Integrating Microsoft NAP with Cisco ASA

Sleepw4lker · ‎07-22-2013

Hello everyone,

I'm quite new to the Cisco world. I wonder if and how it is possible to marry Cisco ASA with Microsoft NAP (in Terms of VPN Enforcement). Does anybody know some helpful documents? Is an ACS Server/Appliance necessary?

Thanks in advance and kind regards

Jatin Katyal · ‎07-22-2013

No, you don't need acs if you want to integrate asa with nps for vpn and adminiterative (telnet/ssh) access. With Microsoft nps you just can't configure Tacacs related features like command authorization and command accounting. I will try to post a document/link for your reference.

Sent from Cisco Technical Support Android App

~Jatin

Sleepw4lker · ‎07-22-2013

Hello Jatin,

thanks so much for your fast reply.

What is with Microsoft NAP (Network Access Protection), does this also work (Here are some Client-Components involved like System Health Validators and so on)?

Kind regards

Jatin Katyal · ‎07-22-2013

You just need NPS (Network Policy server) to act as a radius server.

http://technet.microsoft.com/library/cc732912.aspx

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Jatin Katyal · ‎07-22-2013

Please post here if you have any further queries.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Sleepw4lker · ‎07-24-2013

Hello Jatin,

thanks for your reply.

Microsoft states that authentication via PEAP is necessary for NAP to work:

"One security feature of PEAP is the transmission of Statement of Health (SoH) messages."

(see http://blogs.msdn.com/b/openspecification/archive/2009/06/05/peap-phase-2-encapsulation-examples-for-a-client-authenticating-with-ms-chapv2.aspx?Redirected=true)

However, I found this topic which states that PEAP auth. is not possible with the ASA: https://supportforums.cisco.com/thread/2028742

Is that true?