Server 2008 R2 as RADIUS for CISCO ASA VPN Clients
As in every Enterprise or a private Data Centar network one must use various of IT systems to insure the security of via meshed systems. The other day I implemented a Cisco 5520 Failover scenario and the main problem I had with the users, is how will they manage so many passwords for VPN, AD, Mail and etc. So I thought why not use Kerberos for VPN and simplify the tasks.
This easy done task I will explain as short and much I can. The main goal is to make Cisco ASA failover to use the Active Directory for authenticating the users against VPN policy.
Easiest way to configure ASA quick is using the ASDM utility. I use CLI only for initial interface and http commands , after that all is downstream.
First we need to configure an object:
Using the Firewall section we expand Objects and select IP names. Then click ADD and describe the Radius server. After that we enter the IP address of the Intranet located Domain controller.
Next step is to define a AAA Radius group:
Click the Remote Access VPN section.
Expand AAA Setup and select AAA Server Groups.
Click the Add button to the right of the AAA Server Groups section.
Give the server group a name, like TEST-AD, and make sure the RADIUS protocol is selected.
Accept the default for the other settings.
And click OK.
Next step is to add our RADIUS server to this created group:
Select the server group created in the step above.
Click the Add button to the right of Servers in the Select Group.
Under the Interface Name select the interface on the ASA that will have access to the RADIUS server, most likely inside.
Under Server Name or IP Address enter the IP Name you created for the RADIUS server above.
Skip to the Server Secret Key field and create a complex password. Make sure you document this as it is required when configuring the RADIUS server. Re-enter the secret in the Common Password field.
Leave the rest of the settings at the defaults and click Ok.
To enable RADIUS on Server 2008 we must add a role:
Connect to the Windows Server 2008 server and launch Server Manager.
Click the Roles object and then click the Add Roles link on the right.
Click Next on the Before You Begin page.
Select the Network Policy and Access Services role and click Next.
Under Role Service select only the Network Policy Server service and click Next.
Click Install.
After launching the NPS tool right-click on the entry NPS(Local) and click the Register Server in Active Directory. Follow the default prompts.
We need to define a Radius CLIENT on Server 2008 for our ASA Cluster:
Right-click on RADIUS Clients and select New RADIUS Client.
Create a Friendly Name for the ASA device. I used “CiscoASA” but if you had more than one you might want to make it more unique and identifiable. Make sure you document the Friendly Name used as it will be used later in some of the policies created.
Enter the Server Secret Key specified on during the ASA configuration in the Shared secret and Confirm shared secret field.
Leave the default values for the other settings and click OK. See Figure 1 for all the complete RADIUS Client properties.
Connection Request Policy
Expand the Policies folder.
Right-click on the Connection Request Policies and click New.
Set the Policy Nameto something meaningful. I used CiscoASA because this policy is geared specifically for that RADIUS client. Leave the Type of network access server as Unspecified and click Next.
Under Conditions click Add. Scroll down and select the Client Friendly Name condition and click Add…
Specify the friendly name that you used when creating the RADIUS Client above. Click OK and Next.
On the next two pages leave the default settings and click Next.
Under the Specify a Realm Name select the Attribute option on the left. From the drop down menu next to Attribute: on the right select User-Name. Click Next again.
Review the settings on the next page and click Finish.
Create a Network Policy
Right-click the Network Policy folder and click New.
Set the Policy Name to something meaningful. Leave the Type of network access server as Unspecified and click Next.
Under Conditions click Add.
Add a UsersGroup condition to limit access to a specific AD user group. You can use a generic group like Domain Users or create a group specifically to restrict access.
Add a Client Friendly Name condition and again specify the Friendly Name you used for your RADIUS client.
Click Next. Leave Access granted selected and click Next again.
(Important Step) On the authentication methods leave the default selection and add Unencrypted authentication (PAP, SPAP).
Accept the default Constraints and click Next.
Accept the default Radius Settings and click Next. Review the settings and click Finish.
Restart the Network Policy Server service.
The last thing left is to Test and Save the config.
If necessary re-launch the ASDM utility.
Return to Configuration -> Remote Access VPN -> AAA Setup -> AAA Server Groups.
Select the new Server Group you created.
From the Servers in the Selected Group section highlight the server you created. Click the Test button on the right.
Select the Authentication radio button. Enter the Username and Password of a user that meets the conditions specified in the Network Policy created above then click OK.
Feel free to comment.
