Scenario:
Need to get a Cisco ASA to use a RADIUS server on Windows Server 2008 to authenticate A.D. users for VPN access.

VPN (Virtual Private Network):
A virtual private network (VPN) is a computer network that uses a public telecommunication infrastructure such as the Internet to provide remote offices or individual users with secure access to their organization's network. It aims to avoid an expensive system of owned or leased lines that can be used by only one organization.

How To Manage VPN:
Typically, a dial-in platform comprises a bank of modems tied into the existing corporate LAN infrastructure. User authentication may include strong methods, such as SecurID, which provide additional challenge-response security before passing the client logon request to the corporate LAN. A Microsoft Windows NT, Novell NetWare or UNIX security database then validates the request. There are several methods to validate the authentication of the client attempting to access the network. One is to use the internal client database on the VPN switch. This approach will usually take the least effort to implement. However, as your VPN grows into multiple switches to handle increased load and provide backup capability, you will need to consider either copying the database to the other VPN switches or employing another method of client validation. To ease this issue we use RADIUS, which is one method to centralize client administration for either single or multiple VPN switches. RADIUS coordinates authentication and authorization information between a network access server (the VPN switch) and a central authentication and authorization server (the RADIUS server).

RADIUS:
Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for computers that connect to and use a network service. RADIUS is a client/server protocol. The Remote Access Server, the Virtual Private Network server, the network switch with port-based authentication, and the Network Access Server (NAS) are all gateways that control access to the network, and all have a RADIUS client component that communicates with the RADIUS server. The RADIUS server is usually a background process.
How RADIUS Works:
The user or machine sends a request to a Remote Access Server (RAS) to gain access to a particular network resource using access credentials. The credentials are passed to the RAS server via the link-layer protocol. In turn, the RAS sends a RADIUS Access-Request message to the RADIUS server. This request includes access credentials, typically in the form of a username and password or a security certificate provided by the user. Additionally, the request may contain other information which the RAS knows about the user, such as its network address or phone number, and information regarding the user's physical point of attachment to the RAS.

RADIUS serves three functions:
• to authenticate users or devices before granting them access to a network,
• to authorize those users or devices for certain network services, and
• to account for usage of those services. The primary purpose of this accounting data is statistical and general network monitoring.

What Is RAS (Remote Access Server):
A server that is dedicated to handling users that are not on a LAN but need remote access to it. The remote access server allows users to gain access to files and print services on the LAN from a remote location. For example, a user who dials into a network from home using a broadband modem or an ISDN connection will dial into a remote access server. Once the user is authenticated he can access shared drives and printers as if he were physically connected to the office LAN. In Windows Server 2003 and onwards this functionality is performed at the corporate level by RRAS (Routing and Remote Access Services).

RRAS:
A Microsoft API that makes it possible to create applications to administer the routing and remote access service capabilities of the operating system. RRAS makes it possible for a computer to function as a network router, and developers can also use RRAS to implement routing protocols. The RRAS server functionality follows and builds upon the Remote Access Service (RAS).

What Is NPS (Network Policy Server):
Network Policy Server (NPS) can be used as a RADIUS server to perform authentication, authorization, and accounting for RADIUS clients. A RADIUS client can be either a network access server or a RADIUS proxy. When NPS is used as a RADIUS server, it provides a central authentication and authorization service for all access requests and a central accounting service for all accounting requests that are sent by RADIUS clients. NPS supports authentication for Windows-based clients, as well as for third-party clients that adhere to the RADIUS standard.

While Routing and Remote Access (RRAS) security is sufficient for small networks, larger companies often need a dedicated infrastructure for authentication. RADIUS is a standard for dedicated authentication servers. Windows Server 2008 includes the Network Policy Server (NPS), an implementation of a RADIUS server. NPS stores its authentication information in Active Directory. While NPS requires the use of an additional server component, it provides a number of advantages over the standard methods of RRAS authentication. These advantages include centralized authentication for users, auditing and accounting features, scalability, and seamless integration with the existing features of RRAS; access can be managed with Remote Access Policies.

Function of NPS:
• Routing of LAN and WAN traffic.
• Creating and enforcing network access through VPN or dial-up connections.
• Allow access to local resources through VPN or dial-up connections.
• VPN Services
• Dial-up Services
• 802.11 protected access
• Routing & Remote Access (RRAS)
• Offer Authentication through Windows Active Directory
• Control network access with policies

What is Cisco ASA:
Adaptive Security Appliance (ASA) is a new generation of network security hardware from Cisco. ASA hardware acts as a firewall, in other security roles, and in a combination of roles. The Cisco ASA includes the following components:
Anti-x: Anti-x includes a whole class of security tools such as Anti-virus, Anti-spam, Anti-spyware, etc.
Intrusion Detection and Prevention: Intrusion Detection and Prevention includes tools such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) for sophisticated kinds of attacks.
The end user is connected through a VPN Client from Cisco.

Cisco VPN Client:
The Cisco VPN Client for Windows (referred to in this user guide as VPN Client) is software that runs on a Microsoft® Windows®-based PC. The VPN Client on a remote PC, communicating with a Cisco Easy VPN server on an enterprise network or with a service provider, creates a secure connection over the Internet. Through this connection you can access a private network as if you were an on-site user. Thus you have a Virtual Private Network (VPN). As a remote user (low speed or high speed), you first connect to the Internet. Then you use the VPN Client to securely access private enterprise networks through a Cisco VPN server that supports the VPN Client. The server verifies that incoming connections have up-to-date policies in place before establishing them.

Uses of Cisco VPN Client are as follows:
• Can be preconfigured for mass deployments
• Requires little user intervention for initial logins
• Supports Cisco Easy VPN capabilities, decreasing network security policy configuration at the remote location
• Complements the Cisco AnyConnect Secure Mobility Client

Why should we use the VPN (Virtual Private Network) Client?
The VPN Client software allows you to connect to the Ai-net from an offsite computer anywhere on the Internet and be automatically recognized as an Ai-Media affiliate when your data reaches the Ai-Media network. It also provides extra security by encrypting data to and from your computer, in effect creating a private tunnel through the Internet for your communication. Once your data reaches the Ai-net, it is then decrypted by the software.
Configuring the Cisco ASA and Windows Server 2008

Components
• Server:
  • Windows Server 2008 R2 Enterprise
  • Also the domain controller
  • IP: 10.1.100.100
  • Name: pdc.ai-media.com
• Cisco ASA:
  • ASA 5520
  • IP: 10.1.100.25
  • Name: EQX-SY1-PRE-FW1

Cisco Configuration
Launch ASDM, connect to the ASA, and go to the Configuration view.

Create an IP Name object for the target
• Under the Firewall section, expand the Objects link and select IP Names.
• Click the Add button at the top.
• Enter a descriptive name, the IP address and a description of the server. For this server I used
  • Name: INT-AD1
  • IP: 10.1.100.100
  • Description: AD / RADIUS
• Click OK and then Apply.

Create a new AAA Server Group
Click the Remote Access VPN section. Expand AAA Setup and select AAA Server Groups. Click the Add button to the right of the AAA Server Groups section. Give the server group a name, like TEST-AD, and make sure the RADIUS protocol is selected. Accept the default for the other settings and click OK.

Add the RADIUS server to the Server Group
Select the server group created in the step above. Click the Add button to the right of Servers in the Selected Group. Under Interface Name select the interface on the ASA that will have access to the RADIUS server, most likely inside. Under Server Name or IP Address enter the IP Name you created for the RADIUS server above. Skip to the Server Secret Key field and create a complex password. Make sure you document this, as it is required when configuring the RADIUS server. Re-enter the secret in the Common Password field. Leave the rest of the settings at the defaults and click OK.

Setting Up RADIUS on Windows Server 2008
To perform the steps below you need Administrator permissions on the server that will host the RADIUS server. You will also need permissions to "Register" the server in AD.

Add the Network Policy Server function
Connect to the Windows Server 2008 server and launch Server Manager. Click the Roles object and then click the Add Roles link on the right. Click Next on the Before You Begin page. Select the Network Policy and Access Services role and click Next. Under Role Services select only the Network Policy Server service and click Next. Click Install. After the role finishes installing you will need to set up the server using the Network Policy Server (NPS) management tool found under Administrative Tools.

Registering the server
After launching the NPS tool, right-click on the entry NPS (Local) and click Register Server in Active Directory. Follow the default prompts.

Create a RADIUS client entry for the ASA
Expand the RADIUS Clients and Servers folder. Right-click on RADIUS Clients and select New RADIUS Client. Create a Friendly Name for the ASA device. Make sure you document the Friendly Name used, as it will be used later in some of the policies created. Enter the Server Secret Key specified during the ASA configuration in the Shared secret and Confirm shared secret fields. Leave the default values for the other settings and click OK.

Create a Connection Request Policy
Expand the Policies folder. Right-click on Connection Request Policies and click New. Set the Policy Name to something meaningful, e.g. CiscoASA, because this policy is geared specifically for that RADIUS client. Leave the Type of network access server as Unspecified and click Next. Under Conditions click Add. Scroll down and select the Client Friendly Name condition and click Add… Specify the friendly name that you used when creating the RADIUS Client above. Click OK and Next. On the next two pages leave the default settings and click Next. Under Specify a Realm Name select the Attribute option on the left. From the drop-down menu next to Attribute: on the right, select User-Name. Click Next. Review the settings and click Finish.

Create a Network Policy
Right-click the Network Policies folder and click New. Set the Policy Name to something meaningful. Leave the Type of network access server as Unspecified and click Next. Under Conditions click Add. Add a Client Friendly Name condition and again specify the Friendly Name you used for your RADIUS client. Add a User Groups condition to limit access to a specific AD user group. You can use a generic group like Domain Users or create a group specifically to restrict access. Click Next. Leave Access granted selected and click Next again. (Important Step) On the authentication methods page leave the default selection and add Unencrypted authentication (PAP, SPAP). You can also use other encrypted authentication protocols. Click Next again. Accept the default Constraints and click Next. Accept the default RADIUS Settings and click Next. Review the settings on the next page and click Finish. Check the 'Ignore user account dial-in properties' option.

Restart the Network Policy Server service. This may not be necessary, but we cannot be certain the above steps work without restarting the service.

Test Your RADIUS Authentication
The ASDM utility includes functionality to test RADIUS authentication. If necessary, re-launch the ASDM utility. Return to Configuration -> Remote Access VPN -> AAA Setup -> AAA Server Groups. Select the new Server Group you created. From the Servers in the Selected Group section highlight the server you created. Click the Test button on the right. Select the Authentication radio button, enter the Username and Password of a user that meets the conditions specified in the Network Policy created above, and click OK. A pop-up box should display with the message "Authentication to the host successful".