W2k8 NPS as a RADIUS server for a Cisco router

Postby blin » Fri Dec 02, 2011 9:39 pm

I currently have W2k3 IAS configured as a RADIUS server for our VPN clients connecting to a Cisco 2811 router. That works fine, but I can't get it to work for the Authentication Proxy feature on the same router. I thought I'd try the new NPS on W2k8 since Cisco and MS are now cooperating on RADIUS. I can't get NPS to respond to the Auth-Proxy or even the VPN requests, so I seem to be going backwards!

I have searched and searched but cannot find anything useful on how to configure NPS for RADIUS, though I have found a mountain of literature on NAP (interesting, but something for the future). One problem could be that I have passed authentication off to our existing IAS server, since it is a DC and auths the current VPN well, if a little slowly. I can't even get the NPS to log the fact that a RADIUS request is coming into it, either in the Event Log or in the basic log file configured under the NPS interface. I have opened all four standard UDP ports in the W2k8 firewall.

Can anybody suggest any tips or refer me to any documentation on the NPS RADIUS configuration, please? I don't expect help here on the Cisco hardware, but also don't want to pay a small fortune for Cisco ACS RADIUS when it has a terrible reputation anyway.
How to Configure and Troubleshoot Cisco
http://www.howtocisco.com

Tablet and Smartphone Setup Guide
http://www.quicksetupguide.com
blin
Site Admin
 
Posts: 3643
Joined: Wed Dec 31, 1969 7:00 pm
Location: Chicago, USA

Re: W2k8 NPS as a RADIUS server for a Cisco router

Postby blin » Fri Dec 02, 2011 9:39 pm

If IAS is mostly working for you, then you should be able to at least get this same level of support from NPS. I don't know what kind of authentication method you are using with the Cisco 2811, but I assume you configure the router as a RADIUS client in NPS and set up a RADIUS server group on the router with the IP address, port numbers, and shared secret for NPS.

Set up the connection request policy the same as you did in IAS; your remote access policies are now called "network policies". Since you say that NPS isn't recognizing the RADIUS messages from your router, I would check that you are using 1812 as the authentication port. Another commonly used port is 1645, but to use this you will need to add it to the list of firewall exceptions on NPS.

Documentation for configuring NPS that is currently available can be found at www.microsoft.com/nps. As you said, this is mostly about configuring NPS for NAP, but the steps will show you how to configure conditions and settings. There is also a wizard in the NPS console that may be helpful to you.

Re: W2k8 NPS as a RADIUS server for a Cisco router

Postby blin » Fri Dec 02, 2011 9:39 pm

I have the exact same problem. There is lots of information about "features and capabilities" of the new NPS, but no real instructions on how to actually do anything.

I have a Cisco 2821. I would like to use the NPS RADIUS server to authenticate VPN users, but I cannot get it to happen.

On Windows Server 2008, I have added the router as a client:

Address: Internal Interface of router
Vendor name: RADIUS Standard
Manual shared key

Under Network Policies: I have tried everything, but nothing works.

Here is what I keep getting: RADIUS: Response (32) failed decrypt

I have been to the end of the internet and back, but I can't find anything. Please help.

Re: W2k8 NPS as a RADIUS server for a Cisco router

Postby blin » Fri Dec 02, 2011 9:40 pm

Not sure if it is of any help, but I have achieved something similar with remote access VPN users on a PIX and SSH logins on other Cisco devices. What you need to do is as follows:

1. Create a RADIUS Client on the NPS.

2. Create a Network Policy as follows:

a. Right-click Network Policies and click New.

b. Type a policy name, accept the defaults and click Next.

c. Add a condition (I used a Windows group with my users in it), click Next.

d. Make sure the "Access granted" radio button is selected and hit Next.

e. Select "Unencrypted authentication (PAP, SPAP)" and unselect the rest.

f. Select No on the annoying help box.

g. Finally select Next, then Next and Finish to complete.

3. Configure your Cisco device for RADIUS as you would have with 2k3.

Please bear in mind this is not a finished config and as such will allow any RADIUS Client to authenticate with unencrypted details. I am working on sorting that out ATM.
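As an added example (not from any post in this thread), here are the two RADIUS computations behind the points raised above: the Response Authenticator a router checks on every reply, whose mismatch when the shared secrets differ is what IOS reports as the response failing to decrypt, and the User-Password hiding that is the only protection a PAP password gets on the wire, which is why the shared secret and the RADIUS client list carry all the trust in the unfinished config described above. The secret, Request Authenticator and password are constructed values, and the server is modelled only as far as RFC 2865 defines the packet.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the thread): the 16-byte Request
# Authenticator the router generated, and the shared secret on the router.
REQUEST_AUTH = bytes(range(16))
ROUTER_SECRET = b"nps-secret"
ACCESS_ACCEPT = 2  # RADIUS packet code, RFC 2865

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    block), seeded by the Request Authenticator. Only the secret protects PAP."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo the hiding before comparing the PAP password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_response(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Router side: recompute the authenticator with its own secret; a mismatch
    is what IOS reports as the RADIUS response failing to decrypt."""
    length = struct.unpack("!BBH", packet[:4])[2]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)

def demo(server_secret: bytes) -> dict:
    """One Access-Request/Access-Accept exchange with the given NPS-side secret."""
    hidden = hide_password(b"Passw0rd!", ROUTER_SECRET, REQUEST_AUTH)
    reply = build_response(ACCESS_ACCEPT, 7, b"", REQUEST_AUTH, server_secret)
    return {"server_sees_password": reveal_password(hidden, server_secret, REQUEST_AUTH),
            "router_accepts_reply": verify_response(reply, REQUEST_AUTH, ROUTER_SECRET)}
```

Calling `demo(ROUTER_SECRET)` recovers the password and accepts the reply; `demo(b"nps-secr3t")` recovers garbage on the server and rejects the reply on the router, the two symptoms of a shared-secret mismatch.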

Re: W2k8 NPS as a RADIUS server for a Cisco router

Postby blin » Fri Dec 02, 2011 9:40 pm

My goal was to be able to use my Cisco 1800 series router as a VPN server and allow it to provide RADIUS authentication for end users using the Cisco 5.x VPN client on Windows XP machines.

I followed the walk-through above: http://filedb.experts-exchange.com/inco ... -for-C.pdf

The only variations I made from the walkthrough above were:

- I did not use the vendor-specific attribute shell string.

- I didn't use the wildcard for the client friendly name; I simply used the name as I had it in the RADIUS client config.

- Someone above mentioned using "user groups" rather than "windows groups":

  o I didn't notice a difference.

- I didn't follow any of the Cisco walk-through part as mentioned above. I used the following commands on my router:

config t
! Login authentication list: try RADIUS first, fall back to local users
aaa authentication login userauthen group radius local
! Network (group) authorization list: local group policy
aaa authorization network groupauthor local
! XAuth user authentication for the client crypto map
crypto map clientmap client authentication list userauthen
! ISAKMP group authorization for the client crypto map
crypto map clientmap isakmp authorization list groupauthor
! NPS address and the shared secret configured on the RADIUS client entry
radius-server host a.b.c.d key xxx

To add to the walkthrough above:

- Create a new "Connection Request Policy".

- I only added the condition of a "client friendly name".

- Everything else was defaults:

  o Enable the policy.

  o Didn't specify a network connection method: unspecified.

  o No special VPN selections or anything.

  o Under the Settings tab, I overrode the network policy and selected to only use PAP.

I spent a ton of time Googling this; I hope this was helpful for others.

Re: W2k8 NPS as a RADIUS server for a Cisco router

Postby blin » Fri Dec 02, 2011 9:41 pm

Hi, I have changed my VPN user to use EAP and it worked. Unlike IAS, NPS no longer supports PAP. Microsoft claimed that they dropped PAP on purpose and there is a procedure to enable PAP: http://technet.microsoft.com/en-us/libr ... 2393(WS.10).aspx. However, this procedure does not work for me. No luck getting PAP working. I ended up giving up PAP and using EAP instead. Still interested in getting PAP to work with NPS.

Re: W2k8 NPS as a RADIUS server for a Cisco router

Postby blin » Fri Dec 02, 2011 9:41 pm

Recently I have set up my VPN in a similar way, using Server 2008 as a RADIUS server and an ASA.

A step-by-step guide for the ASA and Server 2008 setup can be found here: Setup-windows-server-2008-r2-as-radius-server-for-cisco-asa

Hope this will work.