Cox Managed CPE Services. RADIUS Authentication for AnyConnect VPN Version 1.3 [Draft]

Similar documents
How To Configure Windows Server 2008 as a RADIUS Server with MS-CHAP v2 Authentication

Configuring Global Protect SSL VPN with a user-defined port

Authenticating users of Cisco NCS or Cisco Prime Infrastructure against Microsoft NPS (RADIUS)

IIS, FTP Server and Windows

Clientless SSL VPN Users

Active Directory integration with CloudByte ElastiStor

GoldKey and Cisco AnyConnect

Step-by-Step Guide for Setting Up VPN-based Remote Access in a

Using Internet or Windows Explorer to Upload Your Site

Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab

WHITE PAPER Citrix Secure Gateway Startup Guide

eadvantage Certificate Enrollment Procedures

Configuring a Windows 2003 Server for IAS

ADFS Integration Guidelines

Configuring Microsoft RADIUS Server and Gx000 Authentication. Configuration Notes. Revision 1.0 February 6, 2003

DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication

How to Configure Web Authentication on a ProCurve Switch

How to configure MAC authentication on a ProCurve switch

CA Nimsoft Service Desk

Installing and Configuring vcenter Support Assistant

Management Authentication using Windows IAS as a Radius Server

Workspot Configuration Guide for the Cisco Adaptive Security Appliance

Configuring SSL VPN on the Cisco ISA500 Security Appliance

Configure your firewall for administrative access via RADIUS authentication

How to Setup PPTP VPN Between a Windows PPTP Client and the DIR-130.

Technical Note. Configuring Outlook Web Access with Secure WebMail Proxy for eprism

MANUFACTURER RamSoft Incorporated 243 College St, Suite 100 Toronto, ON M5T 1R5 CANADA

Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication

Scenario: IPsec Remote-Access VPN Configuration

MultiSite Manager. Setup Guide

F-Secure Messaging Security Gateway. Deployment Guide

Application Note. Using a Windows NT Domain / Active Directory for User Authentication NetScreen Devices 8/15/02 Jay Ratford Version 1.

ECA IIS Instructions. January 2005

If you have questions or find errors in the guide, please, contact us under the following address:

Microsoft OCS with IPC-R: SIP (M)TLS Trunking. directpacket Product Supplement

Secure IIS Web Server with SSL

Configuring Outlook for Windows to use your Exchange

ESET SECURE AUTHENTICATION. Check Point Software SSL VPN Integration Guide

How to set up Outlook Anywhere on your home system

Installation Guide. SafeNet Authentication Service

Customer Tips. Xerox Network Scanning HTTP/HTTPS Configuration using Microsoft IIS. for the user. Purpose. Background

How to Logon with Domain Credentials to a Server in a Workgroup

How To Enable A Websphere To Communicate With Ssl On An Ipad From Aaya One X Portal On A Pc Or Macbook Or Ipad (For Acedo) On A Network With A Password Protected (

The safer, easier way to help you pass any IT exams. Exam : Administering Windows Server Title : Version : V16.

MultiSite Manager. Setup Guide

HOTPin Integration Guide: DirectAccess

Browser-based Support Console

How to Connect SSTP VPN from Windows Server 2008/Vista to Vigor2950

TechNote. Contents. Introduction. System Requirements. SRA Two-factor Authentication with Quest Defender. Secure Remote Access.

Check Point FW-1/VPN-1 NG/FP3

Microsoft IAS Configuration for RADIUS Authorization

Citrix Access on SonicWALL SSL VPN

Juniper SSL VPN Authentication QUICKStart Guide

Astaro Security Gateway V8. Remote Access via L2TP over IPSec Configuring ASG and Client

CHARTER BUSINESS custom hosting faqs 2010 INTERNET. Q. How do I access my ? Q. How do I change or reset a password for an account?

Releasing blocked in Data Security

ActivIdentity 4TRESS AAA Web Tokens and SSL VPN Fortinet Secure Access. Integration Handbook

Sophos Mobile Control Installation guide

Configuring Internet Authentication Service on Microsoft Windows 2003 Server

Step-by-Step Setup Guide Wireless File Transmitter FTP Mode

Using Remote Desktop with the Cisco AnyConnect VPN Client in Windows Vista

AVG Business SSO Connecting to Active Directory

Outlook Profile Setup Guide Exchange 2010 Quick Start and Detailed Instructions

Sophos UTM. Remote Access via PPTP. Configuring UTM and Client

Setting Up SSL on IIS6 for MEGA Advisor

MCTS Guide to Microsoft Windows Server 2008 Applications Infrastructure Configuration (Exam # )

App Orchestration 2.5

Basic Exchange Setup Guide

Configuration Task 3: (Optional) As part of configuration, you can deploy rules. For more information, see "Deploy Inbox Rules" below.

Step-by-Step Setup Guide Wireless File Transmitter FTP Mode

Introduction to Mobile Access Gateway Installation

Using Microsoft Expression Web to Upload Your Site

CA VPN Client. User Guide for Windows

Juniper Networks SSL VPN Implementation Guide

Preparing for GO!Enterprise MDM On-Demand Service

Setting up VMware ESXi for 2X VirtualDesktopServer Manual

Using Microsoft s CA Server with SonicWALL Devices

User's Guide. Product Version: Publication Date: 7/25/2011

Use 802.1x EAP-TLS or PEAP-MS-CHAP v2 with Microsoft Windows Server 2003 to Make a Secure Network

Step-by-Step Setup Guide Wireless File Transmitter FTP Mode

Remote Access Technical Guide To Setting up RADIUS

External Authentication with Cisco ASA Authenticating Users Using SecurAccess Server by SecurEnvoy

etoken Enterprise For: SSL SSL with etoken

Step-by-Step Setup Guide Wireless File Transmitter FTP Mode

How to install and use the File Sharing Outlook Plugin

Sophos UTM. Remote Access via PPTP Configuring Remote Client

How-to: HTTP-Proxy and Radius Authentication and Windows IAS Server settings. Securepoint Security System Version 2007nx

MadCap Software. Upgrading Guide. Pulse

How To Set Up A Vpn Tunnel Between Winxp And Zwall On A Pc 2 And Winxp On A Windows Xp 2 On A Microsoft Gbk2 (Windows) On A Macbook 2 (Windows 2) On An Ip

Defender 5.7. Remote Access User Guide

Strong Authentication for Juniper Networks SSL VPN

Managing Software and Configurations

ESET SECURE AUTHENTICATION. Cisco ASA Internet Protocol Security (IPSec) VPN Integration Guide

How to Configure NetScaler Gateway 10.5 to use with StoreFront 2.6 and XenDesktop 7.6.

How do I set up a branch office VPN tunnel with the Management Server?

Step By Step Guide: Demonstrate DirectAccess in a Test Lab

Configuring WPA-Enterprise/WPA2 with Microsoft RADIUS Authentication

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Gateway

Stonesoft Firewall/VPN 5.4 Windows Server 2008 R2

RoomWizard Synchronization Software Manual Installation Instructions

Transcription:

Cox Managed CPE Services RADIUS Authentication for AnyConnect VPN Version 1.3 [Draft] September, 2015

2015 by Cox Communications. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of Cox Communications.

Table of Contents Contents RADIUS AUTHENTICATION FOR ANYCONNECT VPN... 1 INSTALL THE NPS AND RADIUS ROLES ON WINDOWS SERVER 2008... 3 STEP 1: INSTALL NETWORK POLICY AND ACCESS SERVICES... 3 STEP 2: ADD CISCO ROUTER AS CLIENT ON NPS SERVER... 9 STEP 3: DEFINE POLICY ON NPS SERVER... 12 INSTALL THE NPS AND RADIUS ROLES ON WINDOWS SERVER 2012... 25 STEP 1: INSTALL NETWORK POLICY AND ACCESS SERVICES... 25 STEP 2: ADD CISCO ROUTER AS A CLIENT ON THE NPS SERVER... 31 STEP 3: DEFINE POLICY ON NPS SERVER... 33 ANYCONNECT VPN WITH CERTIFICATE AUTHORITY... 39 PRIVATE CA... 39 Generating CA Certificate for managed device... 39 Generating Identity Certificate for managed device... 42 Installing Certificate on Managed Device (To be performed by support team)... 46 GLOBAL CA... 49 SAMPLE CONFIGURATION ON CLIENT... 50 CONFIGURATION EXAMPLE ON ISR ROUTER WITH RADIUS AUTHENTICATION FOR CISCO ANYCONNECT VPN... 50 i

Introduction RADIUS Authentication for AnyConnect VPN Introduction This document details the configuration tasks needed in order to have a managed services device use a Microsoft Windows Server 2008 or Microsoft Windows 2012 R2 server with the RADIUS protocol to authenticate AnyConnect VPN users against Active Directory. Network Policy Service (NPS) is one of the server roles offered by Windows Server 2008 and Windows Server 2012 R2. It is similar to the Internet Authentication Service (IAS) found in Windows 2003 Server, which itself is an implementation of a RADIUS server to provide remote dial-in user authentication. In this configuration, the Cox managed router is a RADIUS client to an NPS RADIUS server. The router sends RADIUS authentication requests on behalf of VPN users and NPS authenticates them against Active Directory. Assumption This document only covers the installation of a RADIUS and Network Policy Server role on a server already configured for Active Directory on Windows Server 2008 and Windows Server 2012 R2. Installation and configuration of Active Directory and DNS are beyond the scope of this document. Reference guides for installing the Active Directory role on Windows Server 2008 and Windows Server 2012 are located at the following URLs, respectively: http://www.rackspace.com/knowledge_center/article/installing-active-directory-domainservices-on-windows-server-2008-r2-enterprise-64-bit http://www.rackspace.com/knowledge_center/article/installing-active-directory-on-windowsserver-2012 Note: The DNS role is automatically installed when Active Directory is installed. Requirements for Setting Up Router in Active Directory LAN IP Address of Cisco ISR Router: This IP Address is the default gateway address of Cox managed router device. RADIUS shared secret: This is configured on a Cisco router - < TBD >. VPN Users Group: This group was defined in the Active Directory server and will be referenced while setting up the RADIUS role. RADIUS Authentication for AnyConnect VPN 1

Installing the NPS and RADIUS Roles on Windows Server 2008 Install the NPS and RADIUS Roles on Windows Server 2008 Prerequisites Before you begin, ensure the following tasks are completed: Active Directory and DNS server are installed and working (required) Organization Unit and User accounts in Active Directory are created (optional) Step 1: Install Network Policy and Access Services How to Install the Network Policy and Access Services Use the following steps to install the network policy and access services. Step Action 1. In the Add Roles Wizard, select the Server Roles option. Result: The list of Roles appears. 2. Check the Network Policy and Access Services box and click the Next button. Figure 1. Select Server Roles screen Continued on next page RADIUS Authentication for AnyConnect VPN 3

Installing the NPS and RADIUS Roles on Windows Server 2008 How to Install the Network Policy and Access Services, continued Step Action 3. Check the Network Policy Server option and click the Next button. A. Select the Role Services menu option on the left navigation bar. B. Check Routing and Remote Access Services, Remote Access Service, and Routing. Figure 2. Select Role Services screen 4. Click the Next button and continue to click through the confirmation screen. Continued on next page 4 RADIUS Authentication for AnyConnect VPN

Installing the NPS and RADIUS Roles on Windows Server 2008 Error! No text of specified style in document., Continued How to Install the Network Policy and Access Services, continued Step Action 5. Click the Install button. Figure 3. Confirm Installation Selections screen Figure 4. Installation Progress screen RADIUS Authentication for AnyConnect VPN 5

Installing the NPS and RADIUS Roles on Windows Server 2008 Figure 5. Installation Results screen 6. When the role is installed, set up the server using the Network Policy Server (NPS) management tool. You can find the tool under Administrative Tools. 7. When you launch the NPS tool, right-click the entry NPS (Local) and click the Register Server in Active Directory. 8. Follow the prompts and keep the default values. Figure 6. NPS (Local) 6 RADIUS Authentication for AnyConnect VPN

Installing the NPS and RADIUS Roles on Windows Server 2008 Figures 7 and 8. Network Policy Server and Network Proxy Server RADIUS Authentication for AnyConnect VPN 7

Installing the NPS and RADIUS Roles on Windows Server 2008 Step 2: Add Cisco Router as Client on NPS Server Overview The second phase of the Installation process is to add the Cisco Router as a client on the NPS server. How to Add a Cisco Router as a Client on the NPS Server Use the following steps to add the Cisco router. The first step of this second phase requires you to add the ISR as a RADIUS client in the NPS server. Step Action 1. Go to Administrative Tools and select Network Policy Server. Right-click RADIUS Clients and select the New menu option. Figure 9. RADIUS Clients RADIUS Authentication for AnyConnect VPN 9

Installing the NPS and RADIUS Roles on Windows Server 2008 2. When you expand the RADIUS Clients and Servers folder, the RADIUS Clients option appears. 1. Click the RADIUS Clients option. Result: The New RADIUS Client dialog box appears. 2. Check the Settings tab and enter a Friendly name, Address (IP or DNS), and select the Shared Secret template configured on the Cisco Router from the drop-down menu. Figure 10. New RADIUS Client Settings tab Continued on next page 10 RADIUS Authentication for AnyConnect VPN

Installing the NPS and RADIUS Roles on Windows Server 2008 How to Add a Cisco Router as a Client on the NPS Server, continued Step 3. Click the Advanced tab. Action 4. From the Vendor name drop-down list, choose RADIUS Standard. Figure 11. New RADIUS Client Advanced tab 5. Click the OK button. RADIUS Authentication for AnyConnect VPN 11

Installing the NPS and RADIUS Roles on Windows Server 2008 Step 3: Define Policy on NPS Server Overview In this phase, you will create a new Connection Request Policy for VPN users. The purpose of the Connection Request Policy is to specify whether the requests from RADIUS clients are to be processed locally or forwarded to remote RADIUS servers. How to Create a New Connection Request Policy for VPN Users Use the following steps to create a new Connection Request Policy for VPN users. Step Action 1. Expand the Network Policy and Access Services menu in the left navigation bar. Figure 12. Server Manager left navigation bar 2. Expand the NPS (Local) option in the left navigation bar. Continued on next page 12 RADIUS Authentication for AnyConnect VPN

Installing the NPS and RADIUS Roles on Windows Server 2008 How to Create a New Connection Request Policy for VPN Users, continued Step Action 3. Expand the Policies folder in the left navigation bar. 4. Right-click Connection Request Policies. Result: The New Connection Request Policy dialog box appears. Figure 12. New Connect Request Policy dialog box 5. Enter a description for the policy in the Policy name field. 6. Select the Type of network access server radio button and click the arrow on the drop-down menu. 7. Select the Unspecified option. Continued on next page RADIUS Authentication for AnyConnect VPN 13

Installing the NPS and RADIUS Roles on Windows Server 2008 How to Create a New Connection Request Policy for VPN Users, continued Step Action 8. Click the Next button. Result: The Specify Conditions dialog appears. Figure 13. Specify Conditions dialog box 9. From the Select Condition section, click the Client Friendly Name option and then click the Add button. Result: The Client Friendly Name dialog box appears. Continued on next page 14 RADIUS Authentication for AnyConnect VPN

Installing the NPS and RADIUS Roles on Windows Server 2008 How to Create a New Connection Request Policy for VPN Users, continued Step Action 10. Enter the friendly name that you used when creating the RADIUS Client. See Error! Not a valid result for table.. Figure 14. Client Friendly Name dialog box 11. Click the OK button and the Next button. Result: The Specify Connect Request Forwarding dialog box appears. Figure 15. Specify Connection Request Forwarding dialog box 12. Check that the Authenticate requests on this server radio button is selected. Continued on next page RADIUS Authentication for AnyConnect VPN 15

Installing the NPS and RADIUS Roles on Windows Server 2008 How to Create a New Connection Request Policy for VPN Users, continued Step Action 13. Click the Next button. Result: The Specify Authentication Methods dialog box appears. Figure 16. Authentication Methods dialog box 14. Check the Override network policy authentication settings box. 15. From the Less secure authentication methods section, check the Microsoft Encrypted Authentication version 2 (MS-CHAP-v2) box and the User can change password after it has expired box. Continued on next page 16 RADIUS Authentication for AnyConnect VPN

Installing the NPS and RADIUS Roles on Windows Server 2008 How to Create a New Connection Request Policy for VPN Users, continued Step Action 16. Click the Next button. Result: The Configure Settings dialog box appears. Figure 17. Configure Settings dialog box 17. From the left navigation bar, select the Attribute option and then select the User Name from the drop down menu. 18. Click the Next button. Result: The Completing Connection Request Policy Wizard dialog box appears. Figure 18. Completing Connection Request Policy Wizard dialog box RADIUS Authentication for AnyConnect VPN 17

Installing the NPS and RADIUS Roles on Windows Server 2008 19. Click the Finish button. Overview Once you have created a New Request Connect Policy for VPN users, you need to create a Network Policy. Here, you can specify which users are allowed to authenticate. For example, you can add Active Directory user groups as a condition. Note: this policy. Only those users who belong to a specified Windows group are authenticated under How to Create a Network Policy Use the following steps to create a network policy. Step Action 1. From the left navigation bar, expand the Network Policy and Access Services option. 2. Expand the NPS (Local) option. 3. Right-click Network Policies under the Policies option to create a new policy. Result: The Specify Network Policy Name and Connection Type dialog box appears. Figure 19. Specify Network Policy Name and Connect Type dialog box 18 RADIUS Authentication for AnyConnect VPN

Installing the NPS and RADIUS Roles on Windows Server 2008 4. Check that the Grant access radio button is selected. 5. From the Type of network access server drop-down menu, select the Unspecified option. 6. Click the Next button. Result: The Specify Conditions dialog box appears. Figure 20. Specify Conditions dialog box 7. Highlight User Groups and click the Add button. Result: The Select Group dialog box appears. Figure 21. Select Group dialog box 8. Click the Object Types button and make your selection. 9. Click the Locations button and make your select. 10. Click the Check Names button to add a users group condition to a specific AD user group. (Note: You can use a generic group like Domain Users or create a group specifically to restrict access.) Continued on next page RADIUS Authentication for AnyConnect VPN 19

Installing the NPS and RADIUS Roles on Windows Server 2008 How to Create a New Connection Request Policy for VPN Users, continued Step Action 11. Click the OK button. Result: The Specify Conditions dialog box appears. Figure 22. Specify Conditions dialog box 12. Click the Next button. Result: The Specify Access Permissions dialog box appears. Figure 23. Specify Access Permissions dialog box 20 RADIUS Authentication for AnyConnect VPN

Installing the NPS and RADIUS Roles on Windows Server 2008 13. Click the Next button and keep the Access granted radio button selected. 14. Click the Next button. Result: The Configure Authentication Methods dialog box appears. Figure 24. Configure Authentication Methods dialog box 15. Leave the default selections under the Less secure authentication methods section. 16. Check the Unencrypted authentication (PAP, SPAP) box. 17. Click the Next button. Result: The Configure Constraints dialog box appears. RADIUS Authentication for AnyConnect VPN 21

Installing the NPS and RADIUS Roles on Windows Server 2008 18. Keep the default Constraints settings. Figure 25. Configure Constraints dialog box Continued on next page 22 RADIUS Authentication for AnyConnect VPN

Installing the NPS and RADIUS Roles on Windows Server 2008 How to Create a New Connection Request Policy for VPN Users, continued Step Action 19. Click the Next button. Result: The Configure Settings dialog box appears. Figure 26. Configure Settings dialog box 20. Accept the default Radius Settings. Continued on next page RADIUS Authentication for AnyConnect VPN 23

Installing the NPS and RADIUS Roles on Windows Server 2008 How to Create a New Connection Request Policy for VPN Users, continued Step Action 21. Click the Next button. Result: The Completing New Network Policy dialog box appears. Figure 27. Completing New Network Policy dialog box 22. Review the settings in the screen above and click the Finish button. Figure 28. Network Policies review screen 24 RADIUS Authentication for AnyConnect VPN

Installing the NPS and RADIUS Roles on Windows Server 2012 Install the NPS and RADIUS Roles on Windows Server 2012 Overview Just as with the steps you performed to install the NPS and RADIUS Roles on Windows Server 2008, you will need to replicate the process to complete the installation for Windows Server 2012. Step 1: Install Network Policy and Access Services How to Add Roles and Features Use the following steps to install roles, role services, and features based on the computing needs of your company, such as sharing documents or hosting a website. Step Action 1. Open the Server Manager Dashboard and click the Add roles and features option. Figure 29. Add Roles and Features Wizard Continued on next page RADIUS Authentication for AnyConnect VPN 25

Installing the NPS and RADIUS Roles on Windows Server 2012 How to Add Roles and Features, continued Step Action 2. Click the Next button. Result: The Select installation type dialog box appears. Figure 30. Select installation type dialog box 3. Make sure the Role-based or feature-based installation radio button is selected. Continued on next page 26 RADIUS Authentication for AnyConnect VPN

Installing the NPS and RADIUS Roles on Windows Server 2012 How to Add Roles and Features, continued Step Action 4. Click the Next button. Result: The Select destination server dialog box appears. Figure 31. Select destination server dialog box. 5. Click the Next button. Result: The Select server roles dialog box appears. Figure 32. Select server roles dialog box RADIUS Authentication for AnyConnect VPN 27

Installing the NPS and RADIUS Roles on Windows Server 2012 6. Check the Network Policy and Access Services box. 7. Click the Next button. Result: The Add features that are required for Network Policy and Access Services dialog box appears. Figure 33. Add features that are required for Network Policy an d Access Services dialog box 8. Check the Include management tools (if applicable) box. 9. Click the Add features button. Continued on next page 28 RADIUS Authentication for AnyConnect VPN

Installing the NPS and RADIUS Roles on Windows Server 2012 How to Add Roles and Features, continued Step Action 10. Click the Next button until you get to the Confirm installation selections dialog box. Figure 34. Confirm installation selections dialog box 11. Click the Install button. 12. When the installation completes, click the Close button. Figure 35. Installation progress dialog box RADIUS Authentication for AnyConnect VPN 29

Installing the NPS and RADIUS Roles on Windows Server 2012 How to Register the Server in Active Directory Use the following steps to register the server in active directory. Step Action 1. Open the Network Policy Server (NPS) console from the Start menu or from Server Manager. Figure 36. Network Policy Server (NPS) Console dialog box 2. Right-click the NPS option in the left navigation bar and select the Register server in Active Directory. Figure 37. Menu options 3. Click the OK button on the To enable NPS to authenticate users and the This computer is now authorized dialog boxes. 30 RADIUS Authentication for AnyConnect VPN

Installing the NPS and RADIUS Roles on Windows Server 2012 Step 2: Add Cisco Router as a Client on the NPS Server Overview The second step is to add the Cisco router as a client on the NPS server. How to Add a Cisco Router as a Client on the NPS Server Use the following steps to add the router as a client on the server. Step Action 1. From the left navigation bar, expand the RADIUS Clients and Servers folder and right-click the RADIUS Clients option. Result: A sub menu appears. Figure 38. RADIUS Clients New Continued on next page RADIUS Authentication for AnyConnect VPN 31

Installing the NPS and RADIUS Roles on Windows Server 2012 How to Add a Cisco Router as a Client on the NPS Server, continued Step Action 2. Click New. Result: The VPNHUB Properties dialog box appears. Figure 39. VPNHUB Properties dialog box 3. Click the Settings tab. 4. Enter a description for the Cisco ISR in the Friendly name field. 5. Enter the IP address in the Address (IP or DNS) field. 6. Select an existing Share Secrets template from the Shared Secret drop-down menu. 7. Click the OK button. 32 RADIUS Authentication for AnyConnect VPN

Step 3: Define Policy on NPS Server Installing the NPS and RADIUS Roles on Windows Server 2012 Overview The third step is to define the policy on the NPS server. How to Define a Policy on the NPS Server Use the following steps to define a policy on the NPS Server. Step Action 1. From the left navigation bar, expand the NPS (Local) menu and then expand the Policies option. 2. Right-click the Network Policies folder and select New. Result: The Specify Network Policy Name and Connection Type dialog box appears. Figure 40. Specify Network Policy Name and Connection Type dialog box 3. Enter a Policy name for the connection policy and click the Next button. Result: The Select Condition dialog box appears. Continued on next page RADIUS Authentication for AnyConnect VPN 33

Installing the NPS and RADIUS Roles on Windows Server 2012 How to Define a Policy on the NPS Server, continued Step Action 4. Figure 41. Select Condition dialog box 5. Click the Add button. Result: The User Groups dialog box appears. 6. Figure 42. User Groups dialog box 7. Click the Add Groups button. 8. Enter the VPN Users group that was created earlier on Active Directory. (See page 16.) Continued on next page 34 RADIUS Authentication for AnyConnect VPN

Installing the NPS and RADIUS Roles on Windows Server 2012 How to Define a Policy on the NPS Server, continued Step Action 9. Click the OK button. Result: The Specify Access Permission dialog box appears. Figure 43. Select Group dialog box 10. Figure 44. Specify Access Permission dialog box 11. Check that the Access granted radio button is selected. RADIUS Authentication for AnyConnect VPN 35

Installing the NPS and RADIUS Roles on Windows Server 2012 12. Click the Next button. Result: The Configure Authentication Methods dialog box appears. Figure 45. Configure Authentication Methods dialog box 13/ Check the MS-CHAPv2 and MS-CHAP boxes. 14. Click the Next button. Result: The Configure Settings dialog box appears. 15. Click the Next button. Result: The Completing New Network Policy dialog box appears. 16. Figure 46. Completing New Network Policy dialog box 36 RADIUS Authentication for AnyConnect VPN

Installing the NPS and RADIUS Roles on Windows Server 2012 17. Review the final options and click the Finish button. RADIUS Authentication for AnyConnect VPN 37

AnyConnect VPN with Certificate Authority Configuration Example AnyConnect mobility VPN client supports certificate authority, which issues digital certificate to certify the ownership of a public key. This allows managed device to rely upon signatures or on assertions made by the private key that corresponds to the certified public key. In this model of trust relationships, a CA is a trusted party trusted both by the subject (owner) of the certificate and by the managed device relying upon the certificate. Managed device requires two types of certificate to be issue by CA 1. CA Certificate 2. 2. Identity Certificate There are two types of CA covered in this document 1. Private CA server setup by Enterprise 2. Globally Known public CA server. Private CA Private CA is a solution to improve the security and management of private intranet certificates while adhering to corporate and industry compliance standards. Following steps involves the process in which required certificate should be generated from CA and should be applied on the managed device. Note: Some of the steps will be performed by support team and are clearly mentioned Generating CA Certificate for managed device Step1 - CA server should be accessed using a web browser. If logged on locally to CA server use https://localhost/certsrv or if remotely logging on then use https://x.x.x.x/certsrv where x.x.x.x is the IP address of the CA server. User will see following screen RADIUS Authentication for AnyConnect VPN 39

Configuration Example Step 2 Next step is to download the first of two certificates CA Certificate. Click on download a ca certificate, certification chain or CRL as highlighted below. Step3 In this step, Click NO on Digital Certificate Operation window as shown below 40 RADIUS Authentication for AnyConnect VPN

Installing the NPS and RADIUS Roles on Windows Server 2012 Step 4: Once user clicks NO, following window will appear. On this window under Enrollment Method Select Base 64 and then click on Download ca certificate Step 5: Once you click on Download ca certificate it will prompt you to save that certificate. Click on Save and save it on you desired location. RADIUS Authentication for AnyConnect VPN 41

Configuration Example Generating Identity Certificate for managed device Step1 - CA server should be accessed using a web browser. If logged on locally to CA server use https://localhost/certsrv or if remotely logging on then use https://x.x.x.x/certsrv where x.x.x.x is the IP address of the CA server. User will see following screen. 42 RADIUS Authentication for AnyConnect VPN

Installing the NPS and RADIUS Roles on Windows Server 2012 Step2: (Step performed by Support Team) For generating identity certificate, CA server will require a CSR (Certificate Signing Request) file which will be generated from managed device using following command. Highlight portion of this CSR file will be pasted on the CA server to generate identity certificate. Step 3: On CA Server, click on Request a certificate Step 4: Next screen Click on Advanced Certificate request. RADIUS Authentication for AnyConnect VPN 43

Configuration Example Step 5: Next screen Click on Submit a certificate by using a base 64 option as highlighted in below Step 6: On Next screen, User needs to select Administrator as Certificate Template and also paste CSR (Certificate Signing Request generated in step2) file in Saved request Box as shown in following screenshots. 44 RADIUS Authentication for AnyConnect VPN

Installing the NPS and RADIUS Roles on Windows Server 2012 Step 7: Click Submit and Digital Certificate Operation warning will pop-up Select NO Step 8- After selecting no, user will land on following page. On this page select Base 64 encoded option as by default DER encoded will be selected then click on download certificate and save the certificate. RADIUS Authentication for AnyConnect VPN 45

Configuration Example Note: Both Certificate files (CA & Identity), which are generated and saved, should be provided to support team for installing them on managed device Installing Certificate on Managed Device (To be performed by support team) Step1: Install CA Certificate as shown below. 46 RADIUS Authentication for AnyConnect VPN

Installing the NPS and RADIUS Roles on Windows Server 2012 Step 2: Install Identity Certificate. RADIUS Authentication for AnyConnect VPN 47

Configuration Example Step 3: Verify whether both certificates are installed properly. 48 RADIUS Authentication for AnyConnect VPN

Installing the NPS and RADIUS Roles on Windows Server 2012 Global CA Global CA or Root CA servers are well known public CA servers and they offer digital certificates. An enterprise should subscribe to digital certificate from digital certificate provider. In this process, User will be able to log on to digital certificate provider s website with required credentials and upload a CSR (Certificate Signing Request) file to generate digital certificate. These digital certificate will be sent to user s email or will be available on provider s website, this process depends on different providers. Managed Device support team will be able to provider CSR file, which needs to be generated from managed device. After submitting/uploading CSR file, user will receive certificate files which should be sent to Managed device s support team for installation on managed device. RADIUS Authentication for AnyConnect VPN 49

Configuration Example Sample Configuration on Client Configuration Example on ISR router with RADIUS Authentication for Cisco AnyConnect VPN AAA Commands aaa new-model aaa group server radius TESTAD server TESTAD aaa authentication login WEBVPN-LIST group radius local RADIUS Commands radius server TESTAD address ipv4 10.106.223.6 <<<< AD Server IP Address key cisco@123 exit AnyConnect VPN Commands crypto vpn anyconnect flash0:/webvpn/anyconnect-win-4.0.00061-k9.pkg sequence 1 crypto vpn anyconnect flash0:/webvpn/anyconnect-macosx-i386-4.0.00061-k9.pkg sequence 2 webvpn gateway WEBVPN-GW ip address 10.64.117.16 port 8888 http-redirect port 80 ssl trustpoint test inservice! webvpn context WEBVPN-CONTEXT virtual-template 10 aaa authentication list WEB gateway WEBVPN-GW! ssl authenticate verify all 50 RADIUS Authentication for AnyConnect VPN

inservice! policy group WEBVPN-GROUP functions svc-enabled functions svc-required svc address-pool "WEBVPN-POOL" netmask 255.255.255.0 svc keep-client-installed svc split include 192.168.1.0 255.255.255.0 default-group-policy WEBVPN-GROUP Installing the NPS and RADIUS Roles on Windows Server 2012 End of Document RADIUS Authentication for AnyConnect VPN 51

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information