ASA/PIX, IDS, IPS, VPN, Cisco Secure ACS, AAA, ISE.
hinklejoe
New Member
Posts:
2
Joined:
Tue May 15, 2012 3:34 pm

ASA 5505 - Server 2008 NPS Issues

Tue May 15, 2012 3:48 pm

Over the past few years I've configured several ASA's to authenticate against a Microsoft Network Policy Server using the WebVPN SVC and a aaa server group. I'm doing another one now and the CLI has changed a bit which is where I think my problems are at. The Cisco device looks good and will work fine with a local login as long as I don't try to apply my aaa server group to it's authentication. The windows server registers that the user has successfully logged in but the Cisco says it's failed. This happens when I try to login from the web vpn page and from the test button in the ASDM aaa server groups.

I'm breaking down my configurations for easier reading and leaving full copy of my configs below. If you have any questions please let me know.

To get started here is the commands I'm running to apply the aaa server group to the WebVPN.
Code: Select all
aaa-server WindowsNPS protocol radius
aaa-server WindowsNPS (Inside) host 192.168.3.2
 key <shared key>
 radius-common-pw <shared key>

tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group WindowsNPS
 authentication-server-group (Inside) WindowsNPS



Here is the complete configuration for the ASA.

Code: Select all
: Saved
:
ASA Version 8.2(5)
!
hostname gpp-ottoville
enable password tKJbEIgCZm99ZwQy encrypted
passwd V5b6dEoKXi0Te.Oc encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.173.160.6 255.255.255.252
!
tp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 209.143.0.10
access-list encrypt_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list encrypt_acl extended permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging asdm informational
logging debug-trace
mtu inside 1500
mtu outside 1500
ip local pool OttovilleWebVPN 10.1.1.1-10.1.1.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list encrypt_acl
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 209.173.160.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server WindowsNPS protocol radius
aaa-server WindowsNPS (inside) host 192.168.3.2
 key *****
 radius-common-pw *****
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer 24.142.189.90
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
telnet timeout 5
ssh 192.168.3.0 255.255.255.0 inside
ssh <removed> outside
ssh <removed> outside
ssh timeout 20
ssh version 2
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
 svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 3
 svc image disk0:/anyconnect-wince-ARMv4I-2.4.1012-k9.pkg 4
 svc enable
 tunnel-group-list enable
group-policy WebVPNGP internal
group-policy WebVPNGP attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask enable
username admin password EgKPvOx4ihakjqv3 encrypted
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool OttovilleWebVPN
 authentication-server-group WindowsNPS
 authentication-server-group (inside) WindowsNPS
 default-group-policy WebVPNGP
tunnel-group <removed> type ipsec-l2l
tunnel-group <removed> ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6900769e9038bc714fb711a6321d462a
: end


The Windows Server 2008 R2 server registers the incoming authentication and records it in the following order. Note that I'm breaking down each log into a individual entry and that all of this occurs one right after the other.

Code: Select all
1:
The computer attempted to validate the credentials for an account.

Authentication Package:   MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:   jhinkle
Source Workstation:   
Error Code:   0x0

2:
A logon was attempted using explicit credentials.

Subject:
   Security ID:      SYSTEM
   Account Name:      BALDER$
   Account Domain:      KRIEGEL
   Logon ID:      0x3e7
   Logon GUID:      {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
   Account Name:      jhinkle
   Account Domain:      KRIEGEL
   Logon GUID:      {00000000-0000-0000-0000-000000000000}

Target Server:
   Target Server Name:   localhost
   Additional Information:   localhost

Process Information:
   Process ID:      0x398
   Process Name:      C:\Windows\System32\svchost.exe

Network Information:
   Network Address:   -
   Port:         -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

3:
An account was successfully logged on. -- [color=#FF0000]This line right here is what confuses me because everything looks to be reporting a good authentication[/color]

Subject:
   Security ID:      SYSTEM
   Account Name:      BALDER$
   Account Domain:      KRIEGEL
   Logon ID:      0x3e7

Logon Type:         3

New Logon:
   Security ID:      KRIEGEL\jhinkle
   Account Name:      jhinkle
   Account Domain:      KRIEGEL
   Logon ID:      0xc59a2a
   Logon GUID:      {00000000-0000-0000-0000-000000000000}

Process Information:
   Process ID:      0x398
   Process Name:      C:\Windows\System32\svchost.exe

Network Information:
   Workstation Name:   
   Source Network Address:   -
   Source Port:      -

Detailed Authentication Information:
   Logon Process:      IAS
   Authentication Package:   MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
   Transited Services:   -
   Package Name (NTLM only):   -
   Key Length:      0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
   - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
   - Transited services indicate which intermediate services have participated in this logon request.
   - Package name indicates which sub-protocol was used among the NTLM protocols.

4:
Special privileges assigned to new logon.

Subject:
   Security ID:      KRIEGEL\jhinkle
   Account Name:      jhinkle
   Account Domain:      KRIEGEL
   Logon ID:      0xc59a2a

Privileges:      SeSecurityPrivilege
         SeTakeOwnershipPrivilege
         SeLoadDriverPrivilege
         SeBackupPrivilege
         SeRestorePrivilege
         SeDebugPrivilege
         SeSystemEnvironmentPrivilege
         SeEnableDelegationPrivilege
         SeImpersonatePrivilege

5:
An account was logged off.

Subject:
   Security ID:      KRIEGEL\jhinkle
   Account Name:      jhinkle
   Account Domain:      KRIEGEL
   Logon ID:      0xc59a2a

Logon Type:         3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

hinklejoe
New Member
Posts:
2
Joined:
Tue May 15, 2012 3:34 pm

Re: ASA 5505 - Server 2008 NPS Issues

Wed May 16, 2012 7:47 am

I spent some more time working on this problem and found my issue. First I'll add a few comments for anyone else who needs it.

You can get better data out of the ASA by using the show aaa-server command. At minimum it shows you the number of requests sent and rejected. If you want to debug the message further you can use the debug aaa authentication and debug radius all commands to see the packet data. In this output I found a reject statement even though the Windows logs showed it authenticated correctly. I went through NPS and found that the default network policies where causing the reject. I switched the priority of the policy I created and it worked.

You can use the test aaa-server authentication <aaa group name> host <ip> command to test the connection from the CLI.

'

Return to Cisco Security

Who is online

Users browsing this forum: Google [Bot] and 17 guests