Configuring Cisco Switch and ASA/VPN devices to authenticate with W2008R2 NPS RADIUS


I am currently having issues with being able to authenticate with RADIUS from our Cisco devices…it seems to partially work but I’m missing something apparently, hoping some experts can point me in the right direction. I have an ASA 5510 and VPN configured on it. I have Windows Server 2008 R2 set up with the NPS role acting as the RADIUS server (only, not using NAP, etc., just set up for RADIUS). I set up VPN recently and it seems to be working fine, but now I’m trying to configure it so that I can use my AD credentials to log in to our switches as well, but I can’t get it to divide the two…for instance, all Domain Users can use VPN, but only the NetworkGroup should be able to access the other Cisco devices.

Under RADIUS Clients I have created a client named VPN, it has the IP address of our inside interface on the ASA, Device Manufacturer as Cisco and Enabled. I have a client named Switch with the IP address of the switch I’m testing on, Cisco as Device Manufacturer and Enabled.

Under Policies > Connection Request Policies there is the default “Use Windows authentication for all users” which only has a Day/Time restriction as a condition but allows access anytime; under settings it has Authentication Provider – Local Computer and Override Authentication Disabled. I’ve added one called VPN (with open time restrictions and IPv4 address condition) and one called Switch (with open time restrictions and IPv4 address condition) here as well, thinking that’s what was needed, but during testing I find that I can disable them and it works just fine…but from reading I read there must be at least one policy in effect. I can disable the default one, but when I set up one of the others with the same credentials it doesn’t seem to take; I can’t log in from the switch, I get the error “Access denied – Using keyboard-interactive authentication.” If I enable the default CR Policy, it works again right away…basically it seems that it doesn’t care if I have or don’t have a policy in there for each device (and maybe I shouldn’t?).

Under Policies > Network Policies I’ve added two policies as well, one called Switch and one called VPN.

The Switch policy is set with the condition of User Groups-Domain\NetworkGroup. Under settings I have:

Cisco-AV-Pair with a value of shell:priv-lvl=15.
Extended State with a value of blank.
Access Permission with a value of Grant Access.
Authentication Method with a value of Unencrypted authentication (PAP, SPAP).
Nap Enforcement with a value of Allow full network access.
Update Noncompliant Clients with a value of True.
Service-Type with a value of Login.
BAP percentage of Capacity with a value of Reduce Multilink if server reaches 50% for 2 minutes.

Some of these settings I set in testing, others were there by default.

The VPN policy is set with a condition of User Groups-Domain\DomainUsers. Under settings I have:

Ignore User Dial-In Properties with a value of True.
Access Permission with a value of Grant Access.
Authentication Method with a value of Unencrypted authentication (PAP, SPAP) or MS-CHAP v1 OR MS-CHAP v1, OR MS-CHAPV2.
Nap Enforcement with a value of Allow full network access.
Update Noncompliant Clients with a value of True.
Framed-Protocol with a value of PPP.
Service-Type with a value of Framed.

Some of these settings aren’t the same because I’ve been going back and forth for a couple of days trying different scenarios, so I’m honestly not sure if some of them are necessary… I do know that if I disable that one default policy under CR-Policy, I can’t login to the switch… if I disable the RADIUS client, I can’t login to the switch (makes sense), but if I disable the Switch Network Policy it still lets me login…assuming it’s just rolling down and taking the credentials from the VPN Network Policy which allows DomainUsers to login, and I’m in that group as well…

So the outcome I’m striving for (sorry for such a long question, but trying to be as informative as possible!) is that I would like any of our end users in the DomainUsers AD group to be able to use VPN and dial up successfully, but not allow them to be able to remote into our switches and login the same way. I want only the NetworkGroup AD account to be able to login to those. How can I give access to both, securely? Sounds simple enough, and it looks simple on top but for the life of me it’s not working…if I take away the Switch Policy it still lets an end user (testing with an end user test account) login to my switch with the normal AD login (getting allowed by the VPN policy I assume). Please feel free to ask any questions or clarification, and thanks in advance for any help you can give!

Best Answer

You're going to want to stick with creating/ordering Network Policies to do what you're trying to do. Just use the one default Connection Request Policy that is wide open, and then secure via the NPs.

You can "divide the two" as you say, by limiting each Network Policy you've created with sufficient conditions, such that in combination, multiple conditions together achieve your objectives. It looks like you've specified only one condition on each policy - network group membership. As you've discovered, this won't work. When your RADIUS-enabled device asks your RADIUS server to authenticate your user, the RADIUS server forwards the user's credentials to AD, which successfully matches the credentials ('cause they're vague at this point), and returns a positive to the RADIUS server, which in turn tells the device to allow the authentication. I'm forgetting all the proper RADIUS lingo here - but basically that's what's happening.

So, stack another condition (or more) onto your policy to get what you want. Sounds like you want the switch policy to work with users in the Domain\NetworkGroup, and only on your switches (these requests should never come from your ASA's IP, or some printer or user workstation or whatever). Under conditions, look under the RADIUS client section - ClientFriendlyName, or ClientIPv4Address, for example. If the conditions include that the request is coming only from one of your predefined switch IPs or names, it won't "authenticate" requests coming from your ASA IP.

Do the same for your VPN policy too. You should be good from there. You may want to start with clean Network Policies though. I don't think you're going to be able to use the settings to update non-compliant clients without some more work (and a whole other policy type too).

Also, you can look at your RADIUS logs if you want more info on what it's actually doing. I believe they're under system32\logfiles. You may have to enable it on your NPS server, if it's not already. You can google for tools to help you read the log files, as they're not really user friendly. In a pinch, MS has an article that lists all the fields, in order. Look for the tools though (IASlogviewer? or something like that?).
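As an added illustration (not code from the question or the answer, and not an NPS API), here is a small Python model of how NPS walks its Network Policies in order and lets the first policy whose conditions all match decide the request, run first against the question's two single-condition policies and then against the same policies with a ClientIPv4Address condition stacked on as the answer suggests. The IP addresses, user names and the "Domain Users" / "NetworkGroup" names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple

# Constructed placeholder addresses for the two RADIUS clients (not from the page).
ASA_INSIDE_IP = "192.0.2.1"
SWITCH_IP = "192.0.2.20"

@dataclass(frozen=True)
class Request:
    """One Access-Request as NPS sees it: who is asking, and from which RADIUS client."""
    user: str
    groups: FrozenSet[str]
    client_ip: str

@dataclass
class Policy:
    """A Network Policy; a None condition means 'not configured' and matches anything."""
    name: str
    groups: Optional[Set[str]] = None       # User Groups condition (any listed group)
    client_ips: Optional[Set[str]] = None   # ClientIPv4Address condition
    grant: bool = True                      # Access Permission

    def matches(self, req: Request) -> bool:
        if self.groups is not None and not (self.groups & req.groups):
            return False
        if self.client_ips is not None and req.client_ip not in self.client_ips:
            return False
        return True

def evaluate(policies, req: Request) -> Tuple[Optional[str], str]:
    """NPS semantics: policies are checked in order; first full match decides, none -> reject."""
    for policy in policies:
        if policy.matches(req):
            return policy.name, "Access-Accept" if policy.grant else "Access-Reject"
    return None, "Access-Reject"

# The question's setup: a single group-membership condition per policy.
ORIGINAL = [Policy("Switch", groups={"NetworkGroup"}),
            Policy("VPN", groups={"Domain Users"})]

# The answer's fix: stack the RADIUS-client condition onto each policy.
FIXED = [Policy("Switch", groups={"NetworkGroup"}, client_ips={SWITCH_IP}),
         Policy("VPN", groups={"Domain Users"}, client_ips={ASA_INSIDE_IP})]

END_USER_ON_SWITCH = Request("alice", frozenset({"Domain Users"}), SWITCH_IP)
ADMIN_ON_SWITCH = Request("bob", frozenset({"Domain Users", "NetworkGroup"}), SWITCH_IP)
END_USER_ON_VPN = Request("alice", frozenset({"Domain Users"}), ASA_INSIDE_IP)
```

With ORIGINAL, an end user logging in at the switch falls through the Switch policy and is accepted by the VPN policy, which is exactly the behaviour described in the question; with FIXED the same request matches nothing and is rejected, while the admin at the switch and the end user on the ASA are still accepted.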