Set Cisco ASA for Kerberos Authentication

KB ID 0000039

Problem

You want to set up a Cisco ASA to authenticate users (VPN access for example).

Solution

Kerberos can only be used as an authentication protocol on the ASA, so its fine for allowing VPN connections but not for assigning policies etc. To work both the ASA and the domain need to be showing accurate time.

Step 1: Set the ASA to get time from an External NTP Server

1. Log onto the ASA > Go to “Enable Mode” > Issue the following command;

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# ntp server 130.88.212.143 source outside

Note that’s a public time server in the UK (Manchester University) that I use. you may want to use another.

2. To check the ASA has synchronised issue the a ‘show ntp status‘ command,

If you see a message like the following, go and have a coffee.
Petes-ASA(config)# show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is 00000000.00000000 (06:28:16.000 UTC Thu Feb 7 2036)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
What you are looking for is "Clock is Syncronized"
Petes-ASA(config)# show ntp status
Clock is synchronized, stratum 3, reference is 130.88.212.143
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is cdd7b741.119bcc72 (16:13:53.068 UTC Mon Jun 8 2009)
clock offset is 15.0836 msec, root delay is 56.50 msec
root dispersion is 15931.63 msec, peer dispersion is 15890.63 msec

3. Save the update to your firewall with a “write mem” command.

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# ntp server 130.88.212.143 source outside
Note that’s a public time server in the UK (Manchester University) that I use. you may want to use another.

2. To check the ASA has synchronised issue the a ‘show ntp status‘ command,

Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

Step 2 – Set the server(s) you are going to authenticate against to a public NTP Server.

Note TCP Port 123 needs to be open outbound for this to work 🙂

1. Log into the Server > Start > run > cmd {enter}

2. Issue the following four commands;

w32tm /config /manualpeerlist:ntp2d.mcc.ac.uk /syncfromflags:manual /reliable:yes /update {enter}
net stop "windows time" {enter}
net start "windows time" {enter}
W32TM /resync {enter}

Step 3 – Set up the AAA Kerberos in ASDM

1. Log into the ASDM.

2. Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups (top Section) > Add

3. Give the Server group a name i.e. KerberosGroup > Change the protocol to “Kerberos” > OK.

AAA Group

4. Move to the bottom section of the page (Servers In the Selected Group) > Add.

5. Enter the IP Address of the Domain Controller providing Authentication > In the Realm section enter the “Domain Realm.”

Note: To Find out the REALM, on the domain controller issue the following command;

set USERDNSDOMAIN

Note: enter the Realm “IN CAPITALS

6. Click Apply  > File > “Save running configuration to flash”.

To set up from Kerberos AAA command line

Petes-ASA>
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# aaa-server KerberosGroup protocol kerberos
Petes-ASA(config-aaa-server-group)# aaa-server KerberosGroup (inside) host 192.1.2.10
Petes-ASA(config-aaa-server-host)# kerberos-realm PETENETLIVE.COM
Petes-ASA(config-aaa-server-host)# exit
Petes-ASA(config)#

Step 5 – Test Kerberos Authentication

1. Log into the ASDM.

2. Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups (top Section) > Select the Kerberos Group.

3. In the bottom section click Test.

4. Enter the username and password > OK.

5. It should say that the test was successful.

If It says “Error: Authentication Rejected: Clock skew greater than 300 Seconds” then steps 1 and 2 did not work.

Kerberos Pre-Authentication

Also Note: You may need to turn of “Require pre-authentication” on a user by user basis. If so, log onto the domain controller > Start > Run > dsa.msc > Locate the user > Right Click > Properties > account > Account options (scroll down) > Select “Do Not require Kerberos preauthentication”.

Do Not require Kerberos preauthentication

Related Articles, References, Credits, or External Links

Thanks to Zsolt Horvath at Cisco TAC Cisco ASA – Configuring for NTP

Author: Migrated

Share This Post On