SecureAuth RADIUS server supports the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) with Cisco Adaptive Security Appliance (ASA) and Citrix NetScaler Gateway. Use Cisco ASA or NetScaler with MS-CHAPv2 to let end-users authenticate into your corporate VPN with SecureAuth IdP's Push-to-Accept multi-factor authentication (MFA) method through the SecureAuth IdP RADIUS server.
This guide provides instructions for administrators to:
- configure SecureAuth RADIUS server and Cisco to work with MS-CHAPv2, or
- configure SecureAuth RADIUS server and Netscaler to work with MS-CHAPv2.
- SecureAuth RADIUS requires a third-party product, Microsoft Network Policy Server (NPS), to use MS-CHAPv2, because for MS-CHAPv2 requests SecureAuth RADIUS acts only as a proxy to NPS.
- Because SecureAuth RADIUS functions as a proxy only, it cannot read the MS-CHAPv2 challenge/response exchange that passes through it (the proxy never sees the password), so it cannot validate a password or passcode itself and most MFA methods are unavailable. Push-to-Accept is the only second-factor method available.
- When an end-user's password expires, the SecureAuth client requests a password change. After end-users change their password and log in with the new password, the client reports a login failure even though the change succeeded. The second and subsequent logins with the new password succeed. The failure message is generated by NPS and cannot be configured differently.
- SecureAuth IdP v9.3 or later with a realm ready for Cisco ASA or Netscaler
- SecureAuth RADIUS server v2.5 or later
- Windows Server 2012 R2 or Windows Server 2016, configured with Active Directory in the same location where users will perform authentication
- If configuring Cisco:
- Configure Cisco ASA with the SecureAuth RADIUS server.
- Obtain a valid Cisco license for testing. (Testing requires more than the two free SSL VPN peers that are included by default.)
- Cisco ASA version 9.7.1 or later for the AnyConnect client
- Cisco Adaptive Security Device Manager (ASDM) account and environment (version 7.8 or later)
- If configuring Netscaler, configure RADIUS in the server by following the instructions in How to Configure NetScaler Gateway to use RADIUS and LDAP Authentication with Mobile/Tablet Devices or RADIUS Authentication – NetScaler Gateway 10.5.
SecureAuth IdP configuration steps
Follow the steps in Configuration guide - v2.5 - SecureAuth IdP RADIUS server, in the "Step B: IdP Realms configuration" section.
Configure the Cisco Adaptive Security Appliance
The Cisco ASA configuration includes setting up how Cisco will authenticate users. Use the Cisco Adaptive Security Device Manager (ASDM) user interface to make the following changes:
1. If not yet completed, configure Cisco with the RADIUS server.
You should now have Cisco in the Remote Access VPN configuration, under Network (Client) Access.
2. In the Cisco ASDM UI, open the AAA/Local Users folder, and select AAA Server Groups. Open the configured RADIUS server and select the Microsoft CHAPv2 Capable box.
3. Change the current AnyConnect connection profiles. Open AnyConnect Connection Profile folder > Advanced > General > Enable Password Management.
4. Proceed to Configure SecureAuth RADIUS.
Configure Citrix NetScaler Gateway
The NetScaler configuration sets how NetScaler will authenticate users. Make the following changes:
1. If not yet completed, configure RADIUS in the server by following the instructions in How to Configure NetScaler Gateway to use RADIUS and LDAP Authentication with Mobile/Tablet Devices or RADIUS Authentication – NetScaler Gateway 10.5.
2. In the NetScaler Gateway folder, open Policies > Authentication > RADIUS.
3. Click More, click the Password Encoding dropdown, and select mschapv2.
4. Proceed to Configure SecureAuth RADIUS.
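The same gateway settings expressed on the command line, for both the Cisco ASA steps and the NetScaler steps above. This is an added example, not configuration from SecureAuth, Cisco or Citrix documentation; the server-group, tunnel-group and vserver names, the 10.0.0.10 address of the SecureAuth RADIUS proxy, the shared-secret placeholders and the 60-second timeouts are assumptions to adapt to your site:

```text
! --- Cisco ASA: CLI equivalent of the ASDM steps (hypothetical names and addresses) ---
! AAA server group pointing at the SecureAuth RADIUS proxy
aaa-server SECUREAUTH-RADIUS protocol radius
aaa-server SECUREAUTH-RADIUS (inside) host 10.0.0.10
 key <shared-secret-matching-SecureAuth-RADIUS>
 authentication-port 1812
 accounting-port 1813
 ! "Microsoft CHAPv2 Capable" in ASDM
 mschapv2-capable
 ! Push-to-Accept blocks until the user answers on the phone; the ASA default
 ! RADIUS timeout is 10 seconds, so raise it (60 is an assumed value).
 timeout 60
!
! Bind the group to the AnyConnect tunnel group; "Enable Password Management" in ASDM
tunnel-group ANYCONNECT-VPN general-attributes
 authentication-server-group SECUREAUTH-RADIUS
 password-management

# --- Citrix NetScaler Gateway: CLI equivalent (hypothetical names and addresses) ---
# -passEncoding mschapv2 is the "Password Encoding" dropdown in the policy UI;
# -authTimeout is raised for the same push-approval reason as on the ASA.
add authentication radiusAction SA_RADIUS -serverIP 10.0.0.10 -serverPort 1812 -radKey <shared-secret> -passEncoding mschapv2 -authTimeout 60
add authentication radiusPolicy SA_RADIUS_POL ns_true SA_RADIUS
bind vpn vserver VPN_VS -policy SA_RADIUS_POL -priority 100
```

With a long timeout, also check the ASA retry-interval: if the appliance retransmits the Access-Request while it is waiting, the proxy and NPS may receive duplicate requests, which can surface as repeated push prompts.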
Configure SecureAuth RADIUS
Configure SecureAuth RADIUS as a proxy. This configuration cannot be done from the UI.
1. Go to the SecureAuth RADIUS installation folder, located at C:\idpRADIUS\bin\conf\
2. Open the appliance.radius.properties file with a text editor, such as Notepad.
3. Add two entries that point SecureAuth RADIUS at the NPS server it will proxy MS-CHAPv2 requests to:
proxyServerPort=<UDP port on which the Windows Server running NPS listens>
proxyServerIp=<IP address of the Windows Server running NPS>
4. Restart SecureAuth RADIUS.
5. Proceed to Configure Windows Server.
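A scripted version of steps 1 to 4 above, as an added example (not SecureAuth code). It sets the two proxy properties without creating duplicate keys, keeps a backup of the properties file, restarts the service and shows the result. The NPS address 10.0.0.20, port 1812 and the Windows service name 'SecureAuth RADIUS' are assumptions; check Get-Service for the real service name on your appliance.

```powershell
# Added example, not SecureAuth's own tooling.
# Assumptions (hypothetical): NPS listens on 10.0.0.20 UDP/1812 and the
# SecureAuth RADIUS Windows service is named 'SecureAuth RADIUS'.
$confPath    = 'C:\idpRADIUS\bin\conf\appliance.radius.properties'
$npsIp       = '10.0.0.20'
$npsPort     = 1812
$serviceName = 'SecureAuth RADIUS'   # assumption; verify with Get-Service

$wanted = [ordered]@{
    proxyServerIp   = $npsIp
    proxyServerPort = $npsPort
}

# Dated backup so the change can be rolled back.
Copy-Item -Path $confPath -Destination "$confPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

# @() keeps $lines an array even when the file has a single line.
$lines = @(Get-Content -Path $confPath)
foreach ($key in $wanted.Keys) {
    $pattern = "^\s*$key\s*="
    if ($lines -match $pattern) {
        # Key already present: replace its value instead of appending a duplicate.
        $lines = $lines -replace "$pattern.*", "$key=$($wanted[$key])"
    } else {
        $lines += "$key=$($wanted[$key])"
    }
}
Set-Content -Path $confPath -Value $lines -Encoding ASCII

# Step 4: restart so the proxy settings take effect.
Restart-Service -Name $serviceName
Get-Service -Name $serviceName

# Sanity check: each proxy property should appear exactly once.
Select-String -Path $confPath -Pattern '^proxyServer(Ip|Port)='
```

Run the script in an elevated PowerShell session on the SecureAuth RADIUS server; the Select-String output should list exactly one proxyServerIp line and one proxyServerPort line.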
Configure Windows Server
Configure Windows Server 2012 R2 or Windows Server 2016 with Active Directory in the same location where users will perform authentication.
This section describes how to configure Microsoft Network Policy Server (NPS).
1. Open the Microsoft Server Manager.
2. In Manage, select Add Roles and Features, and set as follows:
a. Set Installation Type to Role-based or feature-based installation. Select the appropriate server.
b. Set Server Roles to Active Directory Domain Services, Remote Access, and Network Policy and Access Services.
3. In Tools, select Network Policy Server.
a. Right-click NPS and open Register server in Active Directory. The option is inactive if AD disallows registering a server or if the server is already registered in AD.
b. Right-click NPS and open Properties. In the Ports tab, add the ports that you set up in RADIUS, in step 3 of Configure SecureAuth RADIUS.
4. Under RADIUS Clients and Servers, right-click RADIUS Clients and select New to add each client:
a. your SecureAuth RADIUS server, and
b. your Cisco or Netscaler server.
c. For each client, set a friendly name (for example, Cisco or Netscaler), the corresponding IP address, and the RADIUS shared secret.
5. Create the connection request policies for Cisco or Netscaler.
a. Right-click Connection Request Policies, select New, and enter a policy name.
b. Set Type of network access server to Remote Access Server.
c. Add two conditions and set them to the client friendly names that you assigned in the previous step.
d. Select Authenticate requests on this server. Leave the remaining settings at their defaults and save the policy.
6. Create the network policy.
a. Enter a policy name and set Type of network access server to Remote Access Server.
b. In the Conditions tab, add conditions for the client friendly names you set in the previous step.
c. Select Access granted.
d. In Authentication Methods, select MS-CHAPv2 and User can change password after it has expired.
7. Optionally, set up variables for the site.
8. Move the two new policies to the top of the processing order so they are evaluated before the default policies.
9. Log in using SecureAuth RADIUS.
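The parts of the NPS procedure above that have cmdlet or netsh equivalents, as an added example (not from SecureAuth or Microsoft documentation): role installation, AD registration, the RADIUS clients and post-configuration checks. The connection request and network policies (steps 5 to 8) are still created in the NPS console; the script only lists them afterwards so you can confirm the order and that MS-CHAPv2 is the only enabled method. The client names and addresses are hypothetical, the server is assumed to be domain-joined, and the shared secrets entered must match what is configured on SecureAuth RADIUS and on the gateway.

```powershell
# Added example, not SecureAuth or Microsoft code. Run elevated on the
# domain-joined Windows Server that will host NPS. Names/addresses are hypothetical.
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# Step 3a: register NPS in Active Directory so it can read account dial-in properties.
netsh nps add registeredserver

Import-Module NPS

# Step 4: RADIUS clients. The SecureAuth RADIUS proxy is the one that actually
# sends requests to NPS; the gateway entry supplies the friendly name used in
# the policy conditions. Use 'Netscaler' instead of 'Cisco' for NetScaler Gateway.
$clients = @(
    @{ Name = 'SecureAuthRADIUS'; Address = '10.0.0.10' }
    @{ Name = 'Cisco';            Address = '10.0.0.20' }
)
foreach ($c in $clients) {
    $secret = Read-Host -Prompt "Shared secret for $($c.Name)"
    if (Get-NpsRadiusClient -Name $c.Name -ErrorAction SilentlyContinue) {
        # Re-running the script updates the existing client instead of failing.
        Set-NpsRadiusClient -Name $c.Name -Address $c.Address -SharedSecret $secret
    } else {
        New-NpsRadiusClient -Name $c.Name -Address $c.Address -SharedSecret $secret
    }
}

# Step 3b check: NPS must be listening on the port you set as proxyServerPort.
Get-NetUDPEndpoint -LocalPort 1812, 1813 | Select-Object LocalAddress, LocalPort, OwningProcess

# After steps 5 to 8 in the console: confirm the new policies sit first in the
# processing order and that the network policy allows MS-CHAPv2 only.
netsh nps show crp
netsh nps show np

# Backup of the complete NPS configuration. The export contains the shared
# secrets in cleartext, so store the file with the same care as the secrets.
Export-NpsConfiguration -Path "$env:USERPROFILE\nps-config.xml"
```

If `netsh nps show np` lists other authentication methods (for example PAP or MS-CHAP v1) as enabled on the new network policy, clear them in the console: the gateways are configured to send MS-CHAPv2 only, and a broader policy only widens what the RADIUS clients can request.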
All end-users added to SecureAuth RADIUS through Active Directory can authenticate into the corporate VPN by using SecureAuth IdP's Push to Accept second-factor MFA method.
When the end-user selects the Push-to-Accept option, the VPN waits for RADIUS to respond. When the Login Request screen appears in the mobile app, the end-user taps Approve or Deny. End-users see one of the following in the Authenticate App, depending on whether the app is open:
App is closed
1. Open the app by swiping down on the login request notification.
2. Tap Accept to securely authenticate into the corporate VPN.
App is open
Tap Approve this request to securely log into the corporate VPN.