This article is reposted from: https://www.petenetlive.com/KB/Article/0000685
Problem
Note: The procedure is the same for Server 2016 and 2019
This week I was configuring some 2008 R2 RADIUS authentication, so I thought I’d take a look at how Microsoft have changed the process for 2012. The whole thing was surprisingly painless.
I will say that Kerberos Authentication is a LOT easier to configure, but I’ve yet to test that with 2012, (watch this space).
Solution
Step 1 Configure the ASA for AAA RADIUS Authentication
1. Connect to your ASDM > Configuration.
2. Remote Access VPN.
3. AAA/Local Users > AAA Server Groups.
4. In the Server Groups section > Add.
5. Give the group a name and accept the defaults > OK.
6. Now (with the group selected) > in the bottom (Servers) section > Add.
7. Specify the IP address, and a shared secret that the ASA will use with the 2012 server performing RADIUS > OK.
8. Apply.
Configure AAA RADIUS from the command line (the `key` and `radius-common-pw` lines are entered in the host sub-mode):

```
aaa-server PNL-RADIUS protocol radius
aaa-server PNL-RADIUS (inside) host 172.16.254.223
 key 123456
 radius-common-pw 123456
 exit
```
Step 2 Configure Windows 2012 Server to allow RADIUS
9. On the Windows 2012 Server > Launch Server Manager > Local Server.
10. Manage > Add Roles and Features.
11. If you get an initial welcome page, tick the box to ‘skip’ > Next > Accept the ‘Role-based or feature-based installation’ > Next.
12. We are installing locally > Next.
13. Add ‘Network Policy and Access Server’ > Next.
14. Add Features.
15. Next.
16. Next.
17. Next.
18. Install.
19. When complete > Close.
20. Select NPAS (Server 2016), or NAP (Server 2012).
21. Right click the server > Network Policy Server.
22. Right click NPS > Register server in Active Directory.
23. Expand RADIUS > right click RADIUS Clients > New.
24. Give the firewall a friendly name (take note of what this is, you will need it again) > Specify its IP > Enter the shared secret you set up above (number 7) > OK.
25. Expand Policies > right click ‘Connection Request Policies’ > New.
26. Give the policy a name > Next.
27. Add a condition > Set the condition to ‘Client Friendly Name’ > Add.
28. Specify the name you set up above (number 24) > OK > Next.
29. Next.
30. Next.
31. Change the attribute to ‘User-Name’ > Next.
32. Finish.
33. Now right click ‘Network Policies’ > New.
34. Give the policy a name > Next.
35. Add a condition > User Groups.
36. Add in the AD security group you want to allow access to > OK > Next.
37. Next.
38. Access Granted > Next.
39. Select ‘Unencrypted Authentication (PAP, SPAP)’ > Next.
40. Select No.
41. Next.
42. Next.
43. Finish.
Step 3 Test RADIUS Authentication
44. Back at the ASDM, on the same page you were on previously, select your server and then click ‘Test’.
45. Change the selection to Authentication > Enter your domain credentials > OK.
46. You are looking for a successful outcome.
Note: If it fails, check that there is physical connectivity between the two devices and that the shared secrets match. Also ensure UDP ports 1645 and 1646 are not being blocked.
To test AAA RADIUS authentication from the command line:

```
test aaa-server authentication PNL-RADIUS host 172.16.254.223 username petelong password password123
```
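To make the test above (and the two failure causes in the note) concrete, here is an added, self-contained model of the RADIUS exchange that the ASA ‘Test’ button or `test aaa-server` command drives, written for this page rather than taken from Cisco, Microsoft or the original article. It implements the RFC 2865 Access-Request/Access-Accept exchange with a PAP User-Password, which is why the network policy in Step 2 (number 39) has to allow ‘Unencrypted Authentication (PAP, SPAP)’: the password is only obfuscated with MD5 of the shared secret, so the secret is the whole protection and a mismatch breaks the exchange. The user table and the NPS side are constructed stand-ins (a real NPS may silently discard a request from a client whose secret does not match rather than answer it); the page's own username, password and secret are reused as sample values, and the UDP port defaults to 1645 as in the note.

```python
"""RADIUS PAP exchange (RFC 2865): ASA client side and a mock NPS side.

Added worked example for this page; not Cisco, Microsoft or petenetlive code.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed user table standing in for the AD group the network policy allows.
SAMPLE_USERS = {"petelong": "password123"}


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: each 16-byte block is XORed with MD5(secret + previous block);
    the first 'previous block' is the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_decrypt(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt; the chain runs over the *ciphertext* blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        chunk = ciphertext[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(a ^ b for a, b in zip(chunk, key)), chunk
    return out.rstrip(b"\x00")


def build_packet(code: int, identifier: int, authenticator: bytes, attrs) -> bytes:
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def response_authenticator(code, identifier, request_auth, body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    hdr = struct.pack("!BBH", code, identifier, 20 + len(body))
    return hashlib.md5(hdr + request_auth + body + secret).digest()


def make_access_request(username, password, secret, identifier=1, authenticator=None):
    """ASA side: Access-Request carrying User-Name and a PAP User-Password."""
    auth = authenticator or os.urandom(16)
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, pap_encrypt(password.encode(), secret, auth))]
    return build_packet(ACCESS_REQUEST, identifier, auth, attrs), auth


def nps_handle(packet, server_secret, users=SAMPLE_USERS):
    """Mock NPS: recover the password with the secret stored for this RADIUS
    client, check it, and answer Accept or Reject (constructed behaviour)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    req_auth = packet[4:20]
    attrs = dict(parse_attrs(packet[20:length]))
    user = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
    given = pap_decrypt(attrs.get(ATTR_USER_PASSWORD, b""), server_secret, req_auth)
    ok = user in users and hmac.compare_digest(given, users[user].encode())
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(code, ident, req_auth, b"", server_secret)
    return build_packet(code, ident, auth, [])


def client_verify(response, request_auth, client_secret):
    """ASA side: validate the Response Authenticator before trusting the verdict."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    body = response[20:length]
    expected = response_authenticator(code, ident, request_auth, body, client_secret)
    if not hmac.compare_digest(response[4:20], expected):
        return "invalid authenticator (shared secrets differ)"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, "unknown")


def run_exchange(username, password, client_secret, server_secret):
    """Offline round trip between the two halves above."""
    request, auth = make_access_request(username, password, client_secret)
    return client_verify(nps_handle(request, server_secret), auth, client_secret)


def send_access_request(host, secret, username, password, port=1645, timeout=3.0):
    """Send a real request over UDP (port 1645 as in the page's note) and report."""
    request, auth = make_access_request(username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no response (check connectivity and UDP port)"
    return client_verify(data, auth, secret)


if __name__ == "__main__":
    print(run_exchange("petelong", "password123", b"123456", b"123456"))  # Access-Accept
    print(run_exchange("petelong", "wrong", b"123456", b"123456"))        # Access-Reject
    print(run_exchange("petelong", "password123", b"123456", b"654321"))  # authenticator mismatch
```

The three runs at the bottom correspond to the outcomes you can see from the ASDM test: a good login, a wrong password, and the two secrets from numbers 7 and 24 not matching; `send_access_request` does the same against a live NPS host and maps a timeout to the connectivity/port check in the note. Because PAP only XORs the password against MD5 of the secret, the shared secret should be long and random rather than the six digits used as the page's placeholder, and the ASA-to-NPS path should be a trusted network segment.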
47. Finally, save the firewall changes > File > Save Running Configuration to Flash.
Related Articles, References, Credits, or External Links
Windows Server 2003 – Configure RADIUS for Cisco ASA 5500 Authentication
Windows Server 2008 R2 – Configure RADIUS for Cisco ASA 5500 Authentication