Friday, May 24, 2013

RADIUS Server on Windows 2008 R2 to Cisco

Yesterday I posted about setting up remote access VPN on a Cisco ASA 5505 with extended authentication to a RADIUS server. Today’s post will be about setting up Windows 2008 R2 NPS to work with the Cisco client.
Open up Server Manager and add a new role.


Select Network Policy and Access Services. Click Next; only the Network Policy Server role service needs to be selected. Click Next again and install.
After the installation completes, open the Network Policy Server console, expand Policies, then Network Policies, and create a new network policy.
Give the policy a name, leave the type of network access server set to Unspecified, and click Next.



Add the conditions a connection must meet to be granted access, such as membership in a Windows user group.



Click Add Groups and then type in the group name. I went ahead and added Domain Users just for testing. I also added the RADIUS client settings under the conditions and specified the name of my ASA.



After you are done adding the conditions, click Next, select Access granted, and click Next again.


Put a check mark on Unencrypted authentication (PAP, SPAP). The ASA forwards the Xauth username and password to the RADIUS server as PAP, so the policy has to allow it.




Click Next, and select No when it asks whether you want to view the help topic.



It will ask you to configure additional constraints; none are needed here, so click Next.




Under Standard RADIUS Attributes, delete the two default entries (PPP and Framed) and add a new one.



Set Access type to All and choose the Service-Type attribute.



For the attribute value select Others, then choose Login from the drop-down box, click OK, then Close.
Now specify the vendor-specific attribute under RADIUS Attributes by selecting Vendor Specific.



With Vendor set to “All”, select Vendor-Specific for the attribute and click Add to add in the attribute information.

For the attribute information select “Select from list” and choose Cisco from the menu. Then select “Yes. It conforms” and click Configure Attribute.

For the Vendor-assigned attribute number enter 1, for Attribute format choose String, and in Attribute value type:
shell:priv-lvl=15
Then click OK. Privilege level 15 is the highest (enable) level on Cisco devices, so every user who matches this policy's conditions receives it; keep that in mind if the same policy or server group is ever used for device administration as well.


Click OK, Close, Next, then finally click Finish.

Now add the ASA as a RADIUS client in Network Policy Server: expand RADIUS Clients and Servers, right-click RADIUS Clients, and choose New.
Fill in the friendly name that you specified earlier in the policy condition, enter the IP address of the device, and enter the RADIUS shared secret (it must match the key configured on the ASA).



Finally, register the server in Active Directory: right-click the NPS tree root in the left pane and choose “Register server in Active Directory”. (If the option is grayed out, do not worry about it.)

Restart the NPS service, which may take a few seconds, and everything should be complete.
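As an added illustration (not part of the original post), here is how the two attributes configured above are carried in the RADIUS Access-Accept that NPS returns to the ASA: Service-Type as a 4-byte integer with Login = 1, and the Cisco-AVPair string inside a Vendor-Specific attribute (type 26) with Cisco's IANA vendor ID 9 and vendor-assigned type 1. Attribute numbers follow RFC 2865; the decoder assumes one sub-attribute per VSA, as in this case.

```python
import struct

# RFC 2865 attribute numbers and the values selected in the NPS policy above.
SERVICE_TYPE = 6           # Service-Type attribute
VENDOR_SPECIFIC = 26       # Vendor-Specific attribute (VSA container)
SERVICE_TYPE_LOGIN = 1     # "Login" in the NPS drop-down
CISCO_VENDOR_ID = 9        # IANA enterprise number for Cisco
CISCO_AVPAIR = 1           # Vendor-assigned attribute number 1 = Cisco-AVPair


def encode_service_type(value):
    """Service-Type: type(1) length(1) value(4); length is always 6."""
    return struct.pack("!BBI", SERVICE_TYPE, 6, value)


def encode_cisco_avpair(text):
    """Cisco-AVPair in a VSA: 26 | len | vendor-id(4) | vendor-type | vendor-len | string."""
    data = text.encode("ascii")
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_attributes(blob):
    """Walk a run of RADIUS attributes and return a list of (name, value) pairs."""
    out, i = [], 0
    while i < len(blob):
        # Every attribute needs a type and a length >= 2 that fits in the buffer.
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, alen = blob[i], blob[i + 1]
        val = blob[i + 2:i + alen]
        if atype == SERVICE_TYPE and alen == 6:
            out.append(("Service-Type", struct.unpack("!I", val)[0]))
        elif atype == VENDOR_SPECIFIC and len(val) >= 6:
            vendor = struct.unpack("!I", val[:4])[0]
            vtype, vlen = val[4], val[5]
            if vlen != len(val) - 4:   # single sub-attribute must span the rest of the VSA
                raise ValueError("bad vendor-length at offset %d" % i)
            name = "Cisco-AVPair" if (vendor, vtype) == (CISCO_VENDOR_ID, CISCO_AVPAIR) else "VSA-%d-%d" % (vendor, vtype)
            out.append((name, val[6:].decode("ascii")))
        else:
            out.append(("Attribute-%d" % atype, val))
        i += alen
    return out


def nps_accept_attributes():
    """The two attributes the post adds to the NPS network policy, as sent to the ASA."""
    return encode_service_type(SERVICE_TYPE_LOGIN) + encode_cisco_avpair("shell:priv-lvl=15")
```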

Thursday, May 23, 2013

Remote Access VPN on Cisco ASA 5505

One of my favorite things to do with new equipment is test the maximum throughput of the device. The Cisco ASA 5505 is a nice firewall appliance, but the ASA does not support BGP, so be wary if you are purchasing one to study for your CCNA.

In this post I will explain how to set up an IPsec remote-access VPN on the ASA (ver. 7.2) with RADIUS authentication, using the CLI. There are a ton of guides on configuring the Cisco ASA 5505, so I will only run through the basics I assume you already have in place.

Basic stuff:

Set up the host name, interface names, IP addresses, VLAN assignments, NAT, and the default route on the firewall. Enable or disable DHCP on the inside interface.



Delete the existing keys

crypto key zeroize rsa


Configure your domain name

domain-name domain.com


Generate the keys, verify them, and save the configuration. A 1024-bit modulus was common at the time; 2048 bits is the minimum recommended today.

crypto key generate rsa general-keys modulus 1024
sh crypto key mypubkey rsa
wr mem


Allow traffic to enter and leave through the same interface (hairpinning), which remote-access VPN traffic that re-exits the outside interface relies on

same-security-traffic permit intra-interface



Create the access list that identifies traffic between the local network and the VPN client subnet (used below for the NAT exemption)

access-list noNAT extended permit ip 192.168.150.0 255.255.255.0 192.168.57.0 255.255.255.0


192.168.57.X is the subnet assigned to the virtual adapters of the VPN clients, and 192.168.150.X is the local subnet of my network.


Create the range of IP addresses that the VPN clients' virtual adapters will receive

ip local pool IPPoolforVPN 192.168.57.15-192.168.57.90 mask 255.255.255.0


Exempt the traffic matched by that access list from NAT (nat 0), so VPN clients and the local network can communicate

nat (inside) 0 access-list noNAT


Define the authentication server group and type. The key on the host line (shadowkey here) is the RADIUS shared secret and must match the one entered for this client on the NPS server.

aaa-server WindowsServer protocol radius
aaa-server WindowsServer max-failed-attempts 3
aaa-server WindowsServer deadtime 10
aaa-server WindowsServer (inside) host 192.168.150.11 shadowkey timeout 5



Create and name the group policy for the VPN users. Note that split-tunnel-policy tunnelspecified expects a split-tunnel-network-list naming the networks to send through the tunnel; none is shown here.

group-policy ShadowVPN internal
group-policy ShadowVPN attributes
dns-server value 8.8.8.8 4.2.2.2
vpn-idle-timeout 240
vpn-session-timeout 720
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
default-domain value domain.com
split-dns value domain.com
exit


Allow all traffic that enters the security appliance through a VPN tunnel to bypass the interface access lists

sysopt connection permit-vpn



Create the IPsec transform set, the dynamic crypto map, and the ISAKMP (IKE) policy. Here hash sha means SHA-1 and group 2 is 1024-bit Diffie-Hellman; both were standard in 2013 but are below current recommendations.

crypto ipsec transform-set RemoteAccess esp-aes esp-sha-hmac
crypto dynamic-map dyn1 1 set transform-set RemoteAccess
crypto map VPN 99 ipsec-isakmp dynamic dyn1
crypto map VPN interface outside
crypto isakmp enable outside
crypto isakmp identity address
crypto isakmp nat-traversal 3600
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 43200
exit


Create the remote-access tunnel group (its name is the group name that remote users enter in the Cisco VPN client)

tunnel-group ShadowVPN type ipsec-ra


Specify the address pool you made earlier

tunnel-group ShadowVPN general-attributes
address-pool IPPoolforVPN


Point the tunnel group at the RADIUS server group and the group policy, then set the pre-shared key (the group password in the Cisco VPN client) and save

authentication-server-group WindowsServer
default-group-policy ShadowVPN
exit
tunnel-group ShadowVPN ipsec-attributes
pre-shared-key Hard.2.Guess.Key
exit
wr mem


Some commands to help troubleshoot issues

show crypto isakmp sa
show crypto ipsec sa
show crypto engine connection active
debug crypto isakmp
debug crypto ipsec



If the VPN connection is established but no traffic is encrypted or decrypted, check your ACL (the noNAT access list and the nat 0 exemption above).
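As an added example (not from the post), a small checker for the pieces of this configuration that most often produce a tunnel that comes up but passes no traffic: the nat 0 ACL must exist and cover the client pool, the names under the tunnel group must resolve to defined objects, and tunnelspecified needs a network list. The sample input is assembled from the commands above; the regexes are written for the command forms shown in this post only.

```python
import ipaddress
import re

# Excerpt of the post's ASA commands, assembled here as constructed sample input.
ASA_CONFIG = """
access-list noNAT extended permit ip 192.168.150.0 255.255.255.0 192.168.57.0 255.255.255.0
ip local pool IPPoolforVPN 192.168.57.15-192.168.57.90 mask 255.255.255.0
nat (inside) 0 access-list noNAT
aaa-server WindowsServer protocol radius
group-policy ShadowVPN internal
split-tunnel-policy tunnelspecified
tunnel-group ShadowVPN general-attributes
address-pool IPPoolforVPN
authentication-server-group WindowsServer
default-group-policy ShadowVPN
"""

def grab(lines, pattern):
    # All regex matches of `pattern` anchored at the start of each config line.
    return [m for m in (re.match(pattern, l) for l in lines) if m]

def check_vpn_config(cfg):
    """Return findings (strings) for the remote-access VPN pieces of an ASA config."""
    lines = [l.strip() for l in cfg.splitlines() if l.strip()]
    findings = []
    acls = {m.group(1): m for m in grab(lines, r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")}
    pools = {m.group(1): m for m in grab(lines, r"ip local pool (\S+) (\S+)-(\S+) mask")}
    aaa = {m.group(1) for m in grab(lines, r"aaa-server (\S+) protocol")}
    gps = {m.group(1) for m in grab(lines, r"group-policy (\S+) internal")}
    # NAT exemption: the ACL must exist and its destination must cover the client pool.
    for m in grab(lines, r"nat \(\S+\) 0 access-list (\S+)"):
        acl = acls.get(m.group(1))
        if acl is None:
            findings.append("nat 0 references undefined ACL " + m.group(1))
            continue
        dst = ipaddress.ip_network("%s/%s" % (acl.group(4), acl.group(5)))
        for name, p in pools.items():
            if not all(ipaddress.ip_address(p.group(i)) in dst for i in (2, 3)):
                findings.append("pool %s is outside NAT-exempt network %s" % (name, dst))
    # Names used under the tunnel group must resolve to defined objects.
    for pat, defined, what in ((r"authentication-server-group (\S+)", aaa, "aaa-server"),
                               (r"default-group-policy (\S+)", gps, "group-policy"),
                               (r"address-pool (\S+)", set(pools), "ip local pool")):
        for m in grab(lines, pat):
            if m.group(1) not in defined:
                findings.append("%s %s is referenced but not defined" % (what, m.group(1)))
    # tunnelspecified needs a split-tunnel-network-list naming the networks to tunnel.
    if grab(lines, r"split-tunnel-policy tunnelspecified") and not grab(lines, r"split-tunnel-network-list"):
        findings.append("split-tunnel-policy tunnelspecified has no split-tunnel-network-list")
    return findings
```

Run against the post's own commands it reports only the missing split-tunnel network list; the other checks pass.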


Monday, May 20, 2013

Interface Rates on Linux Firewalls

I was working with the Cisco SRP541w and noticed something strange when remote users connected to the VPN. Once a VPN connection was established and remote users attempted to download something from the office, the firewall would reboot itself. After a little bit of research, the problem seems to be directly related to the QoS bandwidth control under network setup.

It does not matter what this is set to; if it is enabled on any of the interfaces, the problem will still occur when IPsec VPN users connect.

The Cisco SRP541w is running a GNU/Linux OS, and I have seen similar issues on other Linux-based operating systems. Zentyal suffers the same consequence when rates under traffic shaping are enabled.

Enabling this on the WAN interface causes OpenVPN users to crash the outside interface after establishing a connection. I have not tested the stability of the connection over PPTP VPN, but I suspect it will do the same thing, since the issue is related to the uplink on the WAN connection and is present with both IPsec and OpenVPN.

Friday, May 17, 2013

First Attempt

I am using this blog to keep track of my projects and help my organization skills.
As of today, my current rig includes:

Cisco ASA 5505
Juniper Netscreen 50
Cisco WS-C2950-24
Cisco WS-C2924-X
Netgear GS724T
Cisco 1760 Router
SuperMicro X7DCA-L
Cisco 2651 Router
ZyXEL ZyWALL USG20
FreeNas box with 13 terabytes of data
Dell PowerEdge 2900 with 2 dual core Xeon processors, 21 gigs of RAM, running 2008 R2 Hyper-V, 8 Intel gigabit adapters and 2 Broadcom gigabit adapters.



Not included in this picture is an Asus RTN16 mounted on the wall and used only as an access point, and a Netgear GS108T upstairs right next to the ONT.


I currently have Verizon FiOS with 150 Mbps download and 65 Mbps upload speeds. Since none of my equipment was capable of 150 Mbps SPI throughput, I have Zentyal running as a virtual machine in Hyper-V, which acts as my firewall.


This blog is not intended to educate, inform, or entertain anyone but myself.