Windows Server Setup RADIUS for Cisco ASA 5500 Authentication

KB ID 0000685

Problem

Note: The procedure is the same for Server 2016 and 2019

This week I was configuring some 2008 R2 RADIUS authentication, so I thought I’d take a look at how Microsoft have changed the process for 2012. The whole thing was surprisingly painless.

I will say that Kerberos Authentication is a LOT easier to configure, but I’ve yet to test that with 2012 (watch this space).

Solution

Step 1 Configure the ASA for AAA RADIUS Authentication

1. Connect to your ASDM > Configuration.

ASDM Configuration

2. Remote Access VPN.

Cisco ASDM Remote Access VPN

3. AAA/Local Users > AAA Server Groups.

AAA Server

4. In the Server group section > Add.

Add AAA Server Group

5. Give the group a name and accept the defaults > OK.

RADIUS Cisco ASA

6. Now (with the group selected) > In the bottom (Server) section > Add.

Add AAA Server

7. Specify the IP address, and a shared secret that the ASA will use with the 2012 Server performing RADIUS > OK.

RADIUS shared Secret

8. Apply.

Apply Firewall Changes

Configure AAA RADIUS from the command line:

aaa-server PNL-RADIUS protocol radius
aaa-server PNL-RADIUS (inside) host 172.16.254.223
 key 123456
 radius-common-pw 123456
 exit

Step 2 Configure Windows 2012 Server to allow RADIUS

9. On the Windows 2012 Server > Launch Server Manager > Local Server.

2012 Server Manager

10. Manage > Add Roles and Features.

2012 Add Server Role

11. If you get an initial welcome page, tick the box to ‘skip’ > Next > Accept the ‘Role-based or feature-based installation’ > Next.

Role or Feature Install 2012

12. We are installing locally > Next.

Local Server Install

13. Add ‘Network Policy and Access Server’ > Next.

2012 Network Policy and Access Server

14. Add Features.

Role Features 2012

15. Next.

Additional Features Server 2012

16. Next.

2012 NAP

17. Next.

Windows Server 2012 Network Policy Server

18. Install.

Install Roles and Features

19. When complete > Close.

Server 2012 Role Installation

20. Select NPAS (Server 2016), or NAP (Server 2012).

NAP NPAS Windows Server

21. Right click the server > Network Policy Server.

Network Policy Server

22. Right click NPS > Register server in Active Directory.

Register NPS in AD Server 2012

23. Expand RADIUS > right click RADIUS clients > New.

New RADIUS Client

24. Give the firewall a friendly name (take note of what this is, you will need it again) > Specify its IP > Enter the shared secret you set up above (step 7) > OK.

2012 RADIUS Shared Secret

25. Expand policies > right click ‘Connection Request Policies’ > New.

Connection Request Policy

26. Give the policy a name > Next.

Connection Policy Name

27. Add a condition > Set the condition to ‘Client Friendly Name’ > Add.

Client Friendly Name

28. Specify the name you set up above (step 24) > OK > Next.

ASA RADIUS Name

29. Next.

Request Forwarding

30. Next.

Authentication Methods

31. Change the attribute to ‘User-Name’ > Next.

User Name RADIUS

32. Finish.

NPS wizard

33. Now right click ‘Network Policies’ > New.

2012 NPS Network Policy

34. Give the policy a name > Next.

Network Policy Name

35. Add a condition > User Groups.

User Group Condition

36. Add in the AD security group you want to allow access to > OK > Next.

Allow Domain Users VPN

37. Next.

Network Conditions

38. Access Granted > Next.

NPS Access Permission

39. Select ‘Unencrypted authentication (PAP, SPAP)’ > Next.

ASA RADIUS Authentication Types PAP SPAP

40. Select No.

NPS Warning

41. Next.

NPS Constraints

42. Next.

Policy Settings NPS NAP

43. Finish.

Completing Network Policy
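The NPS side of Step 2 can also be scripted. The PowerShell below is an added example and is not from the original article; it assumes an elevated session on the Windows Server NPS host (2012 R2 or later) with the ServerManager, ActiveDirectory and NPS modules available, and the firewall IP, friendly name and backup path are constructed placeholders. It covers the role install (steps 10 to 19), the AD registration (step 22) and the RADIUS client (steps 23 and 24); the connection request and network policies (steps 25 to 43) are still built in the NPS console as described above.

```powershell
# Added example, not part of the original article. Assumes an elevated
# PowerShell session on the Windows Server NPS host (2012 R2 or later), with
# the ServerManager, ActiveDirectory and NPS modules available.
# The IP address, friendly name and backup path below are constructed placeholders.

$AsaFriendlyName = 'PNL-ASA'        # reused as the 'Client Friendly Name' condition (steps 27-28)
$AsaAddress      = '172.16.254.1'   # placeholder: the ASA interface that sources RADIUS traffic

# Steps 10-19: install the Network Policy and Access Services role and its tools
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# Step 22: 'Register server in Active Directory' adds the NPS computer account to
# the 'RAS and IAS Servers' group, which lets NPS read users' dial-in properties
Import-Module ActiveDirectory
Add-ADGroupMember -Identity 'RAS and IAS Servers' -Members (Get-ADComputer -Identity $env:COMPUTERNAME)

# Steps 23-24: create the RADIUS client. Prompt for the secret rather than
# hard-coding it in the script; it must be identical to the 'key' set on the ASA in step 7.
$SecretPlain = Read-Host -Prompt 'RADIUS shared secret (same as the ASA key)'
Import-Module NPS
New-NpsRadiusClient -Name $AsaFriendlyName -Address $AsaAddress -SharedSecret $SecretPlain
Remove-Variable SecretPlain

# Confirm the client exists and is enabled
Get-NpsRadiusClient | Where-Object { $_.Name -eq $AsaFriendlyName }

# Once the policies (steps 25-43) exist, keep a backup of the whole NPS configuration.
# The export contains the shared secrets in clear text, so restrict access to the file.
New-Item -ItemType Directory -Path 'C:\NpsBackup' -Force | Out-Null
Export-NpsConfiguration -Path 'C:\NpsBackup\nps-config.xml'
```

The friendly name given to New-NpsRadiusClient is the value the connection request policy matches on in steps 27 and 28, so keep the two identical; a mismatch sends the ASA’s requests to no policy at all.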

Step 3 Test RADIUS Authentication

44. Back at the ASDM, in the same page you were in previously, select your server and then click ‘Test’.

Test RADIUS

45. Change the selection to Authentication > Enter your domain credentials > OK.

Test ASA RADIUS Authentication

46. You are looking for a successful outcome.

Note: if it fails, check that there is physical connectivity between the two devices and that the shared secrets match. Also ensure UDP ports 1645 and 1646 are not being blocked.

RADIUS Successful

To Test AAA RADIUS Authentication from Command Line

test aaa-server authentication PNL-RADIUS host 172.16.254.223 username petelong password password123
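When the test above fails, the quickest way to see what NPS actually decided is to ask the NPS server itself. The following PowerShell is an added example, not from the original article, and is run on the NPS host after an ASDM or test aaa-server attempt. It assumes NPS audit events are being written to the Security log (the default once the role is installed; the auditpol line shows how to confirm that). The ASA sends to UDP 1645/1646 by default while NPS also listens on 1812/1813, so all four ports are checked.

```powershell
# Added example, not part of the original article. Run on the NPS host after a
# failed ASDM / 'test aaa-server' attempt to see where the request got to.

# 1. Is the NPS service (service name IAS) running?
Get-Service -Name IAS | Select-Object Name, Status, StartType

# 2. Is it listening on the RADIUS ports? The ASA defaults to 1645/1646; NPS also binds 1812/1813.
Get-NetUDPEndpoint | Where-Object { $_.LocalPort -in @(1645, 1646, 1812, 1813) } |
    Select-Object LocalAddress, LocalPort | Sort-Object LocalPort

# 3. Are the inbound firewall rules the role installs still enabled?
Get-NetFirewallRule | Where-Object { $_.DisplayName -like 'Network Policy Server*' } |
    Select-Object DisplayName, Enabled, Direction, Action

# 4. Is NPS auditing on? Without it nothing appears in the Security log.
#    Enable with: auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
auditpol /get /subcategory:"Network Policy Server"

# 5. What did NPS log for the last hour? 6272 = granted, 6273 = denied, 6274 = discarded.
#    A 6273 carries a Reason line (wrong credentials, authentication method not allowed by
#    the policy from step 39, user not in the group from step 36). No event at all means
#    the request never reached NPS: routing, firewall, or the ASA sending to the wrong port.
$filter = @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id           = @(6272, 6273, 6274)
    StartTime    = (Get-Date).AddHours(-1)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $lines = $_.Message -split "`r?`n"
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Outcome = switch ($_.Id) { 6272 { 'Granted' } 6273 { 'Denied' } 6274 { 'Discarded' } }
        Detail  = ($lines |
                   Where-Object { $_ -match '^\s*(Account Name|Client Friendly Name|Network Policy Name|Authentication Type|Reason):' } |
                   ForEach-Object { $_.Trim() }) -join ' | '
    }
} | Format-Table -AutoSize -Wrap
```

The same 6272/6273 events are worth forwarding to whatever log collection is in place: a run of 6273 events for one account from the firewall’s friendly name is the earliest sign of a password-guessing attempt against the VPN.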

47. Finally, save the firewall changes > File > Save running configuration to flash.

Cisco ASA Save Changes

Related Articles, References, Credits, or External Links

Windows Server 2003 – Configure RADIUS for Cisco ASA 5500 Authentication

Windows Server 2008 R2 – Configure RADIUS for Cisco ASA 5500 Authentication

Author: Migrated