Introduction
- By default UDP/1812 is used, but it is recommended to change this to another UDP port if NPS is installed on the same machine as your Mideye server. Open the properties for NPS. If NPS and the Mideye server are installed on the same server, change the port.
- On the second one, create a NAS port and set the providers to the NPS server that was defined under Remote RADIUS Server. Now disable the Virtual Private Network (VPN) Connections and Microsoft Routing and Remote Access Service policies, as you can see in the picture above.
By default, NPS sends and receives RADIUS traffic by using User Datagram Protocol (UDP) ports 1812, 1813, 1645, and 1646. Windows Firewall on the NPS server is automatically configured with exceptions, during the installation of NPS, to allow this RADIUS traffic to be sent and received.
![Ports Ports](/uploads/1/3/4/3/134328630/930190145.jpg)
This document describes the procedure for Remote Authentication Dial-In User Service (RADIUS) configuration on Cisco Wide Area Application Services (WAAS) and Windows 2008 R2 Network Policy Server (NPS).
The default WAAS configuration uses local authentication. Cisco WAAS also supports RADIUS and Terminal Access Controller Access-Control System (TACACS+) for Authentication, Authorization, and Accounting (AAA). This document covers the configuration for one device only; however, the same steps can be applied under a device group. All of the configuration must be applied via the WAAS CM GUI.
General WAAS AAA configuration is provided in the Cisco Wide Area Application Services Configuration Guide under chapter Configuring Administrative Login Authentication, Authorization, and Accounting.
Contributed by Hamilan Gnanabaskaran, Cisco TAC Engineer.
Edited by Sanaz Tayyar, Cisco TAC Engineer.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- WAAS 5.x or 6.x
- Windows NPS server
- AAA - RADIUS
Components Used
The information in this document is based on these software and hardware versions:
- Cisco WAAS - Virtual Central Manager (vCM)
- WAAS 6.2.3.b
- Windows 2008 NPS
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a default configuration. If your network is live, ensure that you understand the potential impact of any command.
Related Products
This document can also be applied with these hardware and software versions:
- vWAAS, ISR-WAAS and all the WAAS appliances
- WAAS 5.x or WAAS 6.x
- WAAS as Central Manager, Application Accelerator
Note: APPNAV-XE doesn't support this configuration. Router AAA pushes the configuration to APPNAV-XE.
Configuration Steps
These configurations need to be applied:
1. WAAS Central manager
1.1 AAA RADIUS configuration
1.2 AAA Authentication configuration
2. Windows 2008 R2 - NPS server configuration
2.1 RADIUS Clients Configuration
2.2 Network Policy Configuration
3. WAAS CM configuration for RADIUS User Accounts
1. WAAS Central Manager
1.1 In WAAS Central Manager, create the RADIUS server under Configure > Security > AAA > RADIUS.
1.2 Configure the authentication method to reflect RADIUS under Configure > Security > AAA > Authentication Methods.
The primary authentication method is chosen as RADIUS and the secondary authentication method as local, so that in the event of a RADIUS failure the customer can still log in via a local account.
2. Windows 2008 R2 -NPS Server Configuration
2.1 In the Windows 2008 R2 - NPS server, create the WAAS device IP as a RADIUS client.
2.2 In the Windows 2008 R2 - NPS server, create a network policy that matches the WAAS devices and allows authentication.
In the lab, these parameters must be selected under NPS > Policies > Network Policy.
The condition can be matched on the RADIUS Client Friendly Name; other methods, such as IP address, can also be used.
- Authentication Methods: Unencrypted Authentication (PAP, SPAP).
- Service-Type: Administrative.
- Vendor Specific Attribute: Cisco-AV-Pair (Shell:priv-lvl=15).
- Allow Full Network Access.
3. WAAS CM configuration for RADIUS User Accounts
Configuring a user in RADIUS with privilege level 15 or 1 does not by itself grant access to the WAAS CM GUI. The CMS database maintains a list of users, roles, and domains separate from the external AAA server.
After the external AAA server has been correctly configured to authenticate a user, the CM GUI must be configured to give that user the necessary roles and domains to work within the CM GUI.
If the RADIUS user is not present in the CM under users, logging in to the GUI with that user displays this message: "Your account does not have privileges to access any of the Central Manager Pages. Please check with your Administrator about provisioned roles and domains."
Configure the local user name under WAAS CM without a password.
The username must be bound to the right roles under Role Management for each user.
If the user needs to have read-only access or limited access, this can be configured under roles.
Verification
This configuration is pushed to the WAAS devices. Note the fail-over line at the end: the secondary local method is used only when the RADIUS server is unreachable, not when the server rejects a login.
radius-server key ****
radius-server host 10.66.86.125 auth-port 1645
!
authentication login local enable secondary
authentication login radius enable primary
authentication configuration local enable secondary
authentication configuration radius enable primary
authentication fail-over server-unreachable
The Cisco CLI Analyzer (registered customers only) supports certain show commands. Use the Cisco CLI Analyzer in order to view an analysis of show command output.
- authentication - Configure Authentication
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
- Check the Windows domain logs.
- Run debug aaa authorization from the WAAS CM CLI.
Related Information
Introduction
This document explains how to configure an Adaptive Security Appliance (ASA) to communicate with a Microsoft Windows 2008 Network Policy Server (NPS) over the RADIUS protocol so that legacy Cisco VPN Client, AnyConnect, and Clientless WebVPN users are authenticated against Active Directory. NPS is one of the server roles offered by Windows 2008 Server. It is the equivalent of IAS (Internet Authentication Service) on Windows 2003 Server, which is the implementation of a RADIUS server that provides remote dial-in user authentication. Similarly, in Windows 2008 Server, NPS is the implementation of a RADIUS server. Basically, the ASA is a RADIUS client of the NPS RADIUS server: the ASA sends RADIUS authentication requests on behalf of VPN users, and NPS authenticates them against Active Directory.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
- ASA that runs Version 9.1(4)
- Windows 2008 R2 Server with Active Directory services and NPS role installed
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Configure
Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.
Network Diagram
Configurations
ASDM Configuration
- Choose the tunnel-group for which NPS authentication is required.
- Click Edit and choose Basic.
- In the Authentication section, click Manage.
- In the AAA Server Groups section, click Add.
- In the AAA Server Group field, enter the name of the server group (for example, NPS).
- From the Protocol drop-down list, choose RADIUS.
- Click OK.
- In the Servers in the Selected Group section, choose the AAA Server Group added and click Add.
- In the Server Name or IP Address field, enter the server IP address.
- In the Server Secret Key field, enter the secret key.
- Leave the Server Authentication Port and the Server Accounting Port fields at the default value unless the server listens on a different port.
- Click OK.
- Click OK.
- From the AAA Server Group drop-down list, choose the group (NPS in this example) added in the previous steps.
- Click OK.
CLI Configuration
By default, the ASA uses the unencrypted Password Authentication Protocol (PAP) authentication type. This does not mean that the ASA sends the password in plain text when it sends the RADIUS REQUEST packet. Rather, the plaintext password is encrypted with the RADIUS shared secret.
If password management is enabled under the tunnel-group, then ASA uses the MSCHAP-v2 authentication type in order to encrypt the plaintext password. In such a case, ensure that the Microsoft CHAPv2 Capable check box is checked in the Edit AAA Server window configured in the ASDM configuration section.
Note: The test aaa-server authentication command always uses PAP. Only when a user initiates a connection to tunnel-group with password-management enabled does the ASA use MSCHAP-v2. Also, the 'password-management [password-expire-in-days days]' option is only supported with Lightweight Directory Access Protocol (LDAP). RADIUS does not provide this feature. You will see the password expire option when the password is already expired in Active Directory.
Windows 2008 Server with NPS Configuration
The NPS Server Role should be installed and running on the Windows 2008 server. If not, choose Start > Administrative Tools > Server Roles > Add Role Services. Choose the Network Policy Server and install the software. Once the NPS Server Role is installed, complete these steps in order to configure the NPS to accept and process RADIUS authentication requests from the ASA:
- Add the ASA as a RADIUS client in the NPS server.
- Choose Administrative Tools > Network Policy Server.
- Right-click RADIUS Clients and choose New.
- Enter a Friendly name, Address (IP or DNS), and Shared Secret configured on the ASA.
- Click the Advanced tab.
- From the Vendor name drop-down list, choose RADIUS Standard.
- Click OK.
- Create a new Connection Request Policy for VPN users. The purpose of the Connection Request Policy is to specify whether the requests from RADIUS clients are to be processed locally or forwarded to remote RADIUS servers.
- Under NPS > Policies, right-click Connection Request Policies and create a new policy.
- From the Type of network access server drop-down list, choose Unspecified.
- Click the Conditions tab.
- Click Add.
- Enter the ASA's IP address as a 'Client IPv4 Address' condition.
- Click the Settings tab.
- Under Forwarding Connection Request, choose Authentication. Ensure the Authenticate requests on this server radio button is chosen.
- Click OK.
- Add a Network Policy where you can specify which users are allowed to authenticate. For example, you can add Active Directory user groups as a condition. Only those users who belong to a specified Windows group are authenticated under this policy.
- Under NPS, choose Policies.
- Right-click Network Policy and create a new policy.
- Ensure the Grant access radio button is chosen.
- From the Type of network access server drop-down list, choose Unspecified.
- Click the Conditions tab.
- Click Add.
- Enter the ASA's IP address as a Client IPv4 Address condition.
- Enter the Active Directory user group which contains VPN users.
- Click the Constraints tab.
- Choose Authentication Methods.
- Ensure the Unencrypted authentication (PAP, SPAP) check box is checked.
- Click OK.
Pass Group-policy Attribute (Attribute 25) from the NPS RADIUS Server
If the group-policy needs to be assigned to the user dynamically with the NPS RADIUS server, the group-policy RADIUS attribute (attribute 25) can be used.
Complete these steps in order to send the RADIUS attribute 25 for dynamic assignment of a group-policy to the user.
- After the Network Policy is added, right-click the required Network Policy and click the Settings tab.
- Choose RADIUS Attributes > Standard. Click Add. Leave the Access type as All.
- In the Attributes box, choose Class and click Add. Enter the attribute value, that is, the name of the group-policy as a string. Remember that a group-policy with this name has to be configured in the ASA. This is so that the ASA assigns it to the VPN session after it receives this attribute in the RADIUS response.
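An added example, not part of the original document, showing what a RADIUS client such as the ASA or WAAS does with an Access-Accept carrying the attributes configured on this page: the Class attribute (25) holding the group-policy name described just above, the Service-Type, and the Cisco-AV-Pair shell:priv-lvl=15 from the WAAS network policy earlier on the page. The Response Authenticator (RFC 2865 section 3) is verified with the shared secret before any attribute is trusted; the identifier, authenticator, secret and attribute values are constructed.

```python
import hashlib
import struct

ACCESS_ACCEPT, ATTR_SERVICE_TYPE, ATTR_CLASS, ATTR_VENDOR_SPECIFIC = 2, 6, 25, 26
CISCO_VENDOR_ID, CISCO_AVPAIR, SERVICE_TYPE_ADMINISTRATIVE = 9, 1, 6


def encode_attrs(attrs):
    # RADIUS attribute TLV: 1-byte type, 1-byte total length (header included), value
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def cisco_avpair(text):
    # Vendor-Specific (26) payload: vendor-id 9 (Cisco), vendor-type 1 (AV-Pair), vendor-length, string
    v = text.encode()
    return struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(v)) + v


def build_access_accept(ident, request_auth, secret, attrs):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body


def parse_access_accept(packet, request_auth, secret):
    # Reject any reply whose authenticator does not verify before acting on its attributes
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    body = packet[20:]
    if packet[4:20] != hashlib.md5(packet[:4] + request_auth + body + secret).digest():
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    result = {"id": ident, "avpairs": []}
    pos = 0
    while pos < len(body):
        t, l = body[pos], body[pos + 1]
        if l < 2 or pos + l > len(body):
            raise ValueError("malformed attribute length")
        v = body[pos + 2:pos + l]
        if t == ATTR_CLASS:
            result["group_policy"] = v.decode()  # attribute 25: group-policy name the ASA applies
        elif t == ATTR_SERVICE_TYPE:
            result["service_type"] = struct.unpack("!I", v)[0]
        elif t == ATTR_VENDOR_SPECIFIC and len(v) >= 6 and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID:
            if v[4] == CISCO_AVPAIR:
                result["avpairs"].append(v[6:4 + v[5]].decode())
        pos += l
    return result
```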
Verify
Use this section to confirm that your configuration works properly.
Note: Refer to Important Information on Debug Commands before you use debug commands.
ASA Debugs
Enable debug radius all on the ASA.
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
- Ensure that the connectivity between the ASA and the NPS server is good. Apply packet captures to ensure the authentication request leaves the ASA interface (from where the server is reachable). Confirm that the devices in the path do not block UDP port 1645 (the default RADIUS authentication port) so that the request reaches the NPS server. More information on packet captures on the ASA can be found in ASA/PIX/FWSM: Packet Capturing using CLI and ASDM Configuration Example.
- If the authentication still fails, look in the Event Viewer on the Windows NPS. Under Event Viewer > Windows Logs, choose Security. Look for events associated with NPS around the time of the authentication request. Once you open Event Properties, you should be able to see the reason for the failure, as shown in the example. In this example, PAP was not chosen as the authentication type under the Network Policy; hence, the authentication request fails.