
TASK: Using Windows Server 2008 as a RADIUS server for a Cisco ASA firewall.

Scenario: We need the Cisco ASA to use a RADIUS server on Windows Server 2008 to authenticate
AD users for VPN access.
VPN (Virtual Private Network):
A virtual private network (VPN) is a computer network that uses a public
telecommunication infrastructure such as the Internet to provide remote offices or
individual users with secure access to their organization's network. It aims to avoid an
expensive system of owned or leased lines that can be used by only one organization.
How To Manage VPN:
Typically, a dial-in platform comprises a bank of modems tied into the existing corporate
LAN infrastructure. User authentication may include strong methods, such as SecurID,
which provide additional challenge-response security before passing the client logon
request to the corporate LAN. A Microsoft Windows NT, Novell NetWare or UNIX
security database then validates the request.
There are several methods to validate the authentication of the client attempting to access
the network. One is to use the internal client database on the VPN. This approach will
usually take the least effort to implement. However, as your VPN grows into multiple
switches to handle increased load and provide backup capability, you will need to
consider either copying the database to the other VPN switches or employing another
method of client validation.
RADIUS eases this issue: it is one method of centralizing client administration for either
a single VPN switch or multiple VPN switches. RADIUS coordinates authentication and
authorization information between a network access server (the VPN switch) and a central
authentication and authorization server (the RADIUS server).
Remote Authentication Dial In User Service (RADIUS) is a networking protocol that
provides centralized Authentication, Authorization, and Accounting (AAA) management
for users and devices that connect to and use a network service.
RADIUS is a client/server protocol. The Remote Access Server, the Virtual Private
Network server, the network switch with port-based authentication, and the Network
Access Server (NAS) are all gateways that control access to the network, and all have a
RADIUS client component that communicates with the RADIUS server. The RADIUS
server usually runs as a background process (a daemon or service).
RADIUS serves three functions:
• to authenticate users or devices before granting them access to a network,
• to authorize those users or devices for certain network services and
• to account for usage of those services.
How RADIUS Works:
The user or machine sends a request to a Remote Access Server (RAS) to gain access to a
particular network resource using access credentials. The credentials are passed to the
RAS server via the link-layer protocol.
In turn, the RAS sends a RADIUS Access-Request message to the RADIUS server. This
request includes the access credentials, typically in the form of a username and password or
a security certificate provided by the user. Additionally, the request may contain other
information which the RAS knows about the user, such as its network address or phone
number, and information regarding the user's physical point of attachment to the RAS.
What Is RAS (Remote Access Server):
A server that is dedicated to handling users that are not on a LAN but need remote
access to it. The remote access server allows users to gain access to file and print
services on the LAN from a remote location. For example, a user who dials into a
network from home using a broadband modem or an ISDN connection will dial into a
remote access server. Once the user is authenticated he can access shared drives and
printers as if he were physically connected to the office LAN. In Windows Server 2003
and onwards this functionality is provided at the corporate level by RRAS (Routing and
Remote Access Service). RRAS is also a Microsoft API that makes it possible to create
applications to administer the routing and remote access capabilities of the
operating system. RRAS makes it possible for a computer to function as a network router,
and developers can also use RRAS to implement routing protocols. The RRAS server
functionality follows and builds upon the Remote Access Service (RAS).
While Routing and Remote Access (RRAS) security is sufficient for small networks,
larger companies often need a dedicated infrastructure for authentication. RADIUS is a
standard for dedicated authentication servers.
What Is NPS (Network Policy Server):
Network Policy Server (NPS) can be used as a RADIUS server to perform authentication,
authorization, and accounting for RADIUS clients. A RADIUS client can be either a
network access server or a RADIUS proxy. When NPS is used as a RADIUS server, it
provides a central authentication and authorization service for all access requests and a
central accounting service for all accounting requests that are sent by RADIUS clients.
Windows Server 2008 includes the Network Policy Server (NPS), an implementation of
RADIUS server. NPS supports authentication for Windows-based clients, as well as for
third-party clients that adhere to the RADIUS standard. NPS stores its authentication
information in Active Directory, and can be managed with Remote Access Policies.
While NPS requires the use of an additional server component, it provides a number of
advantages over the standard methods of RRAS authentication. These advantages include
centralized authentication for users, auditing and accounting features, scalability, and
seamless integration with the existing features of RRAS.
Function of NPS:
• Routing of LAN and WAN traffic.
• Allow access to local resources through VPN or dial-up connections.
• Creating and enforcing network access policies for VPN or dial-up connections.
• VPN Services
• Dial-up Services
• 802.11 protected access
• Routing & Remote Access (RRAS)
• Offer Authentication through Windows Active Directory
• Control network access with policies

What is Cisco ASA:

The Adaptive Security Appliance (ASA) is Cisco's current generation of network security
hardware. ASA hardware can act as a firewall, in other security roles, or in a combination of
roles. The Cisco ASA includes the following components:
Anti-x: Anti-x covers a whole class of security tools such as anti-virus, anti-spyware,
anti-spam, etc.
Intrusion Detection and Prevention: Intrusion Detection and Prevention includes tools
such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to defend
against sophisticated kinds of attacks.
The end user is connected through a VPN Client from Cisco.
The primary purpose of this data is for statistical purposes and for general network
Cisco VPN Client:
The Cisco VPN Client for Windows (referred to in this user guide as VPN Client) is
software that runs on a Microsoft® Windows®-based PC. The VPN Client on a remote
PC, communicating with a Cisco Easy VPN server on an enterprise network or with a
service provider, creates a secure connection over the Internet. Through this connection
you can access a private network as if you were an on-site user. Thus you have a Virtual
Private Network (VPN). The server verifies that incoming connections have up-to-date
policies in place before establishing them.
As a remote user (low speed or high speed), you first connect to the Internet. Then you
use the VPN Client to securely access private enterprise networks through a Cisco VPN
server that supports the VPN Clients.
Features of the Cisco VPN Client are as follows:
• Can be preconfigured for mass deployments
• Requires little user intervention for initial logins
• Supports Cisco Easy VPN capabilities, decreasing network security policy
configuration at the remote location
• Complements the Cisco AnyConnect Secure Mobility Client

Why should we use the VPN (Virtual Private Network) Client?

The VPN Client software allows you to connect to the Ai-net from an offsite computer
anywhere on the Internet and be automatically recognized as an Ai-Media affiliate when
your data reaches the Ai-Media network. It also provides extra security by encrypting
data to and from your computer, in effect creating a private tunnel through the Internet for
your communication. Once your data reaches the Ai-net, it is then unencrypted by the

Configuring the Cisco ASA and Windows Server 2008

• Server:
  • Windows Server 2008 R2 Enterprise
  • Also the domain controller
  • IP:
  • Name:
• Cisco ASA:
  • ASA 5520
  • IP:
  • Name: EQX-SY1-PRE-FW1

Cisco Configuration

Launch ASDM, connect to the ASA, and go to the Configuration view.

Create an IP Name object for the target

• Under the Firewall section, expand the Objects link and select the IP Names.
• Click the Add button at the top.
• Enter a descriptive name, the IP address and a description of the server. For this
server I used
  • Name: INT-AD1
  • IP:
  • Description: AD / RADIUS
• Click OK and then Apply

Create a new AAA Server Group

Click the Remote Access VPN section.
Expand AAA Setup and select AAA Server Groups.
Click the Add button to the right of the AAA Server Groups section.
Give the server group a name, like TEST-AD, and make sure the RADIUS protocol is
Accept the defaults for the other settings and click OK.

Add the RADIUS server to the Server Group.

Select the server group created in the step above.
Click the Add button to the right of Servers in the Selected Group.
Under Interface Name select the interface on the ASA that will have access to the
RADIUS server, most likely inside.
Under Server Name or IP Address enter the IP Name you created for the RADIUS
server above.
Skip to the Server Secret Key field and create a complex password. Make sure you
document this, as it is required when configuring the RADIUS server. Re-enter the
secret in the Common Password field.
Leave the rest of the settings at the defaults and click OK.

Setting Up RADIUS on Windows Server 2008

To perform the steps below you need Administrator permissions on the server that will
host the RADIUS server. You will also need permission to “Register” the server in AD.

Add the Network Policy Server function.

Connect to the Windows Server 2008 server and launch Server Manager.
Click the Roles object and then click the Add Roles link on the right.
Click Next on the Before You Begin page.
Select the Network Policy and Access Services role and click Next.
Under Role Service select only the Network Policy Server service and click Next.
Click Install.

After the role finishes installing you will need to set up the server using the Network
Policy Server (NPS) management tool found under Administrative Tools.

Registering the server.

After launching the NPS tool, right-click the NPS (Local) entry and click Register
Server in Active Directory.
Follow the default prompts.

Create a RADIUS client entry for the ASA.

Expand the RADIUS Clients and Servers folder.
Right-click on RADIUS Clients and select New RADIUS Client.
Create a Friendly Name for the ASA device. Make sure you document the Friendly
Name used, as it will be needed later in some of the policies created.
Enter the Server Secret Key specified during the ASA configuration in the Shared
secret and Confirm shared secret fields.
Leave the default values for the other settings and click OK.

Create a Connection Request Policy.

Expand the Policies folder.
Right-click on the Connection Request Policies and click New.
Set the Policy Name to something meaningful, e.g. CiscoASA, because this policy is
geared specifically to that RADIUS client. Leave the Type of network access
server as Unspecified and click Next.
Under Conditions click Add. Scroll down and select the Client Friendly
Name condition and click Add…
Specify the friendly name that you used when creating the RADIUS Client above.
Click OK and Next.
On the next two pages leave the default settings and click Next.
Under the Specify a Realm Name select the Attribute option on the left. From the drop
down menu next to Attribute: on the right select User-Name. Click Next again.
Review the settings on the next page and click Finish.

Create a Network Policy.

Right-click the Network Policy folder and click New.
Set the Policy Name to something meaningful. Leave the Type of network access
server as Unspecified and click Next.
Under Conditions click Add.
Add a User Groups condition to limit access to a specific AD user group. You can use a
generic group like Domain Users or create a group specifically to restrict access.
Add a Client Friendly Name condition and again specify the Friendly Name you used
for your RADIUS client.
Click Next. Leave Access granted selected and click Next again.
(Important Step) Under Authentication Methods leave the default selection and
add Unencrypted authentication (PAP, SPAP). Other encrypted authentication
protocols can also be used.
Accept the default Constraints and click Next.
Check the ‘Ignore user account dial-in properties’ box.
Accept the default RADIUS Settings and click Next. Review the settings and click Finish.
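As an added illustration of the Access-Request exchange described under "How RADIUS Works" and of what the "Unencrypted authentication (PAP)" step above means on the wire, here is a minimal RFC 2865 round trip written for this guide (it is not Cisco's or Microsoft's code): the ASA-side client hides the PAP password with the shared secret, the NPS-side server recovers it and answers, and the client only trusts a reply whose Response Authenticator proves knowledge of the secret. The shared secret, user table and NAS address are constructed values.

```python
import hashlib, secrets, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3      # RADIUS packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4          # attribute types

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: each 16-byte chunk is XORed with MD5(secret + previous chunk)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, chunk
    return out

def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password; only a server holding the same shared secret can do this."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def decode_attrs(data):
    attrs, i = {}, 0                      # Type/Length/Value attributes -> {type: value}
    while i < len(data):
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def access_request(username, password, secret, nas_ip="10.0.0.1"):
    """ASA side: build an Access-Request with a fresh random Request Authenticator."""
    req_auth = secrets.token_bytes(16)
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in [
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))])
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + req_auth + body, req_auth

def nps_respond(packet, secret, users):
    """NPS side: recover the PAP password, check it against the (constructed) user table."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], decode_attrs(packet[20:length])
    ok = users.get(attrs[USER_NAME].decode()) == reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + req_auth + secret).digest()   # Response Authenticator

def verify_response(resp, req_auth, secret):
    """ASA side: MD5(Code+ID+Length+RequestAuth+Attributes+Secret) must match the reply."""
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return resp[4:20] == expected and resp[0] == ACCESS_ACCEPT
```

Note that PAP hiding is only an MD5-XOR keyed by the shared secret, which is why the guide insists on a complex Server Secret Key and why a mismatched secret on either side shows up as a rejected login rather than a protocol error.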

Restart the Network Policy Server service.

This may not be necessary, but we cannot be certain the above steps have taken effect without
restarting the service.

Test Your RADIUS Authentication

The ASDM utility includes functionality to test RADIUS Authentication.

If necessary re-launch the ASDM utility.

Return to Configuration -> Remote Access VPN -> AAA Setup -> AAA Server Groups.
Select the new Server Group you created.
From the Servers in the Selected Group section highlight the server you created. Click
the Test button on the right.
Select the Authentication radio button. Enter the Username and Password of a user that
meets the conditions specified in the Network Policy created above. If you are prompted to
click Add, leave the fields blank and then click OK.
A pop-up box should display the message “Authentication to the host successful”.