First, configure a aaa-server group with the radius protocol.
asa01(config)# aaa-server RADIUS protocol radius
asa01(config-aaa-server-group)# exit
asa01(config)#
Next, specify your NPS server and pre-shared-key.asa01(config)# aaa-server RADIUS (inside) host 10.24.12.2
asa01(config-aaa-server-host)# key pr3-shar3d-k3y
asa01(config-aaa-server-host)# exit
asa01(config)#
On your NPS server, launch NPS.Right click "RADIUS Clients" and choose "New."
Enter a "friendly name," the IP or hostname of the ASA, and your pre-shared-key.
Right click "Network Policies" and select "New."
Enter a name for your network policy, for example "AnyConnect VPN" and select "Next."
NPS can be configured to require a variety of conditions be met in order to authenticate a user. The following is a basic example that only requires a user to be a member of the "VPNUsers" security group. This security group has already been created and includes the users that we would like to authenticate.
Select "Add," "User Groups," "Add," then "Add Groups." Search for the security group "VPNUsers" and select "OK."
Select "Next" and choose "Access granted."
Select "Next" and click "No" at the help prompt. Then click "Next" twice, and then click "Finish."
Right click on the newly created policy and select "Move Up" to move the policy above the two default NPS policies.
We now have a very basic RADIUS configuration in place. To make sure it is configured properly, we can use the "test" command on the ASA:
asa01# test aaa-server authentication RADIUS host 10.24.12.2 username vpntestuser password P@ssw0rd
INFO: Attempting Authentication test to IP address <10.24.12.2> (timeout: 12 seconds)
INFO: Authentication Successful
asa01#
Finally, we can configure our webvpn tunnel-group to use our radius server for authentication.asa01(config)# tunnel-group DefaultWEBVPNGroup general-attributes
asa01(config-tunnel-general)# authentication-server-group RADIUS
asa01(config-tunnel-general)# exit
asa01(config)#
You should now be able to connect to your AnyConnect VPN with Active Directory credentials.
No comments:
Post a Comment