FortiGate LDAPS Authentication Failure

KB ID 0001733

Problem

Here’s a brief one that tripped me up a couple of weeks ago. I was deploying FortiGate LDAPS authentication for some FortiClient SSL VPN connections into a FortiGate firewall, like so;

Despite my best efforts I was getting authentication failures, yet if I tested the username and password in the GUI web management portal, that worked fine.

Testing FortiGate LDAPS

First step is to test authentication at command line, like so;

[box]

Forti-FW # diag test auth ldap My-DC test.user Password123
authenticate 'test.user' against 'My-DC' failed!

[/box]

Note: My-DC is the domain controller, test.user is the username, and Password123 is the password for my AD user. (The fact I need to explain that is depressing, but c’est la vie).

So despite what the GUI is telling me, authentication is actually failing. Remember I’m using LDAPS, so the FortiGate needs to have the CA certificate that issued the LDAPS (server) certificate on my domain controller(s) in its trusted CA list! And TCP port 636 needs to be open between the firewall and the domain controllers.

Debugging FortiGate LDAPS

So now we need to debug what’s going on;

[box]

Forti-FW # diagnose debug enable
Forti-FW # diagnose debug application fnbamd 255
Debug messages will be on for 30 minutes.

[/box]

Then simply attempt to authenticate via FortiClient, or recall the ‘diag test’ command from above (and remember to run diagnose debug disable when you’re finished, so the firewall isn’t left logging every authentication at this verbosity).

[box]

Forti-FW # diag test auth ldap My-DC test.user Password123
[1932] handle_req-Rcvd auth req 1296531457 for test.user in My-DC opt=0000001b prot=0
[424] __compose_group_list_from_req-Group 'My-DC', type 1
[617] fnbamd_pop3_start-test.user
[970] __fnbamd_cfg_get_ldap_list_by_server-
[976] __fnbamd_cfg_get_ldap_list_by_server-Loaded LDAP server 'My-DC'
[1131] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1
[1713] fnbamd_ldap_init-search filter is: sAMAccountName=test.user
[1722] fnbamd_ldap_init-search base is: dc=testbench,dc=co,dc=uk
[1146] __fnbamd_ldap_dns_cb-Resolved My-DC:192.168.1.122 to 192.168.1.122, cur stack size:1
[919] __fnbamd_ldap_get_next_addr-
[1152] __fnbamd_ldap_dns_cb-Connection starts My-DC:192.168.1.122, addr 192.168.1.122 over SSL
[874] __fnbamd_ldap_start_conn-Still connecting 192.168.1.122.
[591] create_auth_session-Total 1 server(s) to try
[1097] __ldap_connect-tcps_connect(192.168.1.122) failed: ssl_connect() failed: 337047686 (error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed).
[930] __ldap_error-My-DC:192.168.1.122, addr 192.168.1.122
[725] __ldap_stop-Conn with 192.168.1.122 destroyed.
[919] __fnbamd_ldap_get_next_addr-
[902] __ldap_try_next_server-No more server to try for 'My-DC'.
[785] __ldap_done-svr 'My-DC'
[755] __ldap_destroy-
[2870] fnbamd_ldap_result-Error (3) for req 1296531457
[217] fnbamd_comm_send_result-Sending result 3 (nid 0) for req 1296531457, len=2044
authenticate 'test.user' against 'My-DC' failed!
Forti-FW # [747] destroy_auth_session-delete session 1296531457
[755] __ldap_destroy-
[1764] fnbamd_ldap_auth_ctx_free-Freeing 'My-DC' ctx
[2099] fnbamd_ldap_free-Freeing 'My-DC'

[/box]

OK so it’s certificate related. For the TLS handshake to succeed you need the following;

  1. The FortiGate has to trust the CA that issued the domain controller’s certificate.
  2. The server name you configure on the FortiGate has to match the common name (or a Subject Alternative Name) on the certificate, and the firewall has to be able to resolve that name via DNS.
  3. If you’ve specified the LDAP server by IP address, that IP address needs to be on the certificate as a Subject Alternative Name (SAN); an IP address is never matched against a DNS name entry.
  4. Your firewall and the AD/LDAP server need to support a common TLS version and cipher suite.

So I had number 1 covered, and the chance of it being number 4 is slim (server and firewall are fully updated).

So my problem was number 3, which then exposed number 2: I’d specified the LDAPS server by its internal IP, which isn’t on the certificate. I needed to use its FQDN, and then of course the firewall needed to be able to resolve that name with a DNS lookup (try execute ping server-name.domain-name if you’re unsure!)

[box]

Forti-FW # execute ping win-server.testbench.co.uk
Unable to resolve hostname.  <---OOPS THAT'S NOT GOOD!

Forti-FW # execute ping 192.168.1.122 <---CONNECTIVITY IS OK!
PING 192.168.1.122 (192.168.1.122): 56 data bytes
64 bytes from 192.168.1.122: icmp_seq=0 ttl=128 time=5.4 ms
64 bytes from 192.168.1.122: icmp_seq=1 ttl=128 time=2.0 ms
64 bytes from 192.168.1.122: icmp_seq=2 ttl=128 time=1.9 ms
^C
--- 192.168.1.122 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.9/3.1/5.4 ms

[/box]

Once DNS was setup correctly;

[box]

Forti-FW # execute ping win-server.testbench.co.uk
PING win-server.testbench.co.uk (192.168.1.122): 56 data bytes
64 bytes from 192.168.1.122: icmp_seq=0 ttl=128 time=1.9 ms
64 bytes from 192.168.1.122: icmp_seq=1 ttl=128 time=2.3 ms
64 bytes from 192.168.1.122: icmp_seq=2 ttl=128 time=2.1 ms
^C
--- win-server.testbench.co.uk ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss <---BOOM THAT'S BETTER
round-trip min/avg/max = 1.9/2.1/2.3 ms

[/box]

Then retest.

[box]

Forti-FW # diag test auth ldap My-DC test.user Password123
authenticate 'test.user' against 'My-DC' succeeded!
Group membership(s) - CN=GS-VPN-Users,OU=Securty-Groups,DC=testbench,DC=co,DC=uk
                      CN=Domain Users,CN=Users,DC=testbench,DC=co,DC=uk

[/box]
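The four requirements above can be checked from a Windows admin box before you touch the firewall. The script below is an added example and is not from the original article: it resolves the configured name, opens TCP 636, completes a TLS handshake, checks the chain against this box’s trust store (the root it reports is the CA certificate to import on the FortiGate), and tests the configured value against the certificate’s SAN, distinguishing an FQDN from an IP literal. The server name and port are assumptions taken from this article; pass exactly what you typed into the FortiGate LDAP server definition as -Server.

```powershell
# Added example (not from the original article): reproduces, from a Windows admin
# box, the checks the FortiGate makes against the LDAPS server so you can see
# which of the four requirements above is failing before turning on fnbamd debug.
# ASSUMPTIONS: the server name/port below are the ones from this article; pass
# exactly the value you typed into the FortiGate LDAP server definition as -Server.
param(
    [string]$Server = 'win-server.testbench.co.uk',
    [int]$Port = 636
)

# Requirement 2: the configured value must resolve. An IP literal "resolves" trivially,
# but then requirement 3 applies to it further down.
$ipLiteral = $null
$isIpLiteral = [System.Net.IPAddress]::TryParse($Server, [ref]$ipLiteral)
try {
    $addresses = [System.Net.Dns]::GetHostAddresses($Server) | ForEach-Object { $_.IPAddressToString }
    "DNS      : $Server -> $($addresses -join ', ')"
} catch {
    "DNS      : cannot resolve '$Server' ($($_.Exception.Message)) - fix DNS on the firewall first"
    return
}

# Plain TCP reachability on 636 (firewall rules between the FortiGate and the DC).
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($Server, $Port)
    "TCP      : connected to ${Server}:$Port"
} catch {
    "TCP      : ${Server}:$Port unreachable ($($_.Exception.Message))"
    return
}

# TLS handshake. The callback accepts any certificate so the handshake completes and we
# can inspect the certificate ourselves; never do this in production code.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($Server)
} catch {
    # Requirement 4: no common protocol/cipher (or the server closed the connection).
    "TLS      : handshake failed ($($_.Exception.Message))"
    $tcp.Close(); return
}
"TLS      : $($ssl.SslProtocol), $($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
"Subject  : $($cert.Subject)"
"Issuer   : $($cert.Issuer)"

# Requirement 1: does the certificate chain to a root this box trusts? The root it
# reports is the CA certificate that has to be imported on the FortiGate.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($cert)) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Chain    : trusted, root = $($root.Subject)"
} else {
    "Chain    : NOT trusted - $(($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')"
}

# Requirements 2/3: the configured name must appear in the SAN (a DNS Name entry for an
# FQDN, an IP Address entry for an IP literal); fall back to the subject CN for DNS names.
$dnsNames = @(); $ipNames = @()
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    foreach ($m in [regex]::Matches($san.Format($false), '(DNS Name|IP Address)=([^,]+)')) {
        if ($m.Groups[1].Value -eq 'DNS Name') { $dnsNames += $m.Groups[2].Value.Trim() }
        else                                    { $ipNames  += $m.Groups[2].Value.Trim() }
    }
}
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
"SAN DNS  : $($dnsNames -join ', ')"
"SAN IP   : $($ipNames -join ', ')"
if ($isIpLiteral) {
    if ($ipNames -contains $Server) { "Identity : IP '$Server' is in the SAN - OK" }
    else { "Identity : IP '$Server' is NOT in the SAN - configure the FortiGate with the FQDN instead" }
} else {
    if (($dnsNames -contains $Server) -or ($cn -eq $Server)) { "Identity : '$Server' matches the certificate - OK" }
    else { "Identity : '$Server' is not on the certificate (CN=$cn)" }
}

$ssl.Dispose()
$tcp.Close()
```

Run it once with the IP and once with the FQDN: the IP run shows the SAN mismatch that produced the ‘certificate verify failed’ above, the FQDN run shows which DNS server needs fixing if resolution fails. The chain result reflects the admin box’s trust store, not the FortiGate’s, so a ‘trusted’ here still means the reported root has to be present on the firewall.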

Related Articles, References, Credits, or External Links

NA

Exchange – ‘Not all the required authentication methods were found’

KB ID 0001180 

Problem

I had to visit a client who had recently gone through an Exchange migration, now his external mail clients were having a nightmare staying connected to Outlook Anywhere. I ran the Exchange connectivity tester and got this;

Additional details
Not all the required authentication methods were found
Methods Found: Basic
Methods Required: NTLM

 

Solution

Looks like an open and shut case: someone forgot to enable Windows Authentication on the ‘Rpc’ virtual directory in IIS. When I looked, it wasn’t enabled, so I enabled it, like so;

Now I was feeling smug, and enjoying a coffee before I left site, when it went off again. As it happens, not only do you need to set it correctly in IIS, but if it has been set incorrectly on the Exchange object, then Exchange wins and its setting is written back over IIS. As you can see from my query below;

[box]

[PS] C:\Windows\system32>Get-OutlookAnywhere


RunspaceId                      : a268959b-a2c9-435a-883e-97acef3ec828
ServerName                      : PNLMAIL03
SSLOffloading                   : False
ExternalHostname                : webmail.petenetlive.co.uk
ClientAuthenticationMethod      : Ntlm
IISAuthenticationMethods        : {Basic} << OOPS! :(
XropUrl                         :
MetabasePath                    : IIS://PNLMAIL03.PNL.local/W3SVC/1/ROOT/Rpc
Path                            : C:\Windows\System32\RpcProxy
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : PNLMAIL03
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
Name                            : PNLMAIL03
DistinguishedName               : CN=PNLMAIL03,CN=HTTP,CN=Protocols,CN=PNLMAIL03,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=PeteNetLive,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=PNL,DC=local
Identity                        : PNLMAIL03\PNLMAIL03
Guid                            : 3403795b-af71-4687-ba81-da4c876ed7bc
ObjectCategory                  : PNL.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                     : 01/10/2015 13:34:26
WhenCreated                     : 14/06/2013 09:27:03
WhenChangedUTC                  : 01/10/2015 12:34:26
WhenCreatedUTC                  : 14/06/2013 08:27:03
OrganizationId                  :
OriginatingServer               : PNLDC01.PNL.local
IsValid                         : True

RunspaceId                      : a268959b-a2c9-435a-883e-97acef3ec828
ServerName                      : PNLMAIL02
SSLOffloading                   : False
ExternalHostname                : webmail.petenetlive.co.uk
ClientAuthenticationMethod      : Ntlm
IISAuthenticationMethods        : {Basic}
XropUrl                         :
MetabasePath                    : IIS://PNLMAIL02.PNL.local/W3SVC/1/ROOT/Rpc
Path                            : C:\Windows\System32\RpcProxy
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : PNLMAIL02
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
Name                            : PNLMAIL02
DistinguishedName               : CN=PNLMAIL02,CN=HTTP,CN=Protocols,CN=PNLMAIL02,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=PeteNetLive,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=PNL,DC=local
Identity                        : PNLMAIL02\PNLMAIL02
Guid                            : 40ea303b-9c68-47ab-84fd-362c07f0a2db
ObjectCategory                  : PNL.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                     : 01/10/2015 13:34:37
WhenCreated                     : 14/06/2013 09:26:49
WhenChangedUTC                  : 01/10/2015 12:34:37
WhenCreatedUTC                  : 14/06/2013 08:26:49
OrganizationId                  :
OriginatingServer               : PNLDC01.PNL.local
IsValid                         : True

[/box]

Well that explains the error! To fix that;

[box]

[PS] C:\Windows\system32>Get-OutlookAnywhere | Set-OutlookAnywhere -IISAuthenticationMethods Basic, Ntlm

[/box]

Now let’s check again.

[box]

[PS] C:\Windows\system32>Get-OutlookAnywhere


RunspaceId                      : a268959b-a2c9-435a-883e-97acef3ec828
ServerName                      : PNLMAIL03
SSLOffloading                   : False
ExternalHostname                : webmail.petenetlive.co.uk
ClientAuthenticationMethod      : Ntlm
IISAuthenticationMethods        : {Basic, Ntlm} << BOOM :)
XropUrl                         :
MetabasePath                    : IIS://PNLMAIL03.PNL.local/W3SVC/1/ROOT/Rpc
Path                            : C:\Windows\System32\RpcProxy
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : PNLMAIL03
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
Name                            : PNLMAIL03
DistinguishedName               : CN=PNLMAIL03,CN=HTTP,CN=Protocols,CN=PNLMAIL03,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=PeteNetLive,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=PNL,DC=local
Identity                        : PNLMAIL03\PNLMAIL03
Guid                            : 3403795b-af71-4687-ba81-da4c876ed7bc
ObjectCategory                  : PNL.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                     : 02/10/2015 13:13:55
WhenCreated                     : 14/06/2013 09:27:03
WhenChangedUTC                  : 02/10/2015 12:13:55
WhenCreatedUTC                  : 14/06/2013 08:27:03
OrganizationId                  :
OriginatingServer               : PNLDC01.PNL.local
IsValid                         : True

RunspaceId                      : a268959b-a2c9-435a-883e-97acef3ec828
ServerName                      : PNLMAIL02
SSLOffloading                   : False
ExternalHostname                : webmail.petenetlive.co.uk
ClientAuthenticationMethod      : Ntlm
IISAuthenticationMethods        : {Basic, Ntlm}
XropUrl                         :
MetabasePath                    : IIS://PNLMAIL02.PNL.local/W3SVC/1/ROOT/Rpc
Path                            : C:\Windows\System32\RpcProxy
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : PNLMAIL02
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
Name                            : PNLMAIL02
DistinguishedName               : CN=PNLMAIL02,CN=HTTP,CN=Protocols,CN=PNLMAIL02,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=PeteNetLive,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=PNL,DC=local
Identity                        : PNLMAIL02\PNLMAIL02
Guid                            : 40ea303b-9c68-47ab-84fd-362c07f0a2db
ObjectCategory                  : PNL.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                     : 02/10/2015 13:13:58
WhenCreated                     : 14/06/2013 09:26:49
WhenChangedUTC                  : 02/10/2015 12:13:58
WhenCreatedUTC                  : 14/06/2013 08:26:49
OrganizationId                  :
OriginatingServer               : PNLDC01.PNL.local
IsValid                         : True

[/box]
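Because the Exchange object wins over what is ticked in IIS, the check worth repeating after a migration is a comparison of the two. The script below is an added example, not part of the original article: for every Outlook Anywhere virtual directory it reports whether the stored IISAuthenticationMethods contain the method ClientAuthenticationMethod demands, shows the live IIS values when run on that CAS, and with -Fix adds the missing method exactly as the one-liner above does. It assumes the Exchange Management Shell, the WebAdministration module, and the default IIS path ‘IIS:\Sites\Default Web Site\Rpc’.

```powershell
# Added example (not from the original article): audits every Outlook Anywhere
# virtual directory for the mismatch shown above (IISAuthenticationMethods stored
# by Exchange missing the method ClientAuthenticationMethod demands) and, when run
# on that CAS, shows what IIS has on /Rpc right now. ASSUMPTIONS: run inside the
# Exchange Management Shell with the WebAdministration module available; the IIS
# path 'IIS:\Sites\Default Web Site\Rpc' is the default location and is assumed.
param([switch]$Fix)   # -Fix adds the missing method via Set-OutlookAnywhere

Import-Module WebAdministration -ErrorAction SilentlyContinue

foreach ($oa in Get-OutlookAnywhere) {
    $required   = $oa.ClientAuthenticationMethod.ToString()                     # e.g. Ntlm
    $iisMethods = @($oa.IISAuthenticationMethods | ForEach-Object { $_.ToString() })
    $state      = if ($iisMethods -contains $required) { 'OK' } else { "MISSING $required" }
    '{0,-12} client={1,-6} iis={2,-12} {3}' -f $oa.ServerName, $required, ($iisMethods -join ','), $state

    # Exchange rewrites IIS from the object above (that is what "Exchange wins" means),
    # so the object is the source of truth; the live IIS values only show whether it
    # has done so yet.
    if ($oa.ServerName -ieq $env:COMPUTERNAME) {
        $rpc  = 'IIS:\Sites\Default Web Site\Rpc'
        $auth = 'system.webServer/security/authentication'
        $win   = (Get-WebConfigurationProperty -PSPath $rpc -Filter "$auth/windowsAuthentication" -Name enabled).Value
        $basic = (Get-WebConfigurationProperty -PSPath $rpc -Filter "$auth/basicAuthentication"   -Name enabled).Value
        "             IIS live : windowsAuthentication=$win basicAuthentication=$basic"
    }

    if ($Fix -and $iisMethods -notcontains $required) {
        $methods = @(($iisMethods + $required) | Select-Object -Unique)
        Set-OutlookAnywhere -Identity $oa.Identity -IISAuthenticationMethods $methods
        "             fixed    : IISAuthenticationMethods set to $($methods -join ',')"
    }
}
```

Run it without -Fix first; a server whose line says MISSING Ntlm while IIS shows windowsAuthentication=True is exactly the state in this article, and the IIS tick box will not survive.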

 

Related Articles, References, Credits, or External Links

NA

Ubuntu – Evolution Error MAPI_E_LOGON_FAILED

KB ID 0000375 

Problem

Seen when trying to connect the Evolution mail client to a Microsoft Exchange server (via evolution-mapi). As soon as you hit authenticate you will see the following error.

Authentication failed. MapiLogonProvider:MAPI_E_LOGON_FAILED

Solution

In my case it was a very quick fix: instead of using the DNS/NetBIOS name of the Exchange server, put in the server’s IP address.

If all else fails, and you cannot rectify the problem with the solution above, you can always set up domain authentication.

 

Related Articles, References, Credits, or External Links

NA

Ubuntu – Joining / Logging into Windows Domains

KB ID 0000384

Problem

You have a Linux client machine, and you want to authenticate to, and log into a Windows domain. I don’t have too much history with Linux, but from what I’ve read this used to be a nightmare. Using Ubuntu (10.10) I did have a couple of hiccups, but I did get there in the end.

Note: The domain controller is a Windows 2008 R2 Server.

Solution

Notes

1. The commands needed to install the “likewise-open5” package, and join the domain, (assuming the FQDN of the domain is domaina.com and the user name you are using to join the domain is administrator).

[box]

sudo apt-get install likewise-open5
sudo domainjoin-cli join domaina.com administrator
sudo reboot

[/box]

2. Then to allow users to logon from the Ubuntu welcome screen,

[box]sudo nano /etc/samba/lwiauthd.conf[/box]

3. Add the following line (the file will probably be empty), to Save press CTRL+X, then Y, then {enter}.

[box]winbind use default domain = yes[/box]

4. Then reboot.

[box]sudo reboot[/box]

5. To allow sudo for the domain user(s),

[box]sudo nano /etc/sudoers[/box]

Locate the line that reads “#Members of the Admin group may gain root privileges and do the following:”. Below that, type the following (assuming the domain name is domaina and the user is a member of the Domain Admins group; domain^users also works, though giving every domain user full sudo is rarely what you want). Likewise presents AD groups as DOMAIN\group, and the backslash has to be doubled in sudoers because it is an escape character there.

[box]%domaina\\domain^admins ALL=(ALL) ALL[/box]

Problem 1

Error: Lsass Error [code 0x00080047]

9502 (0x251E) DNS_ERROR_BAD_PACKET – A bad packet was received from a DNS server. Potentially the requested address does not exist.

 

This plagued me for a while, I tried everything I read online (like making sure that my time was correct – which it wasn’t (see below), making sure firewalls were off (they were), make sure your DNS has a reverse lookup zone (mine has), and finally make sure there are no existing DNS records for the IP address you are connecting with (mine did so I deleted them). None of these fixed the problem, to fix it is annoyingly simple.

FIX

Firstly make sure that the Ubuntu client is looking at your domain DNS server for its DNS; the following command will tell you,

[box]cat /etc/resolv.conf[/box]

Then get the domain syntax right, in my case the domain name.

[box]

[WORKS] sudo domainjoin-cli join domaina.com administrator

[WONT WORK] sudo domainjoin-cli join DOMAINA.COM administrator
[WONT WORK] sudo domainjoin-cli join domaina administrator
[WONT WORK] sudo domainjoin-cli join DOMAINA administrator

[/box]

And then it connected faultlessly.

Problem 2

Error: Lsass Error [code 0x00080047]

5 (0x5) ERROR_ACCESS_DENIED – Access is denied.

This turned out to be a variation on the problem above: if you put the domain name in UPPER CASE you will see this error.

[box]

[WORKS] sudo domainjoin-cli join domaina.com administrator

[WONT WORK] sudo domainjoin-cli join DOMAINA.COM administrator

[/box]

If you would like to add your domain user(s) to the welcome screen click here.

Update 04/01/12

Attention:  PeteNetLive – Suggestion 

Message: Hi,

Thanks very much for your YouTube video and description of joining Ubuntu to a domain. There was however one step extra that I needed to do to enable the logon screen to show users other than the local user and the guest account. To do this I had to add the following line to /etc/lightdm/lightdm.conf

greeter-show-manual-login=true

I was joining Ubuntu 12.10 to the domain so maybe it is specific to 12.10 since you didn’t experience it but it would be good to add it to your article along with the other fixes to issues.

Thanks again.

From: Roland Elferink

Related Articles, References, Credits, or External Links

Thanks to Roland Elferink for the update.

Original Article written 27/01/11

SmoothWall – Allowing Windows Updates and Windows Activation

KB ID 0000441 

Problem

I’ve had fun this week installing a new virtual environment for a client with a SmoothWall firewall. It took a call to SmoothWall support for me to get Windows updates to work, then after activating a few 2008 R2 servers via phone, I was motivated to get online activation running as well.

Windows Activation Error – (We are being blocked by the SmoothWall Proxy).

A problem occurred when Windows tried to activate. Error Code 0x8004FE33

Windows Update Error – (We are being blocked by the SmoothWall Proxy).

An error occurred while checking for new updates for your computer Code 80072EFD

Solution

1. Connect to the web management console of the SmoothWall. Select Guardian > User defined categories.

2. Select the “User Defined Categories” tab.

3. Give the Category a name > Set Filter type to “Content and URL filtering” > Copy and paste in the domains listed below > Then click “Add”.

Domains Required for Windows Update

[box]

windowsupdate.microsoft.com
update.microsoft.com
c.microsoft.com
download.windowsupdate.com
genuine.microsoft.com

[/box]

Domains Required for Windows Activation

[box]

sls.microsoft.com
wer.microsoft.com
connect.microsoft.com
go.microsoft.com
crl.microsoft.com
microsoft.com

[/box]

Note: These are the parent domains, not individual hosts. Be aware that the last entry (microsoft.com) is very broad, and that step 8 below also exempts the same list from proxy authentication, so keep the list to what your environment actually needs.

4. Select the “Filters” tab > Give it a name > Set the filter type to “Content and URL filtering” > Expand “Good” content > Tick “Software Updates”.

5. Scroll down and expand “User Defined” > Locate the user defined category you created in step 3 and tick it > Click Add.

6. Select the Policy tab > Groups = All groups > Change the filter to the one you created in step 4 > Time period = Always >Action = Allow > Tick “Enabled” > Add.

7. From the menu select Guardian > Authentication > Settings.

8. Scroll down to the “Do not require authentication for these domains….” section > Paste in the domains you also pasted in in step 3 > Click “Save and Restart”.

 

Related Articles, References, Credits, or External Links

NA

Unable to Contact, Connect to, or Manage, a DNS Server from DNS Management Console

KB ID 0000559 

Problem

If you open the DNS Management console on a server running an older OS than 2008 R2, then attempt to connect to a 2008 R2 DNS Server you will see this error.

You will also see this error on a 2012 Server, whilst attempting to add another DNS Server

Error:
Dnsmgmt
Cannot Contact the DNS Server

The specified DNS server cannot be contacted. Some possible reasons include; the DNS server may not be running, there may be network problems, or the computer associated with the specified name or IP address could not be found.

To retry the connection, either press F5, or on the Action menu, click Refresh.

For more information about troubleshooting a DNS server, see help.

Why this happens

This is normal. Server 2008 R2 tightened the authentication the DNS Server service requires on its management (RPC) interface, to prevent “man in the middle” attacks on DNS management traffic that had been exploited against earlier versions of Windows. Older management consoles don’t use the stronger level, so the connection is refused.

Solution

The correct way to approach this problem is to accept it: your 2008 R2 servers are more secure. If you need to manage them, do so from the DNS management console on the 2008 R2 server itself, or install the RSAT tools on a client machine.

You can also change the way it works so you can see and manage it from an older version of Windows. (Note: Be advised Microsoft recommend you do not do this, they turned this on for a reason).

1. Launch a command window (Right click and select run as administrator, or select the cmd icon and press CTRL+SHIFT+ENTER).

2. Execute the following four commands.

[box]

dnscmd.exe /Config /RpcProtocol 7
dnscmd.exe /Config /RpcAuthLevel 0
net stop "DNS Server"
net start "DNS Server"

[/box]

Note: If you see an Access Denied error, you are probably NOT running the command window as an administrator.

3. You should now be able to connect to and manage the 2008 R2 DNS Server from an older Windows OS DNS Management console.

To Do the same by Directly Editing the Registry

Run the following .reg file

[box]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters]
"RpcAuthLevel"=dword:00000000
"RpcProtocol"=dword:00000007

[/box]
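Once this downgrade has been applied it tends to be forgotten, so it is worth being able to tell at a glance whether a DNS server is still running with it. The script below is an added example, not from the original article: it reads the two values the commands above set, decodes the RpcProtocol bitmask, warns when RpcAuthLevel is 0, and with -Restore removes both values and restarts the service so the server goes back to its defaults. It assumes the registry path from the .reg file above and that it runs elevated on the DNS server.

```powershell
# Added example (not from the original article): shows and optionally reverts the
# two registry values the dnscmd / .reg steps above change, so you can tell whether
# a DNS server is still in the downgraded mode. ASSUMPTIONS: run elevated on the DNS
# server; the key path is the one from the .reg file above.
param([switch]$Restore)   # -Restore deletes both values and restarts the DNS Server service

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$p   = Get-ItemProperty -Path $key -ErrorAction Stop

$auth  = $p.RpcAuthLevel
$proto = $p.RpcProtocol

# RpcProtocol is a bitmask: 1 = TCP/IP, 2 = named pipes, 4 = LPC; 7 enables all three.
$protoNames = @()
if ($null -ne $proto) {
    if ($proto -band 1) { $protoNames += 'TCP/IP' }
    if ($proto -band 2) { $protoNames += 'named pipes' }
    if ($proto -band 4) { $protoNames += 'LPC' }
}
$authText  = if ($null -eq $auth)  { 'not set (server default)' } else { $auth }
$protoText = if ($null -eq $proto) { 'not set (server default)' } else { "$proto ($($protoNames -join ', '))" }
"RpcAuthLevel : $authText"
"RpcProtocol  : $protoText"
if ($auth -eq 0 -and $null -ne $auth) {
    "WARNING      : downgraded RPC authentication level in effect - older consoles can connect, but management traffic no longer gets the protection a default 2008 R2 server requires"
}

if ($Restore) {
    # Deleting the values puts the server back on its defaults; the service must restart to notice.
    Remove-ItemProperty -Path $key -Name RpcAuthLevel, RpcProtocol -ErrorAction SilentlyContinue
    Restart-Service -Name DNS
    "Restored defaults and restarted the DNS Server service."
}
```

Running it across all your DNS servers (for example via Invoke-Command) gives you an inventory of which ones still accept the weaker management connections.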

Related Articles, References, Credits, or External Links

Thanks to Noel Reynolds for his patience, and for putting up with my terrible typing 🙂

Original Article Written 20/01/12

Windows Server 2008 R2 – Configure RADIUS for Cisco ASA 5500 Authentication

KB ID 0000688

Problem

Last week I was configuring some 2008 R2 RADIUS authentication, for authenticating remote VPN clients to a Cisco ASA Firewall.

I will say that Kerberos Authentication is a LOT easier to configure, so you might want to check that first.

Solution

Step 1 Configure the ASA for AAA RADIUS Authentication

1. Connect to your ASDM, > Configuration > Remote Access VPN. > AAA Local Users > AAA Server Groups.

2. In the Server group section > Add.

3. Give the group a name and accept the defaults > OK.

4. Now (with the group selected) > In the bottom (Server) section > Add.

5. Specify the IP address, and a shared secret that the ASA will use with the 2008 R2 Server performing RADIUS > OK.

6. Apply.

Configure AAA RADIUS from command line;

[box]

aaa-server PNL-RADIUS protocol radius
aaa-server PNL-RADIUS (inside) host 172.16.254.223
  key 123456
  radius-common-pw 123456
  exit

[/box]

Step 2 Configure Windows 2008 R2 Server to allow RADIUS

7. On the Windows 2008 Server > Launch Server Manager > Roles > Add Role.

8. If you get a welcome page > Next > Select Network Policy and Access Server > Next >Next.

9. Select ‘Network Policy Server’ > Next > Install.

10. Close, when complete.

11. Whilst still in Server Manager > Network Policy and Access Server > NPS (Local).

12. Register Server in Active Directory >OK > OK.

13. Expand RADIUS Clients and Servers > Right click RADIUS Clients > New.

14. Give the firewall a friendly name, (take note of what this is, you will need it again) > Specify its IP > Enter the shared secret you setup above (number 5) > OK.

15. Expand policies > right click ‘Connection Request Policies’ > New > Give the policy a name > Next.

16. Add a condition > Set the condition to ‘Client Friendly Name’ > Add.

17. Specify the name you set up above (number 14) > OK > Next > Next > Next.

18. Change the attribute to User-Name > Next > Finish.

19. Now right click ‘Network Policies’ > New > Give the policy a name> Next.

20. Add a condition > User Groups > Add.

21. Add in the AD security group you want to allow access to > OK > Next > Next.

22. Select ‘Unencrypted Authentication (PAP, SPAP)’ > Next > No > Next > Next > Finish.

Note: because the ASA authenticates to NPS with PAP, the user’s password crosses the wire protected only by the RADIUS shared-secret obfuscation. Keep the ASA-to-NPS path on a trusted internal segment, and use a long random shared secret rather than a short one like the 123456 in the example above.

Step 3 Test RADIUS Authentication

23. Back at the ASDM, in the same page you were in previously, select your server and then click ‘Test’.

24. Change the selection to Authentication > Enter your domain credentials > OK.

25. You are looking for a successful outcome.

Note: if it fails, check there is connectivity between the two devices and that the shared secrets match. Also ensure UDP ports 1645 and 1646 (the ASA’s default RADIUS authentication and accounting ports) are not being blocked.

To Test AAA RADIUS Authentication from Command Line

[box]

test aaa-server authentication PNL-RADIUS host 172.16.254.223 username petelong password password123

[/box]

26. Finally, save the firewall changes > File > Save running configuration to flash.
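When the test in step 25 fails, the ASA only tells you that it failed; NPS writes the reason to the Security log. The script below is an added example and is not part of the original article: it generates a random shared secret to use instead of 123456, registers the ASA as a RADIUS client from the command line (the same result as steps 13 and 14), and then reads the last NPS audit events so you can see whether the secret, the policy match or the authentication type was the problem. The ASA address and friendly name are assumptions (172.16.254.223 in the article is the NPS server, not the firewall), the friendly name has to match the Connection Request Policy condition from step 16, and the netsh nps syntax comes from the netsh help rather than from this article.

```powershell
# Added example (not from the original article): the Windows-side work from a
# console instead of the wizard, with a random shared secret instead of 123456,
# then the NPS audit events that say why a test was refused. ASSUMPTIONS: run on
# the NPS server as an administrator; the ASA address below is a placeholder
# (172.16.254.223 in the article is the NPS server, not the firewall); the friendly
# name must match the Connection Request Policy condition (step 16); the
# 'netsh nps add client' syntax is taken from the netsh help, not from this article.
param(
    [string]$AsaAddress   = '172.16.254.1',   # placeholder: the ASA's inside interface
    [string]$FriendlyName = 'Cisco-ASA'
)

# 1. 32 random bytes, base64 without padding = 43-character secret. Paste the same
#    value into the ASA 'key' line (and 'radius-common-pw' if you use it).
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes).TrimEnd('=')
"Shared secret for the ASA: $secret"

# 2. Register the firewall as a RADIUS client (same result as steps 13-14).
netsh nps add client name="$FriendlyName" address="$AsaAddress" state="enable" sharedsecret="$secret"

# 3. After the ASDM/CLI test, read the NPS audit trail. 6272 = access granted,
#    6273 = access denied; the 'Reason' line explains a denial (bad secret, no matching
#    network policy, authentication type not allowed by the policy, and so on).
$field = {
    param($text, $label)
    if ($text -match "(?m)^\s*$label\s*:\s*(.+?)\s*$") { $Matches[1] } else { '' }
}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    ForEach-Object {
        New-Object PSObject -Property @{
            Time   = $_.TimeCreated
            Result = if ($_.Id -eq 6272) { 'GRANTED' } else { 'DENIED' }
            Client = & $field $_.Message 'Client Friendly Name'
            User   = & $field $_.Message 'Account Name'
            Policy = & $field $_.Message 'Network Policy Name'
            Reason = & $field $_.Message 'Reason'
        }
    } | Select-Object Time, Result, Client, User, Policy, Reason | Format-Table -AutoSize
```

A 6273 whose Client column is empty usually means the request never matched a RADIUS client entry (wrong source IP), whereas a populated Client with a Reason about the policy points at steps 15 to 22.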

Related Articles, References, Credits, or External Links

Windows Server 2003 – Configure RADIUS for Cisco ASA 5500 Authentication

Windows Server 2012 – Configure RADIUS for Cisco ASA 5500 Authentication

Deploying Certificates via ‘Auto Enrollment’

KB ID 0000919

Problem

SHA CERTIFICATE WARNING: Note This article was written some time ago, ensure your CA environment does NOT use SHA1 for your certificates, if it does, Please visit the following link for migration instructions;

Upgrade Your Microsoft PKI Environment to SHA2 (SHA256)

I need to setup wireless authentication based on computer certificates, I’ve done similar jobs before by manually issuing certificates for Cisco AnyConnect, but this will be for NAP/RADIUS authentication to MSM. I’ll be working with Server 2008 R2 and Windows 7 clients. So task one was getting my head round ‘auto enrollment’. As stated I’m deploying Computer certificates but the process is practically the same for issuing User certificates (I’ll point out the differences where applicable).

Solution

Prerequisites: A Windows domain environment, with working DNS.

Setup a Certification Authority

1. Launch Server Manager (Servermanager.msc) Roles > Add Roles > Active Directory Certificate Services > Next > I’m going to accept all the defaults.

2. The only thing I’m going to change is the lifetime, I usually change that from 5 to 10 years (force of habit, after 5 years it will probably still be my problem, in 10 years it will be replaced, or in a skip!)

Create a Computer Certificate Template and Issue it.

3. Start > Administrative Tools > Certification Authority > Certificate Templates > Manage.

4. Locate and make a copy of the Workstation Authentication template. If you were using User certificates then you would copy the User template.

Note: I got an email a few months ago from someone who had an argument about whether to make copies or edit the originals, and was asking what I thought was best practice. Well I would ALWAYS copy a template and edit that copy. Then if you ‘stuff it up’ you still have the original. It’s always best practice to avoid looking like a cretin!

5. If you still have Server 2003 servers choose the default, if not pick 2008 > OK.

6. General Tab > Give the template a sensible name.

7. Subject Name Tab: Tick User principal name (UPN).

8. Security Tab: Ensure Domain Computers have the rights to Read and Autoenroll > OK > Close the template console.

9. Certificate templates > New > Certificate Template to Issue.

10. Pick the one you just created > OK.

11. Make sure it’s listed > Close the Certificate Authority management console.

Deploy Auto-enrolled Certificates via Group Policy

Note: You could just add this to the to the default domain group policy, and all computers would get a certificate, but for this exercise I’ve created an OU, and I’m going to create a new policy and link it there.

12. Select an OU or container that contains the computer objects you want to send certificates to.

Note: Obviously if you are sending out User certificates then link it to a user OU, (you would be surprised!)

13. Navigate to;

[box]

Computer Certificate Auto-Enrollment

Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment

User Certificate Auto-Enrollment

User Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment

[/box]

WARNING: If deploying user certificates read this article.

14. Enable the policy > Select the two options available > Apply > OK > Close the GPO management editor.

Test Windows Certificate Auto-Enrollment

15. Before we do anything else, you can see there are no certificates on the Windows 7 client machine, and there are no certificates ‘issued’ from the server.

Note: To see a computers certificates, you need to be logged in with administrative rights, run mmc and add in the certificates snap-in for ‘local computer’.

16. Now if I move this machine into the OU that I’ve linked the GPO to.

17. And then force that client to refresh its group policies, (or reboot it).

18. Now when you check, you can see it has received a certificate, and the server is now showing one certificate issued.
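Opening the certificates snap-in tells you a certificate arrived, but not which template produced it or whether it is usable for the RADIUS/NAP work that follows. The script below is an added example, not from the original article: run as an administrator on the Windows 7 client, it forces the policy refresh and the autoenrollment pass from steps 17 and 18, lists the machine certificates with their template, whether they carry the Client Authentication EKU, and their signature algorithm (so you can spot SHA-1, see the warning at the top), and prints the autoenrollment events if nothing from your template has turned up. The template name is an assumption; use the one you gave the copy in step 6.

```powershell
# Added example (not from the original article): run on the Windows 7 client after
# step 17 (as an administrator) to force the refresh, then list the machine's
# certificates with the template each came from, whether it carries the Client
# Authentication EKU that wireless/NAP RADIUS will look for, and whether it is still
# SHA-1 signed (see the warning at the top). ASSUMPTION: the template name below is
# the one you gave the copied template in step 6.
param([string]$TemplateName = 'Workstation Authentication Copy')

gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null    # runs the autoenrollment task now instead of waiting for the next trigger

$templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'   # v2 template info / v1 template name
$clientAuth   = '1.3.6.1.5.5.7.3.2'

$certs = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $tmpl = $_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
    $eku  = $_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = $false
    if ($eku) { $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuth }) }
    $templateText = if ($tmpl) { $tmpl.Format($false) } else { '(no template extension)' }
    New-Object PSObject -Property @{
        Subject    = $_.Subject
        Issuer     = $_.Issuer
        NotAfter   = $_.NotAfter
        Template   = $templateText
        ClientAuth = $hasClientAuth
        SigAlg     = $_.SignatureAlgorithm.FriendlyName
    }
}
$certs | Select-Object Subject, Template, ClientAuth, SigAlg, NotAfter | Format-Table -AutoSize

if (-not ($certs | Where-Object { $_.Template -like "*$TemplateName*" })) {
    "No certificate from template '$TemplateName' yet - check the OU link (step 12), the Autoenroll permission (step 8) and these events:"
    # Autoenrollment logs its failures here (template not available, CA unreachable, access denied).
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment' } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message | Format-List
}
$certs | Where-Object { $_.SigAlg -match 'sha1' } | ForEach-Object {
    "WARNING: '$($_.Subject)' is SHA-1 signed - see the migration link at the top of this article."
}
```

A certificate from the right template with ClientAuth False means the EKU was removed on the copy; fix the template rather than the client, since every machine enrolling from it will have the same problem.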

Now I’ve got to work out NAP and RADIUS and force them to use the certificates, but I’ve got a headache and I need a brew, watch this space….

Related Articles, References, Credits, or External Links

Certificate Services Error – ‘The Email name is unavailable and cannot be added to the Subject or Subject Alternate name’