My office has replaced its Windows 2003 domain and domain controllers with Windows 2008.
I have a Cisco ASA 5510 which handles VPN connectivity for our remote users, still integrated with one of the old Windows 2003 DCs running RADIUS.
I need to migrate the ASA from the 2003 domain to the 2008 domain. How do I configure NPS under Windows 2008?
ASA config:
aaa-server NEWDC protocol radius
aaa-server NEWDC host x.x.x.x
key ********
ASA configuration test command:
test aaa-server authentication NEWDC host x.x.x.x
This always returns immediately with a bad user/pass error, for any username. The users exist in AD, are enabled, and the passwords are correct. The key is the same in both Windows and the ASA.
Windows 2008 NPS RADIUS Client config:
Enabled
Vendor name: RADIUS Standard or Cisco (neither works)
Manual shared secret: ********
(unchecked) Access-Request messages must contain the Message-Authenticator attribute
(unchecked) RADIUS client is NAP-capable
Windows 2008 NPS Connection Request Policy:
Enabled
Processing Order 2 (following Use Windows auth for all users)
Source unspecified
Auth Provider: Local Computer
Auth Method: MS-CHAP v1 or MS-CHAP v2 or Allow unauthenticated
Override Auth: Enabled
Class: OU=Admin;
Framed-Protocol: PPP
Service-Type: Framed
Windows 2008 Network Policy:
Enabled
Processing Order 3 (highest)
Condition Windows Group = DOMAIN\VPN
Ignore User Dial-In Properties: False
Access Permission: Grant Access
Auth method: MS-CHAP v1 or MS-CHAP v2
NAP Enforcement: Allow full network access
Update Noncompliant clients: True
Framed Protocol: PPP
Service-Type: Framed
See this article for more information. I think you will need to modify your Network Policy to allow the use of PAP and SPAP. I haven't found a way to change the authentication protocol the ASA uses. Hope that helps.
I think you need to allow SPAP. Here is the step-by-step guide that worked for me.
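Added example, not from the question or either answer: both answers come down to the ASA sending a PAP Access-Request to NPS, so this Python model runs that exchange in-process, NAS side and server side, to show what the two NPS settings in the question actually change. The User-Password hiding and the Message-Authenticator attribute follow RFC 2865 and RFC 2869; the NPS side is a deliberately small model (discard on a bad or required-but-missing Message-Authenticator, Reject every PAP request when the policy only allows MS-CHAP, otherwise Accept or Reject on the password), not Microsoft's code. The account, the shared secrets and the NAS address 10.0.0.1 are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the attribute types used here (RFC 2865 / RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80

# Constructed sample account (not from the original post): one enabled VPN user.
ACCOUNTS = {"vpnuser": b"Correct-Horse-9"}


def _attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value."""
    return struct.pack("BB", atype, len(value) + 2) + value


def find_attr(packet, atype):
    """Offset of the first attribute of the given type after the 20-byte header, or -1."""
    pos, length = 20, struct.unpack("!H", packet[2:4])[0]
    while pos < length:
        alen = packet[pos + 1]
        if alen < 2:
            break  # malformed attribute; stop rather than loop forever
        if packet[pos] == atype:
            return pos
        pos += alen
    return -1


def get_attr(packet, atype):
    pos = find_attr(packet, atype)
    return None if pos < 0 else packet[pos + 2:pos + packet[pos + 1]]


def pap_encrypt(secret, request_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous
    ciphertext block), seeded with the Request Authenticator. Not encryption in any modern
    sense, which is why a PAP request must stay on a trusted path to the server."""
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:
        padded = b"\x00" * 16  # an empty password still occupies one block
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_decrypt(secret, request_auth, encrypted):
    """What the server does with User-Password; strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(encrypted), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encrypted[i:i + 16], key))
        prev = encrypted[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, username, password, nas_ip, ident=1, with_ma=True):
    """NAS side: Access-Request with User-Name, a PAP User-Password and NAS-IP-Address.
    with_ma adds Message-Authenticator (RFC 2869 5.14): HMAC-MD5 keyed with the shared
    secret over the whole packet with the attribute's own value zeroed."""
    request_auth = os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, pap_encrypt(secret, request_auth, password))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    if with_ma:
        attrs += _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth
    if with_ma:
        mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
        attrs = attrs[:-16] + mac  # the zeroed placeholder is the last attribute
    return header + attrs


def check_message_authenticator(secret, packet):
    """Server side. None: attribute absent; False: present but computed with a different
    secret (RFC 2869 says silently discard); True: valid."""
    pos = find_attr(packet, MESSAGE_AUTHENTICATOR)
    if pos < 0:
        return None
    zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[pos + 2:pos + 18])


def build_response(secret, request, code, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_response(secret, request, response):
    """NAS side: a reply whose authenticator was computed with another secret is invalid."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def nps_handle(server_secret, request, require_ma=False, allow_pap=True):
    """Model of the server. require_ma mirrors the 'Access-Request messages must contain
    the Message-Authenticator attribute' client setting; allow_pap=False models a network
    policy whose only authentication methods are MS-CHAP, so every PAP request is rejected."""
    ma_ok = check_message_authenticator(server_secret, request)
    if ma_ok is False or (require_ma and ma_ok is None):
        return None  # silently discarded; the NAS only sees a timeout
    if not allow_pap:
        return build_response(server_secret, request, ACCESS_REJECT)
    user = get_attr(request, USER_NAME).decode()
    password = pap_decrypt(server_secret, request[4:20], get_attr(request, USER_PASSWORD))
    ok = user in ACCOUNTS and hmac.compare_digest(ACCOUNTS[user], password)
    return build_response(server_secret, request, ACCESS_ACCEPT if ok else ACCESS_REJECT)


def probe(nas_secret, server_secret, username, password, with_ma=True, **policy):
    """Run one exchange in-process and report it the way the NAS would see it."""
    request = build_access_request(nas_secret, username, password, "10.0.0.1", with_ma=with_ma)
    response = nps_handle(server_secret, request, **policy)
    if response is None:
        return "timeout"
    if not verify_response(nas_secret, request, response):
        return "invalid-reply"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}[response[0]]
```

Two things fall out of the model that are worth knowing when reading the result of `test aaa-server`. A policy that allows only MS-CHAP rejects a correct PAP password exactly like a wrong one (`probe(..., allow_pap=False)` returns "reject"), which is the symptom in the question. And with Message-Authenticator left unchecked, a mismatched secret does not produce a clean discard: the server decrypts the password to garbage and answers with a Reject whose authenticator the NAS cannot validate, whereas with the attribute present the server detects the mismatch and drops the request, so the NAS sees a timeout instead.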