11-11-2014 11:12 AM - edited 03-12-2019 05:44 PM
Hi!
Trying to configure telnet (exec) and VPN authentication via the same RADIUS server.
How can I differentiate EXEC and VPN logins on the RADIUS server?
Cisco sends Service-Type for PPPoE or some other type of auth but doesn't send it when I log in via telnet.
So I cannot see if the client logs in via telnet.
Have I missed something?
11-11-2014 05:36 PM
What type of Radius server are you using?
Thank you for rating helpful posts!
11-11-2014 10:24 PM
Using Microsoft NPS.
I can authenticate both telnet and PPPoE/PPTP, but can't tell that one of the logins is EXEC.
11-11-2014 11:30 PM
I have done very little work with Microsoft's NPS but from what I can recall it was very limited when it came to its functionality.
For instance, in ISE and/or ACS, you can distinguish between the two via the following attributes:
1. EndpointID >>> For SSH this would look like ip:source-ip=x.x.x.x, while for VPNs this field would just be populated with the public IP address of the client.
2. CVPN3000/ASA/PIX7x-Tunnel-Group-Name >>> This field will only populate when doing VPNs and will reflect the name of the tunnel-group configured on the ASA.
You can check and see if NPS has either one of those attributes, but I highly doubt it. I think you can create custom RADIUS attributes in NPS but from what I remember it was not an easy task :) However, google.com should be able to point you in the right direction.
Hope this helps!
Thank you for rating helpful posts!
11-16-2014 03:32 AM
Hi!
While trying to reply to your answer, I turned on the maximum possible debugs for the login and saw this:
Nov 16 10:00:29.186: RADIUS/ENCODE(0000000F): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
so I put the command in the config:
radius-server attribute 6 on-for-login-auth
and then in every authentication request I see:
for Login:
Nov 16 11:02:12.303: RADIUS: Service-Type [6] 6 Login [1]
for PPPoE/ PPTP/...
Nov 16 11:02:37.475: RADIUS: Service-Type [6] 6 Framed [2]
This answers my question.
By the way, this command is mandatory for ISE according to this post http://www.ajsnetworking.com/switch-configuration-for-ise-integration-part-2-radius-server-config/
Thanks for participating!
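To make the distinction above concrete, here is an added example (not code from the poster or from Cisco) that builds constructed RADIUS Access-Request packets and classifies them by the Service-Type attribute 6 seen in the debug output, returning "unknown" when the attribute is absent, which is the state the NAS was in before "radius-server attribute 6 on-for-login-auth" was enabled. The User-Name and NAS-IP-Address values are made up for the sample packets.

```python
"""Classify RADIUS Access-Requests as EXEC or VPN/PPP logins by the
Service-Type attribute (6), as discussed in this thread.
The sample packets below are constructed, not captured from a real NAS."""
import struct

SERVICE_TYPE = 6  # RFC 2865 attribute number
# Login [1] and Framed [2] are the two values shown in the debug output
SERVICE_NAMES = {1: "EXEC", 2: "VPN/PPP"}


def build_access_request(ident, attrs):
    """Build a minimal Access-Request (code 1). The 16-byte authenticator is
    zeroed because it is irrelevant to attribute parsing. attrs: (type, bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet):
    """Walk the TLVs after the 20-byte header into {type: [values]}.
    Malformed or truncated attributes raise instead of reading past the end."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return attrs


def classify_login(packet):
    """Return 'EXEC', 'VPN/PPP', 'other(n)', or 'unknown' when Service-Type
    is missing (the NAS is still dropping attribute 6 for login auth)."""
    values = parse_attributes(packet).get(SERVICE_TYPE)
    if not values or len(values[0]) != 4:
        return "unknown"
    svc = struct.unpack("!I", values[0])[0]
    return SERVICE_NAMES.get(svc, "other(%d)" % svc)


# Constructed samples: User-Name (1), NAS-IP-Address (4), Service-Type (6)
TELNET_REQ = build_access_request(15, [(1, b"admin"), (4, bytes([10, 0, 0, 1])),
                                       (6, struct.pack("!I", 1))])
PPTP_REQ = build_access_request(16, [(1, b"vpnuser"), (6, struct.pack("!I", 2))])
NO_SVC_REQ = build_access_request(17, [(1, b"admin")])  # attribute 6 dropped
```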
11-17-2014 09:29 AM
Ah good catch and good job solving your own problem!! Also, thank you for coming back and taking the time to post the solution!!! (+5 from me).
If your issue is resolved, please mark the thread as "answered" :)