ASA(8.0) > Active Directory Authentication

Happy New Year!

So it seems I am stuck with trying to find a secure way to authenticate VPN users through an ASA to Active Directory. I am hoping someone here has done something similar and may have a solution.

I am trying to switch over VPN access from a Firebox to an ASA. The Firebox has a tab for AD that you just fill in basic info and voila, users can easily authenticate with their domain credentials. I am trying to do the same with the ASA and I can see only 2 ways.

1. I can setup LDAP on the ASA, but this requires that you allow anonymous query access to Active Directory. This is not an acceptable solution.
2. I can setup IAS on a server and have the ASA go to the IAS server using RADIUS. While testing this I noticed that IAS uses PAP to verify the credentials. Not a very secure solution.

Does anyone know of a secure way to authenticate VPN users on an ASA to AD?

Thanks!

P.S. While typing this out I realized that if IAS is on a DC, authenticating using PAP should not be a problem because IAS would not have to send the credentials out of the physical server. Does this sound right? I just need to research RADIUS communication and make sure it is secure!

Find more posts tagged with

Comments

Slowhand

This thread might be helpful to you. It doesn't use an ASA specifically, but mrgeorge27 goes through a pretty good amount of detail on how to set up IAS (RADIUS), through Windows Server, to authenticate against AD when you log into the router/firewall.

Ahriakin

Radius encrypts the password portion (not username though) via MD5 hashing before sending it on to the server, after that IAS communication with AD should be secure inside the server itself.
We're using 7.3 at the moment and recently migrated our remote access VPNs to it. I noticed it was using MSCHAP V2 by default now though on IAS which was a bit odd since previously it was as you said limited to PAP, no changes were made to the IAS service. Not sure what changed and haven't had time to look into why.

Yossarian

Ahriakin wrote:

Radius encrypts the password portion (not username though) via MD5 hashing before sending it on to the server, after that IAS communication with AD should be secure inside the server itself.
We're using 7.3 at the moment and recently migrated our remote access VPNs to it. I noticed it was using MSCHAP V2 by default now though on IAS which was a bit odd since previously it was as you said limited to PAP, no changes were made to the IAS service. Not sure what changed and haven't had time to look into why.

Looks like this setup is going to work. Since the RADIUS traffic is on the internal network, I'm not too concerned about the flaws in MD5. Interesting bit about it using the better authentication protocol. If you ever figure out why, please let us know. Thanks for the reply!

Slowhand wrote:

This thread might be helpful to you. It doesn't use an ASA specifically, but mrgeorge27 goes through a pretty good amount of detail on how to set up IAS (RADIUS), through Windows Server, to authenticate against AD when you log into the router/firewall.

Thanks for the link. I have found a few other guides which are similar and will use this one to help me better understand the different ways to configure the setup. Your link in the thread on the analysis of the RADIUS protocol was edifying. Thanks!

dtlokee

If you're that worried about it build a IPSec tunnel to your IAS box and encrypt the RADIUS traffic.

Yossarian

dtlokee wrote:

If you're that worried about it build a IPSec tunnel to your IAS box and encrypt the RADIUS traffic.

I had definitely considered this option. For about a second.

I'm a complete newbie to a lot of this stuff and that would add a layer of complexity I don't have time to grasp. If the IAS server was not on a DC, I may have tried it though.

Ahriakin

Just an update on the authentication type. I've only had a quick look but since 7.x adds the ability for remote users to update expired passwords it can only do so when MsChapV2 is used. So while I haven't seen an explicit option for authentication type I think the ASA automatically uses this type when you have the enable client password resetting enabled.