The document explains how to configure an ASA to authenticate VPN users against a Windows 2008 NPS server using RADIUS. The ASA is configured as a RADIUS client to the NPS server. VPN users are authenticated against Active Directory. Configuration steps include adding the ASA as a RADIUS client in NPS, creating a connection request policy in NPS, and adding a network policy in NPS to grant access to specified users. The ASA configuration includes defining a RADIUS server group and assigning it to the tunnel group.
ASA VPN User Authentication against Windows 2008 NPS Server (Active Directory) with RADIUS Configuration Example
Document ID: 117641
Contributed by Sunil Kumar S and Raja Periyasamy, Cisco TAC Engineers.
Jun 10, 2014
Contents
Introduction
Prerequisites
Requirements
Components Used
Configure
Network Diagram
Configurations
ASDM Configuration
CLI Configuration
Windows 2008 Server with NPS Configuration
Verify
ASA Debugs
Troubleshoot
Introduction
This document explains how to configure an Adaptive Security Appliance (ASA) to communicate with a
Microsoft Windows 2008 Network Policy Server (NPS) over the RADIUS protocol so that legacy Cisco
VPN Client, AnyConnect and Clientless WebVPN users are authenticated against Active Directory. NPS is one of
the server roles offered by Windows 2008 Server. It is the equivalent of Internet Authentication Service (IAS)
on Windows 2003 Server, the RADIUS server implementation that provided remote dial-in user
authentication; on Windows 2008 Server, NPS is the RADIUS server implementation.
Basically, the ASA is a RADIUS client of the NPS RADIUS server: the ASA sends RADIUS authentication
requests on behalf of VPN users, and NPS authenticates them against Active Directory.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
• ASA that runs Version 9.1(4)
• Windows 2008 R2 Server with Active Directory services and the NPS role installed
The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure
that you understand the potential impact of any command.
Configure
Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the
commands used in this section.
Network Diagram
Configurations
ASDM Configuration
1. Choose the tunnel-group for which NPS authentication is required.
2. Click Edit and choose Basic.
3. In the Authentication section, click Manage.
4. In the AAA Server Groups section, click Add.
5. In the AAA Server Group field, enter the name of the server group (for example, NPS).
6. From the Protocol drop-down list, choose RADIUS.
7. Click OK.
8. In the Servers in the Selected Group section, choose the AAA Server Group added and click Add.
9. In the Server Name or IP Address field, enter the server IP address.
10. In the Server Secret Key field, enter the secret key.
11. Leave the Server Authentication Port and the Server Accounting Port fields at the default value unless
the server listens on a different port.
12. Click OK.
13. Click OK.
14. From the AAA Server Group drop-down list, choose the group (NPS in this example) added in the
previous steps.
15. Click OK.
CLI Configuration
aaa-server NPS protocol radius
aaa-server NPS (inside) host 10.105.130.51
key *****
tunnel-group TEST type remote-access
tunnel-group TEST general-attributes
address-pool test
authentication-server-group (inside) NPS
tunnel-group TEST webvpn-attributes
group-alias TEST enable
ip local pool test 192.168.1.1-192.168.1.10 mask 255.255.255.0
By default, the ASA uses the unencrypted Password Authentication Protocol (PAP) authentication type. This
does not mean that the ASA sends the password in plain text when it sends the RADIUS request packet.
Rather, the plaintext password is encrypted with the RADIUS shared secret.
If password management is enabled under the tunnel-group, then the ASA uses the MSCHAP-v2 authentication
type in order to encrypt the plaintext password. In such a case, ensure that the Microsoft CHAPv2 Capable
check box is checked in the Edit AAA Server window configured in the ASDM configuration section.
tunnel-group TEST general-attributes
address-pool test
authentication-server-group (inside) NPS
password-management
Note: The test aaa-server authentication command always uses PAP. Only when a user initiates a
connection to a tunnel-group with password-management enabled does the ASA use MSCHAP-v2. Also, the
'password-management [password-expire-in-days days]' option is only supported with Lightweight
Directory Access Protocol (LDAP). RADIUS does not provide this feature. You will see the password expire
option when the password is already expired in Active Directory.
Windows 2008 Server with NPS Configuration
The NPS Server Role should be installed and running on the Windows 2008 server. If not, choose Start >
Administrative Tools > Server Roles > Add Role Services. Choose the Network Policy Server and install the
software. Once the NPS Server Role is installed, complete these steps in order to configure the NPS to accept
and process RADIUS authentication requests from the ASA:
1. Add the ASA as a RADIUS client in the NPS server.
   a. Choose Administrative Tools > Network Policy Server.
   b. Right-click RADIUS Clients and choose New.
   c. Enter a Friendly name, Address (IP or DNS), and the Shared Secret configured on the ASA.
   d. Click the Advanced tab.
   e. From the Vendor name drop-down list, choose RADIUS Standard.
   f. Click OK.
2. Create a new Connection Request Policy for VPN users. The purpose of the Connection Request
Policy is to specify whether the requests from RADIUS clients are to be processed locally or
forwarded to remote RADIUS servers.
   a. Under NPS > Policies, right-click Connection Request Policies and create a new policy.
   b. From the Type of network access server drop-down list, choose Unspecified.
   c. Click the Conditions tab.
   d. Click Add.
   e. Enter the ASA's IP address as a 'Client IPv4 Address' condition.
   f. Click the Settings tab.
   g. Under Forwarding Connection Request, choose Authentication. Ensure the Authenticate
requests on this server radio button is chosen.
   h. Click OK.
3. Add a Network Policy where you can specify which users are allowed to authenticate.
For example, you can add Active Directory user groups as a condition. Only those users who belong
to a specified Windows group are authenticated under this policy.
   a. Under NPS, choose Policies.
   b. Right-click Network Policy and create a new policy.
   c. Ensure the Grant access radio button is chosen.
   d. From the Type of network access server drop-down list, choose Unspecified.
   e. Click the Conditions tab.
   f. Click Add.
   g. Enter the ASA's IP address as a Client IPv4 Address condition.
   h. Enter the Active Directory user group which contains the VPN users.
   i. Click the Constraints tab.
   j. Choose Authentication Methods.
   k. Ensure the Unencrypted authentication (PAP, SPAP) check box is checked.
   l. Click OK.
Pass Group-policy Attribute (Attribute 25) from the NPS RADIUS Server
If the group-policy needs to be assigned to the user dynamically with the NPS RADIUS server, the
group-policy RADIUS attribute (attribute 25) can be used.
Complete these steps in order to send the RADIUS attribute 25 for dynamic assignment of a group-policy to
the user.
1. After the Network Policy is added, right-click the required Network Policy and click the Settings
tab.
2. Choose RADIUS Attributes > Standard. Click Add. Leave the Access type as All.
3. In the Attributes box, choose Class and click Add. Enter the attribute value, that is, the name of the
group-policy as a string. Remember that a group-policy with this name has to be configured in the
ASA. This is so that the ASA assigns it to the VPN session after it receives this attribute in the
RADIUS response.
Verify
Use this section to confirm that your configuration works properly.
Note: Refer to Important Information on Debug Commands before you use debug commands.
ASA Debugs
Enable debug radius all on the ASA.
ciscoasa# test aaa-server authentication NPS host 10.105.130.51 username vpnuser password
INFO: Attempting Authentication test to IP address <10.105.130.51> (timeout: 12 seconds)
radius mkreq: 0x80000001
alloc_rip 0x787a6424
new request 0x80000001 --> 8 (0x787a6424)
got user 'vpnuser'
got password
add_req 0x787a6424 session 0x80000001 id 8
RADIUS_REQUEST
radius.c: rad_mkpkt
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 65).....
01 08 00 41 c4 1b ab 1a e3 7e 6d 12 da 87 6f 7f | ...A.....~m...
40 50 a8 36 01 09 76 70 6e 75 73 65 72 02 12 28 | @P.6..vpnuser..(
c3 68 fb 88 ad 1d f2 c3 b9 9a a9 5a fa 6f 43 04 | .h.........Z.oC.
06 0a 69 82 de 05 06 00 00 00 00 3d 06 00 00 00 | ..i........=....
05 | .
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 8 (0x08)
Radius: Length = 65 (0x0041)
Radius: Vector: C41BAB1AE37E6D12DA876F7F4050A836
Radius: Type = 1 (0x01) User-Name
Radius: Length = 9 (0x09)
Radius: Value (String) =
76 70 6e 75 73 65 72 | vpnuser
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
28 c3 68 fb 88 ad 1d f2 c3 b9 9a a9 5a fa 6f 43 | (.h.........Z.oC
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.105.130.52 (0x0A6982DE)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x0
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 10.105.130.51/1645
rip 0x787a6424 state 7 id 8
rad_vrfy() : response message verified
rip 0x787a6424
: chall_state ''
: state 0x7
: reqauth:
c4 1b ab 1a e3 7e 6d 12 da 87 6f 7f 40 50 a8 36
: info 0x787a655c
session_id 0x80000001
request_id 0x8
user 'vpnuser'
response '***'
app 0
reason 0
skey 'cisco'
sip 10.105.130.51
type 1
RADIUS packet decode (response)
--------------------------------------
Raw packet data (length = 78).....
02 08 00 4e e8 88 4b 76 20 b6 aa d3 0d 2b 94 37 | ...N..Kv ....+.7
bf 9a 6c 4c 07 06 00 00 00 01 06 06 00 00 00 02 | ..lL............
19 2e 9a 08 07 ad 00 00 01 37 00 01 02 00 0a 6a | .........7.....j
2c bf 00 00 00 00 3c 84 0f 6e f5 95 d3 40 01 cf | ,.....<..n...@..
1e 3a 18 6f 05 81 00 00 00 00 00 00 00 03 | .:.o..........
Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 8 (0x08)
Radius: Length = 78 (0x004E)
Radius: Vector: E8884B7620B6AAD30D2B9437BF9A6C4C
Radius: Type = 7 (0x07) Framed-Protocol
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x1
Radius: Type = 6 (0x06) Service-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x2
Radius: Type = 25 (0x19) Class
Radius: Length = 46 (0x2E)
Radius: Value (String) =
9a 08 07 ad 00 00 01 37 00 01 02 00 0a 6a 2c bf | .......7.....j,.
00 00 00 00 3c 84 0f 6e f5 95 d3 40 01 cf 1e 3a | ....<..n...@...:
18 6f 05 81 00 00 00 00 00 00 00 03 | .o..........
rad_procpkt: ACCEPT
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
remove_req 0x787a6424 session 0x80000001 id 8
free_rip 0x787a6424
radius: send queue empty
INFO: Authentication Successful
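As an added example (not part of the original document or of the ASA), this Python parses the Access-Request shown in the debug output above and implements the RFC 2865 User-Password hiding that the PAP discussion in the CLI Configuration section refers to; the secret, authenticator and password used in the round-trip are constructed values, and only the hex dump is taken from the page.

```python
import hashlib
import struct

# Access-Request from the ASA debug output above, retyped from its hex dump (65 bytes).
ASA_ACCESS_REQUEST = bytes.fromhex(
    "01080041c41bab1ae37e6d12da876f7f4050a836"  # code 1, id 8, length 65, authenticator
    "010976706e75736572"                        # type 1 User-Name "vpnuser"
    "021228c368fb88ad1df2c3b99aa95afa6f43"      # type 2 User-Password, 16 hidden bytes
    "04060a6982de"                              # type 4 NAS-IP-Address
    "050600000000"                              # type 5 NAS-Port 0
    "3d0600000005")                             # type 61 NAS-Port-Type 5 (Virtual)


def parse_radius(packet):
    """Split a RADIUS packet into header fields plus a list of (type, value) attributes."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}


def hide_password(secret, authenticator, password):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous
    block). The first 'previous block' is the Request Authenticator sent in clear, so the
    shared secret is the only thing standing between a captured packet and the password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(secret, authenticator, hidden):
    """Inverse of hide_password: same keystream, so the holder of the secret recovers it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")
```

The parser returns the same header values and attribute types the ASA decode prints, and the round-trip shows why the ASA-to-NPS path and the shared secret deserve the same protection as the password itself.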
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
• Ensure the connectivity between the ASA and the NPS server is good. Apply packet captures to ensure
the authentication request leaves the ASA interface (from where the server is reachable). Confirm that
the devices in the path do not block UDP port 1645 (default RADIUS authentication port) in order to
ensure it reaches the NPS server. More information on packet captures on the ASA can be found in
ASA/PIX/FWSM: Packet Capturing using CLI and ASDM Configuration Example.
• If the authentication still fails, look in the Event Viewer on the Windows NPS server. Under Event Viewer >
Windows Logs, choose Security. Look for events associated with NPS around the time of the
authentication request.
Once you open Event Properties, you should be able to see the reason for failure as shown in the
example. In this example, PAP was not chosen as the authentication type under the Network Policy.
Hence, the authentication request fails.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/10/2014 1:35:47 PM
Event ID: 6273
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: win2k8.skp.com
Description:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: SKP\vpnuser
Account Name: vpnuser
Account Domain: SKP
Fully Qualified Account Name: skp.com/Users/vpnuser
Client Machine:
Security ID: NULL SID
Account Name: −
Fully Qualified Account Name: −
OS−Version: −
Called Station Identifier: −
Calling Station Identifier: −
NAS:
NAS IPv4 Address: 10.105.130.69
NAS IPv6 Address: −
NAS Identifier: −
NAS Port-Type: Virtual
NAS Port: 0
RADIUS Client:
Client Friendly Name: vpn
Client IP Address: 10.105.130.69
Authentication Details:
Connection Request Policy Name: vpn
Network Policy Name: vpn
Authentication Provider: Windows
Authentication Server: win2k8.skp.com
Authentication Type: PAP
EAP Type: −
Account Session Identifier: −
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is
not enabled on the matching network policy.
Updated: Jun 10, 2014 Document ID: 117641