本文转自:https://www.petenetlive.com/KB/Article/0000688

Problem

Last week I was configuring some 2008 R2 RADIUS authentication, for authenticating remote VPN clients to a Cisco ASA Firewall.

I will say that Kerberos Authentication is a LOT easier to configure, so you might want to check that first.

Solution

Step 1 Configure the ASA for AAA RADIUS Authentication

1. Connect to your ASDM, > Configuration > Remote Access VPN. > AAALocal Users > AAA Server Groups.

ASDM Configuration AAA

2. In the Server group section > Add.

Cisco ASDM Remote Access VPN

3. Give the group a name and accept the defaults > OK.

AAA Server RADIUS

4. Now (with the group selected) > In the bottom (Server) section > Add.

Add AAA Server

5. Specify the IP address, and a shared secret that the ASA will use with the 2008 R2 Server performing RADIUS > OK.

RADIUS Cisco ASA Server

6. Apply.

ASDM Apply Changes

Configure AAA RADIUS from command line;

aaa-server PNL-RADIUS protocol radius
aaa-server PNL-RADIUS (inside) host 172.16.254.223
  key 123456
  radius-common-pw 123456
  exit

Step 2 Configure Windows 2012 Server to allow RADIUS

7. On the Windows 2008 Server > Launch Server Manager > Roles > Add Role.

2008 Add Server Role

8. If you get a welcome page > Next > Select Network Policy and Access Server > Next >Next.

Network Policy and Access Server Role

9. Select ‘Network Policy Server’ > Next > Install.

2008 Network Policy Server

10. Close, when complete.

2008 Server Role Added

11. Whilst still in Server Manager > Network Policy and Access Server > NPS (Local).

2008 Manage 2008 NPS

12. Register Server in Active Directory >OK > OK.

Register NPS in AD

13. Expand RADIUS Clients and Servers > Right click RADIUS Clients > New.

2008 Add RADIUS Cllent

14. Give the firewall a friendly name, (take note of what this is, you will need it again) > Specify its IP > Enter the shared secret you setup above (number 5) > OK.

2008 RADIUS Client

15. Expand policies > right click ‘Connection Request Policies’ > New > Give the policy a name > Next.

NPS Connection Policy

16. Add a condition > Set the condition to ‘Client Friendly Name’ > Add.

RADIUS Friendly Name

17. Specify the name you set up above (number 14) > OK > Next > Next > Next.

Cisco ASA name

18. Change the attribute to User-Name > Next > Finish.

username attribute

19. Now right click ‘Network Policies’ > New > Give the policy a name> Next.

2008 Network Policy

20. Add a condition > User Groups > Add.

NAP Windows 2008 R2

21. Add in the AD security group you want to allow access to > OK > Next > Next.

Allow AD Group RADIUS Dial In

22. Select ‘Unencrypted Authentication PAP SPAP” > Next > No > Next > Next > Finish.

PAP SPAP

Step 3 Test RADIUS Authentication

23. Back at the ASDM, in the same page you were in previously, select your server and then click ‘Test’.

Test AAA

24. Change the selection to Authentication > Enter your domain credentials > OK.

AD username Cisco ASA

25. You are looking for a successful outcome.

Note: if it fails check there is physical connectivity between the two devices, the shared secrets match. Also ensure UDP ports 1645 and 1646 are not being blocked.

RADIUS Test

To Test AAA RADIUS Authentication from Command Line

test aaa-server authentication PNL-RADIUS host 172.16.254.223 username petelong password password123

26. Finally, save the firewall changes > File > Save running configuration to flash.

Cisco ASA Save Changes

Related Articles, References, Credits, or External Links

Windows Server 2003 – Configure RADIUS for Cisco ASA 5500 Authentication

Windows Server 2012 – Configure RADIUS for Cisco ASA 5500 Authentication