Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1799
Views
5
Helpful
5
Replies

Integrating Microsoft NAP with Cisco ASA

Sleepw4lker
Level 1
Level 1

‎07-22-2013 05:07 AM - edited ‎03-10-2019 08:40 PM

Hello everyone,

I'm quite new to the Cisco world. I wonder if and how it is possible to marry Cisco ASA with Microsoft NAP (in Terms of VPN Enforcement). Does anybody know some helpful documents? Is an ACS Server/Appliance necessary?

Thanks in advance and kind regards

Labels:
0 Helpful
5 Replies 5

Jatin Katyal
Cisco Employee
Cisco Employee

‎07-22-2013 05:33 AM

No, you don't need acs if you want to integrate asa with nps for vpn and adminiterative (telnet/ssh) access. With Microsoft nps you just can't configure Tacacs related features like command authorization and command accounting. I will try to post a document/link for your reference.


Sent from Cisco Technical Support Android App

~Jatin
0 Helpful

Sleepw4lker
Level 1
Level 1
In response to Jatin Katyal

‎07-22-2013 06:48 AM

Hello Jatin,

thanks so much for your fast reply.

What is with Microsoft NAP (Network Access Protection), does this also work (Here are some Client-Components involved like System Health Validators and so on)?

Kind regards

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to Sleepw4lker

‎07-22-2013 06:52 AM

You just need NPS (Network Policy server) to act as a radius server.

http://technet.microsoft.com/library/cc732912.aspx

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Jatin Katyal
Cisco Employee
Cisco Employee
In response to Jatin Katyal

‎07-22-2013 11:51 AM

Please post here if you have any further queries.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
0 Helpful

Sleepw4lker
Level 1
Level 1
In response to Jatin Katyal

‎07-24-2013 03:41 AM

Hello Jatin,

thanks for your reply.

Microsoft states that authentication via PEAP is necessary for NAP to work:

"One security feature of PEAP is the transmission of Statement of Health (SoH) messages."

(see http://blogs.msdn.com/b/openspecification/archive/2009/06/05/peap-phase-2-encapsulation-examples-for-a-client-authenticating-with-ms-chapv2.aspx?Redirected=true)

However, I found this topic which states that PEAP auth. is not possible with the ASA: https://supportforums.cisco.com/thread/2028742

Is that true?

0 Helpful
Top