07-23-2015 07:10 AM - edited 03-10-2019 10:55 PM
Hello,
I'm just having a bit of trouble getting some RADIUS and NPS policies working.
I want to have 3 NPS Policies
1. VPN Access
2. SSH Access Level 1
3. SSH Access Level 15
The VPN is a Cisco AnyConnect SSL VPN, and the SSH access is obviously vty access to the router. My NPS server is configured with these three policies in that order. The NPS policies are secured by three AD groups (with the same names as the NPS policies), with the exception of the VPN policy, which has an additional condition of 'NAS Port Type = Virtual (VPN)'.
My problem is that when a user is a member of 'VPN Access' and 'SSH Access Level 1', when they try to log onto the router it brings up the error message 'This line may not run PPP'. If I reorder the NPS policies so VPN is at the bottom, it lets me log in fine.
The second problem is that when a user is a member of ONLY the 'SSH Access Level 15' group, they also get access to the VPN.
Below is an extract of the config. Anyone got some clues as to why it's not working?
Regards,
Peter
aaa new-model
!
aaa authentication login AUTHEN_LOGIN local group radius
aaa authorization exec AUTHOR_EXEC local group radius if-authenticated
aaa authorization network AUTHOR_NETWORK local group radius if-authenticated
!
aaa session-id common
!
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
session-timeout 60
access-class SSH in
authorization exec AUTHOR_EXEC
logging synchronous
login authentication AUTHEN_LOGIN
transport input ssh
!
!
webvpn gateway HOME
hostname XXXXXXXXX
ip address XXXXXXXXX port XXXXX
http-redirect port XXXX
ssl trustpoint XXXXXXXXX
inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-3.1.06073-k9.pkg sequence 1
!
webvpn import svc profile HOME flash:/webvpn/XXXXXX.xml
!
webvpn context CONTEXTPOLICY1
ssl authenticate verify all
!
!
policy group POLICY_1
functions svc-enabled
functions svc-required
svc address-pool XXXXXXXXXXX
svc default-domain XXXXXXXXXXXXXX
svc keep-client-installed
svc module XXXXXXXXXXXXX
svc profile XXXXXXXXXXXXX
svc split dns XXXXXXXXXXX
svc split include XXXXXXXXXXX
svc dns-server primary XXXXXXXXXXXXX
svc dns-server secondary XXXXXXXXXXXXXX
virtual-template 1
default-group-policy POLICY_1
aaa authentication list AUTHEN_LOGIN
aaa authorization list AUTHOR_NETWORK
gateway XXXXXXXXX
max-users 5
inservice
!
end
06-01-2017 04:10 PM
Same here. I found that removing the "aaa authorization exec" line did fix it, but no problems if I try a Unix-based RADIUS server. So it's something special to NPS.
06-01-2017 04:38 PM
The solution I found was in the Network Policy, pull up the Settings tab and then change or remove the RADIUS Attributes.
By default, it uses "Framed-Protocol=PPP" and "Service-Type=Framed". I changed it to SLIP.
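The two symptoms in the original post and the attribute change in the last reply both come down to how NPS picks a policy (first match, top to bottom) and what the router does with the reply attributes. The model below is an added example for this thread, not code from the posters, Microsoft or Cisco. It assumes, as labelled in the docstring, that IOS tags both the SSH vty login and the AnyConnect session with NAS-Port-Type = Virtual (5), that the vty request additionally carries Service-Type = Login (1) while the VPN request does not, and that the two SSH policies as posted already return exec-style attributes (the post says SSH works once they sit above the VPN policy). Policy and group names are the ones from the post; attribute numbers are from RFC 2865.

```python
"""Toy model of NPS network-policy evaluation (first match, top to bottom) and of how
a Cisco IOS vty login reacts to the reply attributes.

Added example for this thread; it is not NPS code, Cisco code, or anything the
posters wrote.  Constructed assumptions, not facts from the thread:
  * IOS reports NAS-Port-Type = Virtual (5) for both the SSH vty login and the
    AnyConnect session, so that condition alone cannot separate them.
  * The vty Access-Request also carries Service-Type = Login (1) (IOS sends it when
    'radius-server attribute 6 on-for-login-auth' is configured); the VPN request
    does not.
  * The two SSH policies as posted already return exec-style attributes, since the
    post says SSH works once those policies sit above the VPN one.
Attribute numbers are from RFC 2865.
"""
from dataclasses import dataclass, field

NAS_PORT_TYPE_VIRTUAL = 5                      # shown as "Virtual (VPN)" in the NPS UI
SERVICE_TYPE = {"Login": 1, "Framed": 2, "Administrative": 6, "NAS-Prompt": 7}
FRAMED_PROTOCOL_PPP = 1

# Reply attributes NPS puts in every new network policy (Settings > RADIUS Attributes).
NPS_DEFAULT_REPLY = {"Framed-Protocol": FRAMED_PROTOCOL_PPP,
                     "Service-Type": SERVICE_TYPE["Framed"]}
# Exec-style replies IOS understands on a vty line.
EXEC_PRIV1 = {"Service-Type": SERVICE_TYPE["NAS-Prompt"], "Cisco-AV-Pair": ["shell:priv-lvl=1"]}
EXEC_PRIV15 = {"Service-Type": SERVICE_TYPE["Administrative"], "Cisco-AV-Pair": ["shell:priv-lvl=15"]}


@dataclass
class Policy:
    name: str
    group: str                                   # "Windows Groups" condition
    conditions: dict = field(default_factory=dict)  # other required request attributes
    reply: dict = field(default_factory=dict)    # attributes returned in Access-Accept


def nps_evaluate(policies, user_groups, request):
    """Return (policy name, reply) for the first policy whose conditions all match,
    or (None, {}) when no policy matches (Access-Reject)."""
    for p in policies:
        if p.group not in user_groups:
            continue
        if any(request.get(k) != v for k, v in p.conditions.items()):
            continue
        return p.name, dict(p.reply)
    return None, {}


def ios_vty_outcome(reply):
    """What the router does with an Access-Accept on a vty line."""
    if (reply.get("Framed-Protocol") == FRAMED_PROTOCOL_PPP
            or reply.get("Service-Type") == SERVICE_TYPE["Framed"]):
        return "This line may not run PPP"      # router tries to start PPP on the vty
    for avpair in reply.get("Cisco-AV-Pair", []):
        if avpair.startswith("shell:priv-lvl="):
            return "exec privilege " + avpair.split("=", 1)[1]
    if reply.get("Service-Type") == SERVICE_TYPE["Administrative"]:
        return "exec privilege 15"
    return "exec privilege 1"                   # Login/NAS-Prompt or no attribute: line default


# Constructed requests: the only attribute that differs is Service-Type (see assumptions).
VTY_LOGIN = {"NAS-Port-Type": NAS_PORT_TYPE_VIRTUAL, "Service-Type": SERVICE_TYPE["Login"]}
VPN_LOGIN = {"NAS-Port-Type": NAS_PORT_TYPE_VIRTUAL}

AS_POSTED = [
    Policy("VPN Access", "VPN Access", {"NAS-Port-Type": NAS_PORT_TYPE_VIRTUAL}, NPS_DEFAULT_REPLY),
    Policy("SSH Access Level 1", "SSH Access Level 1", {}, EXEC_PRIV1),
    Policy("SSH Access Level 15", "SSH Access Level 15", {}, EXEC_PRIV15),
]
REORDERED = AS_POSTED[1:] + AS_POSTED[:1]      # "VPN is at the bottom"

# Corrected set: most-privileged exec policy first, each SSH policy keyed on the
# Service-Type only the vty login carries, VPN policy last.
FIXED = [
    Policy("SSH Access Level 15", "SSH Access Level 15",
           {"NAS-Port-Type": NAS_PORT_TYPE_VIRTUAL, "Service-Type": SERVICE_TYPE["Login"]}, EXEC_PRIV15),
    Policy("SSH Access Level 1", "SSH Access Level 1",
           {"NAS-Port-Type": NAS_PORT_TYPE_VIRTUAL, "Service-Type": SERVICE_TYPE["Login"]}, EXEC_PRIV1),
    Policy("VPN Access", "VPN Access", {"NAS-Port-Type": NAS_PORT_TYPE_VIRTUAL}, NPS_DEFAULT_REPLY),
]


if __name__ == "__main__":
    dual = {"VPN Access", "SSH Access Level 1"}
    lvl15_only = {"SSH Access Level 15"}
    for label, policies in (("as posted", AS_POSTED), ("reordered", REORDERED), ("fixed", FIXED)):
        name, reply = nps_evaluate(policies, dual, VTY_LOGIN)
        print(f"{label:9} dual-group user on vty -> {name}: {ios_vty_outcome(reply)}")
        name, _ = nps_evaluate(policies, lvl15_only, VPN_LOGIN)
        print(f"{label:9} level-15-only user on VPN -> {name or 'Access-Reject'}")
```

Running it shows the three situations from the thread: with the VPN policy on top, a user in both groups logging in over SSH hits the VPN policy first and receives the NPS default Framed/PPP attributes, which a vty line turns into "This line may not run PPP"; moving the VPN policy to the bottom makes the SSH policy win; and a user who is only in the Level 15 group still gets a VPN Access-Accept from the Level 15 policy, because nothing in its conditions rules out a VPN request. The corrected set closes that gap only because each SSH policy is keyed on a request attribute the VPN request does not carry, and it lists the Level 15 policy above the Level 1 policy so that a user in both groups gets the higher privilege rather than the first one NPS happens to reach. Whichever attribute you use to tell the two request types apart, verify it against the NPS Accounting or Event log for a real vty login and a real AnyConnect login before relying on it.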