Cisco ASA with Radius authentication on W2K8 R2 NPS / Radius with Smartcard
Hi Folks
I'm working with our network provider to get a proper Radius authentication or authorization with a Cisco ASA. We're working with Smartcards; the process seems to work with a simple Username / Password authentication. But if we try to authenticate with Smartcards, the ASA tries to communicate with our NPS and this process generates the following error log:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: user@domain.ch
Account Domain: DOMAIN
Fully Qualified Account Name: DOMAIN\user
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 1.2.3.4
Calling Station Identifier: 4.3.2.1
NAS:
NAS IPv4 Address: 1.1.2.2
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: 68
RADIUS Client:
Client Friendly Name: MVA - Connectis ASA
Client IP Address: 1.2.3.4
Authentication Details:
Connection Request Policy Name: MVA
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: server.domain.ch
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
We tried as much as we could (from my perspective) ;) It seems that NPS needs authentication instead of authorization only. We need only authorization because the Cisco ASA sorts out the Smartcard process in terms of certificate validation (CRL and so on). Anyone out there with similar problems or a possible solution? -mike
September 20th, 2010 4:13am
Unfortunately you cannot accomplish what you are trying to do with NPS (or IAS) out of the box. NPS will do both authentication and authorization unless you have a custom extension dll that offloads either of these to third party applications.
These are custom so you would have to write them yourself.
With NPS, in the absence of an extension dll, we require AD to have the certificate mapped to the user's account.
Clay Seymour - MSFT
September 28th, 2010 3:23pm
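The answer above says NPS needs the certificate mapped to the user's AD account. As an added example (not code from the thread or from Microsoft), this PowerShell script checks whether the account named in the NPS event carries an explicit issuer/subject mapping in altSecurityIdentities and prints the value that would be expected; the account name, the exported certificate path and the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example: verify the explicit X.509 mapping NPS relies on for certificate logon.
# Assumptions: RSAT ActiveDirectory module installed; the user's smartcard certificate
# (public part only) exported to a .cer file; rights to read the user object.
Import-Module ActiveDirectory

$SamAccountName = 'user'                          # placeholder: account from the NPS event
$CertPath       = 'C:\temp\user-smartcard.cer'    # placeholder: exported certificate

# altSecurityIdentities stores names with the RDNs in reverse order and without spaces:
# .NET gives "CN=user, OU=Users, DC=domain, DC=ch", the attribute expects
# "DC=ch,DC=domain,OU=Users,CN=user". The comma split is naive and breaks on RDN
# values that themselves contain commas; adjust for such certificates.
function ConvertTo-MappingName {
    param([string]$DistinguishedName)
    $parts = $DistinguishedName -split ',\s*'
    [array]::Reverse($parts)
    return ($parts -join ',')
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$expected = 'X509:<I>{0}<S>{1}' -f (ConvertTo-MappingName $cert.Issuer),
                                   (ConvertTo-MappingName $cert.Subject)

$user     = Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities
$existing = @($user.altSecurityIdentities)

if ($existing -contains $expected) {
    Write-Output "Explicit mapping present for ${SamAccountName}: $expected"
} else {
    Write-Output "No explicit issuer/subject mapping for $SamAccountName."
    Write-Output "Expected value : $expected"
    Write-Output "Current values : $($existing -join '; ')"
    # Uncomment to add the mapping (requires write rights on the account):
    # Set-ADUser -Identity $SamAccountName -Add @{altSecurityIdentities = $expected}
}
```

Newer domain controller hardening treats issuer/subject mappings as weak, so a current deployment would normally prefer one of the strong mapping forms (subject key identifier or serial number based) over the value built here.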