In this document I will not go over how to install Microsoft's Network Policy Server; there are plenty of guides for that around and all of them are good. Instead, this document focuses on authenticating users for VPN login and for administering devices in a Cisco networking environment. In this lab I have a Cisco 5505, a Cisco 3750, a Cisco 1841, a Cisco 2801 and a Cisco 2501 Wireless LAN Controller. I have not yet worked with the controller to authenticate wireless users, so that will not be part of this document.
In one of my recent tasks for a customer, I was asked to find a way to use Microsoft's NPS to authenticate users for both VPN and device management, while making sure that users who can VPN cannot access the devices at the console/SSH/Telnet unless they are a member of a certain security group in AD. After countless hours of searching I couldn't find a good document on how to set up authentication for this scenario.
The first situation I ran into was how to authenticate VPN users and force them into specific VPN profiles, while at the same time ensuring they are unable to access the devices via the CLI, ASDM and the web interface.
First I will set the environment for you; see the image below.
I created a group called NO_ACCESS_VPN; this group was there to test and make sure I could deny VPN and device management to a group if needed.
The first policy I created on the NPS was to deny access if you are a member of NO_ACCESS_VPN. As you can see below in the output from the event log on the NPS, this was accomplished. This was the administrator account trying to VPN in. The screenshots have been omitted because this should be an easy task.
*****************OUTPUT FROM NPS EVENT LOG***************************
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
    Security ID: MOTHERSBAUGHCOM\Administrator
    Account Name: administrator
    Account Domain: MOTHERSBAUGHCOM
    Fully Qualified Account Name: MOTHERSBAUGHCOM\administrator
Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 173.49.212.67   <-- outside IP address assigned from ISP
    Calling Station Identifier: 70.192.129.231
NAS:
    NAS IPv4 Address: 10.10.1.10
    NAS IPv6 Address: -
    NAS Identifier: -
    NAS Port-Type: Virtual
    NAS Port: 86016
RADIUS Client:
    Client Friendly Name: fw.mothersbaugh.com
    Client IP Address: 10.10.1.10
Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: VPN_AUTH_NO_VPN
    Authentication Provider: Windows
    Authentication Server: service.mothersbaugh.com
    Authentication Type: PAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 65
    Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
***************END OF OUTPUT FROM NPS EVENT LOG*************************
*****************OUTPUT FROM LOGGING ON ASA****************************
AAA user authentication Rejected : reason = AAA failure : server = 10.10.10.7 : user = administrator
**************END OF OUTPUT FROM LOGGING ON ASA***********************
SUCCESS... well, it failed, and that's what we want to see.
The next policy I created was to authenticate VPN users. Below are the screenshots of each of the configuration panels.
Overview Panel
Conditions Panel
Here we set the Called-Station-ID and the group the user must be a member of to be able to authenticate to the ASA for VPN access. The Called-Station-ID is the external IP address of the ASA; this is the address users enter into the thick client or the SSL/IPsec client to start the connection (even if they enter a hostname, the condition still needs to be the IP address).
Constraints Panel P1
I have found that the only authentication method that works is unencrypted authentication.
Constraints Panel P2
We set the NAS Port Type to Virtual (VPN).
Settings Panel
Here is where we force users to use the VPN connection policy with the alias of VPN. We also set the Service-Type to Outbound, which denies users access to administer network devices.
TESTING
*******************OUTPUT FROM NPS EVENT LOG***************************
Network Policy Server granted access to a user.
User:
    Security ID: MOTHERSBAUGHCOM\vpntest
    Account Name: vpntest
    Account Domain: MOTHERSBAUGHCOM
    Fully Qualified Account Name: MOTHERSBAUGHCOM\vpntest
Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 173.49.212.67   <-- outside IP address
    Calling Station Identifier: 70.192.129.231
NAS:
    NAS IPv4 Address: 10.10.1.10
    NAS IPv6 Address: -
    NAS Identifier: -
    NAS Port-Type: Virtual
    NAS Port: 106496
RADIUS Client:
    Client Friendly Name: fw.mothersbaugh.com
    Client IP Address: 10.10.1.10
Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: VPN_AUTH_PCs
    Authentication Provider: Windows
    Authentication Server: service.mothersbaugh.com
    Authentication Type: PAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
Quarantine Information:
    Result: Full Access
    Session Identifier: -
***************END OF OUTPUT FROM NPS EVENT LOG**********************
*****************OUTPUT FROM LOGGING ON ASA***************************
AAA retrieved user specific group policy (VPN) for user = vpntest
****************END OF OUTPUT FROM LOGGING ON ASA********************
TESTING
Below we see that although user vpntest uses RADIUS to authenticate for the VPN, it still doesn't allow him access to ASDM or the SSH console. This is because his/her user account is not in the network admins group and the called station is not the external IP address (if you allow people to administer the firewall from the outside address, which is a bad idea, you will allow all users, even those in the VPN group, to access and configure the ASA).
TESTING
******************OUTPUT FROM NPS EVENT LOG*************************
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
    Security ID: MOTHERSBAUGHCOM\vpntest
    Account Name: vpntest
    Account Domain: MOTHERSBAUGHCOM
    Fully Qualified Account Name: MOTHERSBAUGHCOM\vpntest
Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: -
    Calling Station Identifier: ip:source-ip=10.10.100.10
NAS:
    NAS IPv4 Address: 10.10.1.10
    NAS IPv6 Address: -
    NAS Identifier: -
    NAS Port-Type: Virtual
    NAS Port: 7
RADIUS Client:
    Client Friendly Name: fw.mothersbaugh.com
    Client IP Address: 10.10.1.10
Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: -
    Authentication Provider: Windows
    Authentication Server: service.mothersbaugh.com
    Authentication Type: PAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 48
    Reason: The connection request did not match any configured network policy.
*****************END OF OUTPUT FROM NPS EVENT LOG***********************
So now we are ready to configure the administrative piece of the ASA and of all the other devices that use RADIUS for device management.
Overview Panel
Conditions Panel
We set the user group to Network_Admins and proceed to the next page.
Constraints Panel P1
We set the authentication methods to PAP, SPAP; again, these are the only methods I found to work.
Settings Panel
Now we set the privilege level of the users that are in the group NETWORK_ADMINS. If you have other groups that should get a lower level of access, you would set that in a different policy and place it above the level 15 policy. We also set the Service-Type to Login.
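As an added illustration (not code from the original post), the following Python models the three NPS network policies described above, the NO_ACCESS_VPN deny, the VPN policy and the device-admin policy, as an ordered first-match list and evaluates requests built from the page's event logs, showing why ordering and the Called-Station-ID condition produce the outcomes seen. The Class and Cisco-AV-Pair attribute names and the test accounts' AD group memberships are assumptions, and the administrator denial is modelled as a policy reject rather than the AD dial-in property the log reports.

```python
from dataclasses import dataclass, field
from typing import Optional
VPN_OUTSIDE_IP = "173.49.212.67"  # ASA outside address, from the page's logs

@dataclass
class Policy:
    name: str
    group: str                     # AD group the user must be a member of
    called_station: Optional[str]  # required Called-Station-Id, or None
    nas_port_type: Optional[str]   # required NAS-Port-Type, or None
    grant: bool
    attrs: dict = field(default_factory=dict)  # RADIUS attributes returned

# Order matters: NPS evaluates top-down and stops at the first policy whose
# conditions all match. The attribute names used for the group-policy alias
# (Class) and the privilege level (Cisco-AV-Pair) are assumptions.
POLICIES = [
    Policy("VPN_AUTH_NO_VPN", "NO_ACCESS_VPN", None, None, False),
    Policy("VPN_AUTH_PCs", "VPN", VPN_OUTSIDE_IP, "Virtual", True,
           {"Class": "OU=VPN;", "Service-Type": "Outbound"}),
    Policy("DEVICES", "Network_Admins", None, None, True,
           {"Service-Type": "Login", "Cisco-AV-Pair": "shell:priv-lvl=15"}),
]

def evaluate(req: dict) -> dict:
    """Return the NPS decision for one Access-Request (dict of attributes)."""
    for p in POLICIES:
        if p.group not in req["groups"]:
            continue
        if p.called_station and req.get("called_station") != p.called_station:
            continue
        if p.nas_port_type and req.get("nas_port_type") != p.nas_port_type:
            continue
        if not p.grant:
            return {"access": "Reject", "policy": p.name, "attrs": {}}
        return {"access": "Accept", "policy": p.name, "attrs": dict(p.attrs)}
    # Nothing matched: NPS logs Reason Code 48, as in the vpntest SSH attempt.
    return {"access": "Reject", "policy": None, "reason_code": 48, "attrs": {}}

# Constructed requests mirroring the page's tests; group membership is taken
# from the text, since the event log does not carry it.
VPNTEST_VPN = {"groups": {"VPN"}, "called_station": VPN_OUTSIDE_IP,
               "calling_station": "70.192.129.231", "nas_port_type": "Virtual"}
VPNTEST_SSH = {"groups": {"VPN"}, "called_station": "-",
               "calling_station": "ip:source-ip=10.10.100.10", "nas_port_type": "Virtual"}
NETADMIN_ASDM = {"groups": {"Network_Admins"}, "called_station": "-",
                 "calling_station": "ip:source-ip=10.10.100.10", "nas_port_type": "Virtual"}
ADMIN_DENIED = {"groups": {"NO_ACCESS_VPN", "VPN"}, "called_station": VPN_OUTSIDE_IP,
                "calling_station": "70.192.129.231", "nas_port_type": "Virtual"}
```

Calling evaluate() on each constructed request reproduces the page's results: vpntest is accepted with Service-Type Outbound over the VPN but rejected with reason code 48 for SSH/ASDM, netadmin is accepted with shell:priv-lvl=15, and a NO_ACCESS_VPN member is rejected even though the VPN policy would otherwise match.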
TESTING
Below is the output from NPS showing that the user netadmin, who is a member of the network admins group, passed authentication for VPN access.
*******************OUTPUT FROM NPS EVENT LOG**************************
Network Policy Server granted access to a user.
User:
    Security ID: MOTHERSBAUGHCOM\netadmin
    Account Name: netadmin
    Account Domain: MOTHERSBAUGHCOM
    Fully Qualified Account Name: MOTHERSBAUGHCOM\netadmin
Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 173.49.212.67
    Calling Station Identifier: 70.192.129.231
NAS:
    NAS IPv4 Address: 10.10.1.10
    NAS IPv6 Address: -
    NAS Identifier: -
    NAS Port-Type: Virtual
    NAS Port: 118784
RADIUS Client:
    Client Friendly Name: fw.mothersbaugh.com
    Client IP Address: 10.10.1.10
Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: DEVICES
    Authentication Provider: Windows
    Authentication Server: service.mothersbaugh.com
    Authentication Type: PAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
Quarantine Information:
    Result: Full Access
    Session Identifier: -
**************END OF OUTPUT FROM NPS EVENT LOG***********************
TESTING
The user netadmin logs into ASDM, and from the ASA's CLI we see the logs showing he was granted level 15 access.
******************OUTPUT FROM LOGGING ON ASA*************************
%ASA-5-502103: User priv level changed: Uname: netadmin From: 1 To: 15
%ASA-5-111008: User 'netadmin' executed the 'enable' command.
%ASA-5-111008: User 'netadmin' executed the 'perfmon interval 10' command.
%ASA-5-111008: User 'netadmin' executed the 'dir disk0:/dap.xml' command.
%ASA-5-111010: User 'netadmin', running 'CLI' from IP 0.0.0.0, executed 'dir disk0:/dap.xml'
**************END OF OUTPUT FROM LOGGING ON ASA***********************
In short, it took a long time to figure this out because of the lack of information I found on the web, but I was finally able to get it working. I wrote this document because I got very frustrated with people giving answers like "run another NPS server" or "use LDAP from the ASA". I know these are solutions, but I felt there had to be a way to support both means of authentication and still run only one box. I really hope this helps someone else, and if you have any questions, comments or concerns, please feel free to email me at rmothersbaugh@anexinet.com.
Labels: AD integration, Cisco ASA, Microsoft, NPS, VPN