Saturday, December 27, 2014

HOWTO: Cisco ASA AnyConnect RADIUS Authentication with NPS

Following up on my previous AnyConnect how-to, this post shows how to configure a Cisco ASA to authenticate against a Windows Network Policy Server (NPS) using RADIUS.

First, configure a aaa-server group with the radius protocol.
asa01(config)# aaa-server RADIUS protocol radius
asa01(config-aaa-server-group)# exit
Next, specify your NPS server and pre-shared-key.
asa01(config)# aaa-server RADIUS (inside) host
asa01(config-aaa-server-host)# key pr3-shar3d-k3y
asa01(config-aaa-server-host)# exit
On your NPS server, launch NPS.

Right click "RADIUS Clients" and choose "New."

Enter a "friendly name," the IP or hostname of the ASA, and your pre-shared-key.

Right click "Network Policies" and select "New."

Enter a name for your network policy, for example "AnyConnect VPN" and select "Next."

NPS can be configured to require a variety of conditions be met in order to authenticate a user.  The following is a basic example that only requires a user to be a member of the "VPNUsers" security group.  This security group has already been created and includes the users that we would like to authenticate.

Select "Add," "User Groups," "Add," then "Add Groups."  Search for the security group "VPNUsers" and select "OK."

Select "Next" and choose "Access granted."

Selext "Next" and then check "Unencrypted authentication (PAP, SPAP)."

Select "Next" and click "No" at the help prompt.  Then click "Next" twice, and then click "Finish."

Right click on the newly created policy and select "Move Up" to move the policy above the two default NPS policies.

We now have a very basic RADIUS configuration in place.  To make sure it is configured properly, we can use the "test" command on the ASA:
asa01# test aaa-server authentication RADIUS host username vpntestuser password P@ssw0rd
INFO: Attempting Authentication test to IP address <> (timeout: 12 seconds)
INFO: Authentication Successful
Finally, we can configure our webvpn tunnel-group to use our radius server for authentication.
asa01(config)# tunnel-group DefaultWEBVPNGroup general-attributes
asa01(config-tunnel-general)# authentication-server-group RADIUS
asa01(config-tunnel-general)# exit
You should now be able to connect to your AnyConnect VPN with Active Directory credentials.

No comments:

Post a Comment