SBS 2011 RADIUS Authentication Setup for Cisco ASA

I read through several articles for Server 2008 and 2008 R2, and they all seemed to have bits of the configuration needed for the SBS 2011 server to authenticate, but not all of the settings. I have managed to get both Mac and Windows clients authenticated using the method below:

  1. Install Network Policy Server by going into Server Manager and selecting Add Roles. Then select Network Policy and Access server. Under that role, select only Network Policy Server and finish the installation.
  2. Once NPS is installed, open it from Administrative Tools using the Network Policy Server link.

Create new RADIUS Client

 

  1. Expand the RADIUS Clients and Servers folder, right-click RADIUS Clients, and select New to add a client.
  2. In the New RADIUS Client window, the only fields that you need to change are the Friendly Name, Address, and Shared Secret, as shown below. Once these fields are complete, click OK to exit. (You can get all of this information from the Cisco firewall, apart from the Friendly Name, which you choose and will need later.)


Create a connection request policy

  1. Expand the Policies folder, right-click the Connection Request Policies folder, and choose New.
  2. Enter a policy name that has meaning, as you may need to create additional policies in the future. Leave the Type of network access server as Unspecified and click Next.


  1. Add a condition and, under condition type, choose Client Friendly Name. Click the Add button and enter the name that you chose in the add client step. Click OK and then click Next.


  1. Leave all of the settings in this section as they are and click Next.
  2. Click Next again.
  3. Under Attribute choose User-Name, and under the Vendor Specific option click Add. In the vendor list choose Cisco and select Add. Click Add again and enter shell:priv-lvl=15. Click OK, then OK, then Close. Click Next to continue.


  1. You should now be presented with a screen that looks like this:


Create a network policy

  1. Right-click the Network Policies folder and choose New.
  2. Once again, enter a policy name that has meaning, as you may need to create additional policies in the future. Leave the Type of network access server as Unspecified and click Next.


  1. Click the Add button and this time choose Windows Groups. Select a group that is going to have access to VPN through the Cisco and click OK. Click the Add button again and scroll down to Client Friendly Name. Enter the name that you gave your RADIUS client connection. Finally, add another condition and choose NAS Port Type at the bottom of the list. In this screen choose the fourth option down, Virtual (VPN), and click OK. Your list should look similar to this:


  1. Make sure that Access granted is selected and click Next.
  2. Deselect all authentication methods, then tick the Unencrypted authentication (PAP, SPAP) option and click Next. Select No in the popup on the screen.


  1. Leave the settings on this screen as they are and click Next.
  2. Under Standard, remove Framed-Protocol and Service-Type. Under Vendor Specific, enter the same settings that you used in Vendor Specific when you created the connection request policy. Click Next.
  3. Your Completing Network Policy screen should look similar to this:


And that is it. You should now be able to authenticate your Cisco VPN client against Active Directory users.
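
The PAP setting and the shared secret chosen above determine how the Access-Request from the ASA carries the user's password to NPS. The following added example (not part of the original post) implements the RFC 2865 User-Password hiding and builds such a request; the user name, password and secret are constructed sample values, and the NAS-Port-Type attribute is included on the assumption that the VPN request matches the Virtual (VPN) condition.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_PORT_TYPE = 1, 2, 61  # RFC 2865 attribute types
NAS_PORT_TYPE_VIRTUAL = 5  # "Virtual (VPN)" in the NPS condition list


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does with its own copy of the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")


def attr(code: int, value: bytes) -> bytes:
    """Encode one attribute as type, length (including the 2-byte header), value."""
    return struct.pack("!BB", code, len(value) + 2) + value


def build_access_request(user: str, password: str, secret: bytes,
                         ident: int = 1, authenticator: bytes = b"") -> bytes:
    """Build the Access-Request a NAS would send for a PAP login."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator
    hidden = hide_password(password.encode(), secret, authenticator)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hidden)
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs
```

Because the password is masked only by MD5 keyed with the shared secret, anyone who holds or guesses that secret and captures the request can run the same unhide step, so use a long random shared secret for the RADIUS client.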