Source: supportforums.cisco.com (web view): Configuring multiple VPN group policies and associating them to...

Date posted: 20-Jun-2018

ASA 8.x SSL VPN Multiple Group Policies using Microsoft Windows 2008 NPS Radius Authentication

Introduction
Requirements
Components Used
Background Information
Configure
  o Network Diagram
  o Configurations
  o ASA VPN Configuration
  o Running Configuration
  o Windows 2008 NPS server configuration
Verify
  o Client Testing
Related Information

Introduction

This document describes how to configure SSL VPN with multiple user group policies using RADIUS authentication against Microsoft Windows 2008 Network Policy Server. It configures multiple VPN group policies and associates each with an Active Directory security group, so that a specific access policy is applied to each group. This example demonstrates how an Active Directory group named “Sales” can be given access only to a “Sales Data” server and a group named “Tech” can be given access only to a “Tech Data” server.

Requirements

This document assumes the ASA already has a minimal configuration to establish connectivity and provide basic services, including DNS resolution and ASDM access, and that a Windows 2008 server capable of running the Network Policy Server role is available.

Components Used

ASA5500 with software version 8.2 or later with ASDM version 6.3 or later
Microsoft Windows 2008 R2 Server

Background Information

The Cisco Adaptive Security Appliance has the ability to define multiple VPN group policies, which allows an administrator to define a unique set of access controls per user or group. You may need to provide remote access to an outside contractor for a specific purpose but also allow your IT staff access to all network resources for remote support capabilities. While Cisco ACS provides this capability and much more, some will choose to leverage the capabilities built into Microsoft Windows 2008 server. Network Policy Server replaces Internet Authentication Services in Windows 2003 and earlier.

Configure  

Network Diagram

Configurations

ASA VPN Configuration

First we will use the ASDM VPN wizard to create a new policy for Sales and Tech. Select Wizards-SSL VPN Wizard from the menu bar.

In this example we will use the AnyConnect client:

We will name this connection profile “Sales” and check the option to allow the drop down box on the SSL VPN page. This allows users to select the group to which they belong. Alternatively, you can provide a specific URL for each group.

The next page asks us how we want to authenticate VPN users. We will create a new AAA server group called NPS to connect to the Windows NPS service. Specify the IP address and radius shared secret to establish communication between the ASA and the NPS server. You will need this same shared secret for the NPS server configuration.

We will create a new group policy named “Sales”.

The next page asks for IP address pool information and the AnyConnect client image location. We will create a dedicated IP subnet for this group and call the pool “SalesIP”.

At the bottom of the page we can select the AnyConnect image file on the flash file system or upload the file if needed. You can upload multiple images; we are working with the Windows client only here.

This wizard will not modify your NAT rules. In most scenarios you will need to create a NAT exemption rule for traffic from your inside network(s) to the address pool you just created.

Review the summary page and click Finish.

Now we will run the wizard a second time to create the “Tech” VPN connection profile and group. The process is the same with the exception of the profile and group names in steps 2 and 4, and the creation of another IP pool.

When done your group policies should look like this:

We need to restrict users to specific groups so they can only access the resources for their group. We do this by editing each group policy and applying the “group lock” feature and specifying the connection profile that is allowed to use this policy.

By default the password sent to the RADIUS server is a clear-text (PAP) password. The RADIUS protocol obscures only the password attribute, using an MD5 hash derived from the shared secret you provided earlier; the rest of the RADIUS packet is not encrypted. By default Windows 2008 servers do not accept PAP. To provide a higher level of security you can enable the use of MS-CHAPv2 by editing the AnyConnect Connection Profile, Advanced, General settings to include “Enable password management”.
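To make the PAP point above concrete, here is an added Python example (not code from the original document) implementing the RFC 2865 section 5.2 User-Password hiding that RADIUS applies: the password is padded to 16-byte blocks and XORed with MD5(shared secret + Request Authenticator), while every other attribute in the same Access-Request, such as User-Name, travels as plain text. The shared secret and the Request Authenticator are constructed values for the demonstration; the Request Authenticator is sent in the clear in a real packet, so the strength of the shared secret is the only thing protecting a PAP password on the wire.

```python
import hashlib
import os

# Constructed value for the demonstration; in the lab this is the secret typed into
# the ASA AAA server group and the NPS RADIUS client entry.
SHARED_SECRET = b"example-shared-secret"


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the 16-byte
    Request Authenticator in place of a previous block."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    if not padded:
        padded = b"\x00" * 16  # an empty password still occupies one block
    out = b""
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        block = padded[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        cipher = bytes(a ^ b for a, b in zip(block, key))
        out += cipher
        prev = cipher
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password: the same key chain, then the NUL padding is stripped.
    Anyone holding the shared secret can do this, which is the weakness of PAP."""
    out = b""
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_pap_attributes(username: bytes, password: bytes, secret: bytes,
                         request_authenticator: bytes) -> bytes:
    """Encode User-Name (type 1) and User-Password (type 2) as RADIUS TLVs.
    Only the password is obscured; the user name is readable in the packet."""
    hidden = hide_password(password, secret, request_authenticator)
    return (bytes([1, 2 + len(username)]) + username
            + bytes([2, 2 + len(hidden)]) + hidden)


if __name__ == "__main__":
    ra = os.urandom(16)  # the client picks a fresh Request Authenticator per request
    attrs = build_pap_attributes(b"bob", b"s3cret!", SHARED_SECRET, ra)
    print("User-Name visible in clear:", b"bob" in attrs)
    print("Password visible in clear: ", b"s3cret!" in attrs)
```

Because the hiding is keyed only by the shared secret (and MD5), this is obfuscation rather than encryption of the conversation, which is why the document moves on to MS-CHAPv2 and why the RADIUS path between ASA and NPS should stay on a trusted network segment.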

To apply an ACL to the Sales group traffic, click “Manage” next to “IPv4Filter”. Create an ACL allowing the IP pool addresses (source) to access the desired IP address(es) (destination). This completes the ASA configuration.
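The vpn-filter behaviour described in this step, modelled in Python as an added example (not ASA code), using the address names, pools and ACLs from the running configuration later in this document. The model covers the client-to-server direction of the filter: no vpn-filter on a group policy means unrestricted access, and an applied ACL ends with an implicit deny. It also surfaces a gap that is visible in that running configuration: TechACL is defined but never applied as a vpn-filter, so the Tech group policy carries no filter and Tech users are not limited to TechServer.

```python
import ipaddress
from typing import List, Optional, Tuple

# Names, pools and ACLs as they appear in the document's running configuration
# (constructed model of the ASA objects, not the ASA's own data structures).
NAMES = {
    "vpnsales": "192.168.200.0/24",
    "vpntech": "192.168.201.0/24",
    "SalesServer": "192.168.0.8/32",
    "TechServer": "192.168.0.9/32",
}

# Each access-list entry: (action, source name, destination name)
ACLS = {
    "SalesACL": [("permit", "vpnsales", "SalesServer")],
    "TechACL": [("permit", "vpntech", "TechServer")],
}

# vpn-filter per group policy, as in the running configuration: only Sales has one.
GROUP_POLICY_FILTER = {"Sales": "SalesACL", "Tech": None}


def acl_permits(acl_name: Optional[str], src_ip: str, dst_ip: str) -> bool:
    """ASA semantics: no vpn-filter means unrestricted; otherwise the first ACE that
    matches decides, and an ACL with no matching ACE ends in an implicit deny."""
    if acl_name is None:
        return True
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for action, src_name, dst_name in ACLS[acl_name]:
        if (src in ipaddress.ip_network(NAMES[src_name])
                and dst in ipaddress.ip_network(NAMES[dst_name])):
            return action == "permit"
    return False


def vpn_client_can_reach(group_policy: str, client_ip: str, server_ip: str) -> bool:
    """Can a VPN client that landed in this group policy reach the server?"""
    return acl_permits(GROUP_POLICY_FILTER[group_policy], client_ip, server_ip)


def unfiltered_group_policies() -> List[str]:
    """Group policies with no vpn-filter at all; a quick audit check for the
    'defined an ACL but never applied it' mistake."""
    return [gp for gp, acl in GROUP_POLICY_FILTER.items() if acl is None]


def reachability_matrix() -> List[Tuple[str, str, bool]]:
    """Every (group policy, server, reachable) combination for a sample client
    address from each pool; handy for eyeballing the effect of a filter."""
    sample_client = {"Sales": "192.168.200.10", "Tech": "192.168.201.10"}
    rows = []
    for gp, client in sample_client.items():
        for server_name in ("SalesServer", "TechServer"):
            server_ip = NAMES[server_name].split("/")[0]
            rows.append((gp, server_name, vpn_client_can_reach(gp, client, server_ip)))
    return rows


if __name__ == "__main__":
    for row in reachability_matrix():
        print(row)
    print("group policies without a vpn-filter:", unfiltered_group_policies())
```

Running it shows Sales clients reaching SalesServer only, while Tech clients reach both servers; applying TechACL as the vpn-filter on the Tech group policy, the same way it was done for Sales, closes that gap.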

Running Configuration

ASA Version 8.2(2)
hostname ciscoasa
domain-name local
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.200.0 vpnsales
name 192.168.201.0 vpntech
name 192.168.0.8 SalesServer
name 192.168.0.9 TechServer
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 security-level 100
 no ip address
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name local
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object vpnsales 255.255.255.0
 network-object vpntech 255.255.255.0
access-list inside_nat0_outbound extended permit ip any object-group DM_INLINE_NETWORK_1
access-list TechACL extended permit ip vpntech 255.255.255.0 host TechServer
access-list SalesACL extended permit ip vpnsales 255.255.255.0 host SalesServer
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool SalesIP 192.168.200.1-192.168.200.254 mask 255.255.255.0
ip local pool TechIP 192.168.201.1-192.168.201.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server NPS protocol radius
aaa-server NPS (inside) host 192.168.0.5
 timeout 5
 key *****
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.0217-k9.pkg.zip 1
 svc enable
 tunnel-group-list enable
group-policy Tech internal
group-policy Tech attributes
 vpn-tunnel-protocol svc
 group-lock value Tech
group-policy Sales internal
group-policy Sales attributes
 vpn-filter value SalesACL
 vpn-tunnel-protocol svc
 group-lock value Sales
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
tunnel-group Sales type remote-access
tunnel-group Sales general-attributes
 address-pool SalesIP
 authentication-server-group NPS
 default-group-policy Sales
 password-management
tunnel-group Sales webvpn-attributes
 group-alias Sales enable
 group-url https://10.0.0.1/Sales enable
tunnel-group Tech type remote-access
tunnel-group Tech general-attributes
 address-pool TechIP
 authentication-server-group NPS
 default-group-policy Tech
 password-management
tunnel-group Tech webvpn-attributes
 group-alias Tech enable
 group-url https://10.0.0.1/Tech enable
<cut>

Windows 2008 NPS server configuration

The Windows 2008 server we are using has the Active Directory role installed and the testlab.local domain already configured. This includes the following users and groups:

Group “Sales”
  o Users Bob and Rob

Group “Tech”
  o Users Jack and Josh

First we add the Network Policy and Access Services role to our Windows 2008 server, using the Add Roles Wizard.

We only need the Network Policy Server service.

Open the Network Policy Server MMC, right-click RADIUS Clients, then choose “New RADIUS Client”. Enter a friendly name and the IP address of the ASA appliance, then enter the same shared secret you configured in the AAA server group on the ASA.

Create a New Connection Request Profile.

Give it a name and optionally set the type.

Configure the “NAS IPv4 Address” to be the ASA IP address that will be the source of the radius traffic.

No request forwarding configuration.

Override the default network policy and select MS-CHAPv2.

No additional settings on the next screen are required. You will need to move the policy you created ahead of the default policy and it should look like this:

Now we will create the network policies for Sales and Tech. Right-click the “Network Policies” object and select “New”. Then enter a name for the policy and click Next.

Then specify the following conditions for allowing access. The user must be a member of the “Sales” AD security group and the NAS IP address must be the IP address of your ASA.

Then select “Access granted”; optionally check the box to allow the user’s dial-in properties to override the access decision.

Again configure the authentication method to be MS-CHAPv2.

No additional constraints necessary.

Then configure the “class” standard RADIUS attribute to match the name of the connection profile configured on your ASA, in this case “Sales”. If a user successfully authenticates to this network policy, then the radius server will return the value “Sales” via radius attribute 25 (aka class). The ASA will only allow the user to connect to the connection profile that matches this value.

Then complete the wizard.

Run the “New Network Policy” wizard again for the Tech group. Then sort your network policies in the correct order like this:

The policies are evaluated in order, from top to bottom, until a policy is found whose conditions all match. If a user who is a member of the “Sales” AD group authenticates, NPS will try the VPN-Tech policy and fail to match it, then match the VPN-Sales policy and grant access. The RADIUS Access-Accept response will include “class=Sales”, and the ASA will accept the login only if the user is attempting to connect to the connection profile named “Sales”.
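The policy evaluation and group-lock behaviour described in this section and in the Class attribute step above, as an added Python model (not NPS or ASA code). The server side walks the network policies in NPS order and returns the first full match together with a RADIUS Class attribute (type 25) encoded as a standard type/length/value triple; the ASA side parses the attribute list and, following the document's description of group-lock, accepts the login only when the Class value equals the connection profile the user selected. The AD group membership, NAS address and policy names are constructed from the lab described in this document.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed lab data mirroring the document: AD group membership, the ASA
# inside address that NPS sees as NAS-IP-Address, and the network policies.
AD_GROUPS: Dict[str, set] = {
    "Bob": {"Sales"}, "Rob": {"Sales"}, "Jack": {"Tech"}, "Josh": {"Tech"},
}
ASA_NAS_IP = "192.168.0.1"
RADIUS_CLASS = 25  # standard RADIUS attribute number for Class


@dataclass
class NetworkPolicy:
    name: str
    required_group: str   # "Windows Groups" condition
    nas_ip: str           # "NAS IPv4 Address" condition
    class_value: str      # Class attribute returned in the Access-Accept


# NPS evaluates top to bottom and stops at the first policy whose conditions
# all match, so VPN-Tech is tried before VPN-Sales exactly as in the document.
NETWORK_POLICIES: List[NetworkPolicy] = [
    NetworkPolicy("VPN-Tech", "Tech", ASA_NAS_IP, "Tech"),
    NetworkPolicy("VPN-Sales", "Sales", ASA_NAS_IP, "Sales"),
]


def encode_class_attribute(value: str) -> bytes:
    """RADIUS attribute TLV: type (1 byte), length including header (1 byte), value."""
    data = value.encode()
    if len(data) > 253:
        raise ValueError("value too long for a single RADIUS attribute")
    return bytes([RADIUS_CLASS, 2 + len(data)]) + data


def parse_attributes(raw: bytes) -> Dict[int, bytes]:
    """Walk the attribute list and return {type: value}; a bad length is rejected
    rather than silently mis-parsed."""
    attrs: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        a_type, a_len = raw[i], raw[i + 1]
        if a_len < 2 or i + a_len > len(raw):
            raise ValueError("invalid attribute length")
        attrs[a_type] = raw[i + 2:i + a_len]
        i += a_len
    return attrs


def nps_evaluate(user: str, nas_ip: str) -> Tuple[Optional[str], Optional[bytes]]:
    """Server side: the first fully matching policy wins and its Class attribute is
    returned; no match means Access-Reject, modelled as (None, None)."""
    groups = AD_GROUPS.get(user, set())
    for policy in NETWORK_POLICIES:
        if policy.required_group in groups and policy.nas_ip == nas_ip:
            return policy.name, encode_class_attribute(policy.class_value)
    return None, None


def asa_group_lock(requested_profile: str, accept_attrs: Optional[bytes]) -> bool:
    """ASA side as the document describes it: with group-lock, the login is only
    accepted when the returned Class value equals the selected connection profile."""
    if accept_attrs is None:
        return False
    cls = parse_attributes(accept_attrs).get(RADIUS_CLASS)
    return cls is not None and cls.decode() == requested_profile


def vpn_login(user: str, requested_profile: str, nas_ip: str = ASA_NAS_IP) -> dict:
    """End-to-end outcome of one login attempt from the drop-down on the SSL VPN page."""
    policy, attrs = nps_evaluate(user, nas_ip)
    return {"matched_policy": policy, "allowed": asa_group_lock(requested_profile, attrs)}


if __name__ == "__main__":
    for user, profile in (("Bob", "Sales"), ("Bob", "Tech"), ("Jack", "Tech")):
        print(user, profile, vpn_login(user, profile))
```

The model reproduces the two outcomes in the Client Testing section: Bob to Sales is granted, while Bob to Tech still matches VPN-Sales on the NPS side but is refused by the ASA because the Class value does not match the requested profile. A request from any NAS address other than the ASA matches no policy at all, which is the reason the NAS IPv4 Address condition is worth keeping in every policy.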

Verify

Client Testing

Using a web browser connect to the outside address of the ASA using https://<IPaddress>. You will see an authentication page with a drop down box including Sales and Tech.

Authenticating with user Bob to the Sales group is successful, but attempting to authenticate with user Bob to the Tech group will fail. You can view connection attempts on the Windows 2008 server via the Server Manager MMC by selecting Roles-Network Policy and Access Service and viewing the events listed. As you can see by this example user Bob authenticated from the ASA IP address 192.168.0.1, using the Proxy Policy named “CiscoVPN”, with the Network Policy named “VPN-Sales” and using MS-CHAPv2 protocol.

If you enable radius debugging you can also verify the successful authentication from the ASA log file.

   

Related Information

Cisco ASA 5500 Series Adaptive Security Appliances Support Page
Cisco ASA 5500 Series Adaptive Security Appliances Command References
Microsoft Network Policy Server Support Page