{"id":683,"date":"2016-12-19T08:55:13","date_gmt":"2016-12-19T07:55:13","guid":{"rendered":""},"modified":"2019-04-30T08:57:26","modified_gmt":"2019-04-30T06:57:26","slug":"asa-aaa-authentication-against-windows-2016-server-ad","status":"publish","type":"post","link":"https:\/\/nil.uniza.sk\/en\/asa-aaa-authentication-against-windows-2016-server-ad\/","title":{"rendered":"ASA AAA authentication against Windows 2016 server (AD)"},"content":{"rendered":"

The article describes configuration of the AAA service on Cisco ASA against a Network policy server running on Windows 2016 server. The implementation of Network policy server on Windows is de-facto Microsoft implementation of RADIUS server.<\/p>\n

Configuration of AAA radius server on Cisco ASA<\/h1>\n

ASDM<\/h2>\n

1) Connect to your ASA using ASDM
\n2) From the menu select „Configuration“
\n3) From the left panel select „Remote Access VPN“
\n4) Within of the „Remote Access VPN“ select AAA\/Local Users
\n5) Then select „AAA Server Group“
\n6) On the right two panels appears, the „AAA Server Group“ and the „Servers in the Selected Group“
\n7) Add a new server within the Server Group
\n– choose the name for the server group
\n– select RADIUS as the protocol
\n– other options we may leave default
\n8) Now choose just created server group and within of the second half of panel (the bottom one) add the new server
\n– select the ASA interface where the server will operate
\n– specify the IP address of the server
\n– specify the „Server Secret Key“
\n– check the „MS CHAPv2 Capable“ option
\n9) Ok and APPLY<\/p>\n

Command line<\/h2>\n

The configuration in general is:<\/p>\n

aaa-server NAME protocol radius\naaa-server NAME (INTERFACE) host IP_ADDRESS\n key *****<\/pre>\n
<\/div>\n
where in my case it is<\/div>\n
\n
aaa-server KIS-DC protocol radius\naaa-server KIS-DC (vlan200) host 192.168.200.2\n key *****<\/pre>\n
Configuration of Windows 2016 Server – configuration of the Network police server<\/h1>\n
1) Login to your windows server
\n2) Open „Server Manager“
\n3) From the Dashboard select „Add roles and features“ (or through Manage > Add roles and features)
\n4) Go through welcome page selecting Next
\n5) Select „Role-based or feature-based installation“ and go Next
\n6) Select your server then Next
\n7) We are on the „Server roles“ step, where we select „Network Policy and Access Services“, then click Next
\n8) Click „Add features“ and then Next\/Next and finally Install
\n9) Once the installation finish click Close
\n10) Then from the „Server Manager“ select „NPAS“
\n11) In SERVERS panel right click on just installed server and select „Network Policy Server“
\n12) Right click on NPS (Local) and select „Register server in Active Directory“
\n13) From the Left menu expand „RADIUS Clients and Servers“
\n14) Right click on the RADIUS Client and select „New“
\n15) Setup a new radius client, which means:<\/p>\n
– Check „Enable this RADIUS client“
\n– in „Friendly name“ specify the name for an ASA client, in my case (for example) „cisco-asa<\/em>“
\n– In „Address“ specify th eIP address of your ASA box or its DNS name (if it is configured)
\n– select „Manual“ at the bottom and specify Shared secret (the one previously configured previously on the ASA box)
\n– Confirm secret
\n– Click OK
\n16) then expand Policies and do the right click on „Connection Request Policies“ where select „New“
\n17) Specify the name within the Policy Name
\n18) In „Specify condition“ add a condition, where select „Client Friendly Name“‚ and click Add<\/p>\n<\/div>\n
19) Specify the name for the condition, for example the same as was done above (cisco-asa)
\n20) Then Next\/Next and after „Specify Authentication Methods“ step within „Configure Settings“ select the „User-Name“ attribute and Finish
\n21) Now right click on the Network Policies and select New
\n22) Specify the name within the „Policy-name“ form and go Next
\n23) then Specify conditions where we need to select „User Groups“
\n24) Add users group which we wish to allows access. The list is taken from the active directory server, I selected for example Domain Users, then click Next
\n25) Select Access granted and go Next
\n26)\u00a0Select „Unencrypted Authentication PAP SPAP“ and go Next.
\n27) Then select No when asking for Connection Request Policy and go Next
\n28) Go Next and finish<\/p>\n
Testing<\/h1>\n
Test the authentication. We may use for it the ASA ASDM, where on the same page as we have added servers there is the Test button where we may specify the name and password ad check if the authentication was successful.<\/p>","protected":false},"excerpt":{"rendered":"
\n\tThe article describes the configuration of AAA service on Cisco ASA against Network policy server running on Windows 2016 server. The implementation of Network policy server on Windows is defacto the MS implementaion of RADIUS server.<\/p>\n
\n\tConfiguration of AAA radius server on Cisco ASA<\/h1>\n
\n\tASDM<\/h2>\n
\n\t1) Connect to your ASA using ASDM<\/p>\n
\n\t2) Select "Configuration" from the menu<\/p>\n
\n\t3) From the left panel select "Remote Access VPN"<\/p>\n
\n\t4) Within of the "Remote Access VPN" select AAA\/Local Users<\/p>","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[851],"tags":[],"class_list":["post-683","post","type-post","status-publish","format-standard","hentry","category-windows-2016-server"],"taxonomy_info":{"category":[{"value":851,"label":"Windows 2016 server"}]},"featured_image_src_large":false,"author_info":{"display_name":"admin","author_link":"https:\/\/nil.uniza.sk\/en\/author\/admin\/"},"comment_info":12,"category_info":[{"term_id":851,"name":"Windows 2016 server","slug":"windows-2016-server","term_group":0,"term_taxonomy_id":849,"taxonomy":"category","description":"","parent":845,"count":2,"filter":"raw","cat_ID":851,"category_count":2,"category_description":"","cat_name":"Windows 2016 server","category_nicename":"windows-2016-server","category_parent":845}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/683","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/comments?post=683"}],"version-history":[{"count":0,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/683\/revisions"}],"wp:attachment":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/media?parent=683"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/categories?post=683"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/tags?post=683"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}