Windows Server 2008 R2 – Configure RADIUS for Cisco ASA 5500 Authentication

KB ID 0000688

Problem

Last week I was configuring some 2008 R2 RADIUS authentication, for authenticating remote VPN clients to a Cisco ASA Firewall.

I will say that Kerberos Authentication is a LOT easier to configure, so you might want to check that first.

Solution

Step 1 Configure the ASA for AAA RADIUS Authentication

1. Connect to your ASDM > Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups.

2. In the Server group section > Add.

3. Give the group a name and accept the defaults > OK.

4. Now (with the group selected) > In the bottom (Server) section > Add.

5. Specify the IP address, and a shared secret that the ASA will use with the 2008 R2 Server performing RADIUS > OK.

6. Apply.

Configure AAA RADIUS from the command line:

[box]

aaa-server PNL-RADIUS protocol radius
aaa-server PNL-RADIUS (inside) host 172.16.254.223
  key 123456
  radius-common-pw 123456
  exit

[/box]

Step 2 Configure Windows 2008 R2 Server to allow RADIUS

7. On the Windows 2008 Server > Launch Server Manager > Roles > Add Role.

8. If you get a welcome page > Next > Select Network Policy and Access Server > Next > Next.

9. Select ‘Network Policy Server’ > Next > Install.

10. Close, when complete.

11. Whilst still in Server Manager > Network Policy and Access Server > NPS (Local).

12. Register Server in Active Directory > OK > OK.

13. Expand RADIUS Clients and Servers > Right click RADIUS Clients > New.

14. Give the firewall a friendly name (take note of what this is, you will need it again) > Specify its IP > Enter the shared secret you set up above (step 5) > OK.

15. Expand policies > right click ‘Connection Request Policies’ > New > Give the policy a name > Next.

16. Add a condition > Set the condition to ‘Client Friendly Name’ > Add.

17. Specify the name you set up above (step 14) > OK > Next > Next > Next.

18. Change the attribute to User-Name > Next > Finish.

19. Now right click ‘Network Policies’ > New > Give the policy a name > Next.

20. Add a condition > User Groups > Add.

21. Add in the AD security group you want to allow access to > OK > Next > Next.

22. Select ‘Unencrypted Authentication (PAP, SPAP)’ > Next > No > Next > Next > Finish.

Step 3 Test RADIUS Authentication

23. Back at the ASDM, in the same page you were in previously, select your server and then click ‘Test’.

24. Change the selection to Authentication > Enter your domain credentials > OK.

25. You are looking for a successful outcome.

Note: if it fails, check that there is physical connectivity between the two devices and that the shared secrets match. Also ensure UDP ports 1645 and 1646 are not being blocked.

To Test AAA RADIUS Authentication from Command Line

[box]

test aaa-server authentication PNL-RADIUS host 172.16.254.223 username petelong password password123

[/box]
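To show what that test command actually puts on the wire between the ASA and NPS, here is an added Python example (not code from the original article, Cisco or Microsoft) that builds the RADIUS Access-Request for a PAP user and checks the Response Authenticator on the reply, per RFC 2865. It assumes the article's sample secret 123456 and a constructed, fixed 16-byte Request Authenticator (a real NAS must pick a fresh random one per request); the point is that ‘unencrypted’ PAP is only hidden on the wire by an MD5 keystream derived from the shared secret, so the strength of that secret is what protects the AD password.

```python
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt: anyone holding the secret (NPS, or a sniffer that
    guessed a weak one) recovers the cleartext password this way."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], mask))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes) -> bytes:
    """Code(1) Identifier Length Authenticator(16), then User-Name and User-Password TLVs."""
    enc = pap_encrypt(password, secret, authenticator)
    attrs = (bytes([ATTR_USER_NAME, 2 + len(username)]) + username
             + bytes([ATTR_USER_PASSWORD, 2 + len(enc)]) + enc)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Constructed server reply (not captured from NPS) carrying a correct Response Authenticator."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The NAS must recompute MD5(Code+ID+Length+RequestAuth+Attributes+Secret) before it
    trusts an Access-Accept; a reply forged without the secret, or belonging to a different
    request, fails this check."""
    if len(reply) < 20 or int.from_bytes(reply[2:4], "big") != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return expected == reply[4:20]
```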

26. Finally, save the firewall changes > File > Save running configuration to flash.

Related Articles, References, Credits, or External Links

Windows Server 2003 – Configure RADIUS for Cisco ASA 5500 Authentication

Windows Server 2012 – Configure RADIUS for Cisco ASA 5500 Authentication

Cisco ASA 5500 – Configuring PPPoE

KB ID 0000831 

Problem

Until very recently I’d never had to configure PPPoE. Most of my clients in that sort of connection speed range have ADSL with a router provided by their ISP, usually a router that connects via PPPoA.

Here in the UK the main ISPs (BT and Virgin) are busy rolling out FTTC connections that terminate with a ‘modem’ that presents an RJ45 socket.

So without the need for a router, you can get the ASA to perform the authentication (supply the username and password via PPPoE) and either use a static IP address, or obtain its IP via DHCP.

Solution

1. Before you attempt to configure the connection, you will need the following from your ISP:

  • Username
  • Password
  • IP details (if you have bought static IPs you will need the range of IP addresses and the IP address to use as the firewall’s default route (default gateway); some ISPs will expect you to configure DHCP and will make sure you always get the same IP).
  • Authentication method: CHAP, MSCHAP, or PAP (If your ISP acts confused when you ask, it’s probably CHAP).

2. Connect to the ASA > Go to enable mode > Go to configuration mode > Create a ‘vpdn’ group, (here I’ve called it PNL-DIALER-GROUP) > Set the authentication method, (here I’m using CHAP).

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure terminal
PetesASA(config)# vpdn group PNL-DIALER-GROUP request dialout pppoe
PetesASA(config)# vpdn group PNL-DIALER-GROUP ppp authentication chap

[/box]

3. Supply your username and password. (The store-local command puts the details in a protected area of flash memory).

[box]

PetesASA(config)# vpdn group PNL-DIALER-GROUP localname username1234-fttc@ispname.net
PetesASA(config)# vpdn username username1234-fttc@ispname.net password Password12345 store-local

[/box]

4. Apply your vpdn group to the interface (or VLAN if you’re using an ASA 5505), then configure the static IP address or DHCP:

[box]

Command for an ASA 5505 (by default VLAN 2 will be the outside VLAN).

PetesASA(config)# interface vlan2
PetesASA(config-if)#

Command for an ASA 5510 (or greater) (by default Ethernet0/0 will be the outside interface).

PetesASA(config)# interface Ethernet0/0
PetesASA(config-if)#

The rest of the configuration is the same for all models

PetesASA(config-if)# pppoe client vpdn group PNL-DIALER-GROUP

If you have been given a static IP address and default route

PetesASA(config-if)# ip address 123.123.123.123 255.255.255.248 pppoe
PetesASA(config-if)# route outside 0.0.0.0 0.0.0.0 123.123.123.124

If you are getting your IP address via DHCP

PetesASA(config-if)# ip address pppoe setroute

[/box]

5. Save your changes.

[box]

PetesASA(config-if)# exit
PetesASA(config)# exit
PetesASA# write mem
Building configuration…
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#

[/box]
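The CHAP exchange that step 2 selects with ‘ppp authentication chap’, as an added Python example (not code from the original article or from Cisco): it models the ISP’s Challenge and the ASA’s Response per RFC 1994 using the article’s sample localname and password with a constructed 16-byte challenge, and shows why the password itself never crosses the FTTC link (and, conversely, why the ISP must hold the cleartext secret to verify it).

```python
import hashlib
import hmac

CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2

def chap_packet(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """RFC 1994 4.1 layout: Code, Identifier, Length(2), Value-Size, Value, Name."""
    length = 5 + len(value) + len(name)
    return bytes([code, ident]) + length.to_bytes(2, "big") + bytes([len(value)]) + value + name

def parse_chap_packet(pkt: bytes):
    """Returns (code, identifier, value, name); rejects truncated or mis-sized packets."""
    if len(pkt) < 5 or int.from_bytes(pkt[2:4], "big") != len(pkt):
        raise ValueError("bad CHAP length")
    size = pkt[4]
    if 5 + size > len(pkt):
        raise ValueError("bad CHAP value size")
    return pkt[0], pkt[1], pkt[5:5 + size], pkt[5 + size:]

def chap_response_value(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5(Identifier || secret || Challenge): only this digest is sent, never the secret."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def client_respond(challenge_pkt: bytes, username: bytes, password: bytes) -> bytes:
    """What the ASA sends back; the Name field carries the vpdn localname."""
    code, ident, challenge, _ = parse_chap_packet(challenge_pkt)
    if code != CHAP_CHALLENGE:
        raise ValueError("not a CHAP Challenge")
    return chap_packet(CHAP_RESPONSE, ident, chap_response_value(ident, password, challenge), username)

def server_verify(response_pkt: bytes, challenge_pkt: bytes, accounts: dict) -> bool:
    """ISP side: recompute the digest from the stored cleartext secret. A wrong password,
    unknown name, mismatched Identifier, or a response replayed against a fresh challenge
    all fail, because every challenge value changes the expected digest."""
    _, c_ident, challenge, _ = parse_chap_packet(challenge_pkt)
    code, ident, value, name = parse_chap_packet(response_pkt)
    if code != CHAP_RESPONSE or ident != c_ident or name not in accounts:
        return False
    return hmac.compare_digest(value, chap_response_value(c_ident, accounts[name], challenge))
```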

Cisco ASA Debugging PPPoE

You can use the following command/syntax to troubleshoot.

[box]

PetesASA# show ip address outside pppoe
PetesASA# [no] debug pppoe {event | error | packet}
PetesASA# show vpdn session [l2tp | pppoe] [id sess_id | packets | state | window]
PetesASA# show vpdn

[/box]

Configure PPPoE via ASDM

1. Connect to the ASDM > Configuration > Device Setup > Interfaces > Ethernet0/0 > Edit > General Tab > Use PPPoE.

2. Enter the VPDN group name, username and password.

3. Set the PPP authentication method: PAP, CHAP or MSCHAP.

4. Tick ‘Store username and password in flash’ > IP Address and Route Settings > Apply > OK.

5. File > Save Running Configuration to flash.

Related Articles, References, Credits, or External Links

NA