Server 2008 + NT Domain authentication on Cisco ASA = no worky?

First, a little backstory . . . . I am in the process of moving our entire office over to a Server 2008-only AD domain. We previously had two 2003 DCs. These were demoted and removed from the domain after bringing on a transitional 2008 server to be the DC while I wiped the "old" servers and installed 2008 on them. Now that is finished and we have two Server 2008 DCs. Since doing this our VPN authentication on our ASA quit working. We use the "NT Domain" option for AAA. I went in and changed all the AAA server settings on the ASA over to the new servers and the authentication still wouldn't work. I started doing the authentication tests on the ASA and they all fail saying they can't find the authentication servers. The firewall CAN ping the DCs so there aren't any problems there. I went through the ASA config for every single trace of the old servers and replaced those IPs/hostnames with the new servers. I even went so far as to completely remove all the old AAA setup and re-create new AAA groups. I still cannot get the authentication to work at all. I disabled the Windows firewalls on the servers just to make sure and still I get no authentication.

In the past you simply put in the name and IP address of a Windows DC and then it authenticated and it just worked. For the life of me I cannot get this working with Server 2008. I have never had a problem with 2000/2003 doing this type of authentication for a Cisco PIX or ASA firewall.

This leads me to think that perhaps Server 2008 does not support "NT Domain" authentication? Perhaps you have to install some special "role" or "feature" to get this working? I have been all over the googler and Microsoft and Cisco's sites. I have come to the conclusion that I am either severely inept at using search engines or I am the first person to bitch about this . . . Has anyone here run into this yet? Am I really going to need to set up IAS/RADIUS on a server to get the VPN authentication working again? We have a ton of clients that use Cisco VPN authenticated against AD and I want to get this all sorted out before my boss sells someone a new box with 2008 on it....

 
2008 dropped support for the old NT domain authentication system that enabled backwards compatibility with the likes of NT 4. You will need to see if you can get the ASA to authenticate against Kerberos or LDAP for it to work in an AD environment. I think RADIUS is going to be your best bet here.
 
That's what I was afraid of. I'll give LDAP and Kerberos a shot and see what happens. You wouldn't happen to have any pointers there would you? :D

 
Enable IAS (Internet Authentication Server, aka RADIUS) on one of your servers (not sure if it has to be a DC or not; my IAS is on a DC).

On the ASA, the config is something like

aaa-server VPN protocol radius
aaa-server VPN (Inside) host YOUR-IAS-SERVER-HERE
 key YOUR-RADIUS-KEY-HERE
 radius-common-pw YOUR-OTHER-RADIUS-KEY-HERE
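For comparison, the LDAP and Kerberos routes mentioned earlier in the thread, the RADIUS-to-NPS variant, and the ASA's own test command, as an added example that is not from any poster here. Group names, the 192.0.2.10 DC address, the example.local domain and the bind account are placeholders.

```text
! --- Added example, not from the thread. All names/addresses are placeholders. ---
! Option A: LDAP straight against a 2008 DC (no IAS/NPS needed).
! "server-type microsoft" makes the ASA use AD attribute names.
! LDAPS on 636 needs a server certificate on the DC; plain 389 works but
! sends the bind password and user passwords in the clear.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 server-port 636
 ldap-over-ssl enable
 server-type microsoft
 ldap-base-dn dc=example,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-ldap-bind,cn=Users,dc=example,dc=local
 ldap-login-password BIND-PASSWORD-HERE
!
! Option B: Kerberos against the DC. The realm is the AD DNS name in UPPER
! CASE, and the ASA clock must sit inside the KDC's skew window, so sync it.
ntp server 192.0.2.10
aaa-server AD-KRB protocol kerberos
aaa-server AD-KRB (inside) host 192.0.2.10
 kerberos-realm EXAMPLE.LOCAL
!
! Option C: RADIUS to NPS (the 2008 replacement for IAS). On the NPS side the
! ASA's inside IP needs a RADIUS client entry with the same shared secret, and
! the network policy must allow the method the ASA sends (PAP unless MS-CHAPv2
! is turned on), otherwise every login is rejected with little explanation.
aaa-server AD-RADIUS protocol radius
aaa-server AD-RADIUS (inside) host 192.0.2.10
 key RADIUS-SHARED-SECRET-HERE
!
! Point the VPN tunnel-group at whichever group works (placeholder name).
tunnel-group VPN-USERS general-attributes
 authentication-server-group AD-LDAP
!
! Test each group from the ASA before touching the tunnel-group. The reject
! reason shows up with "debug ldap 255" or "debug aaa common 255" running.
test aaa-server authentication AD-LDAP host 192.0.2.10 username testuser password TEST-PW
test aaa-server authentication AD-KRB host 192.0.2.10 username testuser password TEST-PW
test aaa-server authentication AD-RADIUS host 192.0.2.10 username testuser password TEST-PW
```

Use a dedicated, low-privilege bind account for the LDAP option; it only needs read access to the users container.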
 
I may just do IAS. I wanted to do something else because I need to finish getting my last 2008 box back on-line. Still copying gigs of data off the damn drives and moving the boss' 16GB profile . . . . . Then I have to add another drive to the array and another 4GB of RAM and put 2008 on it. Then set up our VMs. THEN I can install IAS . .. :eek:
 
Apparently Server 2008 doesn't have IAS anymore. It is called Network Access Protection or NAP. I am taking a NAP right now . . . . seems to be a bit easier than setting up IAS so far....

 
I haven't tested Kerberos with 2k8 but I will in the next few days. Kerberos is very very easy to set up; shouldn't take you more than 20 min to set it up.
 
Kerberos is actually one of the major components of Active Directory (along with LDAP and some other components).
 
Wowsers, you are on a 2008 domain already? That's nutters.

IAS has been replaced by Network Policy Server. NAP is something different.
Here's some help:

http://www.windowsnetworking.com/ar...indows-Server-2008-Network-Policy-Server.html

Yeah, we have a MSDN sub for our office since we are re-sellers or something. I moved all of our servers over to 2008. We have the one 2008 server running exchange 2007 and I must say it actually runs faster than when it was on 2003 x64. The other server is running 2008 with the Hyper-V role installed. On top of that I have one 2008 VM running AD/DNS/WINS/DHCP and now NPS. Another VM running server core that is our fileserver and another VM that runs WSUS, NOD32 RAS/RAC and I was going to throw BE12d on it, too. Then I found out that MS VMs can't attach Tape Drives. So now I am going to have to install that on the Hyper-V machine....

2008 actually seems to be everything MS says it is. Runs pretty fast and it's easy to use. There's a whole crap-load more you can do with GPOs, too. Just starting to take a peek at that stuff.

 
Hey, do you have any linkage for Kerberos setup? I haven't tried that route yet. Haven't had much luck getting NPS/RADIUS working today. Admittedly I only screwed around with it for about three hours today. Thing is I don't know if my problem is on the ASA or the NPS server. When I run the authentication test on the ASA it just gives a retarded error that doesn't say why it failed . . .

 
For which piece? ASA or server?

As my sig shows, I'm a Cisco guy and only work on Cisco equipment. So all I know is the ASA side. If you need help with the ASA let me know, that I can help with!
 
Well, some linkage to the Cisco config would be helpful, too. :) I am not sure if anything needs to be set up on the server, I guess. I have always just used NT domain authentication in the past. I need to learn the other to get working with 2008 :)
 