Cisco ASA VPN RADIUS accounting to Advanced Threat Analytics (ATA) center to configure VPN Location

Copper Contributor

It is a complex issue, "VPN Integration Microsoft ATA and Cisco ASA" and "Network socket conflict" in total,

 

Condition: RADIUS Server (Network Policy Server (NPS) + AD) is deployed on Lightweight Gateway (Domain controller)

 

Way to solve the issue:

 

I. VPN Integration Microsoft ATA and Cisco ASA

Option 1: Use ASDM Cisco configurator (GUI)

1. RADIUS server settings on Cisco ASA 5505 (as VPN server)

Go to Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups

1.1. In the "AAA Server Groups" window, Add AAA Server Group (e.g. "RADIUSSERVERS") see screenshot "https://www.screencast.com/t/D05H3DVu"

1.2. In the "Servers in the Selected Group" window - "RADIUSSERVERS", see screenshot "https://www.screencast.com/t/x7uIbnqjX"

2. Turn on RADIUS Accounting in the Remote Access VPN profile. In my case AnyConnect Connection Profiles "SSL_Users" (Cisco AnyConnect VPN connections for Users)

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

see screenshots "https://www.screencast.com/t/xXfLHfJ49" and "https://www.screencast.com/t/mtudvxSXP8"


Option 2: PuTTY SSH console client (part of Cisco ASA config)

In the PuTTY console:

2. Turn on RADIUS Accounting in the Remote Access VPN profile. In my case AnyConnect Connection Profiles "SSL_Users" (Cisco AnyConnect VPN connections for Users)

Example:

    asa# conf t
    asa(config)# tunnel-group SSL_Users general-attributes
    asa(config-tunnel-general)# accounting-server-group RADIUSSERVERS

see screenshot "https://www.screencast.com/t/ydh4HE8aRue"

 

II. Network socket conflict

If your RADIUS server is on the Gateway server, this would cause a network socket conflict. The VPN Server (Cisco ASA) and the RADIUS Server on the Lightweight Gateway simultaneously use the same port 1813, which has led to the "conflict". In my case the RADIUS server is Network Policy Server (NPS), which is deployed on my Domain controller (Lightweight Gateway). I've removed the default port 1813 in NPS properties,

see screenshot "https://www.screencast.com/t/gDLOIpwj"

 

Conclusion: EXPECTED RESULT in ATA Console:

see screenshot "https://www.screencast.com/t/VG9CRTym1N4I"

 

Useful article: "Anyconnect session accounting via radius or syslog ?"

https://community.cisco.com/t5/vpn-and-anyconnect/anyconnect-session-accounting-via-radius-or-syslog...

 

Good luck
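Added example (my own code, not part of the original post or of any Cisco/Microsoft tooling): a small Python decoder for the RADIUS Accounting-Request packets the ASA emits once accounting-server-group is set, plus a bind check for UDP 1813. The user name, addresses, session id and shared secret are constructed sample values; the attribute numbers are the standard RFC 2865/2866 ones. Running the bind check on the Lightweight Gateway host shows whether NPS (or anything else) still owns port 1813, which is the conflict from section II, and the authenticator check shows why the ASA and the gateway must be configured with the same shared secret: a packet built with a different secret, or altered in transit, does not validate.

```python
import hashlib
import hmac
import socket
import struct

# RADIUS packet code for Accounting-Request (RFC 2866). The ASA sends these to the
# accounting-server-group; the ATA Lightweight Gateway listens for them on UDP 1813.
ACCOUNTING_REQUEST = 4
ACCT_PORT = 1813

# Attribute numbers from RFC 2865/2866.
ATTR_NAMES = {1: "User-Name", 8: "Framed-IP-Address", 31: "Calling-Station-Id",
              40: "Acct-Status-Type", 44: "Acct-Session-Id"}
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

# Constructed demo values; the secret, user and addresses are not from the post.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_ATTRS = [
    (1, b"jdoe"),                          # User-Name
    (8, socket.inet_aton("10.10.10.5")),   # Framed-IP-Address (VPN pool address)
    (31, b"203.0.113.7"),                  # Calling-Station-Id (client public IP)
    (40, struct.pack("!I", 1)),            # Acct-Status-Type = Start
    (44, b"0A0B0C0D"),                     # Acct-Session-Id
]


def build_accounting_request(secret, identifier, attrs):
    """Encode an Accounting-Request with the RFC 2866 Request Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + authenticator + body


def sample_packet():
    """What a constructed VPN 'Start' record looks like on the wire."""
    return build_accounting_request(SAMPLE_SECRET, 7, SAMPLE_ATTRS)


def verify_request_authenticator(packet, secret):
    """True only if the packet was built with this shared secret and not modified."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    header, authenticator, body = packet[:4], packet[4:20], packet[20:length]
    expected = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return hmac.compare_digest(authenticator, expected)


def parse_accounting_request(packet):
    """Decode header and attributes; raises ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("Length field inconsistent with packet size")
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError(f"bad length {attr_len} for attribute {attr_type}")
        raw = packet[pos + 2:pos + attr_len]
        if attr_type == 8 and len(raw) == 4:
            value = socket.inet_ntoa(raw)
        elif attr_type == 40 and len(raw) == 4:
            value = ACCT_STATUS.get(struct.unpack("!I", raw)[0], "Unknown")
        else:
            value = raw.decode("utf-8", errors="replace")
        attrs[ATTR_NAMES.get(attr_type, f"Attr-{attr_type}")] = value
        pos += attr_len
    return {"code": code, "identifier": identifier, "attributes": attrs}


def udp_port_is_free(port=ACCT_PORT, host="0.0.0.0"):
    """True if nothing on this host already owns the UDP port. False on the
    Lightweight Gateway host reproduces the NPS socket conflict from section II."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.bind((host, port))
        return True
    except OSError:
        return False


if __name__ == "__main__":
    pkt = sample_packet()
    print(parse_accounting_request(pkt))
    print("authenticator ok:", verify_request_authenticator(pkt, SAMPLE_SECRET))
    print("UDP %d free on this host: %s" % (ACCT_PORT, udp_port_is_free()))
```

Run it on the host that is supposed to receive the accounting packets: if udp_port_is_free() prints False while the ATA Gateway service is stopped, something else (NPS in the post's case) is still bound to 1813 and the gateway will never see the ASA's records. The parser is also a convenient way to inspect a captured Accounting-Request and confirm that User-Name and Framed-IP-Address are present, which is what a VPN location entry in the console is built from.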

3 Replies

@MikhailCoral can you confirm that you don't have to have NPS installed on the domain controllers? So could we forward RADIUS accounting events from the Cisco ASA to the ATA Lightweight Gateway and VPN integration would work?

@stuart townsend 

Q1: "can you confirm that you don't have to have NPS installed on the domain controllers?"
A1: Vice versa. The NPS is installed on the Domain controller (I have one DC only). And the NPS role is configured as a RADIUS server, which uses an Active Directory (AD) security group (I've created a special security group, e.g. "sslvpn", and added the needed users).

My Domain controller has multiple roles in one: DC (AD), NPS (as a RADIUS server), ATA Lightweight Gateway, also DNS and DHCP )))). It is just an optimization to save hardware resources.

PS: As a bonus, I simultaneously use NPS (as a RADIUS server with a WIFI security AD group) and DHCP for access to WIFI Access Points (wireless security method: WPA / WPA2 Enterprise).

 

Q2: "So could we forward RADIUS accounting events from the Cisco ASA to the ATA Lightweight Gateway and VPN integration would work?"

A2: Yes. Only on the Cisco ASA I use the Remote Access VPN option (AnyConnect client profile) and the RADIUS server with the same security group "sslvpn" for VPN Authentication.

 

@MikhailCoral Hi

 

We are looking at adding our VPN (Cisco FP series) into Defender for Identity. Both MS and our network team are suggesting simply installing the RRAS service on our DC(s) and pointing the shared key to Defender.

Additionally the Firewall will be configured to pass the event logs to RADIUS. Is this correct?

 

We are currently using Cisco AnyConnect VPN for all clients and the Firewall currently authenticates against AD using Certificate Services.


Thanks