Over the past few years I've configured several ASA's to authenticate against a Microsoft Network Policy Server using the WebVPN SVC and a aaa server group. I'm doing another one now and the CLI has changed a bit which is where I think my problems are at. The Cisco device looks good and will work fine with a local login as long as I don't try to apply my aaa server group to it's authentication. The windows server registers that the user has successfully logged in but the Cisco says it's failed. This happens when I try to login from the web vpn page and from the test button in the ASDM aaa server groups.
I'm breaking down my configurations for easier reading and leaving full copy of my configs below. If you have any questions please let me know.
To get started here is the commands I'm running to apply the aaa server group to the WebVPN.
Code:
aaa-server WindowsNPS protocol radius
aaa-server WindowsNPS (Inside) host 192.168.3.2
key <shared key>
radius-common-pw <shared key>
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group WindowsNPS
authentication-server-group (Inside) WindowsNPS
Here is the complete configuration for the ASA.
Code:
: Saved
:
ASA Version 8.2(5)
!
hostname gpp-ottoville
enable password tKJbEIgCZm99ZwQy encrypted
passwd V5b6dEoKXi0Te.Oc encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 209.173.160.6 255.255.255.252
!
tp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 209.143.0.10
access-list encrypt_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list encrypt_acl extended permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging asdm informational
logging debug-trace
mtu inside 1500
mtu outside 1500
ip local pool OttovilleWebVPN 10.1.1.1-10.1.1.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list encrypt_acl
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 209.173.160.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server WindowsNPS protocol radius
aaa-server WindowsNPS (inside) host 192.168.3.2
key *****
radius-common-pw *****
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer 24.142.189.90
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh 192.168.3.0 255.255.255.0 inside
ssh <removed> outside
ssh <removed> outside
ssh timeout 20
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 3
svc image disk0:/anyconnect-wince-ARMv4I-2.4.1012-k9.pkg 4
svc enable
tunnel-group-list enable
group-policy WebVPNGP internal
group-policy WebVPNGP attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask enable
username admin password EgKPvOx4ihakjqv3 encrypted
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool OttovilleWebVPN
authentication-server-group WindowsNPS
authentication-server-group (inside) WindowsNPS
default-group-policy WebVPNGP
tunnel-group <removed> type ipsec-l2l
tunnel-group <removed> ipsec-attributes
pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6900769e9038bc714fb711a6321d462a
: end
The Windows Server 2008 R2 server registers the incoming authentication and records it in the following order. Note that I'm breaking down each log into a individual entry and that all of this occurs one right after the other.
Code:
1:
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: jhinkle
Source Workstation:
Error Code: 0x0
2:
A logon was attempted using explicit credentials.
Subject:
Security ID: SYSTEM
Account Name: BALDER$
Account Domain: KRIEGEL
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: jhinkle
Account Domain: KRIEGEL
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x398
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
3:
An account was successfully logged on. -- [color=#FF0000]This line right here is what confuses me because everything looks to be reporting a good authentication[/color]
Subject:
Security ID: SYSTEM
Account Name: BALDER$
Account Domain: KRIEGEL
Logon ID: 0x3e7
Logon Type: 3
New Logon:
Security ID: KRIEGEL\jhinkle
Account Name: jhinkle
Account Domain: KRIEGEL
Logon ID: 0xc59a2a
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x398
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: IAS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
4:
Special privileges assigned to new logon.
Subject:
Security ID: KRIEGEL\jhinkle
Account Name: jhinkle
Account Domain: KRIEGEL
Logon ID: 0xc59a2a
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeEnableDelegationPrivilege
SeImpersonatePrivilege
5:
An account was logged off.
Subject:
Security ID: KRIEGEL\jhinkle
Account Name: jhinkle
Account Domain: KRIEGEL
Logon ID: 0xc59a2a
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Register
Search 
Login
