
ASA AAA authentication against Windows 2016 server (AD)

This article describes the configuration of the AAA service on a Cisco ASA against Network Policy Server (NPS) running on Windows Server 2016. Network Policy Server is de facto Microsoft's implementation of a RADIUS server.

Configuration of the AAA RADIUS server on Cisco ASA


1) Connect to your ASA using ASDM
2) Select “Configuration” from the menu
3) From the left panel select “Remote Access VPN”
4) Within “Remote Access VPN” select “AAA/Local Users”
5) Then select “AAA Server Groups”
6) On the right, two panels appear: “AAA Server Groups” and “Servers in the Selected Group”
7) Add a new server group within “AAA Server Groups”
– choose a name for the server group
– select RADIUS as the protocol
– the other options may be left at their defaults
8) Now select the server group you just added and, in the bottom half of the panel, add the server itself
– select the ASA interface through which the server is reachable
– specify the IP address of the server
– specify the “Server Secret Key” (the RADIUS shared secret; the same value is entered on the NPS side later)
– check “Microsoft CHAPv2 Capable”
9) Click OK and then Apply

Command line

In general the configuration is:

aaa-server NAME protocol radius
aaa-server NAME (INTERFACE) host SERVER-IP
 key *****

which in my case is:

aaa-server KIS-DC protocol radius
aaa-server KIS-DC (vlan200) host
 key *****

Configuration of Windows Server 2016 – configuration of the Network Policy Server

1) Log in to your Windows server
2) Open “Server Manager”
3) From the Dashboard select “Add roles and features” (or go through Manage > Add Roles and Features)
4) Go through the welcome page by selecting Next
5) Select “Role-based or feature-based installation”, then Next
6) Select your server, then Next
7) On the Server Roles step select “Network Policy and Access Services”, then Next
8) Click “Add Features”, then Next/Next and finally Install
9) After the installation completes, click Close
10) Then from “Server Manager” select “NPAS”
11) Within the SERVERS panel right-click the server you just installed and select “Network Policy Server”
12) Right-click “NPS (Local)” and select “Register server in Active Directory”
13) From the left menu expand “RADIUS Clients and Servers”
14) Right-click “RADIUS Clients” and select “New”
15) Set up the new RADIUS client, which means:

– check “Enable this RADIUS client”
– within “Friendly name” specify a name for the ASA client, in my case for example cisco-asa
– within “Address” specify the IP address of the ASA box or its DNS name (if one is configured)
– select “Manual” at the bottom and specify the shared secret (the one previously configured on the ASA box)
– confirm the secret
– click OK
16) Then expand “Policies”, right-click “Connection Request Policies” and select “New”
17) Specify the name within “Policy name”
18) Within “Specify Conditions” add a condition: select “Client Friendly Name” and click Add
19) Specify the value for the condition, for example the same name as used above (cisco-asa)
20) Then Next/Next; after the “Specify Authentication Methods” step, within “Configure Settings” select the “User-Name” attribute and click Finish
21) Now right-click “Network Policies” and select New
22) Specify the name within the “Policy name” field and click Next
23) Then in “Specify Conditions” select “User Groups”
24) Add the user group which we wish to allow access. The list is taken from the Active Directory server; I selected for example Domain Users. Then click Next
25) Select “Access granted” and click Next
26) Select “Unencrypted authentication (PAP, SPAP)” and click Next
27) Then select No when asked about the Connection Request Policy and click Next
28) Click Next and Finish



Test the authentication. For this we may use ASDM: on the same page where we added the servers there is a Test button where we may enter a user name and password and check whether the authentication was successful.
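The network policy above selects PAP, so it is worth understanding what the ASA actually sends to NPS when you press that Test button. The following is an added example, not part of the original post and not Cisco or Microsoft code: it builds an RFC 2865 Access-Request with User-Name and a PAP-protected User-Password, and it validates the Response Authenticator of the reply. The User-Password attribute is not encrypted in any modern sense; it is the password XORed with MD5(shared secret + Request Authenticator), so anyone who can sniff the RADIUS traffic and knows or guesses the shared secret recovers the password. That is why the secret should be long and random and why the server should be reachable only over the dedicated interface (vlan200 in the configuration above), or why the MS-CHAPv2 option is preferable where the client supports it. The shared secret, user name, password and addresses below are constructed placeholders; the function that sends to a live server (`send_pap_request`) is provided for use against your own NPS but is not exercised by the offline self-check.

```python
"""Minimal RADIUS PAP Access-Request builder and reply verifier (RFC 2865).
Added example for testing an ASA -> NPS setup; all values are constructed."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to 16-byte blocks and XOR each
    block with MD5(secret + previous ciphertext block); the first block uses
    the Request Authenticator. Keyed only by the shared secret, so it is
    obfuscation, not encryption (password 1..128 bytes assumed)."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_decrypt(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt: what the server (or a sniffer with the secret) does."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        block = ciphertext[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; length counts the two header bytes (max 253 bytes of value)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         nas_ip: str, authenticator: bytes = None) -> bytes:
    """Code(1) | Identifier | Length | 16-byte Request Authenticator | attributes."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable per request
    attrs = (build_attr(ATTR_USER_NAME, username.encode())
             + build_attr(ATTR_USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
             + build_attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(payload: bytes) -> dict:
    """Walk the TLV list, rejecting lengths that would run off the packet."""
    attrs, pos = {}, 0
    while pos + 2 <= len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs.setdefault(atype, []).append(payload[pos + 2:pos + alen])
        pos += alen
    return attrs


def response_authenticator(code, ident, length, request_auth, attrs, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + attrs + secret).digest()


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What a server holding the secret would send back (used here for the offline check)."""
    ident, request_auth, length = request[1], request[4:20], 20 + len(attrs)
    auth = response_authenticator(code, ident, length, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, length) + auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes):
    """Return the reply code only if the Response Authenticator proves the reply
    was produced for this request by a party holding the shared secret; else None.
    Without this check a spoofed Access-Accept from the wire would be accepted."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return None
    expected = response_authenticator(code, ident, length, request[4:20], response[20:], secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None


def send_pap_request(server_ip: str, secret: bytes, username: str, password: str,
                     nas_ip: str, port: int = 1812, timeout: float = 3.0):
    """Send one Access-Request to a live NPS and return 2 (accept), 3 (reject) or None."""
    request = build_access_request(os.urandom(1)[0], secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server_ip, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return verify_response(reply, request, secret)
```

On a real deployment you would call `send_pap_request("<NPS-IP>", b"<shared secret>", "user", "password", "<ASA-IP>")` from a host that NPS lists as a RADIUS client; NPS silently drops requests from unknown client addresses, which shows up as a timeout rather than a reject. The offline self-check round-trips the PAP obfuscation across one and two blocks and confirms that a reply built with the wrong secret, or with its code flipped from Accept to Reject, fails verification.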
