Cisco AnyConnect With Server 2016 NPAS (RADIUS) Different Groups

KB ID 0001474

Problem

A few years ago I replaced a firewall that was setup like this, and while it took me a while to work out what was going on, I remember thinking it was an elegant solution. Fast forward to today, and I’m now working with the guy who set it up! (Kudos to Paul White).

So when I had a client with a similar requirement, I sat down fired up the lab, and documented it.

What was used;

  • Windows 10 Remote Client
  • AnyConnect v4 Client
  • Server 2016 NAP (NPAS) Server
  • Windows 2016 Domain.
  • Cisco vASA (v9.2)

Solution

Deploy Microsoft NAP

Rather than reinvent the wheel, I’ve already ran though this. Use the link (below) to install the role, add the ASA as a RADIUS client, then return here (before configuring any policies!)

Windows Server 2016 & 2012 Setup RADIUS for Cisco ASA 5500 Authentication

Configure NAP Network Policies For Group Authentication

Firstly you will need some groups setup in AD, with some users in them, for testing.

Then, on your NAP Server create a Network Policy (for each group), like so;

Add the ‘User Group Condition’ with the correct AD Group for this policy.

Add the ‘Client Friendly Name‘ condition, and set to to the name you used for the RADIUS client.

Next > Next > Add in ‘Unencrypted (PAP SPAP)‘ > Next > No.

Next > Add > Select ‘Class’ > Add  > Enter ‘ou={Name-of-Cisco-Group-Policy-To-Apply}‘ > OK > Close > Next > Finish.

Cisco ASA Configuration

[box]

First, configure RADIUS AAA;

!

aaa-server PNL-RADIUS protocol radius

aaa-server PNL-RADIUS (inside) host 192.168.110.19

 key 666999

 radius-common-pw 666999

 exit

!

Create a ‘Pool’ of IP addresses for the remote clients;

! 

ip local pool POOL-ANYCONNECT-SN 192.168.249.1-192.168.249.254 mask 255.255.255.0

!

Create some ‘Objects’ one for the Pool you created above, one for the server(s) that everyone can access, and one for the server(s) only restricted users can access;

!

object network OBJ-ANYCONNECT-SN

  subnet 192.168.249.0 255.255.255.0

!

object-group network OBJ-USER-ACCESS-SERVERS

 description Servers than can be accessed by VPN-USER-ACCESS AD Group

 network-object host 192.168.110.10

!

object-group network OBJ-RESTRICTED-ACCESS-SERVERS

 description Servers than can only be accessed by VPN-RESTRICTED-ACCESS AD Group

 network-object host 192.168.110.19

!

Enable Webvpn and AnyConnect;

!

webvpn

  enable outside

  no tunnel-group-list enable

  anyconnect image disk0:/anyconnect-win-4.6.00362-webdeploy-k9.pkg 1

  anyconnect image disk0:/anyconnect-macos-4.6.00362-webdeploy-k9.pkg 2

  anyconnect enable

!

Create the ACLs for your TWO AD user groups;

!

access-list ACL-VPN-USER-ACCESS-SERVERS extended permit ip object-group OBJ-USER-ACCESS-SERVERS object OBJ-ANYCONNECT-SUBNET

!

access-list ACL-VPN-RESTRICTED-ACCESS-SERVERS permit ip object-group OBJ-USER-ACCESS-SERVERS object OBJ-ANYCONNECT-SUBNET

access-list ACL-VPN-RESTRICTED-ACCESS-SERVERS permit ip object-group OBJ-RESTRICTED-ACCESS-SERVERS object OBJ-ANYCONNECT-SUBNET

!

Stop NAT being performed on the remote AnyConnect traffic;

!

nat (inside,outside) 1 source static any any destination static OBJ-ANYCONNECT-SN OBJ-ANYCONNECT-SN no-proxy-arp route-lookup

!

Each Group-Policy (below) wont have its own tunnel-group so you need to enable RADIUS on the default web tunnel-group, and assign the IP Pool you created (above). Note: I’m allowing authentication to fall back to LOCAL in case the RADIUS server fails;

!

tunnel-group DefaultWEBVPNGroup general-attributes 

 authentication-server-group PNL-RADIUS LOCAL

 address-pool POOL-ANYCONNECT-SN

!

Finally, create a group-policy that the NAP server will tell the ASA to allocate to the users of the AD Groups (VPN-USER-ACCESS, and VPN-RESTRICTED-USER-ACCESS);

!

group-policy GP-USER-ACCESS-SERVERS internal

group-policy GP-USER-ACCESS-SERVERS attributes

 dns-server value 192.168.110.10

 vpn-idle-timeout 30

 vpn-tunnel-protocol ssl-client

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value ACL-VPN-USER-ACCESS-SERVERS

 default-domain value test.net

!

group-policy GP-RESTRICTED-ACCESS-SERVERS internal

group-policy GP-RESTRICTED-ACCESS-SERVERS attributes

 dns-server value 192.168.110.10

 vpn-idle-timeout 30

 vpn-tunnel-protocol ssl-client

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value ACL-VPN-RESTRICTED-ACCESS-SERVERS

 default-domain value test.net

!

[/box]

Related Articles, References, Credits, or External Links

Thanks to Paul White and Trevor Stanley.

Windows Server 2016 & 2012 Setup RADIUS for Cisco ASA 5500 Authentication

Windows Server 2008 R2 – Configure RADIUS for Cisco ASA 5500 Authentication

Cisco ASA5500 Client VPN Access Via RADIUS (Server 2003 & IAS)

Cisco – Testing AAA Authentication (Cisco ASA and IOS)

Cisco WLC: EAP-TLS Secured Wireless with Certificate Services

KB ID 0001420

Problem

Ah certificates! If I had a pound for every time I’ve heard “I don’t like certificates”, I could retire! The following run through is broken down into the following parts;

Note: If you are scared of certificates, sometimes it’s easier to setup password (PEAP) Authentication, get that working then migrate to EAP-TLS, but I’ll leave that to you.

 

Setup The Cisco WLC (WLAN)

I’m assuming your WLC is deployed, and working, and all your AP’s are properly configured, we are simply going to add a RADIUS Server and configure a new wireless LAN to use that RADIUS server for authentication.

WLC RADIUS Setup

Log into the WLC web console > Security > AAA > RADIUS > authentication > New.

Specify the IP address of the RADIUS server and a shared secret (you will need to enter this on the Windows RADIUS server, so write it down!) > Apply.

WLC WLAN Setup

WLAN > Create New > Go.

Specify a profile name, and SSID for the new WLAN  > Apply

Edit your new WLAN > Select  enabled. If your WLC has many VLANs/Interfaces select the one you want your wireless clients to egress on. Note: you can also turn off SSID broadcast if you wish, remember your GPO will need an additional setting if you do this.

Security > Layer 2  >Set the following;

  • Layer 2 Security: WPA+WPA2
  • WPA +WPA2 Parameters: WPA2 Policy-AES
  • Authentication Key Management: 802.1x

 

Security Tab > AAA Servers.

  • Authentication Servers: Enabled
  • Server1: {Your RADIUS Server}
  • EAP Parameters: Enable

Note: You may wish to scroll down, and remove Local and LDAP authentication methods, but you dont have to.

Click APPLY.

 

Save Configuration > OK > OK.

SETUP Windows NAP (RADIUS)

Network Access Protection is a server ‘Role‘, Launch Server Manager > Local Server > Manage >Add Roles and Features > If you get an initial welcome page, tick the box to ‘skip’ > Next > Accept the ‘Role based or feature based installation’ > Next > Next > Add ‘Network Policy and Access Server’ > Next > Add Features > Next > Next > Network Policy Server > Next Install.

Go and have a coffee, when complete  open administrative tools ‘Network Policy Server.’ Right click NPS > Register server in Active Directory.

Radius Clients > New > Enter a friendly name >Enter the IP address of the WLC > Enter, and confirm the shared secret you used above > OK.

Note: This may be a different IP to the management IP of the WLC, ensure you enter the correct IP that the AAA requests will be coming from.

Connection Request Policies > New > Give it a sensible name > Next.

Add > NAS Port Type > Wireless- IEEE 802.11 > Wireless Other > OK > OK.

Note: You don’t actually need ‘Wireless other’, I usually add it for Meraki and it’s force of habit.

Next > Next > Next.

Next > Finish.

Network Polices> New > Give it a sensible name > Next

Add > NAS Port Type > Wireless- IEEE 802.11 > Wireless Other > OK > OK.

Note: You don’t actually need ‘Wireless other’, I usually add it for Meraki and it’s force of habit.

Next > Access granted > Next.

Add > Microsoft Smart Card or Other certificate > OK

Note: If you wanted to use PEAP then then you would add this here instead!

Untick all the bottom options, (unless you are using PEAP, which would need MS-CHAP-v2) > Next.

Edit > Ensure the certificate information for the NAP server is correct > OK > Next.

Next > Nap Enforcement > Untick ‘Enable auto remediation…’ > Next.

Finish.

Setup Certificate Auto Enrolment

Again I’m assuming you have a domain PKI/Certificate Services deployment already, if not, then follow the instructions in the post below;

Microsoft PKI Planning and Deploying Certificate Services

So rather than reinvent the wheel, I’ve already covered computer certificate auto enrolment, see the following article, then come back here when you are finished.

Deploying Certificates via ‘Auto Enrolment’

At this point: You might want to connect to the WLAN manually to make sure everything is OK before deploying the settings via GPO!

Deploy Wireless Settings via Group Policy

Remember this is a Computer Policy, so it needs to link to an OU that has computer (not user) in it, create and link a new GPO > then give it a sensible name. 

Edit the GPO.

Navigate to: Computer Configuration > Policies > Window Settings > Security Settings > Wireless Network (IEEE 802.11) Policies > Create A New Wireless Network Policy for Windows Vista and Later Releases.

Give it a name > Add > Infrastructure > Supply the Profile name and SSID, (I keep them the same to avoid confusion).

Note: As mentioned above, if you are not Broadcasting the SSID, then also tick the bottom option also.

Security Tab: Authentication = WPA2 Enterprise > Encryption = AES > Change Authentication Method to Microsoft Smart Card or other certificate > Properties > In here you can choose to verify the NAP server via its certificate, if you do then locate and tick your CA server cert in the list (as shown). Though I do not ‘verify the servers identity…’ So I would untick this option (your choice) > OK > OK > Close the Policy Editor.

Then either wait fo the policy to apply for force it.

Windows – Forcing Domain Group Policy

Troubleshooting RADIUS Authentication

On the NAP server in C:\Windows\System32\Logfiles you can find the RADIUS logs they look like INI{number}

You can also use the Event Log (Security Log) and there’s a dedicated logging section under Windows Logs. In extreme cases install Wireshark on the NAP server and scan for traffic from your WLC

Related Articles, References, Credits, or External Links

Configure Wireless Network Stings via Group Policy

Windows ‘Always On’ VPN Part 2 (NPS, RAS, and Clients)

KB ID 0001403

Problem

Back in Part One, we setup the AD (Groups,) and the Certificate services that will knit everything together. Now we need to configure an NPS server that acts as a RADIUS server for our remote clients, And a RAS Server that our remote clients will connect to.

Step1: Network Setup

Microsoft have an alarming habit of telling you to connect DMZ assets to the LAN. In their defence I’ve seen some documentation where theres is a firewall in front and behind their RAS/VPN server, but then you keep reading and they refer to the NIC on the LAN and the NIC in the DMZ. As you can tell I’m not a fan, I prefer to have an un-authenticated and an authenticated DMZ, and neither of them are connected to the LAN, So then I can control what can, and cannot flow between the DMZs and the LAN.

My way means I have to allow more ports for domain membership etc, but, if you have a Cisco ASA I’ve covered that in the following article,

Cisco ASA – Allowing Domain Trusts, and Authentication

As for the VPNs and RADIUS you need to allow the following;

From Outside to the RAS Server

  • UDP 500 (ISAKMP)
  • UDP 4500 (NAT Traversal)

From the RAS Server to the NPS/NAP Server

  • UDP 1812 (RADIUS Authentication)
  • UDP 1813 (RADIUS Accounting)
  • UDP 1645 (RADIUS Authentication)
  • UDP 1646 (RADIUS Accounting)

Quite why it needs both pairs or RADIUS ports I’m unsure, I’ve not scanned or packet captured the traffic, but I’m wiling to bet it really only needs 1812/1813 or 1645/1646.

Step2: Install NPS

Server Manager > Manage > Add Roles and Features > Network Policy and Access Services > Complete the wizard accepting the defaults.

Administrative tools > Network Policy Server > Right click NPS (Local) > Register in Active Directory > OK.

Even though its not setup yet, we need to create our RAS server as a RADIUS client > RADIUS Clients > New.

Friendly Name: A sensible name that identifies the RAS server

IP: IP of the RAS server (On the LAN segment)

Shared Secret: Generate a new one and copy it to the clipboard, (you will need it in a minute.)

On the main page, ensure ‘RADIUS server for Dial-Up or VPN Connections’ is selected‘ > Configure VPN or Dial-Up.

Select ‘Virtual Private Network (NPS) Connections > Next > Ensure the RADIUS server you have just created is listed > Next > Ensure ONLY ‘Extensible Authentication protocol’ is ticked > Change its value to Microsoft Protected EAP (PEAP) > Configure.

EAP Types: Remove the one that is listed by default > Add in ‘Smart card or other certificate’ > OK > Under Groups make sure sure you have ONLY added the group you created back in part one > Next > Next.

Next > Next > Finish.

Your connection request policies should look like this.

Your network policies should look like this.

Step 3: Setup RAS

Server Manager > Manage > Add roles and Features > Next > Next > Next > Remote Access > Next.

Select DirectAccess and RAS > Finish the wizard accepting the defaults.

Open the Getting Started Wizard > Select VPN Only.

Administrative Tools > Routing and Remote Access > Right click {server-name} > Configure and enable Routing and Remote Access > Next  > Custom configuration.

VPN Access > Next > Finish > Start service.

Once again right click {server-name} > Properties > IPv4 > Note: If you are not going to use your internal DHCP server/scope, then you can set one up manually (as shown) > Ensure ‘Enable broadcast name resolution’ is selected, and the RAS servers internal/LAN interface is selected > Apply.

Security Tab:  Authentication provider  = RADIUS Authentication  > Configure > Add > Enter the IP of the NPS server > Change > Paste in the shared secret you copied, (above) > OK > OK. 

Repeat the same procedure for Accounting provider, (below).

Drill down to ‘Ports’ > Right Click  > Properties > Select SSTP > Configure > Remove the tick from ‘Remote access connections (inbound only) > OK. Repeat this procedure for ALL the protocols EXCEPT IKEv2, (So when finished, only IKEv2 is set to accept incoming requests).

Step 4: Configure Reference Windows 10 Machine

On a Windows 10 machine* Launch the ‘Change virtual private networks.

*Note: Your logged on user, must have a certificate issued to them, and be a member of the AD group we created earlier. 

Add a VPN Connector.

  • VPN Provider: Windows (Built-in).
  • Connection Name: Connection-Template.
  • Server Name or address: (The ‘public’ name we put on the certificate on the RAS server).

Change Adapter options.

Right click the VPN connection > Properties.

Security Tab:

  • Type of VPN: IKEv2
  • Data Encryption: Maximum
  • Use Extensible Authentication Protocol (EAP)
  • Properties > Enter the name on the certificate on your NAP Server, (I know that does not make sense trust me!)
  • Tick your Root CA Cert for the domain.
  • Select ‘Don’t prompt user to authorise new servers or new authorities’.

Connect your VPN to test it.

Make sure everything works.

Note: I had some DNS resolution problems, see the post below to find out how I fixed them;

Windows 10: Remote VPN Client Cannot Resolve Domain DNS

Now you need to ‘capture’ all those settings so you can give them to your other clients. To do that you need a copy of the PowerShell script MakeProfile.ps1 You will need to edit the script a little, see the example below. Running the script will output two files to the desktop, an PowerShell Script and an XML file

Step 5: Deploying the Settings

At the time of writing you can deploy these settings via three methods, PowerShell Script, SCCM, or Microsoft Intune. I’m simply going to run the PowerShell Script, there are a few restrictions though, you have to be logged on as the particular user. They need administrative rights to run the script, which is a bit of a pain, you can use restricted groups and set the powershell to run at logon with group policy, then remove the policy when configured, but it’s still a bit of a drama. Below I’m simply running the VPN_Profile.ps1 file I generated above.

Now once the user logs in, (and has a valid remote internet connection.) The remote client will auto-connect.


That covers USER tunnels, you can also, (Post 1709 Windows 10 Builds,) have DEVICE tunnels. Which I would write a part three about, but I simply cannot get them to work, so I’m waiting for the bugs to be ironed out, and I will revisit it at some point in the future.

Related Articles, References, Credits, or External Links

NA

Windows ‘Always On’ VPN Part 1 (Domain and PKI)

KB ID 0001399

Problem

Always On VPN was a bit of a misnomer when it was released, as it was only really ‘on’ when a user logged on. So when comparing it with ‘Direct Access‘ it didn’t have the capacity to ‘Manage Out’. With the release of Windows 10 (1709) this has been rectified with ‘Device Tunnels’, (more on that later).

The solution uses RAS, NAP (NPS), and PKI (Certificate Services). Obviously Active Directory is a requirement, and in addition I’ve also got a file server setup just for ‘testing’ access to domain resources.

Note: The VPN setup, (on everything, apart from the Windows 10 clients), is just the same as it ever was. This technology is for copying VPN settings from a Windows 10 client, and then being able to put those settings on other Windows 10 clients, so that when a user logs on, the VPN connects (User Tunnels), or when a machine gets a network connection it connects (Device tunnels).

Step 1: Active Directory Work

You will need to setup some security groups in AD, I’m going to use;

  • VPN-NPS-Servers
  • VPN-RAS-Servers
  • VPN-Users

Note: You can of course use ‘domain users’ if you are rolling this out domain wide.

Add your NAP/NPS server(s) to the VPN-NPS-Servers group, (remember you need to add computers to the search criteria, or you wont find them).

Add your RAS server(s) to the VPN-RAS-Servers group.

Add your domain users(s) to the VPN-Users group.

Step 2: PKI (Certificate Services)

PLEASE: Don’t just race forward and install Certificate Services. Every domain certificate problem I’ve ever had to worked on has been the result of someone ‘just lashing it in’. Take the time to do it properly, and think about your domain PKI design, consider things like, Offline Root CA’s, Multi-Tier Sub CA’s, CRL, and OCSP.

Luckily, I’ve spent a ton of time already on Certificate services, look though the following article;

Microsoft PKI Planning and Deploying Certificate Services

If you are simply setting this up on the test bench, or for a POC, (in a non-production domain). Then add the role from Server Manager.

These are the roles I deploy, but for this solution you only really need the Certification Authority, role.

Note: If you are interested what the other roles do, then search for them above, (I’ve blogged about NDES, and the Enrollment Web Services before).

Step 3: Certificate Templates

You will need to create and publish three certificate templates;

  • VPN-User (Based on the User Template)
  • NPS-Servers (Based on the RAS and IAS Template)
  • VPN-Servers (Based on the RAS and IAS Template)

VPN-User Certificate: Open the certificate services management console > Certificate Teplates > Manage > User > Duplicate Template.

General Tab

  • Template Display Name: VPN-User
  • Publish certificate in Active Directory UNTICK.

Compatibility Tab:

  • Certification Authority: Windows Server 2016 (Though 2012 R2 will work)
  • Certificate Recipient: Windows 10 (Though Windows 8.1 will work)

Request Handling Tab:

Allow private key to be exported: UNTICK

Cryptography Tab:

  • Provider Category: Key Storage Provider
  • Providers: First: Microsoft Platform Crypto Provider, Second: Microsoft Software Key Storage Provider.

Note: Theres two because the first one requires a TPM chip, if the client machine does not have one the procedure fails. By allowing ‘Microsoft Software Key Storage Provider’ if will ‘fall-back’ to that option, if there is not TPM chip.

Security Tab:

  • ADD: VPN-users: GRANT: Read, Enrol, and Autoenroll.
  • DELETE: Domain Users

Note: In a test environment, you may also want to UNTICK the option ‘Include e-mail name in subject name‘ on the Subject Name tab or you may see this problem.

Issue the certificate template.

Repeat the procedure but this time make a duplicate of the RAS and IAS template.

General Tab:

  • Template Display Name: NPS-Servers.

Compatibility Tab:

  • Certification Authority: Windows Server 2016 (Though 2012 R2 will work).
  • Certificate Recipient: Windows 10 (Though Windows 8.1 will work).

Security Tab:

  • ADD: VPN-NPS-Servers: GRANT: Read, Enrol, and Autoenroll.
  • DELETE: RAS and IAS Servers.

Apply > OK > Now make a second duplicate of the RAS and IAS certificate template.

General Tab:

  • Template Display Name: VPN-Servers.

Extensions Tab:

  • Edit > Add > IP Security IKE Intermediate > OK > OK.

Security Tab:

  • ADD: VPN-RAS-Servers: GRANT: Read and Enrol ONLY.
  • DELETE: RAS and IAS Servers.

Subject Name Tab:

Supply In the Request: TICK (Accept the warning).

Compatibility Tab:

  • Certification Authority: Windows Server 2016 (Though 2012 R2 will work).
  • Certificate Recipient: Windows 10 (Though Windows 8.1 will work).

Issue Both of the server certificate templates.

Step 4: Group Policies Auto-Enrolment

Again, I’ve written about this before, so for some extra reading on the subject, see the following article;

Deploying Certificates via ‘Auto Enrollment’

In the’ Group Policy Management Console’ create a new GPO, I’m simply linking it to the root of the domain, you can of course link it to the OUs that your RAS and NPS servers live in.

Edit the policy.

Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrolment > Properties.

  1. Configuration Model: Enabled.
  2. Renew expired certificates, update pending certificates, and remove revoked certificates: TICK.
  3. Update certificates that use certificate templates: TICK.

Close and exit the policy editor.

Now Im creating another policy for my USER auto enrolment, (I could have used the same policy above, that’s linked to the root of the domain, but I like to keep them separate, it’s your choice). Anyway just ensure the policy is linked to your USERS.

Edit the policy.

Navigate to: User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrolment > Properties.

  1. Configuration Model: Enabled.
  2. Renew expired certificates, update pending certificates, and remove revoked certificates: TICK.
  3. Update certificates that use certificate templates: TICK.

Step 5: Testing CertificateDeployment

Remember we are deploying two computer certificates and one user certificate, and they are all based on group membership, so your servers need to be rebooted before they will get their group membership, and your user(s) need to log off and log on. Also bear in mind you might want to force group policy, see the following article;

Windows – Forcing Domain Group Policy

NPS-Servers Certificate: Windows Key+R > certlm.msc > Personal > Certificates > You should have a certificate based on the NPS-Server template.

VPN-Server Certificate: Windows Key+R > certlm.msc > Personal > Certificates > All Tasks > Request New Certificate > Next.

Note: You are doing this one manually, because this certificate does not auto-enrol, that’s because the certificate will need a different common name on it, (the public DNS name of the RAS server).

Next > Click the ‘More information…’ link > In the Subject Name Section, Set the Common name to the private DNS name of the RAS server. In the Alternative name section set the DNS value to the public name  the server > Apply > OK.

 

Enroll > Finish.

You now have a certificate based on the VPN-Server template.

 

VPN-User Certificate: Just a quick note, on the Windows 10 client, run certlm.msc again but this time ensure you have your domain CA server certificate listed in the ‘Trusted Root Certification Authorities’ folder.

Now this console lists computer certificates, and we need to look at user certificates (I could just run certmgr.msc instead), but old habits die hard, so I’ll launch an mmc console > and add a snap-in.

And add ‘certificates’ (Note: If I were an administrator I would be prompted to choose computer or user certificates, as I’m just a user, then current user is selected by default). > OK.

And there’s my certificate based on the VPN-User template.

If you’re struggling, and the user certificate refuses to appear, read my note (above) about e-mail addresses (that’s a very common error that causes auto-enrollment to fail). For troubleshooting look in the Event logs and in the ‘Failed Requests’ Section on your CA server. For all certificates, if something isn’t working then either somethings in the wrong group, the wrong group has been given permissions on the certificate template, or the GPO is linked to the wrong location.

That’s it for Part One, in Part Two I will look at deploying my RAS/VPN server into my DMZ, and having a rant/sneer at Microsofts continuing policy of trying  to bypass my firewall. 

Related Articles, References, Credits, or External Links

A massive thank you to Joseph Moody, and Kevin Kaminski, fellow MVP’s who took the time to reply to my Always On VPN queries.

Windows Server 2008 R2 – Configure RADIUS for Cisco ASA 5500 Authentication

KB ID 0000688

Problem

Last week I was configuring some 2008 R2 RADIUS authentication, for authenticating remote VPN clients to a Cisco ASA Firewall.

I will say that Kerberos Authentication is a LOT easier to configure, so you might want to check that first.

Solution

Step 1 Configure the ASA for AAA RADIUS Authentication

1. Connect to your ASDM, > Configuration > Remote Access VPN. > AAA Local Users > AAA Server Groups.

2. In the Server group section > Add.

3. Give the group a name and accept the defaults > OK.

4. Now (with the group selected) > In the bottom (Server) section > Add.

5. Specify the IP address, and a shared secret that the ASA will use with the 2008 R2 Server performing RADIUS > OK.

6. Apply.

Configure AAA RADIUS from command line;

[box]

aaa-server PNL-RADIUS protocol radius
aaa-server PNL-RADIUS (inside) host 172.16.254.223
  key 123456
  radius-common-pw 123456
  exit

[/box]

Step 2 Configure Windows 2012 Server to allow RADIUS

7. On the Windows 2008 Server > Launch Server Manager > Roles > Add Role.

8. If you get a welcome page > Next > Select Network Policy and Access Server > Next >Next.

9. Select ‘Network Policy Server’ > Next > Install.

10. Close, when complete.

11. Whilst still in Server Manager > Network Policy and Access Server > NPS (Local).

12. Register Server in Active Directory >OK > OK.

13. Expand RADIUS Clients and Servers > Right click RADIUS Clients > New.

14. Give the firewall a friendly name, (take note of what this is, you will need it again) > Specify its IP > Enter the shared secret you setup above (number 5) > OK.

15. Expand policies > right click ‘Connection Request Policies’ > New > Give the policy a name > Next.

16. Add a condition > Set the condition to ‘Client Friendly Name’ > Add.

17. Specify the name you set up above (number 14) > OK > Next > Next > Next.

18. Change the attribute to User-Name > Next > Finish.

19. Now right click ‘Network Policies’ > New > Give the policy a name> Next.

20. Add a condition > User Groups > Add.

21. Add in the AD security group you want to allow access to > OK > Next > Next.

22. Select ‘Unencrypted Authentication PAP SPAP” > Next > No > Next > Next > Finish.

Step 3 Test RADIUS Authentication

23. Back at the ASDM, in the same page you were in previously, select your server and then click ‘Test’.

24. Change the selection to Authentication > Enter your domain credentials > OK.

25. You are looking for a successful outcome.

Note: if it fails check there is physical connectivity between the two devices, the shared secrets match. Also ensure UDP ports 1645 and 1646 are not being blocked.

To Test AAA RADIUS Authentication from Command Line

[box]

test aaa-server authentication PNL-RADIUS host 172.16.254.223 username petelong password password123

[/box]

26. Finally, save the firewall changes > File > Save running configuration to flash.

Related Articles, References, Credits, or External Links

Windows Server 2003 – Configure RADIUS for Cisco ASA 5500 Authentication

Windows Server 2012 – Configure RADIUS for Cisco ASA 5500 Authentication

Deploying Certificates via ‘Auto Enrollment’

KB ID 0000919

Problem

SHA CERTIFICATE WARNING: Note This article was written some time ago, ensure your CA environment does NOT use SHA1 for your certificates, if it does, Please visit the following link for migration instructions;

Upgrade Your Microsoft PKI Environment to SHA2 (SHA256)

I need to setup wireless authentication based on computer certificates, I’ve done similar jobs before by manually issuing certificates for Cisco AnyConnect, but this will be for NAP/RADIUS authentication to MSM. I’ll be working with Server 2008 R2 and Windows 7 clients. So task one was getting my head round ‘auto enrollment’. As stated I’m deploying Computer certificates but the process is practically the same for issuing User certificates (I’ll point out the differences where applicable).

Solution

Prerequisites: A Windows domain environment, with working DNS.

Setup a Certification Authority

1. Launch Server Manager (Servermanager.msc) Roles > Add Roles > Active Directory Certificate Services > Next > I’m going to accept all the defaults.

2. The only thing I’m going to change is the lifetime, I usually change that from 5 to 10 years (force of habit, after 5 years it will probably still be my problem, in 10 years it will be replaced, or in a skip!)

Create a Computer Certificate Template and Issue it.

3. Start > Administrative Tools > Certification Authority > Certificate Templates > Manage.

4. Locate and make a copy of the Workstation Authentication template. If you were using User certificates the you would copy the User template.

Note: I got an email a few months ago form someone who had an argument about whether to make copies or edit the originals, and was asking what I thought was best practice. Well I would ALWAYS copy a template and edit that copy. Then if you ‘stuff it up’ you still have the original. It’s always best practice to avoid looking like a cretin!

5. If you still have Server 2003 servers choose the default, if not pick 2008 > OK.

6. General Tab > Give the template a sensible name.

7. Subject Name Tab: Tick User principle name (UPN).

8. Security Tab: Ensure Domain Computers have the rights to Read and Autoenroll > OK > Close the template console.

9. Certificate templates > New > Certificate Template to Issue.

10. Pick the one you just created > OK.

11. Make sure it’s listed > Close the Certificate Authority management console.

Deploy Auto-enrolled Certificates via Group Policy

Note: You could just add this to the to the default domain group policy, and all computers would get a certificate, but for this exercise I’ve created an OU, and I’m going to create a new policy and link it there.

12. Select an OU or container that contains the computer objects you want to send certificates to.

Note: Obviously if you are sending out User certificates then link it to a user OU, (you would be surprised!)

13. Navigate to;

[box]

Computer Certificate Auto-Enrollment

Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment

User Certificate Auto-Enrollment

User Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrolment

[/box]

WARNING: If deploying user certificates read this article.

14. Enable the policy > Select the two options available > Apply > OK > Close the GPO management editor.

Test Windows Certificate Auto-Enrollment

15. Before we do anything else, you can see there are no certificates on the Windows 7 client machine, and there are no certificates ‘issued’ from the server.

Note: To see a computers certificates, you need to be logged in with administrative rights, run mmc and add in the certificates snap-in for ‘local computer’.

16. Now if I move this machine into the OU that I’ve linked the GPO to.

17. And then force that client to refresh its group policies, (or reboot it).

18. Now when you check, you can see it has received a certificate, and the server is now showing one certificate issued.

Now I’ve got to work out NAP and RADIUS and force them to use the certificates, but I’ve got a headache and I need a brew, watch this space….

Related Articles, References, Credits, or External Links

Certificate Services Error – ‘The Email name is unavailable and cannot be added to the Subject or Subject Alternate name’