07-06-2010 02:18 AM
Hi all,
I am currently having difficulty getting the correct login role when using RADIUS against Microsoft NPS. When I authenticate I am always assigned the network-monitor role. Here are the settings I am currently using for both ACE and NPS. Can you guys see what's wrong? I have attached the screen shots from NPS and the radius config / debug output.
Many thanks.
Dave.
07-06-2010 05:12 AM
Hi David,
See similar discussion at https://supportforums.cisco.com/message/463627#463627 - you need to set the AV pair as documented. I don't use Microsoft's NPS but it should be documented how to set/return the attributes.
HTH
Cathy
07-06-2010 05:52 AM
07-06-2010 08:11 AM
Ok we have now fixed this.
Under Network Policies I was being matched on my domain user account in the previous network policy being used for a test VPN Service. So even though I was being authenticated, the Cisco AV Pair wasn't being forwarded to the ACE Module because the policy I was being matched to was not the policy I had set up.
So please note that in Microsoft NPS the policy processing order is important. If the conditions match a previous policy then that Network Policy will be processed and chances are you won't get the level of access you require.
Hope this post helps make things clearer.
I have included screenshots of incorrect and correct network policy condition lists.
In the first screenshot I was being matched to the VPN network policy which did not contain the shell:Admin=Admin default-domain Cisco AV-Pair attribute.
Once the order was reversed I was being matched to the IP Address of the originating device and therefore the correct attribute was being forwarded back to the ACE Module.
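The failure mode described in this post, as an added illustration that is not code from the thread or from Cisco/Microsoft: NPS walks its Network Policies top-down and the first policy whose conditions all match wins, so a broad group-based VPN policy placed above a device-specific policy returns an Access-Accept with no Cisco AV-pair in it. The script below models that first-match evaluation, then encodes the matched policy's cisco-avpair as a RADIUS Vendor-Specific Attribute (RFC 2865 type 26, Cisco vendor ID 9, vendor-type 1) and decodes it back the way the ACE module would read it. Policy names, the 10.0.0.0/24 client range, the group name and the request are constructed for the example.

```python
"""First-match evaluation of NPS-style network policies, plus encoding of the
resulting Cisco AV-pair as a RADIUS Vendor-Specific Attribute (RFC 2865 type
26, vendor ID 9, vendor-type 1 "cisco-avpair"). Added illustration; policy
names, IP ranges and group names are constructed, not taken from the thread."""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VENDOR_SPECIFIC = 26   # RFC 2865 attribute type
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # Cisco vendor-type for cisco-avpair


@dataclass
class NetworkPolicy:
    name: str
    conditions: dict      # condition name -> required value
    avpairs: tuple = ()   # cisco-avpair strings returned on match


def policy_matches(policy, request):
    """All conditions of one policy must hold (NPS ANDs them)."""
    for cond, want in policy.conditions.items():
        if cond == "client_ip":
            if ip_address(request["client_ip"]) not in ip_network(want):
                return False
        elif cond == "user_group":
            if want not in request.get("user_groups", ()):
                return False
        else:
            raise ValueError(f"unsupported condition {cond!r}")
    return True


def evaluate(policies, request):
    """NPS processes Network Policies top-down; the first full match wins and
    no later policy is consulted, even if it would also have matched."""
    for policy in policies:
        if policy_matches(policy, request):
            return policy
    return None


def encode_cisco_avpair(value):
    """Build one Vendor-Specific Attribute carrying a cisco-avpair string."""
    data = value.encode("ascii")
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_part
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_cisco_avpairs(attributes):
    """Walk a RADIUS attribute list and return the cisco-avpair strings found,
    as the NAS (here the ACE module) would when reading an Access-Accept."""
    found, pos = [], 0
    while pos + 2 <= len(attributes):
        atype, alen = attributes[pos], attributes[pos + 1]
        if alen < 2 or pos + alen > len(attributes):
            raise ValueError("malformed attribute")
        if atype == VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", attributes[pos + 2:pos + 6])[0]
            vpos, vend = pos + 6, pos + alen
            while vendor_id == CISCO_VENDOR_ID and vpos + 2 <= vend:
                vtype, vlen = attributes[vpos], attributes[vpos + 1]
                if vlen < 2 or vpos + vlen > vend:
                    raise ValueError("malformed vendor attribute")
                if vtype == CISCO_AVPAIR:
                    found.append(attributes[vpos + 2:vpos + vlen].decode("ascii"))
                vpos += vlen
        pos += alen
    return found


def access_accept_attributes(policy):
    """Attributes NPS would place in the Access-Accept for the matched policy."""
    return b"".join(encode_cisco_avpair(v) for v in policy.avpairs)


# Constructed scenario mirroring the thread: a broad VPN policy keyed on a
# domain group, and an ACE policy keyed on the ACE module's source address.
VPN_POLICY = NetworkPolicy("Test VPN Service", {"user_group": "Domain Users"})
ACE_POLICY = NetworkPolicy("ACE admin", {"client_ip": "10.0.0.0/24"},
                           avpairs=("shell:Admin=Admin default-domain",))
REQUEST = {"user": "dave", "user_groups": ("Domain Users",), "client_ip": "10.0.0.5"}


def avpairs_returned(policy_order, request=REQUEST):
    """cisco-avpair strings the NAS sees for a given policy order (None = reject)."""
    matched = evaluate(policy_order, request)
    if matched is None:
        return None
    return decode_cisco_avpairs(access_accept_attributes(matched))


if __name__ == "__main__":
    print("VPN first:", avpairs_returned([VPN_POLICY, ACE_POLICY]))  # []
    print("ACE first:", avpairs_returned([ACE_POLICY, VPN_POLICY]))  # ['shell:Admin=Admin default-domain']
```

With the VPN policy first the user is authenticated (Access-Accept) but the attribute list is empty, which is exactly the "authenticated but wrong role" symptom; with the device-specific policy first the AV-pair comes back. When checking real NPS output, the ACE's RADIUS debug should show the VSA with vendor ID 9 and a 32-byte string for this particular value.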
11-07-2011 04:52 PM
Found this thread very helpful in diagnosing a similar Radius authentication issue with Microsoft NPS. Just wanted to add one clarification that I didn't immediately pick up on -- when you're specifying the AV-Pair values, you are specifying the context and permission level.
In other words: shell:Admin=Admin default-domain represents shell:
The documentation says this, but it didn't jump out at me at first. Hopefully my post will save someone an hour or so of troubleshooting!