topic Windows Server 2008 R2 RADIUS Authentication in Network Access Control

Windows Server 2008 R2 RADIUS Authentication

Ashley Sahonta — Mon, 11 Mar 2019 01:32:11 GMT

Hi,

I have implemented RADIUS so that users in a windows group are able to login to a Cisco device using their windows login. The issue I have is that users in this group are also able to authenticate through radius for the remote access vpn (on a ASA5510). I have setup a seperate windows group for VPN users. When I created a policy for the VPN, the VPN users were also able to authenticate and login to the cisco network devices.

My aim is to have two seperate groups - one for administrating the cisco devices and one for VPN access only. This is so that a regular user is not able to login to a cisco device.

The setup -

Windows Server 2008 R2 Enterprise x64

NPS Policy - service-type - login (have also used administrative), vendor-specific - Cisco-AV-pair - shell:priv-lvl=15 (have used RADIUS also), encryption setting - basic, strong and strongest, authentication method - PAP + SPAP.

The authentication works fine (VPN + Login) and has worked with the various other settings (above) I have tried.

If anyone has been able to lock the RADIUS down so that it only does what it says on the tin, I would greatly appreciate your help.

Thanks,

Ash

Windows Server 2008 R2 RADIUS Authentication

IT Services — Tue, 04 Sep 2012 17:18:07 GMT

This is all over the Cisco forums and no real clear answers. I am also having this conundrum. The only way I was able to get this to work is having 2 separate NPS servers, not ideal.

Re: Windows Server 2008 R2 RADIUS Authentication

Jagdeep Gambhir — Tue, 04 Sep 2012 18:30:35 GMT

Hi ,

You need to add the Windows_Group condition in the network policies of NPS. See attachment

No need to have two NPS.

Regards,

~JG

Do rate helpful posts

Windows Server 2008 R2 RADIUS Authentication

IT Services — Tue, 04 Sep 2012 20:22:59 GMT

That does not resolve the issue. You cannot have a policy that points to 2 different AD Groups because the Device managment authentication and VPN authencation use the same NPS server, which would then give the VPN authenticated users access to the device managment.

Re: Windows Server 2008 R2 RADIUS Authentication

Jagdeep Gambhir — Tue, 04 Sep 2012 23:18:54 GMT

You need to setup TWO policies with the Condition of Windows group. NPS will check all the policies and access will be granted as per the policy it matched. If none matched, access would be denied.

Eg,

If requested comes from > Admin Device (Router & Switches) and user does NOT belong to Admin AD group -----> Deny Access

If requested comes from > VPN server and User have successfully authenticated -----> Permit Access.

With this, only Specific AD group will be able to login to Admin Devices and all AD user's would get VPN access.

Hope that helps,

Regards,

-JG

Do rate helpful posts

Windows Server 2008 R2 RADIUS Authentication

IT Services — Wed, 05 Sep 2012 12:30:37 GMT

I have tried this and still does not have the desired results. The Policy setup with the VPN users group allows them to authenticate and manage the Cisco ASA. Please test your configuration and let me know your results. Thanks.

Windows Server 2008 R2 RADIUS Authentication

Rodney Mothersbaugh — Wed, 05 Sep 2012 15:31:48 GMT

IT serverices. I am not at home but as soon as i get there ill post the answer. I spent about 3 hours trying to get it work. FINALLY.

Off the top of my head you have to set up a value in condistions. Like Login and a service-type. and results on VPN will be service-type-outbound. that is the best i can remember off the top off my head.

Windows Server 2008 R2 RADIUS Authentication

IT Services — Wed, 05 Sep 2012 15:39:31 GMT

Great. Thanks for the response Rodney, I look forward to seeing the configuration. I beleive I tried the Service-Type configuration but didn't get it to work. I wonder if I have the wrong combination.

Re: Windows Server 2008 R2 RADIUS Authentication

Rodney Mothersbaugh — Wed, 05 Sep 2012 19:58:48 GMT

Part 1 of 2

This is the first device policy and it is for the management of the network devices. I am leaving work now and will provide part 2 of 2

NPS -> Policies -> network Policies

Policy Name Devices

Overview

policy enabled = True

Grant access -

blah blah blah

Ignore dialin stuff

Conditions

User Groups = NetworkAdmins

Constraints

Unencrypted auth (PAP,SPAP)

Settings

Standard

class shell=Priv-15

Service-Type Login

Sent from Cisco Technical Support iPad App

Re: Windows Server 2008 R2 RADIUS Authentication

IT Services — Wed, 05 Sep 2012 20:26:42 GMT

Ok I have followed exactly this configuration but the VPN users still have access to administrative functions on the ASA. This does not happen on a cisco switch though.

Re: Windows Server 2008 R2 RADIUS Authentication

Rodney Mothersbaugh — Wed, 05 Sep 2012 20:59:02 GMT

wont be as pretty

under conditions i used two things.

usergroup and Called station id

usergroup was my vpn group

for called station id use the external ip address (i have only tested this with using my ipad so i use ip address this may need to be the hostname)

last page using service type select outbound this stops them from accessing the devices for managment

***************CHANGEFROM****************

i put devices first in my list and vpn auth second

***************CHANGETO****************

I changed the list to put VPN auth on top this way i can push them to a VPN profile. With it the other way around the it was hitting the device policy first fro users that are in both VPN_USERS and NetworkAdmins

Sent from Cisco Technical Support iPad App

Re: Windows Server 2008 R2 RADIUS Authentication

Rodney Mothersbaugh — Wed, 05 Sep 2012 21:09:24 GMT

if you are still having issues we can set up a webex and you can look at my configurations

Sent from Cisco Technical Support iPad App

Re: Windows Server 2008 R2 RADIUS Authentication

Rodney Mothersbaugh — Thu, 06 Sep 2012 04:29:55 GMT

Ok last post for the night. IT Services I have loads of screen shots. I will post the link to the setup stuff tomorrow or friday. But if you are having issues from now until then please dont hesitate to ask. Ill be more then happy to let yo take a look around and even test it yourself. I have two accounts one with device admin rights and one without and you can VPN in and test for yourself if you are still having issues.

Windows Server 2008 R2 RADIUS Authentication

IT Services — Thu, 06 Sep 2012 13:08:40 GMT

Thanks for your help your last suggestion did the trick. Thanks for your help.