topic Re: FTD SSL VPN authentication with NPS server in Network Security

FTD SSL VPN authentication with NPS server

sam cook — Fri, 21 Feb 2020 17:36:52 GMT

HI,

Does any one has a tutorial how to configure FTD SSL VPN authentication with NPS server ?

I only found this (for ASA):

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html

I tried same configuraion but I always get this error on NPS :

error code encountered is 6273 with reason code 16: "Authentication failed due to a mismatch of the user's credentials." The username provided does not match not an existing user account or the password is incorrect. "

Any help please ?

Re: FTD SSL VPN authentication with NPS server

Rahul Govindan — Tue, 22 Oct 2019 15:07:49 GMT

FTD (managed by FDM) guide should be here:

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html

NPS guide should be the same. The error seems to point out that the password is incorrect. You can go to the FTD CLI and run "debug radius all" to see the same debug as you would see on the ASA.

Re: FTD SSL VPN authentication with NPS server

sam cook — Wed, 23 Oct 2019 08:43:42 GMT

Hi Rahul,

Thank you for the reply, The acoount is correct , beacuse with same account and password , it works with ASA.

I activated all possible debug :

> show debug
debug ssl enabled at level 1
debug ssl enabled at level 1 (persistent)
debug webvpn enabled at level 1
debug webvpn enabled at level 1 (persistent)
debug radius session
debug radius decode
debug radius dynamic-authorization
No such file or directory

But still could not see anything...

Also when doing a packet capture , I see FTD send request paquet and receive Reject paquet from NPS

Meanwhile ASA send nearly same request paquet and receive accept paquet from NPS

I'm sure I used same configuration , only difference is using CHAPv2 because I did not find where to activate it on FTD.