Authenticate Cisco ASA to Windows 2008 domain
See this article for more information. I think you will need to modify your Network Policy to allow the use of PAP and SPAP. I haven't found a way to change the authentication protocol the ASA uses. Hope that helps.
user10699
Updated on September 17, 2022
Comments
-
user10699 almost 2 years
My office has replaced its Windows 2003 domain and domain controllers with Windows 2008.
I have a Cisco ASA 5510 which handles VPN connectivity for our remote users, still integrated with one of the old Windows 2003 DCs running RADIUS.
I need to migrate the ASA from the 2003 domain to the 2008 domain. How do I configure NPS under Windows 2008?
ASA config:
aaa-server NEWDC protocol radius
aaa-server NEWDC host x.x.x.x key ********
ASA configuration test command:
test aaa-server authentication NEWDC host x.x.x.x
This always returns immediately with a bad user/pass error, for any username. The users exist in AD, are enabled, and the passwords are correct. The key is the same in both Windows and the ASA.
Windows 2008 NPS Radius Client config:
Enabled
Vendor name: RADIUS Standard or Cisco (neither works)
Manual shared secret: ********
(unchecked) Access-Request messages must contain the Message-Authenticator attribute
(unchecked) RADIUS client is NAP-capable
Windows 2008 NPS Connection Request Policy:
Enabled
Processing Order: 2 (following "Use Windows auth for all users")
Source: unspecified
Auth Provider: Local Computer
Auth Method: MS-CHAP v1 or MS-CHAP v2 or Allow unauthenticated
Override Auth: Enabled
Class: OU=Admin; Framed-Protocol: PPP; Service-Type: Framed
Windows 2008 Network Policy:
Enabled
Processing Order: 3 (highest)
Condition: Windows Group = DOMAIN\VPN
Ignore User Dial-In Properties: False
Access Permission: Grant Access
Auth method: MS-CHAP v1 or MS-CHAP v2
NAP Enforcement: Allow full network access
Update Noncompliant clients: True
Framed-Protocol: PPP
Service-Type: Framed
-
Atulmaharaj over 12 years
The newer ASA firmware versions (such as 8.2) support MS-CHAPv2 and others. I was able to turn off PAP and SPAP. Note that the ASA's RADIUS connection 'test' method still uses PAP, and will fail if you've disabled PAP. For authentication however, you don't need the unencrypted protocols anymore.
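Added example (Python, not code from the thread or from Cisco/Microsoft): the PAP Access-Request that the ASA 'test aaa-server' command sends to NPS, built as RFC 2865 describes, showing the User-Password hiding that is why the Network Policy must permit PAP for that test to pass, and the Message-Authenticator HMAC that the "must contain the Message-Authenticator attribute" checkbox on the RADIUS client controls. The shared secret, username and Request Authenticator used in the test are constructed values.

```python
import hashlib
import hmac
import struct

USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80  # RFC 2865 / RFC 2869 attribute types

def hide_password(secret, authenticator, password):
    # RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with MD5(secret || previous
    # ciphertext block); the first "previous block" is the 16-byte Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(secret, authenticator, hidden):
    # The server-side inverse: same keystream, XOR undoes itself, so the shared
    # secret alone is enough to recover a PAP password from a captured packet.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strips padding only; passwords carry no NUL bytes

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(secret, ident, username, password, authenticator):
    # Access-Request (code 1): User-Name, PAP User-Password, then Message-Authenticator
    # = HMAC-MD5(secret, packet with the attribute value zeroed), per RFC 2869 s5.14.
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(secret, authenticator, password))
    attrs += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_message_authenticator(secret, pkt):
    # NPS-side check; an absent attribute yields False, which NPS tolerates unless the box is ticked.
    i = 20
    while i + 2 <= len(pkt):
        kind, length = pkt[i], pkt[i + 1]
        if length < 2:
            return False  # malformed attribute: stop instead of looping forever
        if kind == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[:i + 2] + b"\x00" * 16 + pkt[i + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[i + 2:i + 18])
        i += length
    return False
```

The reveal function is the reason the comment above calls PAP unencrypted: anyone holding the shared secret recovers the password, so the secret's strength and the ASA-to-NPS path carry the whole burden while the test command is in use.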