My church uses a Cisco ISA570 as our firewall and runs Windows Server 2012 R2 servers on the LAN. By default the ISA uses its local database to authenticate management users and VPN users, but I wanted to use the Network Policy Server (NPS) and Active Directory on our 2012 R2 servers for authentication and authorization. It turns out that getting this set up and working was much easier than I’d thought.
First I added the ISA-570 to the NPS as a standard RADIUS client:
I wanted to use NPS to authenticate 3 groups of users:
- Those that have admin management access to the ISA.
- Those that have read-only management access to the ISA.
- Those who can VPN into the ISA.
I wanted each user authenticated against AD, with their AD Security Group membership deciding which of the groups above they fall into. This meant I needed to create 3 Network Policies on the NPS and set each policy’s condition to match an AD Security Group I had previously created:
Firewall admin access policy
Firewall read-only access policy
VPN access policy
There are 2 things to note about all 3 network policies:
- The Filter-Id value must match the name of the group (not created yet) on the ISA570.
- The Authentication Method is PAP, SPAP, which, as the screenshots say, is an unencrypted authentication method. And this bothered me.
Both of these are clearly stated on page 394 of the ISA500 Admin Guide. I plan to open a support request with Cisco and ask if there is another Authentication Method I can use besides PAP, SPAP. I did try a few different methods, but none worked except PAP, SPAP.
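To make the two notes above concrete, here is an added example (my own code, not part of the original post or any Cisco or Microsoft tooling) that builds a RADIUS Access-Request the way a PAP client does, answers it the way an NPS network policy would, and returns the Filter-Id that the ISA then has to match against its local group name. The shared secret, user accounts, AD group names and Filter-Id values are all constructed placeholders. It also shows why "unencrypted" is the right word for PAP: the User-Password attribute is only XOR-masked with MD5(shared secret + Request Authenticator) as described in RFC 2865, so anyone holding the shared secret who sees the packet recovers the cleartext, and the secret's strength plus the isolation of the RADIUS path between the ISA and the NPS is what protects the password.

```python
import hashlib
import os
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_FILTER_ID = 1, 2, 11

# Constructed sample data (placeholders, not the post's real values)
SECRET = b"constructed-shared-secret"
USERS = {  # stand-in for AD accounts and their security group membership
    "alice": {"password": "Wonderland!1", "groups": ["Firewall Admins"]},
    "bob":   {"password": "Builder!2",    "groups": ["VPN Users"]},
    "carol": {"password": "NoGroups!3",   "groups": []},
}
# Stand-in for the three NPS network policies, in processing order:
# (AD security group the policy's condition matches, Filter-Id it returns).
# Each Filter-Id must equal the name of a group configured on the ISA570.
POLICIES = [
    ("Firewall Admins",   "fw-admins"),
    ("Firewall ReadOnly", "fw-readonly"),
    ("VPN Users",         "vpn-users"),
]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pap_encode(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    pw = password.encode("utf-8")
    padded = pw + b"\x00" * (-len(pw) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        c = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + c, c
    return out


def pap_decode(hidden, secret, authenticator):
    """Reverse of pap_encode: anyone with the shared secret gets the cleartext back."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode("utf-8")


def _attr(attr_type, value):
    assert len(value) <= 253, "RADIUS attribute value too long"
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2:
            raise ValueError("malformed RADIUS attribute")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(username, password, secret, ident=1):
    """What the ISA (RADIUS client) sends to the NPS for a PAP login."""
    request_auth = os.urandom(16)
    body = _attr(ATTR_USER_NAME, username.encode("utf-8")) + \
        _attr(ATTR_USER_PASSWORD, pap_encode(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def nps_like_handler(request, secret, users=USERS, policies=POLICIES):
    """Stand-in for the NPS: check the password, then apply the first matching policy."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    user = attrs[ATTR_USER_NAME].decode("utf-8")
    password = pap_decode(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    account = users.get(user)
    reply_code, body = ACCESS_REJECT, b""
    if account is not None and account["password"] == password:
        for group, filter_id in policies:  # NPS evaluates policies in order, first match wins
            if group in account["groups"]:
                reply_code, body = ACCESS_ACCEPT, _attr(ATTR_FILTER_ID, filter_id.encode("utf-8"))
                break
    header = struct.pack("!BBH", reply_code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_reply(reply, request, secret):
    """Client-side check that the reply came from a server holding the same shared secret."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return expected == reply[4:20]


def parse_reply(reply):
    """Return (code, Filter-Id or None); the ISA matches Filter-Id against its group names."""
    attrs = dict(parse_attrs(reply[20:]))
    filter_id = attrs.get(ATTR_FILTER_ID)
    return reply[0], (filter_id.decode("utf-8") if filter_id is not None else None)


def authenticate(username, password, secret=SECRET):
    """End-to-end PAP exchange against the in-process stand-in for the NPS."""
    request = build_access_request(username, password, secret)
    reply = nps_like_handler(request, secret)
    if not verify_reply(reply, request, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return parse_reply(reply)


if __name__ == "__main__":
    for name, pw in [("alice", "Wonderland!1"), ("bob", "Builder!2"), ("carol", "NoGroups!3")]:
        print(name, authenticate(name, pw))
```

Two things to take from running it: a user whose password is right but who is in none of the three AD groups still gets an Access-Reject, because no policy matches, and `pap_decode` recovers the cleartext from the captured attribute with nothing more than the shared secret. That is why the RADIUS shared secret for the ISA client should be long and random and why the ISA-to-NPS traffic should stay on a management segment rather than crossing untrusted links.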
On the ISA side, I first needed to point the ISA at the NPS as its RADIUS server:
Next I created 3 new groups on the ISA whose names matched the Filter-Id setting on my NPS Network Policies:
And that was it. Everything is working as I’d wanted.