Cisco ASA: Keep VPN Always Up

VPN Always UP KB ID 0001839

Problem

This was information that was passed to me by a colleague (Thanks Ajay) this week. If you have a site to site VPN tunnel after a period of inactivity the tunnel will be torn down. In most cases when required it will simply be re-established, but what if you wanted it to be permanently up?

I have had situations where only the ASA side of a tunnel can bring it up (usually because of misconfiguration at the ‘other end‘) and that situation cannot be rectified.

Search for how to do this and the usual answer is to simply set the vpn-idle-timeout on the group policy that applied to the tunnel to none, remember if you haven’t specified a group policy for a tunnel it should take its settings from the DfltGrpPolicy so you would simply do this.

[box]

Petes-HomeASA# conf t
Petes-HomeASA(config)# group-policy DfltGrpPolicy attributes
Petes-HomeASA(config-group-policy)# vpn-idle-timeout none
Petes-HomeASA(config-group-policy)# exit
Petes-HomeASA(config)# wr mem

[/box]

However, I’ve tested that AND IT DOES NOT WORK!

Solution : VPN Always UP

The solution that works, is to use the event manager applet, and schedule an event to happen periodically, (like send some traffic down the tunnel to keep it up).  This is simple to do.

[box]

Petes-HomeASA# conf t
Petes-HomeASA(config)# event manager applet VPN-Always-UP
Petes-HomeASA(config-applet)# event timer watchdog time 1500
Petes-HomeASA(config-applet)# action 1 cli command "ping tcp inside 192.168.100.3 80 source 10.254.254.212 55555 repeat 2"
Petes-HomeASA(config-applet)# output none
Petes-HomeASA(config-applet)# exit
Petes-HomeASA(config)# exit
Petes-HomeASA# write mem
Building configuration...
Cryptochecksum: b81da41e 32a6843e 07680a8f aaacd646

10988 bytes copied in 0.370 secs
[OK]
Petes-HomeASA#

[/box]

To test,simply wait a moment then issue a ‘show cry isa’ command on the firewall. You will see that there is a tunnel established, or if your too lazy, just ping something at the other end of the tunnel in ‘most‘ cases if the first packet times out, then it starts to respond, then that’s a warning the tunnel was NOT up. If it instantly responds that’s a good indicator that the tunnel was already up.

Related Articles, References, Credits, or External Links

Thanks to Ajay Mandava for the article.

Bring up a VPN Tunnel From the ASA

macOS – SSH Error ‘No Matching Exchange Method Found’

Mac SSH Error KB ID 0001245 

Problem

Certified working all the way up to macOS Ventura version 13.6
Certified working all the way up to macOS Sonoma version 14.1

I thought my RoyalTSX had broken today, I upgraded it a couple of weeks ago, and I upgraded to macOS Catalina 10.15 the other day. After this, all my SSH sessions refused to connect with this error;

 

Unable to negotiate with x.x.x.x port 22: no matching key exchange found. Their offer diffie-hellman-group1-sha1

Note: You may also see the following error;

Unable to negotiate with x.x.x.x port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

Update: 10/04/20: With newer equipment you may see the following error;

Unable to negotiate with x.x.x.x port 22: no matching MAC found Their offer: hmac-sha2-256

Update 08/12/21: With newer Cisco equipment you may see the following error;

Unable to negotiate with x.x.x.x.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

Mac SSH Error – Fix

WARNING: My usual fix for this is to edit the macs ssh_config file directly and allow the older (less secure) connection methods. It has been (correctly) pointed out, that this is the ‘least preferred‘ method, as it will allow these less sure methods for ALL SSH connections. The preferred fix, is to create a new file in your own home folder, with the connection settings for EACH SSH CONNECTION. However, I manage hundreds of firewalls. routers and switches so that method is a little unwieldy for me. But I will include it at the end of the article, for the more security conscious of you.

Not Apple’s fault to be fair, it’s OpenSSH version 7. SHA1 is weak, so support for it has been removed. Which is fine, but all my clients Cisco Firewalls, Routers, Switches are probably all using  RSA/SHA1. So until they re all updated I’m going to need to re-enable SHA1.

Open a terminal windows and execute the following;

[box]

sudo nano /etc/ssh/ssh_config
ENTER YOUR PASSWORD

[/box]

Locate the line ‘ #   MACs hmac-md5,hmac-sha1,hmac-sha2-256,umac-64@openssh.com,hmac-ripemd160′ and remove the Hash/Pound sight from the beginning, and add the extra hashing algorithm that I’ve shown above in red. 

Locate the line ‘ #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc’ and remove the Hash/Pound sight from the beginning.

Then paste the following on the end;

HostkeyAlgorithms ssh-dss,ssh-rsa

KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1

Like so;

Mac SSH Error – Quitting Nano

To quit nano, use the Ctrl-X key combination. because you are working on has been modified since the last time you saved it, you will be prompted to save the file first. Type y to save the file.

Theres no reason to reboot, it should work straight away.

But Wait – Theres More!

It’s going to happen every time you upgrade your mac, I’ve started taking a backup of the ssh_config file, then I can just restore it back again, like so;

Backup macOS SSH Settings & Ciphers

[box]

sudo cp /etc/ssh/ssh_config /etc/ssh/ssh_config.bak

[/box]

Restore macOS SSH Settings & Ciphers

[box]

sudo rm /etc/ssh/ssh_config
sudo mv /etc/ssh/ssh_config.bak /etc/ssh/ssh_config
sudo cp /etc/ssh/ssh_config /etc/ssh/ssh_config.bak

[/box]

Mac SSH Error (The More Secure & Preferred) Fix

Using this method you will create a connection (entry) for each asset you want to connect to. This will be saved in your Home directory so if multiple people use the Mac you will need to do this for each user.

Firstly create a config file in you home directory.

[box]

sudo nano ~/ssh/config

[/box]

What this does is create a blank file that you can then create an entry for each of the assets you want to connect to. Firstly specify the hostname, then the settings for that particular asset, like so:

[box]

Host YOUR-SWITCH
User YOUR-USER
port 22
KexAlgorithms +diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Ciphers +aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
PubkeyAcceptedAlgorithms +ssh-rsa
HostkeyAlgorithms +ssh-rsa

[/box]

Note: Simply add new host entries at a new line in the SAME config file.

Related Articles, References, Credits, or External Links

NA

ASDM on Windows 11?

ASDM on Windows 11 KB ID 0001806

Problem

Can you install ASDM on Windows 11? yes, but as usual there’s some pre requisites. Someone asked this question on EE today, so I thought I’d check.

ASDM on Windows 11 Solution

ASDM requires Java, theres an open Java version, but to be honest, most people (and certainly most older firewalls) are using the Oracle JRE so make sure you have that installed before you do anything.

Note: Some older versions of ASDM may require older versions of Java, I like to keep my ASDM images up to date, so this never trips me up. Consider updating your firewalls OS and ASDM images (I’ll put instructions at the bottom of the page – if you unsure how to do that). 

Browse to the interface on the firewall you have ASDM working on, and add /admin to the end of the URL, i.e. https://192.168.1.1/admin or https://10.1.1.1:444/admin (if you have ASDM on a non standard port). From there select Install ASDM Launcher.

Note: If you DON’T know how to enable ADSM then read this article.

The installer (.msi) will open and load to your default browsers download directory.

Run the installer.

Accept all the defaults.

Open the shortcut

Note: At this point if you get an error that says “This app can’t run on your PC” then see this article.

All being well, your ASDM will open.

Related Articles, References, Credits, or External Links

Cisco ASA5500 Update System and ASDM (From CLI)

Cisco ASA5500 Update System and ASDM (From ASDM)

Update Cisco ASA – Directly from Cisco (via ASDM)

Windows: Cisco ASDM ‘This app can’t run on your PC’

Cannot Access / Open ASDM

Windows: Cisco ASDM ‘This app can’t run on your PC’

‘This app can’t run on your PC’ KB ID 0001574

Problem

Whys isn’t Java dead yet? 🙁 Anyway, I tried to connect to a clients ASDM today, and from my Windows 10 machine, I got the following error;

Windows 11

Windows 10

This app can’t run on your PC
To find a version for your PC, check with the software publisher.

‘This app can’t run on your PC’ Solution

Make sure you have installed Java (www.java.com) and also make sure you are using an Intel (Not ARM based processor)

If you are launching straight for the desktop open the properties of the ASDM shortcut, and look at the ‘Target‘ value.

Change it to;

[box]

C:\Windows\system32\wscript.exe invisible.vbs run.bat

[/box]

Apply > OK.

Try again.

If you are launching from the ‘Start Menu’ Open the file location of the shortcut;

Windows 11

Windows 10

 

And change the target to “C:\Windows\system32\wscript.exe invisible.vbs run.bat“. > Apply > OK.

Related Articles, References, Credits, or External Links

NA

AnyConnect Error: Cannot Connect to to this Gateway

AnyConnect Error KB ID 0001799

Problem

Out of the blue this started happening (to a previously working AnyConnect deployment).

Cannot connect to this gateway. Please choose another gateway and try again

I upgraded the client, the AnyConnect package in the firewall, the OS on the firewall and the ADSM! The error would not go away.

AnyConnect Error: Solution

Sadly I’d also blown away the Anyconenct config on the firewall, and rebuilt it from scratch, (because that caused a boatload of other problems down the line). Before I finally realised what the problem was.

The previous week I’d been doing some work on my public DNS and had incorrectly set the IP address of my AnyConect (the IP should have been x.x.x.6 and I’d changed it to x.x.x.How did I find out? I simply opened a browser and went to the AnyConnect URL and instead of looking at the firewall I was greeted with the logon screen for my exchange server!

So make sure you have NOT got a static NAT on your firewall set to the public IP of the firewall, or you have not PORT forwarded https (TCP Port 443) to an internal IP.

Related Articles, References, Credits, or External Links

NA

FortiGate Certificate Import Errors

FortiGate Certificate KB ID 0001791

Problem

A colleague messaged me last week because he could not import a certificate on a FortiGate (that had been exported from a Cisco ASA). He was seeing this error;

Incorrect certificate file format for CA/LOCAL/CRL/REMOTE cert.

FortiGate Certificate Problems

A brief Google led me to ask “Is the FortGate licensed or on a Free/Trial license?” As that can produce this error {apparently}. But for us this was not the problem.

This was happening because the ASA (like Windows) exports its certificates in ‘base64‘ encoding and the FortiGate does not like that, so it throws its toys out of the pram. Firstly ENSURE you exported the certificate as a PKCS12 file like so,

Otherwise the certificate will NOT be exported with its private key, and if you import a certificate into a FortiGate without the private key you will get this error;

Certificate file is duplicated for CA/LOCAL./REMOTE/CRL cert.

We now have a copy of our exported ‘base64 encoded’ certificate. (Note: It has no file extension, don’t panic!) If it was extracted from Windows, it might have a .PFX extension. If yours does, simply use the following commands with that file extension.

And put it on a machine that has OpenSSL installed, or if like me you’re a macOS user copy it there, (OpenSSL is installed by default). Firstly we have to decode the extracted certificate;

[box]

openssl base64 -in /Users/petelong/Dropbox/PNL-EXPORTED-CERT -d -out /Users/petelong/Dropbox/PNL-DECODED-CERT

[/box]

Now we have decoded that certificate, we can extract the private key with the following command.

[box]

openssl pkcs12 -in /Users/petelong/Dropbox/PNL-DECODED-CERT -nocerts -out /Users/petelong/Dropbox/PNL-PRIVATE-KEY.pem

[/box]

Then to extract the identity information use the following command.

[box]

openssl pkcs12 -in /Users/petelong/Dropbox/PNL-DECODED-CERT -clcerts -nokeys -out /Users/petelong/Dropbox/PNL-IDENTITY-CERT.pem

[/box]

Import FortiGate Certificate

Now that you have those TWO files you can import them into your FortiGate, like so.

Related Articles, References, Credits, or External Links

NA

Cisco to FortiGate Command Conversion

KB ID 0001776

Problem

Bah what the hell is ‘show run‘? If you’ve spent years on Cisco IOS and ASA/Firepower, then FortiGate can be a little confusing. Hopefully this Cisco to FortiGate list below will make it a little easier.

Cisco to Fortigate Translation

Cisco Command FortiGate Command
Basic commands
show run show full-config
show version get system status
show ip interface brief show system interface
show run interface x/x show system interface <port #>
show interface x/x get hardware nic <port #> / diagnose hardware deviceinfo nic
show ip arp diagnose ip arp list
show mac address-table diagnose switch mac-address list | grep -i mac
show lldp neighbor diagnose lldprx neighbor summary
show ip nat translation get system session list
show vlan diagnose switch vlan list
show failover diagnose system ha status
copy running-configuration startup-configuration execute backup config
reload execute reboot
ping x.x.x.x execute ping x.x.x.x
Basic Routing Commands
show ip route get router info routing-table all
show ip route x.x.x.x get router info routing-table details x.x.x.x
sh ip route summary get router info routing-table all
show  run | sec route-map show router route-map
show run | sec ip prefix-list show router prefix-list
OSPF Commands
show ip ospf neighbor get router info ospf neighbor
show ip ospf neighbor details get router info ospf neighbor detail all
BGP Commands
show ip bgp summary get router info bgp summary
show run | sec router bgp show router bgp
show ip bgp neighbor x.x.x.x routes get router info bgp neighbors x.x.x.x routes
show ip bgp neighbor x.x.x.x advertised-routes get router info bgp neighbors x.x.x.x advertised-routes
show ip bgp neighbor x.x.x.x received-routes get router info bgp neighbors x.x.x.x received-routes
show ip bgp x.x.x.x get router info bgp network x.x.x.x
VPN Commands
show crypto isakmp diagnose vpn ike gateway list
show crypto ipsec sa diagnose vpn tunnel list

Please comment below if you want to add any I’ve missed.

Related Articles, References, Credits, or External Links

NA

Cisco FPR – Re-image from FTD to ASA Code

KB ID 0001766

Problem

Note: This procedure is to re-image a Cisco Firepower device from FTD to ASA code, (in this example a Cisco FPR 1010). 

Why would you want to do this? Well to be frank FTD is bobbins, so if you have a device running FTD code you might want to ‘convert’ it to ASA code. If you tried to do this with an older firewall (ASA 5500-X) then you needed to go to Cisco TAC and try and get them to give you an activation code for the ASA. But if you are using an FPR device then YOU DON’T NEED TO DO THAT.

You might also want to do this because, (at time of writing) buying a Cisco FPR device running ASA code, the lead times in the UK are eye wateringly long (200-300 days!) But you can buy a chassis running FTD code and then convert that to ASA code with the following procedure.

Solution

Connect to your FPR device with a console cable, and log on as admin (the default password is Admin123, unless you have changed it of course!) Download the latest version of ASA code for your device from Cisco, in my case (at time of writing) that’s cisco-asa-fp1k.9.14.3.15.SPA. Copy that onto a USB drive (WARNING: The drive needs to be formatted with FAT32, the firewall will not recognise or mount the drive unless it is!) Finally insert the USB drive into the firewall, and issue the following commands.

[box]

FTD-1# scope firmware
FTD-1 /firmware # download image usbA:/cisco-asa-fp1k.9.14.3.15.SPA
Please use the command 'show download-task' or 'show download-task detail' to check download progress.
FTD-1 /firmware # show download-task

Download task:
    File Name Protocol Server          Port       Userid          State
    --------- -------- --------------- ---------- --------------- -----
    cisco-asa-fp1k.9.14.3.15.SPA
              Usb A                             0                 Downloading

% Download-task cisco-asa-fp1k.9.14.3.15.SPA : completed successfully.

[/box]

Note: If it says, ‘failed. Download failure – USB drive is not mounted‘ the drive is probably formatted incorrectly. If it says ‘Download-task failed. Failed signature validation‘, then the image is probably corrupt, try again, or use a different version.

Verify the file has downloaded correctly.

[box]

show download-task

Download task:
    File Name Protocol Server          Port       Userid          State
    --------- -------- --------------- ---------- --------------- -----
    cisco-asa-fp1k.9.14.3.15.SPA
              Usb A                             0                 Downloaded

[/box]

Then make sure the package is listed with a show package command.

[box]

FTD-1 /firmware # show package
Name                                          Package-Vers
--------------------------------------------- ------------
cisco-asa-fp1k.9.13.1.2.SPA                   9.13.1.2
cisco-asa-fp1k.9.14.3.15.SPA                  9.14.3.15
cisco-ftd-fp1k.6.6.0-90.SPA                   6.6.0-90

[/box]

Note: You can see (above) there’s an ASA code version from a previous install and it shows the current running FTD code also. To re-image the firewall execute the following commands. (Note: you enter the VERSION NOT THE FILENAME!)

[box]

FTD-1 /firmware # scope auto-install
FTD-1 /firmware/auto-install # install security-pack version 9.14.3.15

The system is currently installed with security software package 6.6.0-90, which has:
   - The platform version: 2.8.1.105
   - The CSP (ftd) version: 6.6.0.90
If you proceed with the upgrade 9.14.3.15, it will do the following:
   - upgrade to the new platform version 2.8.1.172
During the upgrade, the system will be reboot

Do you want to proceed ? (yes/no):yes {Enter}

This operation upgrades firmware and software on Security Platform Components
Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup

Do you want to proceed? (yes/no):yes {Enter}

Triggered the install of software package version 9.14.3.15
Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command.
FTD-1 /firmware/auto-install #

[/box]

Now go and have a coffee, it will take 20 minutes, and a few reboots before it’s finished. When completed you should see a login prompt, login with admin/Admin123 and reset the password. 

[box]

firepower-1010 login: admin
Password: Admin123
Successful login attempts for user 'admin' : 1
Last failed login: Sun Nov 21 16:55:16 UCT 2021 on ttyS0
There was 1 failed login attempt since the last successful login.
Hello admin. You must change your password.
Enter new password: password123
Confirm new password: password123
Your password was updated successfully.

[/box]

Then connect to the ASA CLI with the connect asa command. Go to enable mode, and set the enable password. Finally, save the config.

[box]

firepower-1010# connect asa
firepower-1010# Verifying signature for cisco-asa.9.14.3.15 ...
Verifying signature for cisco-asa.9.14.3.15 ... success
ciscoasa>
ciscoasa> enable
The enable password is not set.  Please set it now.
Enter  Password: password123
Repeat Password: password123
Note: Save your configuration so that the password can be used for FXOS failsafe access and persists across reboots
("write memory" or "copy running-config startup-config").
ciscoasa# write memory
Building configuration...
Cryptochecksum: a607255a a64f2898 97bb6b40 9a8ff25c

[/box]

You will now be running ASA code with the factory settings (Inside 192.168.1.1/24, Management 192.168.45.1/24 (with DHCP enabled), Outside set to get IP dynamically, and all traffic allowed out).

Remember if you’re a ‘light weight’ and cant use command line, then you will need to install and configure the ASDM 🙂 

Related Articles, References, Credits, or External Links

Reimage Cisco 1010 ASA to FTD

Convert ASA 5500-X To FirePOWER Threat Defence

Use Azure MFA With Microsoft NPS (RADIUS) Server

 

KB ID 0001759

Problem

I was in a forum last week and someone asked, “Can I enable Azure MFA, on my RADIUS server, to secure access to my switches and routers etc”. It turns out if you want to enable Azure MFA with Microsoft NPS it’s actually quite  simple.

So, I’m using RADIUS auth (above) on my NPS server, and it’s simply checking the authenticating user is a member of a domain security group. Once it has satisfied that requirement, it will authenticate against my Azure AD, which will trigger an MFA event, (in my case send a request to the Microsoft Authenticator Application on my Android Phone).

Azure MFA With Microsoft NPS Pre-Requisites

The remote user needs EITHER an Azure P1 License, or a Microsoft 365 license. 

“But I can use the Authenticator App with my Office 365 subscription?”

Well yes you can, but we are not authenticating to office 365 are we?

Below you can prove the licence is allocated in Office 365

And the same in Azure AD.

Now your user needs to have MFA enabled, (this should be pretty obvious), to use the Microsoft authenticator application the USER chooses that method of authentication, when you enable MFA for them (the first time they login). You can re-force that, from the following screen if you wish.

Azure MFA With Microsoft NPS: Deploying NPS

So I’ve pretty much covered this half a dozen times before, but for completeness I’ll quickly run though setting up NPS / NPAS. The quickest simplest method is to use PowerShell.

[box]

Install-WindowsFeature NPAS -IncludeManagmentTools

[/box]

From administrative tools open > Network Policy Server >Right click (Top Level) > Register Server in Active Directory  > OK > OK

Execute the following PowerShell command to create a registry key

[box]

New-Item 'HKLM:\SOFTWARE\Microsoft\AzureMfa' -Force | New-ItemProperty -Name REQUIRE_USER_MATCH -Value TRUE -Force | Out-Null

[/box]

Enable NPS RADIUS on Windows Firewall

Now for some reason installing NPS does not open the correct ports on the Windows Firewall? So issue the following command;

[box]

Get-NetFirewallRule -DisplayGroup "Network Policy Server" | where DisplayName -like "*RADIUS*" | Set-NetFirewallRule -Service Any

[/box]

Azure MFA With Microsoft NPS: Domain (on Premises and Azure AD)

You will need to know what your Azure Tenant ID is, keep a copy of this handy either in notepad or on the clipboard because you will need it in a minute.

Below you can see I’ve got my domain user, their remote access (Dial In Tab) is set to control access though policy, and I’ve placed them in a security group called SG-Azure-MFA.

Configure NPS for RADIUS Access

Note: You may already have this configured, if so please skip to the next section.

The first task is to define the RADIUS CLIENT, in my case it will be a Cisco firewall, yours could be any device that requires RADIUS authentication. Locate REDIUS Clients  > New > Provide a ‘Friendly Name’ (REMEMBER WHAT IT IS) > Enter its IP address > Then provide and confirm a shared secret (think of it like a password, you will need to add this to the radius clients config) > OK

Policies > Network Policies > New > Give it a sensible name > Next.

Add in a ‘Condition‘ for User Group, then add in the user group you created/used above.

Add in another ‘Condition‘ > Set the friendly name to the one you used when you created your RADIUS client.

Accepts all the defaults until you get to Configure Authentication Methods > Tick ‘Unencrypted Authentication (PAP, SPAP)’> Click yes if you want to read the warning > Next > Accept all the defaults from this point forward.

Enable Azure MFA With Microsoft NPS

Download the ‘NPS Extension For Azure MFA‘ software form Microsoft, and install it on your NPS server.

To actually enable it against your Azure AD, Execute the following PowerShell commands;

[box]

cd "c:\Program Files\Microsoft\AzureMfa\Config"
.\AzureMfaNpsExtnConfigSetup.ps1

[/box]

Eventually you will be asked to authenticate to Azure, do so with an administrative account.

You will be asked to provide your Azure Tennant ID.

When complete REBOOT THE NPS SERVER!

Testing Azure MFA With NPS

Again for Cisco ASA I’ve already blogged about this, but for completeness here’s me making sure it works;

Remember to RAISE the RADIUS timeout, by default its 10 seconds, I raised it to 30 seconds.

And on my phone I get prompted to allow

 

Authentication successful!

Troubleshooting (NPS Azure MFA Not Working)

Event ID 6274: The Request Was Discarded by a third-party extension DLL file. 

This happens when the user you are authenticating does not have the correct license in Azure (or you have just allocated the license and have not waited for a while).

Full Error

[box]

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          15/07/2021 16:42:58
Event ID:      6274
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      PKI-02.pnl.com
Description:
Network Policy Server discarded the request for a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			PNL\tanya.long
	Account Name:			tanya.long
	Account Domain:			PNL
	Fully Qualified Account Name:	pnl.com/PNL/Users/Tanya Long

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	Called Station Identifier:		-
	Calling Station Identifier:		-

NAS:
	NAS IPv4 Address:		192.168.254.254
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			Virtual
	NAS Port:			6

RADIUS Client:
	Client Friendly Name:		Firewall
	Client IP Address:			192.168.254.254

Authentication Details:
	Connection Request Policy Name:	Use Windows authentication for all users
	Network Policy Name:		NP-Azure-MFA
	Authentication Provider:		Windows
	Authentication Server:		PKI-02.pnl.com
	Authentication Type:		PAP
	EAP Type:			-
	Account Session Identifier:		-
	Reason Code:			9
	Reason:				The request was discarded by a third-party extension DLL file.

[/box]

Event ID 6273: An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection

In my case I had re-install the NPS Azure extension.

Full Error

[box]

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          15/07/2021 17:24:39
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      PKI-02.pnl.com
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			NULL SID
	Account Name:			tanya.long
	Account Domain:			PNL
	Fully Qualified Account Name:	PNL\tanya.long

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	Called Station Identifier:		-
	Calling Station Identifier:		-

NAS:
	NAS IPv4 Address:		192.168.254.254
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			Virtual
	NAS Port:			10

RADIUS Client:
	Client Friendly Name:		Firewall
	Client IP Address:			192.168.254.254

Authentication Details:
	Connection Request Policy Name:	Use Windows authentication for all users
	Network Policy Name:		-
	Authentication Provider:		Windows
	Authentication Server:		PKI-02.pnl.com
	Authentication Type:		Extension
	EAP Type:			-
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			21
	Reason:				An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.

[/box]

 

Related Articles, References, Credits, or External Links

NA

Cisco ASA DHCP Reservation (Solved)

KB ID 0001751

Problem

We have been asking for this for years! Even on my home network I’ve not been able to allocate an ASA DHCP reservation for my laptop and my MyCloud drive. I’ve been in discussions in forums with people who are convinced that putting a static ARP entry into the ASA would solve the problem (it doesn’t – I tested it extensively!)

But finally in version 9.13(1) we can now add a static DHCP reservation (MAC address to IP address).

Create an ASA DHCP Reservation

Assuming you have DHCP already setup e.g.

[box]

!
dhcpd address 10.254.254.10-10.254.254.75 inside
dhcpd enable inside
!

[/box]

Then simply add the reservation, you need to specify the MAC address as xxxx.xxxx.xxxx (that’s with full stops not colons), if in doubt, ping the existing IP address then execute a ‘show arp’ command to show you all the MAC addresses the firewall can see, so you can copy/paste it into the following command;

[box]

dhcpd reserve-address 10.254.254.50 38f9.d326.66cc inside

[/box]

Quite why it took so long for Cisco to give us this basic function, I have no idea.

Related Articles, References, Credits, or External Links

NA