4>\n<ol>\n<li>Right-click the <strong>Network Policies<\/strong> folder and click <strong>New<\/strong>.<\/li>\n<li>Set the <strong>Policy Name<\/strong> to something meaningful. 
Leave the <strong>Type of network access server<\/strong> as Unspecified and click <strong>Next<\/strong>.<\/li>\n<li>Under <strong>Conditions<\/strong> click <strong>Add<\/strong>.<\/li>\n<li>Add a <strong>User Groups<\/strong> condition to limit access to a specific AD user group. You can use a generic group like <strong>Domain Users<\/strong>, or create a dedicated group so that only the users who actually need VPN access are granted it.<\/li>\n<li>Add a <strong>Client Friendly Name<\/strong> condition and again specify the Friendly Name you used for your RADIUS client.<\/li>\n<li>Click <strong>Next<\/strong>. Leave <strong>Access granted<\/strong> selected and click <strong>Next<\/strong> again.<\/li>\n<li><strong>(Important Step)<\/strong> On the authentication methods page, leave the default selection and also add <strong>Unencrypted authentication (PAP, SPAP)<\/strong>. The ASA sends its RADIUS authentication requests using PAP, so NPS rejects them unless this method is enabled; with PAP the user password is protected on the wire only by the RADIUS shared secret, so keep that secret strong and keep the ASA-to-NPS traffic on a trusted network segment.<\/li>\n<li>Accept the default Constraints and click <strong>Next<\/strong>.<\/li>\n<li>Accept the default RADIUS Settings and click <strong>Next<\/strong>. Review the settings and click <strong>Finish<\/strong>.<\/li>\n<\/ol>\n<h4>Restart the <strong>Network Policy Server<\/strong> service.<\/h4>\n<ul>\n<li>This may not be necessary, but I did this at various points and cannot be certain the above steps work without restarting the service.<\/li>\n<\/ul>\n<h2>Test Your RADIUS Authentication<\/h2>\n<p>The ASDM utility includes functionality to test RADIUS authentication.<\/p>\n<ol>\n<li>If necessary, re-launch the ASDM utility.<\/li>\n<li>Return to Configuration -&gt; Remote Access VPN -&gt; AAA Setup -&gt; AAA Server Groups.<\/li>\n<li>Select the new Server Group you created.<\/li>\n<li>From the <strong>Servers in the Selected Group<\/strong> section, highlight the server you created. Click the <strong>Test<\/strong> button on the right.<\/li>\n<li>Select the <strong>Authentication<\/strong> radio button. 
Enter the Username and Password of a user that meets the conditions specified in the Network Policy created above then click <strong>OK<\/strong>.<\/li>\n<li>If everything works as designed you should see something similar to:<br \/>\n<img decoding=\"async\" src=\"http:\/\/fixingit.files.wordpress.com\/2009\/09\/090809_2148_usingwindow2.png?w=480\" alt=\"\" \/><\/li>\n<\/ol>\n<h2>Save your Cisco Configuration<\/h2>\n<p>Don\u2019t forget to save the running configuration to memory on your ASA. Otherwise you\u2019ll lose all your settings the next time the device is rebooted.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently I needed to get a Cisco ASA 5510 to use a RADIUS Server on Server 2008 to authenticate Active Directory users for VPN access. The ASA was already configured to use a Server 2003 RADIUS server, so much of the below was just replicating the existing configuration on a 2008 server. I suspect many [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"_links":{"self":[{"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=\/wp\/v2\/posts\/556"}],"collection":[{"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=556"}],"version-history":[{"count":3,"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=\/wp\/v2\/posts\/556\/revisions"}],"predecessor-version":[{"id":560,"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=\/wp\/v2\/posts\/556\/revisions\/560"}],"wp:attachment":[{"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=%2Fwp%2F
v2%2Fmedia&parent=556"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=556"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=556"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}