Microsoft NPS, Authenticating user for VPN and device Management


In this document I will not be going over how to install Microsoft's Network Policy Server; there are already plenty of guides on that, and all of them are good at walking through the install. Instead this doc focuses on authenticating users to log in to the VPN and to administer devices within a Cisco networking environment. In this LAB I have a Cisco 5505, Cisco 3750, Cisco 1841, Cisco 2801 and a Cisco 2501 Wireless LAN Controller. I have yet to work with the controller to authenticate wireless users, so that will not be a part of this document.
In one of my recent tasks for a customer, I was asked to find a way to use Microsoft's NPS to authenticate users for both VPN and device management, making sure that users who can VPN cannot access the devices at the console/SSH/Telnet unless they are a member of a certain security group in AD. After countless hours of searching I couldn't find a good doc on how to set up authentication for this scenario.
The first situation I ran into was how to authenticate VPN users and force them onto specific VPN profiles, while at the same time ensuring they are unable to access the devices via the CLI, ASDM, and the web interface.
First I will set the environment for you; see the image below.




I created a group called NO_ACCESS_VPN. This group was there to test and make sure I could deny VPN and device management to a group if needed.
The first policy I created on the NPS was to deny access if you are a member of NO_ACCESS_VPN. As you can see below in the output from the event log on the NPS, this was accomplished. This was the administrator account trying to VPN in. The screenshots have been omitted because this should be an easy task.

*****************OUTPUT FROM NPS EVENT LOG***************************
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
                Security ID:                                            MOTHERSBAUGHCOM\Administrator
                Account Name:                                     administrator
                Account Domain:                                 MOTHERSBAUGHCOM
                Fully Qualified Account Name:          MOTHERSBAUGHCOM\administrator

Client Machine:
                Security ID:                                            NULL SID
                Account Name:                                     -
                Fully Qualified Account Name:          -
                OS-Version:                                           -
                Called Station Identifier:                      173.49.212.67      <-- outside ip address assigned from ISP
                Calling Station Identifier:                     70.192.129.231

NAS:
                NAS IPv4 Address:                                10.10.1.10
                NAS IPv6 Address:                                -
                NAS Identifier:                                       -
                NAS Port-Type:                                     Virtual
                NAS Port:                                               86016

RADIUS Client:
                Client Friendly Name:                           fw.mothersbaugh.com
                Client IP Address:                                  10.10.1.10

Authentication Details:
                Connection Request Policy Name:     Use Windows authentication for all users
                Network Policy Name:                         VPN_AUTH_NO_VPN
                Authentication Provider:                     Windows
                Authentication Server:                         service.mothersbaugh.com
                Authentication Type:                           PAP
                EAP Type:                                               -
                Account Session Identifier:                 -
                Logging Results:                                   Accounting information was written to the local log file.
                Reason Code:                                        65
                Reason:                                                  The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.

***************END OF OUTPUT FROM NPS EVENT LOG*************************

*****************OUTPUT FROM LOGGING ON ASA****************************

AAA user authentication Rejected : reason = AAA failure : server = 10.10.10.7 : user = administrator

**************END OF OUTPUT FROM LOGGING ON ASA***********************

SUCCESS... Well, failed, and that's what we want to see.
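The event bodies quoted in this doc are what NPS writes for every granted or denied request, so they are also the first thing to look at when a policy does not behave. The parser below is an added example (not Microsoft code and not part of the original write-up) that turns one event body into a structured record and pulls out the fields that matter for this scenario: who asked, what the NAS reported as Called/Calling Station, which policy matched and the reason code. The two samples are constructed from the events shown on this page, trimmed to the fields the parser needs. The `access_path` heuristic is an assumption drawn only from these events: the VPN logons carried the ASA's outside IP as Called-Station-Id, while the SSH/ASDM attempt carried `ip:source-ip=<addr>` as Calling-Station-Id and no Called-Station-Id.

```python
"""Parse the text body of an NPS 'granted/denied access to a user' audit
event into a dict of sections, then summarise the fields that explain the
decision. Added example; samples are constructed from the page's events."""
import re
from typing import Dict, Optional

# Constructed sample 1: the deny-policy hit for the Administrator account.
SAMPLE_DENIED = """Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
                Security ID:                  MOTHERSBAUGHCOM\\Administrator
                Fully Qualified Account Name: MOTHERSBAUGHCOM\\administrator

Client Machine:
                Called Station Identifier:    173.49.212.67
                Calling Station Identifier:   70.192.129.231

NAS:
                NAS IPv4 Address:             10.10.1.10
                NAS Port-Type:                Virtual

Authentication Details:
                Network Policy Name:          VPN_AUTH_NO_VPN
                Authentication Type:          PAP
                Reason Code:                  65
                Reason:                       The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user.
"""

# Constructed sample 2: vpntest trying SSH/ASDM from the inside; no policy matched.
SAMPLE_NO_MATCH = """Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
                Fully Qualified Account Name: MOTHERSBAUGHCOM\\vpntest

Client Machine:
                Called Station Identifier:    -
                Calling Station Identifier:   ip:source-ip=10.10.100.10

NAS:
                NAS IPv4 Address:             10.10.1.10
                NAS Port-Type:                Virtual

Authentication Details:
                Network Policy Name:          -
                Authentication Type:          PAP
                Reason Code:                  48
                Reason:                       The connection request did not match any configured network policy.
"""

SECTION_RE = re.compile(r"^(\S[^:]*):\s*$")          # unindented "User:", "NAS:" ...
FIELD_RE = re.compile(r"^\s+([^:]+?):\s*(.*?)\s*$")  # indented "Key:   value"


def parse_nps_event(text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Return {section: {field: value}}; '-' becomes None, unindented free
    text (the headline and the 'Contact ...' line) lands in Header/Message."""
    event: Dict[str, Dict[str, Optional[str]]] = {"Header": {"Message": ""}}
    section = "Header"
    for raw in text.splitlines():
        if not raw.strip():
            continue
        sec = SECTION_RE.match(raw)
        if sec:
            section = sec.group(1)
            event.setdefault(section, {})
            continue
        fld = FIELD_RE.match(raw)
        if fld:
            key, value = fld.group(1), fld.group(2)
            event[section][key] = None if value == "-" else value
            continue
        msg = event["Header"]["Message"] or ""
        event["Header"]["Message"] = (msg + " " + raw.strip()).strip()
    return event


def summarize(event: Dict[str, Dict[str, Optional[str]]]) -> Dict[str, object]:
    """Pull out the fields that explain which policy fired and why."""
    msg = event["Header"]["Message"] or ""
    outcome = "granted" if "granted access" in msg else "denied" if "denied access" in msg else "unknown"
    client = event.get("Client Machine", {})
    auth = event.get("Authentication Details", {})
    code = auth.get("Reason Code")
    return {
        "outcome": outcome,
        "user": event.get("User", {}).get("Fully Qualified Account Name"),
        "called_station": client.get("Called Station Identifier"),
        "calling_station": client.get("Calling Station Identifier"),
        "nas_port_type": event.get("NAS", {}).get("NAS Port-Type"),
        "policy": auth.get("Network Policy Name"),
        "reason_code": int(code) if code else None,
    }


def access_path(summary: Dict[str, object]) -> str:
    """Assumed heuristic from this page's events: management logins show
    'ip:source-ip=' in Calling-Station-Id, VPN logins carry the outside IP
    in Called-Station-Id."""
    calling = str(summary.get("calling_station") or "")
    if calling.startswith("ip:source-ip="):
        return "management"
    if summary.get("called_station"):
        return "vpn"
    return "unknown"


if __name__ == "__main__":
    for sample in (SAMPLE_DENIED, SAMPLE_NO_MATCH):
        s = summarize(parse_nps_event(sample))
        print(access_path(s), s)
```

Reason code 48 with an empty Network Policy Name is the signature of "fell through every policy", which in this design is exactly what a VPN-only user hitting SSH or ASDM should produce; a denied event that names a policy instead means a policy matched and rejected on purpose (code 65 in the test above).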


The next policy I created was to authenticate VPN users. Below are the screenshots of each configuration panel.

Overview Panel



Conditions Panel
Here we set the CALLED STATION ID and the group whose members are allowed to authenticate to the ASA for VPN access. The CALLED STATION ID is the external IP address of the ASA; this is the address that the users enter into the thick client or the SSL/IPsec client to start the connection (even if users enter a hostname, the condition still needs to be the IP address).




Constraints Panel P1
I have found that the only authentication method that works is unencrypted authentication.





Constraints Panel P2
We set the NAS Port Type to Virtual (VPN).



Settings Panel
Here is where we force users to use the VPN connection policy with the alias of VPN. We also set the Service-Type to Outbound. This denies users access to administer network devices.



TESTING
*******************OUTPUT FROM NPS EVENT LOG***************************
Network Policy Server granted access to a user.

User:
                Security ID:                                            MOTHERSBAUGHCOM\vpntest
                Account Name:                                     vpntest
                Account Domain:                                 MOTHERSBAUGHCOM
                Fully Qualified Account Name:          MOTHERSBAUGHCOM\vpntest

Client Machine:
                Security ID:                                            NULL SID
                Account Name:                                     -
                Fully Qualified Account Name:          -
                OS-Version:                                           -
                Called Station Identifier:                      173.49.212.67      <-- outside ip address
                Calling Station Identifier:                     70.192.129.231

NAS:
                NAS IPv4 Address:                                10.10.1.10
                NAS IPv6 Address:                                -
                NAS Identifier:                                       -
                NAS Port-Type:                                     Virtual
                NAS Port:                                               106496

RADIUS Client:
                Client Friendly Name:                           fw.mothersbaugh.com
                Client IP Address:                                  10.10.1.10

Authentication Details:
                Connection Request Policy Name:     Use Windows authentication for all users
                Network Policy Name:                         VPN_AUTH_PCs
                Authentication Provider:                     Windows
                Authentication Server:                         service.mothersbaugh.com
                Authentication Type:                           PAP
                EAP Type:                                               -
                Account Session Identifier:                 -
                Logging Results:                                   Accounting information was written to the local log file.

Quarantine Information:
                Result:                                                    Full Access
                Session Identifier:                                 -
***************END OF OUTPUT FROM NPS EVENT LOG**********************


*****************OUTPUT FROM LOGGING ON ASA***************************

AAA retrieved user specific group policy (VPN) for user = vpntest

****************END OF OUTPUT FROM LOGGING ON ASA********************

TESTING
We see below that although user vpntest uses RADIUS to authenticate for the VPN, it still doesn't allow him access to ASDM or the SSH console. This is because the user account is not in the networkadmins group and the called station is not the external IP address. (If you allow people to administer the firewall from the outside address, which is a bad idea, you will allow all users, even those only in the VPN group, to access and configure the ASA.)





TESTING






******************OUTPUT FROM NPS EVENT LOG*************************
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
                Security ID:                                            MOTHERSBAUGHCOM\vpntest
                Account Name:                                     vpntest
                Account Domain:                                 MOTHERSBAUGHCOM
                Fully Qualified Account Name:          MOTHERSBAUGHCOM\vpntest

Client Machine:
                Security ID:                                            NULL SID
                Account Name:                                     -
                Fully Qualified Account Name:          -
                OS-Version:                                           -
                Called Station Identifier:                      -
                Calling Station Identifier:                     ip:source-ip=10.10.100.10

NAS:
                NAS IPv4 Address:                                10.10.1.10
                NAS IPv6 Address:                                -
                NAS Identifier:                                       -
                NAS Port-Type:                                     Virtual
                NAS Port:                                               7

RADIUS Client:
                Client Friendly Name:                           fw.mothersbaugh.com
                Client IP Address:                                  10.10.1.10

Authentication Details:
                Connection Request Policy Name:     Use Windows authentication for all users
                Network Policy Name:                         -
                Authentication Provider:                     Windows
                Authentication Server:                         service.mothersbaugh.com
                Authentication Type:                           PAP
                EAP Type:                                               -
                Account Session Identifier:                 -
                Logging Results:                                   Accounting information was written to the local log file.
                Reason Code:                                        48
                Reason:                                                  The connection request did not match any configured network policy.
*****************END OF OUTPUT FROM NPS EVENT LOG***********************

So now we are ready to configure the administrative piece for the ASA and all other devices, using RADIUS to manage the devices.
Overview Panel



Conditions Panel
We set the user group to Network_Admins and proceed to the next page.


Constraints Panel P1
We set the authentication methods to PAP and SPAP; again, these are the only methods I found to work.




Settings Panel
Now we set the privilege level of the users that are in the group NETWORK_ADMINS. At this point, if you have other groups that should get a lower level of access, you would set that in a different policy and place it above the level 15 policy. We also set the Service-Type to Login.
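To see why the VPN policy and the device policy described above coexist on one NPS without leaking device access to VPN users, it helps to model the evaluation order: NPS walks the network policies top to bottom, the first policy whose conditions match is the one used (its access permission and constraints then decide the outcome), and a request that matches no policy is rejected with reason code 48, as in the vpntest SSH event. The block below is an added example that models that walk in Python; it is not NPS code or an NPS API. The group name `VPN_Users`, the lower-privilege policy `DEVICES_RO` with group `Network_Operators`, the RADIUS `Class` value `OU=VPN;` as the carrier of the group-policy alias and the `Cisco-AV-Pair` `shell:priv-lvl=` attribute are all assumptions, since the page names neither the VPN group nor the attributes behind the panels. The page shows no reason code for a constraint failure, so the model leaves that code unset.

```python
"""Model of NPS ordered network-policy evaluation for the policies in this
walkthrough. Added example, not NPS logic or an NPS API; several names are
assumed (see comments)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Request:
    user: str
    groups: Set[str]                      # AD group memberships
    nas_port_type: str                    # the ASA reports "Virtual"
    called_station: Optional[str] = None  # outside IP for VPN, absent for SSH/ASDM
    auth_type: str = "PAP"


@dataclass
class Policy:
    name: str
    grant: bool                                              # access permission
    groups: Set[str] = field(default_factory=set)            # condition: member of any
    called_station: Optional[str] = None                     # condition: exact match
    nas_port_type: Optional[str] = None                      # constraint
    auth_types: Set[str] = field(default_factory=lambda: {"PAP", "SPAP"})  # constraint
    attributes: Dict[str, str] = field(default_factory=dict) # sent on Access-Accept

    def conditions_match(self, req: Request) -> bool:
        if self.groups and not (self.groups & req.groups):
            return False
        if self.called_station is not None and req.called_station != self.called_station:
            return False
        return True

    def constraints_ok(self, req: Request) -> bool:
        if self.nas_port_type and req.nas_port_type != self.nas_port_type:
            return False
        return req.auth_type in self.auth_types


EXTERNAL_IP = "173.49.212.67"  # the ASA's outside address from the page

# Constructed policy list in the order the walkthrough created them, plus the
# lower-privilege policy the text says belongs above the level-15 policy.
# Assumed names: VPN_Users, DEVICES_RO, Network_Operators; assumed attributes:
# Class "OU=VPN;" for the group-policy alias, Cisco-AV-Pair shell:priv-lvl.
POLICIES: List[Policy] = [
    Policy("VPN_AUTH_NO_VPN", grant=False, groups={"NO_ACCESS_VPN"}),
    Policy("VPN_AUTH_PCs", grant=True, groups={"VPN_Users"},
           called_station=EXTERNAL_IP, nas_port_type="Virtual",
           attributes={"Class": "OU=VPN;", "Service-Type": "Outbound"}),
    Policy("DEVICES_RO", grant=True, groups={"Network_Operators"},
           attributes={"Service-Type": "Login", "Cisco-AV-Pair": "shell:priv-lvl=1"}),
    Policy("DEVICES", grant=True, groups={"Network_Admins"},
           attributes={"Service-Type": "Login", "Cisco-AV-Pair": "shell:priv-lvl=15"}),
]


def evaluate(policies: List[Policy], req: Request) -> Dict[str, object]:
    """First policy whose conditions match decides; no match -> reason 48."""
    for pol in policies:
        if not pol.conditions_match(req):
            continue
        if not pol.grant:
            # The walkthrough's deny policy was logged with reason code 65.
            return {"result": "denied", "policy": pol.name, "reason_code": 65, "attributes": {}}
        if not pol.constraints_ok(req):
            # Conditions matched but constraints failed: NPS rejects here rather
            # than trying later policies. Reason code not shown on the page.
            return {"result": "denied", "policy": pol.name, "reason_code": None, "attributes": {}}
        return {"result": "granted", "policy": pol.name, "reason_code": None,
                "attributes": dict(pol.attributes)}
    return {"result": "denied", "policy": None, "reason_code": 48, "attributes": {}}


if __name__ == "__main__":
    # Constructed requests mirroring the page's four tests plus one dual-member user.
    for req in (
        Request("administrator", {"NO_ACCESS_VPN"}, "Virtual", EXTERNAL_IP),
        Request("vpntest", {"VPN_Users"}, "Virtual", EXTERNAL_IP),
        Request("vpntest", {"VPN_Users"}, "Virtual", None),
        Request("netadmin", {"Network_Admins"}, "Virtual", None),
        Request("dual", {"Network_Operators", "Network_Admins"}, "Virtual", None),
    ):
        print(req.user, req.called_station, evaluate(POLICIES, req))
```

The last request shows the ordering caveat that follows from "place it above the level 15 policy": a user who is in both the operators group and the admins group lands on the lower-privilege policy because it sits first, so group memberships should be kept disjoint or the order chosen deliberately. The model also makes plain why the Called-Station-Id condition is what keeps VPN users off the management plane: strip it from the VPN policy (or allow management on the outside interface, as the text warns) and the vpntest SSH request would match `VPN_AUTH_PCs` instead of falling through to reason 48. Since the only methods that worked here are PAP and SPAP, the passwords on the wire between the ASA and NPS are protected only by the RADIUS shared secret, so keep that path on a trusted management network.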




TESTING
Below is the output from NPS showing that the user netadmin, who is a member of the network admins group, passed authentication for VPN access.


*******************OUTPUT FROM NPS EVENT LOG**************************
Network Policy Server granted access to a user.

User:
                Security ID:                                            MOTHERSBAUGHCOM\netadmin
                Account Name:                                     netadmin
                Account Domain:                                 MOTHERSBAUGHCOM
                Fully Qualified Account Name:          MOTHERSBAUGHCOM\netadmin

Client Machine:
                Security ID:                                            NULL SID
                Account Name:                                     -
                Fully Qualified Account Name:          -
                OS-Version:                                           -
                Called Station Identifier:                      173.49.212.67
                Calling Station Identifier:                     70.192.129.231

NAS:
                NAS IPv4 Address:                                10.10.1.10
                NAS IPv6 Address:                                -
                NAS Identifier:                                       -
                NAS Port-Type:                                     Virtual
                NAS Port:                                               118784

RADIUS Client:
                Client Friendly Name:                           fw.mothersbaugh.com
                Client IP Address:                                  10.10.1.10

Authentication Details:
                Connection Request Policy Name:     Use Windows authentication for all users
                Network Policy Name:                         DEVICES
                Authentication Provider:                     Windows
                Authentication Server:                         service.mothersbaugh.com
                Authentication Type:                           PAP
                EAP Type:                                               -
                Account Session Identifier:                 -
                Logging Results:                                   Accounting information was written to the local log file.

Quarantine Information:
                Result:                                                    Full Access
                Session Identifier:                                 -

**************END OF OUTPUT FROM NPS EVENT LOG***********************

TESTING



The user netadmin logs into ASDM, and from the ASA's CLI we see the logs showing he was granted level 15 access.

******************OUTPUT FROM LOGGING ON ASA*************************

%ASA-5-502103: User priv level changed: Uname: netadmin From: 1 To: 15
%ASA-5-111008: User 'netadmin' executed the 'enable' command.
%ASA-5-111008: User 'netadmin' executed the 'perfmon interval 10' command.
%ASA-5-111008: User 'netadmin' executed the 'dir disk0:/dap.xml' command.
%ASA-5-111010: User 'netadmin', running 'CLI' from IP 0.0.0.0, executed 'dir disk0:/dap.xml'

**************END OF OUTPUT FROM LOGGING ON ASA***********************
  


Well, in short, it took a long time to figure this out due to the lack of information I found on the web, but I was finally able to get it working. I wrote this doc because I got very frustrated with people giving answers like "run another NPS server" or "use LDAP from the ASA". I know these are solutions, but I felt there had to be a way to make both means of authentication work and still run only one box. I really hope this helps someone else, and if you have any questions, comments or concerns please feel free to email me at rmothersbaugh@anexinet.com.

