Howto - Configure Windows Server 2008 R2 Radius for Cisco ASA firewall VPN authentication

This article focuses on the Windows Server 2008 R2 side: properly setting up a Radius server for Cisco ASA firewall VPN authentication.


1. Install necessary roles and features to Windows Server 2008 R2

The role and role services needed to be installed are: 


2. Make sure port 1645 (Radius authentication) is allowed in Windows firewall

By default, adding the roles opens the respective ports in Windows firewall automatically.

3. Configure Radius client and policies using NPS management console

I am only listing the settings that need attention here; for anything not listed, use the default values.


1) Add Radius client

Friendly name: Put whatever you like, I used "Cisco ASA 5505"

Address: IP address of the ASA firewall

Shared Secret: manual (put whatever secret you like and confirm it)


Vendor: Radius Standard


2) Add a connection request policy and set the policy processing order to "2"

Policy name: Give it a name

Conditions: You can either use "Client IPv4 Address" with the ASA's IP address, or use "Client Friendly Name" with the name you configured in the "Add Radius client" section


3) Add a network policy

Policy name: Give it a name

Access Permission: Grant access

Conditions: Use the same condition you used in the "connection request policy"


Authentication Methods: Apart from MS-CHAP-v2 and MS-CHAP, add "PAP, SPAP"
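
What the shared secret from 1) does on the wire once PAP is allowed, as an added example that is not part of the original article: the RFC 2865 User-Password hiding a Radius client such as the ASA applies, the reverse step a Radius server such as NPS performs, and the Response Authenticator check. The secret, username and password are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1                 # RADIUS packet code (RFC 2865)
USER_NAME, USER_PASSWORD = 1, 2    # attribute types

def hide_password(password, secret, request_auth):
    """Client side (the ASA): RFC 2865 section 5.2 User-Password hiding."""
    if not 0 < len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def unhide_password(hidden, secret, request_auth):
    """Server side (NPS): reverse the hiding with its copy of the secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(identifier, user, password, secret, request_auth=None):
    """Access-Request carrying User-Name and the hidden User-Password."""
    request_auth = request_auth or os.urandom(16)
    attrs = b""
    for attr_type, value in ((USER_NAME, user),
                             (USER_PASSWORD, hide_password(password, secret, request_auth))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs

def response_is_authentic(response, request_auth, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed sample values
    packet = build_access_request(1, b"user", b"passwd", secret)
    ra, hidden = packet[4:20], packet[28:44]
    print(unhide_password(hidden, secret, ra))            # same secret on both sides
    print(unhide_password(hidden, b"mismatched", ra))     # different secret: garbage
```

With PAP the shared secret is the only thing hiding the password between the ASA and the server, which is a reason to make it long and random. A secret that differs between the two sides typically surfaces as a rejected password rather than as a protocol error.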


4. Test

Once Radius is set up on the Windows server, you can test it from Cisco ASDM or using the command:

Using the command prompt:

ASA# test aaa-server authentication group1 username user password passwd
Server IP Address or name:
INFO: Attempting Authentication test to IP address <> (timeout: 12 seconds)
INFO: Authentication Successful


Using the ASDM:

  1. Go to "Configuration" -> "Remote Access VPN"
  2. Select the correct AAA server group
  3. In "Servers in the Selected Group", select the Windows Server 2008 R2 server you want to test
  4. On the right of the window, select the "Test" button
  5. In the test dialog that pops up, select "authentication" and enter a correct username and password pair

Document first created on: 30 Sep 2011 Friday

Document last modified on: 12 Nov 2011 Saturday