Cisco ASA VPN RADIUS accounting to Advanced Threat Analytics (ATA) center to configure VPN Location

%3CLINGO-SUB%20id%3D%22lingo-sub-1026591%22%20slang%3D%22en-US%22%3ECisco%20ASA%20VPN%20RADIUS%20accounting%20to%20Advanced%20Threat%20Analytics%20(ATA)%20center%20to%20configure%20VPN%20Location%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1026591%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EIt%20is%20complex%20issue%20%22%3CSTRONG%3EVPN%20Intergation%20Microsoft%20ATA%20and%20Cisco%20ASA%3C%2FSTRONG%3E%22%20and%20%22%3CSTRONG%3ENetwork%20socket%20conflict%3C%2FSTRONG%3E%22%20in%20total%2C%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECondition%3A%20%3CSPAN%3ERADIUS%20Server%20(Network%20Policy%20Server%20(NPS)%20%2B%20AD)%20is%20deployed%20on%20Lightweight%20Gateway%20(Domain%20controller)%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EWay%20to%20solve%20the%20issue%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CSTRONG%3EI.%3C%2FSTRONG%3E%3CSTRONG%3E%26nbsp%3BVPN%20Intergation%20Microsoft%20ATA%20and%20Cisco%20ASA%3C%2FSTRONG%3E%26nbsp%3B%3CSTRONG%3E%3CEM%3EOption%201%3A%20Use%20ASDM%20Cisco%20configurator%20(GUI)%3C%2FEM%3E%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E1.%20Radius%20server%20settings%20Cisco%20ASA%205505%20(as%20VPN%20server)%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EGo%20to%20Configuration%20%26gt%3B%20Remote%20Access%20VPN%20%26gt%3B%20AAA%2FLocal%20Users%20%26gt%3B%20AAA%20Server%20Groups%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E1.1.%20In%20the%20%22AAA%20Server%20Groups%22%20window%2C%20Add%20AAA%20Server%20Group%20(e.g.%20%22RADIUSSERVERS%22)%26nbsp%3Bsee%20screenshot%20%22%3CA%20href%3D%22https%3A%2F%2Fwww.screencast.com%2Ft%2FD05H3DVu%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.screencast.com%2Ft%2FD05H3DVu%3C%2FA%3E%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E1.2.%20In%20the%20%22Servers%20in%20the%20Selected%20Group%22%20window%20-%22RADIUSSERVERS%22%2C%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3Esee%20screenshot%20%22%3CA%20href%3D%22https%3A%2F%2Fwww.screencast.com%2Ft%2Fx7uIbnqjX%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.screencast.com%2Ft%2Fx7uIbnqjX%3C%2FA%3E%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E2.%20Turn%20on%20RADIUS%20Accounting%20in%20Remote%20Access%20VPN%20profile.%20In%20my%20case%20AnyConnect%20Connection%20Profiles%20%22SSL_Users%22%26nbsp%3B(Cisco%20Anyconnect%20VPN%20connections%20for%20Users)%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EConfiguration%20%26gt%3B%20Remote%20Access%20VPN%20%26gt%3B%20Network%20(Client)%20Access%20%26gt%3B%20AnyConnect%20Connection%20Profiles%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3Esee%20screenshots%20%22%3CA%20href%3D%22https%3A%2F%2Fwww.screencast.com%2Ft%2FxXfLHfJ49%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.screencast.com%2Ft%2FxXfLHfJ49%3C%2FA%3E%22%20and%20%22%3CA%20href%3D%22https%3A%2F%2Fwww.screencast.com%2Ft%2FmtudvxSXP8%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.screencast.com%2Ft%2FmtudvxSXP8%3C%2FA%3E%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CBR%20%2F%3E%3CSTRONG%3E%3CEM%3EOption%202%3A%20Putty%20SSH%20console%20client%20(part%20CiscoASA%20config)%3C%2FEM%3E%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EIn%20putty%20console%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E2.%20Turn%20on%20RADIUS%20Accounting%20in%20Remote%20Access%20VPN%20profile.%20In%20my%20case%20AnyConnect%20Connection%20Profiles%20%22SSL_Users%22%26nbsp%3B(Cisco%20Anyconnect%20VPN%20connections%20for%20Users)%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CU%3EExample%3A%3C%2FU%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3Easa%23%20conf%20t%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3Easa(config)%23%20tunnel-group%20SSL_Users%20general-attributes%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3Easa(config-tunnel-general)%23%20accounting-server-group%20RADIUSSERVERS%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3Esee%20screenshot%20%22%3CA%20href%3D%22https%3A%2F%2Fwww.screencast.com%2Ft%2Fydh4HE8aRue%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.screencast.com%2Ft%2Fydh4HE8aRue%3C%2FA%3E%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CSTRONG%3EII.%20Network%20socket%20conflict%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EIf%20your%20Radius%20server%20is%20on%20the%20Gateway%20server.%20This%20would%20cause%20a%20network%20socket%20conflict.%26nbsp%3BVPN%20Server%20(Cisco%20ASA)%20and%20RADIUS%20Server%20on%20Lightweight%20Gateway%20use%20simultaneously%20the%20same%20port%201813%2C%20it%20has%20leaded%20to%20%22conflict%22.%20In%20my%20case%20Radius%20server%20is%20Network%20Policy%20Server%20(NPS)%2C%20which%20is%20deployed%20on%20my%20Domain%20controller%20(Lightweight%20Gateway).%20I've%20removed%20default%20port%26nbsp%3B1813%20in%26nbsp%3BNPS%20properties%2C%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3Esee%20screenshot%20%22%3CA%20href%3D%22https%3A%2F%2Fwww.screencast.com%2Ft%2FgDLOIpwj%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.screencast.com%2Ft%2FgDLOIpwj%3C%2FA%3E%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CSTRONG%3EConclusion%26nbsp%3B%26nbsp%3BEXPECTED%20RESULT%20in%20ATA%20Console%3C%2FSTRONG%3E%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3Esee%20screenshot%20%22%3CA%20href%3D%22https%3A%2F%2Fwww.screencast.com%2Ft%2FVG9CRTym1N4I%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.screencast.com%2Ft%2FVG9CRTym1N4I%3C%2FA%3E%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CU%3EUseful%20article%3C%2FU%3E%3A%20%22Anyconnect%20session%20accounting%20via%20radius%20or%20syslog%20%3F%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fcommunity.cisco.com%2Ft5%2Fvpn-and-anyconnect%2Fanyconnect-session-accounting-via-radius-or-syslog%2Ftd-p%2F2176518%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fcommunity.cisco.com%2Ft5%2Fvpn-and-anyconnect%2Fanyconnect-session-accounting-via-radius-or-syslog%2Ftd-p%2F2176518%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EGood%20luck%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1026591%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECisco%20ASA%20VPN%20RADIUS%20accounting%20to%20ATA%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1098797%22%20slang%3D%22en-US%22%3ERe%3A%20Cisco%20ASA%20VPN%20RADIUS%20accounting%20to%20Advanced%20Threat%20Analytics%20(ATA)%20center%20to%20configure%20VPN%20Locat%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1098797%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F465930%22%20target%3D%22_blank%22%3E%40MikhailCoral%3C%2FA%3E%26nbsp%3Bcan%20you%20confirm%20that%20you%20don't%20have%20to%20have%20NPS%20installed%20on%20the%20domain%20controllers%3F%20So%20could%20we%20forward%20RADIUS%20accounting%20events%20from%20the%20Cisco%20ASA%20to%20the%20ATA%20Lightweight%20Gateway%20and%20VPN%20integration%20would%20work%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1099290%22%20slang%3D%22en-US%22%3ERe%3A%20Cisco%20ASA%20VPN%20RADIUS%20accounting%20to%20Advanced%20Threat%20Analytics%20(ATA)%20center%20to%20configure%20VPN%20Locat%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1099290%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F13567%22%20target%3D%22_blank%22%3E%40stuart%20townsend%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQ1%3A%20%22can%20you%20confirm%20that%20you%20don't%20have%20to%20have%20NPS%20installed%20on%20the%20domain%20controllers%3F%22%3CBR%20%2F%3EA1%3A%26nbsp%3BVice%20versa%2C%20The%20NSP%20is%20installed%20on%20Domain%20controller%20(I%20have%20one%20DC%20only).%20And%20the%20NSP%20role%20is%20configured%20as%20RADIUS%20server%2C%20which%20uses%20Active%20directory%20(AD)%20security%20group%20(I've%20created%20special%20security%20group%2C%20e.g.%20%22sslvpn%22%26nbsp%3Band%20added%20needed%20users).%26nbsp%3B%3C%2FP%3E%3CP%3EMy%26nbsp%3BDomain%20controller%20has%20multiple%20roles%20in%20one%3A%20DC%20(AD)%2C%20NSP%20(as%20a%20RADIUS%20server)%2C%26nbsp%3B%3CSPAN%3EATA%20Lightweight%20Gateway%2C%20also%20DNS%20and%20DHCP%20)))).%20It%20is%20just%20optimization%26nbsp%3Bto%20save%20hardware%20resources.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EPS%3A%26nbsp%3BAs%20a%20bonus%2C%20simultaneously%20I%20use%20NSP%20(as%20a%20RADIUS%20server%20with%20WIFI%20security%20AD%20group)%20and%20DHCP%20to%20access%20to%20WIFI%20Access%20Points%26nbsp%3B%26nbsp%3B(wireless%20security%20method%3A%20WPA%20%2F%20WPA2%20Enterprise).%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQ2%3A%20%22%3CSPAN%3ESo%20could%20we%20forward%20RADIUS%20accounting%20events%20from%20the%20Cisco%20ASA%20to%20the%20ATA%20Lightweight%20Gateway%20and%20VPN%20integration%20would%20work%3F%3C%2FSPAN%3E%22%3C%2FP%3E%3CP%3EA2%3A%20Yes.%20Only%20on%20Cisco%20ASA%20I%20use%20Remote%20Access%20VPN%20option%20(%20Anyconnect%20client%20profile%20)%20and%20RADIUS%20server%20with%20the%20same%20security%20group%20%22sslvpn%22%20for%20VPN%20Authentication.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

It is complex issue "VPN Intergation Microsoft ATA and Cisco ASA" and "Network socket conflict" in total,

 

Condition: RADIUS Server (Network Policy Server (NPS) + AD) is deployed on Lightweight Gateway (Domain controller)

 

Way to solve the issue:

 

I. VPN Intergation Microsoft ATA and Cisco ASA Option 1: Use ASDM Cisco configurator (GUI)

1. Radius server settings Cisco ASA 5505 (as VPN server)

Go to Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups

1.1. In the "AAA Server Groups" window, Add AAA Server Group (e.g. "RADIUSSERVERS") see screenshot "https://www.screencast.com/t/D05H3DVu"

1.2. In the "Servers in the Selected Group" window -"RADIUSSERVERS",

see screenshot "https://www.screencast.com/t/x7uIbnqjX"

2. Turn on RADIUS Accounting in Remote Access VPN profile. In my case AnyConnect Connection Profiles "SSL_Users" (Cisco Anyconnect VPN connections for Users)  

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

see screenshots "https://www.screencast.com/t/xXfLHfJ49" and "https://www.screencast.com/t/mtudvxSXP8"


Option 2: Putty SSH console client (part CiscoASA config)

In putty console:

2. Turn on RADIUS Accounting in Remote Access VPN profile. In my case AnyConnect Connection Profiles "SSL_Users" (Cisco Anyconnect VPN connections for Users)  

Example:

asa# conf t

asa(config)# tunnel-group SSL_Users general-attributes

asa(config-tunnel-general)# accounting-server-group RADIUSSERVERS

see screenshot "https://www.screencast.com/t/ydh4HE8aRue"

 

II. Network socket conflict

If your Radius server is on the Gateway server. This would cause a network socket conflict. VPN Server (Cisco ASA) and RADIUS Server on Lightweight Gateway use simultaneously the same port 1813, it has leaded to "conflict". In my case Radius server is Network Policy Server (NPS), which is deployed on my Domain controller (Lightweight Gateway). I've removed default port 1813 in NPS properties,

see screenshot "https://www.screencast.com/t/gDLOIpwj"

 

Conclusion  EXPECTED RESULT in ATA Console:

see screenshot "https://www.screencast.com/t/VG9CRTym1N4I"

 

Useful article: "Anyconnect session accounting via radius or syslog ?"

https://community.cisco.com/t5/vpn-and-anyconnect/anyconnect-session-accounting-via-radius-or-syslog...

 

Good luck

2 Replies
Highlighted

@MikhailCoral can you confirm that you don't have to have NPS installed on the domain controllers? So could we forward RADIUS accounting events from the Cisco ASA to the ATA Lightweight Gateway and VPN integration would work?

Highlighted

@stuart townsend 

Q1: "can you confirm that you don't have to have NPS installed on the domain controllers?"
A1: Vice versa, The NSP is installed on Domain controller (I have one DC only). And the NSP role is configured as RADIUS server, which uses Active directory (AD) security group (I've created special security group, e.g. "sslvpn" and added needed users). 

My Domain controller has multiple roles in one: DC (AD), NSP (as a RADIUS server), ATA Lightweight Gateway, also DNS and DHCP )))). It is just optimization to save hardware resources.

PS: As a bonus, simultaneously I use NSP (as a RADIUS server with WIFI security AD group) and DHCP to access to WIFI Access Points  (wireless security method: WPA / WPA2 Enterprise).

 

Q2: "So could we forward RADIUS accounting events from the Cisco ASA to the ATA Lightweight Gateway and VPN integration would work?"

A2: Yes. Only on Cisco ASA I use Remote Access VPN option ( Anyconnect client profile ) and RADIUS server with the same security group "sslvpn" for VPN Authentication.