Issues with Cisco ASA 5500 Series and NAP RRS feed

  • Question

  • Using the VPN NAP enforcement in a test lab step by step guide, I am trying to set up and test a VPN solution but am having problems getting NAP authentication to work. I am not sure if there is an issue with the ASA, NAP server or the client.

    The information below is how we have it configured.
        Cisco ASA 5500 series configured as the Internet Facing device
        Server 2008 is configured as RADIUS server and NAP authentication server
        Windows XP SP3 machines as the clients; these machines are running the Cisco VPN client Version 5.0.x

    It appears that the SOH is not being passed or received by the client/NAP server. Whenever we enable the NAP policies, we get the following error in the Event Logs:

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
        Security ID:            domain\username
        Account Name:            username
        Account Domain:            domain
        Fully Qualified Account Name:    domain\username

    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        -
        Calling Station Identifier:        -

    NAS:
        NAS IPv4 Address:        172.16.102.3
        NAS IPv6 Address:        -
        NAS Identifier:            -
        NAS Port-Type:            Virtual
        NAS Port:            87

    RADIUS Client:
        Client Friendly Name:        EVG ASA
        Client IP Address:            172.16.102.3

    Authentication Details:
        Proxy Policy Name:        NAP VPN 2
        Network Policy Name:        NAP VPN 2 Non NAP-Capable
        Authentication Provider:        Windows
        Authentication Server:        MSMMV102.domain.com
        Authentication Type:        PAP
        EAP Type:            -
        Account Session Identifier:        -
        Reason Code:            65
        Reason:                The connection attempt failed because network access permission for the user account was denied. To allow network access, enable network access permission for the user account, or, if the user account specifies that access is controlled through the matching network policy, enable network access permission for that network policy.


    1. How does one troubleshoot from the PC side of things? Other than netsh, are there logs anywhere that detail the SOH being passed to the NAP server?
    2. No matter what Network Policies we use, the client machines are being seen as Non NAP-Capable.
    3. It appears that we are only able to pass PAP and not EAP/PEAP. Is there a way to configure either the RADIUS/NAP server or the ASA to allow EAP and NAP to go through when using the Cisco VPN client?


    Tuesday, August 18, 2009 8:10 PM

Answers

  • Hi,

    You can't use the VPN enforcement method without a Microsoft VPN server. If you look at the step by step guide for setting up VPN NAP, there is a procedure that is not valid for a non-Microsoft VPN server - see below:

    Configure VPN1 as a NAP-capable RADIUS client

    Because VPN1 is a NAP enforcement server running Windows Server 2008, it must be marked as a NAP-capable RADIUS client.


    When you tell NPS that the RADIUS client is NAP-capable, it will expect an SoH. If you were to skip this step on a Microsoft VPN server, clients would also all appear non NAP-capable. Since the Cisco VPN server doesn't recognize the SoH, it discards the data and marking it as NAP-capable doesn't help.

    To use NAP with a non-Microsoft VPN server, you need to deploy the IPsec enforcement method.

    -Greg
    Wednesday, August 19, 2009 8:55 PM
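The NPS event quoted in the question, and Greg's explanation of why it matches the non-NAP-capable policy, can be turned into a small triage check. This is an added example, not code from the thread: it parses the section/key/value layout of an NPS "denied access" event (a constructed sample trimmed from the one above) and flags the combination that points at a missing SoH rather than a bad password.

```python
import re

# Constructed sample: the relevant sections of the NPS event body from the question above.
SAMPLE_EVENT = """Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

Client Machine:
    Security ID:            NULL SID
    OS-Version:            -

NAS:
    NAS IPv4 Address:        172.16.102.3
    NAS Port-Type:            Virtual

Authentication Details:
    Network Policy Name:        NAP VPN 2 Non NAP-Capable
    Authentication Type:        PAP
    EAP Type:            -
    Reason Code:            65
"""

def parse_nps_event(text):
    """Parse an NPS event body into {section: {key: value}}.

    Section headers are unindented lines ending in ':'; fields are indented
    'key: value' lines. Free-text lines outside a section are ignored."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            if line.endswith(":"):
                current = line[:-1].strip()
                sections[current] = {}
            continue
        key, _, value = line.strip().partition(":")
        if current is not None and key:
            sections[current][key.strip()] = value.strip()
    return sections

def triage(event):
    """Return findings in the order an NPS/NAP operator should check them."""
    auth = event.get("Authentication Details", {})
    client = event.get("Client Machine", {})
    findings = []
    # An empty Client Machine block plus the non-NAP-capable policy means NPS never saw
    # a Statement of Health: the RADIUS client is not forwarding it (see the answer above).
    if ("non nap-capable" in auth.get("Network Policy Name", "").lower()
            and client.get("Security ID") == "NULL SID" and client.get("OS-Version", "-") == "-"):
        findings.append("no SoH received: non-NAP-capable policy matched; VPN server is not NAP-capable")
    if auth.get("Authentication Type") == "PAP" and auth.get("EAP Type", "-") == "-":
        findings.append("PAP only, no EAP: NAS is proxying plain PPP credentials")
    if auth.get("Reason Code") == "65":
        findings.append("reason 65: network access permission denied by account or policy")
    return findings
```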

All replies

  • Greg,

    Thank you for the information. I posted this prior to finding the answer and your clarification in another post. I am in the process of implementing the NAP with IPSEC as per your instructions.

    Thanks again for the help
    Wednesday, August 19, 2009 10:31 PM
  • Hi,

    Is it possible to configure Cisco SSL VPN to work with a NAP RADIUS client? We are planning to set up ASA SSL (Microsoft CA) VPN through NPS using NAP. Is there a way to configure the RADIUS/NAP server to allow EAP and the NAP client to go through when using the ASA SSL VPN?

    Thanks,

    Mike


    MCSE
    Friday, August 12, 2011 10:37 PM
  • "It appears that we are only able to pass PAP and not EAP/PEAP. Is there a way to configure either the RADIUS/NAP server or the ASA to allow EAP and NAP to go through when using the Cisco VPN client."

    The "eap-proxy" command enables EAP, which permits the security appliance to proxy the PPP authentication process to an external RADIUS authentication server.

    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/l2tp_ips.html

    The ASA only supports the PPP authentications PAP and Microsoft CHAP, Versions 1 and 2, on the local database. EAP and CHAP are performed by proxy authentication servers. Therefore, if a remote user belongs to a tunnel group configured with the

    authentication eap-proxy

    or

    authentication chap

    commands, and the ASA is configured to use the local database, that user will not be able to connect.
    Tuesday, February 26, 2013 8:47 PM