Howto - Configure Windows Server 2008 R2 Radius for Cisco ASA firewall VPN authentication
This article focuses on the Windows Server 2008 R2 side of properly setting up a RADIUS server for Cisco ASA firewall VPN authentication.
1. Install necessary roles and features to Windows Server 2008 R2
The role and role service that need to be installed are:
- Network Policy and Access Services
- Network Policy Server
2. Make sure port 1645 (RADIUS authentication) is allowed in Windows Firewall
By default, adding the role opens the respective ports in Windows Firewall automatically.
3. Configure Radius client and policies using NPS management console
I am only listing the settings that need attention here; for anything not listed, use the default values.
1) Add Radius client
Friendly name: Put whatever you like, I used "Cisco ASA 5505"
Address: IP address of the ASA firewall
Shared secret: manual (put whatever secret you like and confirm it)
Advanced:
Vendor: RADIUS Standard
2) Add a connection request policy, and set the policy processing order to "2"
Policy name: Give it a name
Conditions: You can either use "Client IPv4 Address" with the ASA's IP address, or use "Client Friendly Name" with the name you configured in the "Add Radius client" section
3) Add a network policy
Policy name: Give it a name
Access Permission: Grant access
Conditions: Use the same condition you used in the "connection request policy"
Constraints:
Authentication Methods: In addition to MS-CHAP-v2 and MS-CHAP, add "PAP, SPAP"
4. Test
Once RADIUS is set up on the Windows server, you can test it from Cisco ASDM or from the command line:
Using the command prompt:
ASA# test aaa-server authentication group1 username user password passwd
Server IP Address or name: 192.168.1.2
INFO: Attempting Authentication test to IP address <192.168.1.2> (timeout: 12 seconds)
INFO: Authentication Successful
Using the ASDM:
- Go to "Configuration" -> "Remote Access VPN"
- Select the correct AAA server group
- In "Servers in the Selected Group", select the Windows Server 2008 R2 server you want to test
- On the right of the window, select the "Test" button
- In the test dialog that pops up, select "authentication" and enter a correct username and password pair
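Step 3 sets a shared secret and enables PAP. The following is an added example, not part of the original article or of any Cisco or Microsoft code: it shows how RFC 2865 (section 5.2) hides a PAP password with the shared secret inside an Access-Request, and why a correct password still fails when the secret on the ASA and on NPS differ. The function names and the sample secret are assumptions made for illustration.

```python
import hashlib
import os
import struct

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password as RFC 2865 section 5.2 specifies (User-Password)."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = _md5(secret + prev)          # keystream depends on the shared secret
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does with its own copy of the shared secret."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(block, _md5(secret + prev)))
        prev = block
    return clear.rstrip(b"\x00")

def build_access_request(ident: int, user: bytes, password: bytes,
                         secret: bytes, authenticator: bytes = b"") -> bytes:
    """Code 1 (Access-Request) with User-Name (1) and User-Password (2)."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in ((1, user), (2, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

if __name__ == "__main__":
    auth = bytes(range(16))                 # constructed; real clients use random bytes
    secret = b"constructed-shared-secret"   # constructed sample value
    hidden = hide_password(b"passwd", secret, auth)
    print("on the wire :", hidden.hex())
    print("same secret :", reveal_password(hidden, secret, auth))
    print("wrong secret:", reveal_password(hidden, b"mismatch", auth))
```

The password is protected only by an MD5-derived keystream keyed with the shared secret, so with PAP enabled the strength of that secret is what protects credentials between the ASA and the server.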
Document first created on: 30 Sep 2011 Friday
Document last modified on: 12 Nov 2011 Saturday

