You want to set up a Cisco ASA to authenticate users (VPN access for example).

Kerberos can only be used as an authentication protocol on the ASA, so its fine for allowing VPN connections but not for assigning policies etc. To work both the ASA and the domain need to be showing accurate time.

*****Step 1 Set the ASA to get time from an External NTP Server.*****

1. Log onto the ASA > Go to "Enable Mode" > Issue the following command,

ntp server 130.88.212.143 source outside {enter}.

Note that’s a public time server in the UK (Manchester University) that I use. you may want to use another.

2. To check the ASA has synchronised issue the following command,

show ntp status

Note If you see a message like the following, go and have a coffee.

Petes_ASA(config)# show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is 00000000.00000000 (06:28:16.000 UTC Thu Feb 7 2036)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec

What you are looking for is "Clock is Syncronized"

Petes_ASA(config)# show ntp status
Clock is synchronized, stratum 3, reference is 130.88.212.143
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is cdd7b741.119bcc72 (16:13:53.068 UTC Mon Jun 8 2009)
clock offset is 15.0836 msec, root delay is 56.50 msec
root dispersion is 15931.63 msec, peer dispersion is 15890.63 msec

3. Save the update to your firewall with a "write mem" command.

*****Step 2 Set the server(s) you are going to authenticate against to a public NTP Server.*****

Note TCP Port 123 needs to be open outbound for this to work :)

1. Log into the Server > Start > run > cmd {enter}

2. Issue the following commands

w32tm /config /manualpeerlist:ntp2d.mcc.ac.uk /syncfromflags:manual /reliable:yes /update {enter}
net stop "windows time" {enter}
net start "windows time" {enter}
W32TM /resync {enter}

*****Step 3 Set up the AAA Kerberos in ASDM*****

1. Log into the ASDM.

2. Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups (top Section) > Add

3. Give the Server group a name i.e. KerberosGroup > Change the protocol to "Kerberos" > OK.

4. Move to the bottom section of the page (Servers In the Selected Group) > Add.

5. Enter the IP Address of the Domain Controller providing Authentication > In the Realm section enter the "Domain Realm."

Note: To Find out the REALM, on the domain controler issue the following command,

set USERDNSDOMAIN {enter}

Note: enter the Realm "IN CAPITALS"

6. Click Apply  > File > "Save running configuration to flash".

*****To set up from command line*****

      aaa-server KerberosGroup protocol kerberos
      aaa-server KerberosGroup (inside) host 192.1.2.10
        kerberos-realm PETENETLIVE.COM

*****Step 5 Test Kerberos Authentication*****

1. Log into the ASDM.

2. Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups (top Section) > Select the Kerberos Group.

3. In the bottom section click Test.

4. Enter the username and password > OK.

5. It should say that the test was successful.

If It says "Error: Authentication Rejected: Clock skew greater than 300 Seconds" then steps 1 and 2 did not work.

Also Note: You may need to turn of require pre-authentication on a user by user basis. If so Log onto the domain controller > Start > Run > dsa.msc > Locate the user > Right Click > Properties > account > Account options (scroll down) > Select "Do Not require Kerberos preauthentication".

If this post helped you, PLEASE take the time to +1 it.

Please be aware, all information is provided free, but it does cost me to have this site hosted, if I've helped you in any way, or saved you some time/cost please take time to make a donation.

If you have anything to add to an article, or have an article you would like us to publish please feel free to contact PeteNetLive. (Please be aware I get a LOT of email, I cannot assist and fix everyone's problems, please do not be offended if you do not get a response).