Cisco RADIUS and NPS Issues

Peter Sheridan — Mon, 11 Mar 2019 05:55:56 GMT

Hello,

I'm just having a bit of trouble getting some RADIUS and NPS policies working.

I want to have 3 NPS Policies

1. VPN Access

2. SSH Access Level 1

3. SSH Access Level 15

The VPN is a Cisco Anyconnect SSL vpn, and the SSH Access is obviously vty access to the router. My NPS server is configured with these three policies in that order. The NPS Policies are secured by three AD Groups (with the same names as the NPS Policies), with the exception of the VPN policy that has an additional condition of 'NAS Port Type = Virtual (VPN)'.

My problem is that when a user in a member of the 'VPN Access' and 'SSH Access Level 1', when they try and log onto the router it brings up an error message 'This line may not run PPP'. If I reorder the NPS policies, so VPN is down the bottom it lets me log in fine.

The second problem is that when a user is a member of ONLY the 'SSH Access Level 15' group, they also get access to the VPN.

Below is an extract of the config. Anyone got some clues as to why it's not working?

Regards,

Peter

aaa new-model
!
aaa authentication login AUTHEN_LOGIN local group radius
aaa authorization exec AUTHOR_EXEC local group radius if-authenticated
aaa authorization network AUTHOR_NETWORK local group radius if-authenticated
!
aaa session-id common
!
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
session-timeout 60
access-class SSH in
authorization exec AUTHOR_EXEC
logging synchronous
login authentication AUTHEN_LOGIN
transport input ssh
!
!
webvpn gateway HOME
hostname XXXXXXXXX
ip address XXXXXXXXX port XXXXX
http-redirect port XXXX
ssl trustpoint XXXXXXXXX
inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-3.1.06073-k9.pkg sequence 1
!
webvpn import svc profile HOME flash:/webvpn/XXXXXX.xml
!
webvpn context CONTEXTPOLICY1
ssl authenticate verify all
!
!
policy group POLICY_1
   functions svc-enabled
   functions svc-required
   svc address-pool XXXXXXXXXXX
   svc default-domain XXXXXXXXXXXXXX
   svc keep-client-installed
   svc module XXXXXXXXXXXXX
   svc profile XXXXXXXXXXXXX
   svc split dns XXXXXXXXXXX
   svc split include XXXXXXXXXXX
   svc dns-server primary XXXXXXXXXXXXX
   svc dns-server secondary XXXXXXXXXXXXXX
virtual-template 1
default-group-policy POLICY_1
aaa authentication list AUTHEN_LOGIN
aaa authorization list AUTHOR_NETWORK
gateway XXXXXXXXX
max-users 5
inservice
!
end

Same here. I found that

johnnylingo — Thu, 01 Jun 2017 23:10:49 GMT

Same here. I found that removing the "aaa authorization exec" line did fix it, but no problems if I try a Unix-based RADIUS server. So it's something special to NPS.

The solution I found was in

johnnylingo — Thu, 01 Jun 2017 23:38:37 GMT

The solution I found was in the Network Policy, pull up the Settings tab and then change or remove the RADIUS Attributes.

By default, it uses "Framed-Protocol=PPP" and "Service-Type=Framed". I changed it to SLIP

topic Same here. I found that in Network Access Control

Cisco RADIUS and NPS Issues

Same here. I found that

The solution I found was in