06-01-2013 12:10 PM - edited 02-21-2020 10:00 PM
Steps that need to be followed on the Microsoft Radius server to configure group-lock and tunnel-group-lock
In order to troubleshoot any issues, look at the Event Viewer logs on the Radius server.
Using the event logs in Event Viewer, you can monitor Network Policy Server (NPS) errors and other events that you configure NPS to record.
NPS records connection request failure events in the System and Security event logs by default. Connection request failure events consist of requests that are rejected or discarded by NPS. Other NPS authentication events are recorded in the Event Viewer system log on the basis of the settings that you specify in the NPS snap-in. Some events that might contain sensitive data are recorded in the Event Viewer security log.
Let me know if you have any questions.
Hi,
I'm trying to set up the group-lock using NPS Server and am having trouble with it. If you have more information regarding the above configuration on the radius server, please let me know.
Regards,
Would it be possible for you to send the screenshots of your NPS network policy? I can review them and let you know what the problem could be. Also, did you check the NPS Event Viewer to know if you are hitting the right policy? The attribute can only be pushed once the access-request matches the right policy.
Hi Jatin,
Please find the attached screenshot. Can you please verify the Vendor Specific Attributes?
This part looks perfect. I now need to look at the ASA/firewall side and the NPS logs.
From the ASA:
show run group-policy GROUP_105
debug radius
debug aaa authentication
Duplicate the issue and paste the debugs.
From the NPS:
Check the Event Viewer logs, as I'd like to see if the radius request is hitting the right network policy.
Hi Jatin,
We have done the same steps to provide a group policy for VPN users through the Microsoft Radius server. But after defining it, the VPN user is not able to connect.
Can you please tell us what can be the issue in this case?
Regards,
Mukesh Kumar
Network Engineer
Spooster IT Services
As we have done the troubleshooting, we have found that the Radius server is not providing the group policy to the user.
Below is the tunnel-group and group-policy configuration of the ASA:
tunnel-group ANY type remote-access
tunnel-group ANY general-attributes
 address-pool SSL_Pool
 authentication-server-group Radius LOCAL
 password-management
tunnel-group ANY webvpn-attributes
 group-alias ABC enable
!
group-policy GP internal
group-policy GP attributes
 wins-server none
 dns-server value 10.2.2.100
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel1
 default-domain value Cisco.com
!
And on the Radius server we have done the same as you have mentioned.
Can you please tell us what can be the issue?
Regards,
Mukesh Kumar
Network Engineer
Spooster IT Services
Hi Mukesh,
You may need to look at the NPS Event Viewer logs to understand if the right remote policy is being matched.
~ Jatin
Hello Jatin,
Thanks for the reply.
But I have checked on the NPS server; it is matching the exact policy that I have defined.
Authentication has been done successfully with the same policy that I have defined, but it is not providing the group policy to the user.
What other things do we need to check to resolve this issue?
Regards,
Mukesh Kumar
Network Engineer
Spooster IT Services
Hello Jatin,
Can you please tell me what can be the issue in our case?
Regards,
Mukesh Kumar
Network Engineer
Spooster IT Services
Hello Jatin,
Below are the ASA debugs; can you please check these?
radius mkreq: 0x89
alloc_rip 0xcc8357e0
new request 0x89 --> 76 (0xcc8357e0)
got user 'vpn-t1@in.spooster.com'
got password
add_req 0xcc8357e0 session 0x89 id 76
RADIUS_REQUEST
radius.c: rad_mkpkt
rad_mkpkt: ip:source-ip=10.1.1.2
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 608).....
01 4c 02 60 04 89 bc f6 22 82 62 3c 50 67 37 52 | .L.`....".b<Pg7R
2b ad 24 dd 01 18 76 70 6e 2d 74 31 40 69 6e 2e | +.$...vpn-t1@in.
73 70 6f 6f 73 74 65 72 2e 63 6f 6d 05 06 00 03 | spooster.com....
b0 00 1e 0a 31 30 2e 31 2e 31 2e 31 1f 0a 31 30 | ....10.1.1.1..10
2e 31 2e 31 2e 32 3d 06 00 00 00 05 42 0a 31 30 | .1.1.2=.....B.10
2e 31 2e 31 2e 32 1a 18 00 00 01 37 0b 12 53 29 | .1.1.2.....7..S)
a7 3d a3 50 61 2e 4e 52 a9 99 8f d4 58 71 1a 3a | .=.Pa.NR....Xq.:
00 00 01 37 19 34 00 00 1b 88 b1 06 6f ff 31 e3 | ...7.4......o.1.
27 22 4d 6d 35 08 3f ab 00 00 00 00 00 00 00 00 | '"Mm5.?.........
56 7b a5 0b 8a be 3f a2 a8 11 10 a3 4c c4 c1 69 | V{....?.....L..i
b3 68 0b 97 21 d5 20 62 1a 23 00 00 00 09 01 1d | .h..!. b.#......
6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 70 | mdm-tlv=device-p
6c 61 74 66 6f 72 6d 3d 77 69 6e 1a 2c 00 00 00 | latform=win.,...
09 01 26 6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 | ..&mdm-tlv=devic
65 2d 6d 61 63 3d 65 30 2d 64 62 2d 35 35 2d 62 | e-mac=e0-db-55-b
36 2d 32 66 2d 61 33 1a 2c 00 00 00 09 01 26 6d | 6-2f-a3.,.....&m
64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 6d 61 | dm-tlv=device-ma
63 3d 66 38 2d 32 66 2d 61 38 2d 63 35 2d 65 35 | c=f8-2f-a8-c5-e5
2d 35 31 1a 31 00 00 00 09 01 2b 6d 64 6d 2d 74 | -51.1.....+mdm-t
6c 76 3d 64 65 76 69 63 65 2d 70 6c 61 74 66 6f | lv=device-platfo
72 6d 2d 76 65 72 73 69 6f 6e 3d 36 2e 32 2e 39 | rm-version=6.2.9
32 30 30 20 1a 31 00 00 00 09 01 2b 6d 64 6d 2d | 200 .1.....+mdm-
74 6c 76 3d 64 65 76 69 63 65 2d 74 79 70 65 3d | tlv=device-type=
44 65 6c 6c 20 49 6e 63 2e 20 56 6f 73 74 72 6f | Dell Inc. Vostro
20 32 35 32 30 1a 5b 00 00 00 09 01 55 6d 64 6d | 2520.[.....Umdm
2d 74 6c 76 3d 64 65 76 69 63 65 2d 75 69 64 3d | -tlv=device-uid=
44 46 37 32 36 42 33 36 44 42 38 33 30 41 44 36 | DF726B36DB830AD6
37 45 37 37 44 39 34 45 30 36 34 38 37 30 46 43 | 7E77D94E064870FC
31 37 46 35 43 35 33 37 39 42 34 41 39 31 32 46 | 17F5C5379B4A912F
43 34 42 35 33 35 38 33 45 36 36 37 32 45 43 31 | C4B53583E6672EC1
04 06 ac 10 10 01 1a 31 00 00 00 09 01 2b 61 75 | .......1.....+au
64 69 74 2d 73 65 73 73 69 6f 6e 2d 69 64 3d 61 | dit-session-id=a
63 31 30 31 30 30 31 30 30 30 33 62 30 30 30 35 | c1010010003b0005
37 31 62 61 32 61 30 1a 1d 00 00 00 09 01 17 69 | 71ba2a0........i
70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e 31 | p:source-ip=10.1
2e 31 2e 32 1a 0b 00 00 0c 04 92 05 41 4e 59 1a | .1.2........ANY.
0c 00 00 0c 04 96 06 00 00 00 02 1a 15 00 00 00 | ................
09 01 0f 63 6f 61 2d 70 75 73 68 3d 74 72 75 65 | ...coa-push=true
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 76 (0x4C)
Radius: Length = 608 (0x0260)
Radius: Vector: 0489BCF62282623C506737522BAD24DD
Radius: Type = 1 (0x01) User-Name
Radius: Length = 24 (0x18)
Radius: Value (String) =
76 70 6e 2d 74 31 40 69 6e 2e 73 70 6f 6f 73 74 | vpn-t1@in.spoost
65 72 2e 63 6f 6d | er.com
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x3B000
Radius: Type = 30 (0x1E) Called-Station-Id
Radius: Length = 10 (0x0A)
Radius: Value (String) =
31 30 2e 31 2e 31 2e 31 | 10.1.1.1
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 10 (0x0A)
Radius: Value (String) =
31 30 2e 31 2e 31 2e 32 | 10.1.1.2
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 66 (0x42) Tunnel-Client-Endpoint
Radius: Length = 10 (0x0A)
Radius: Value (String) =
31 30 2e 31 2e 31 2e 32 | 10.1.1.2
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 24 (0x18)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 11 (0x0B) MS-CHAP-Challenge
Radius: Length = 18 (0x12)
Radius: Value (String) =
53 29 a7 3d a3 50 61 2e 4e 52 a9 99 8f d4 58 71 | S).=.Pa.NR....Xq
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 58 (0x3A)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 25 (0x19) MS-CHAP2-Response
Radius: Length = 52 (0x34)
Radius: Value (String) =
00 00 1b 88 b1 06 6f ff 31 e3 27 22 4d 6d 35 08 | ......o.1.'"Mm5.
3f ab 00 00 00 00 00 00 00 00 56 7b a5 0b 8a be | ?.........V{....
3f a2 a8 11 10 a3 4c c4 c1 69 b3 68 0b 97 21 d5 | ?.....L..i.h..!.
20 62 | b
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 35 (0x23)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 29 (0x1D)
Radius: Value (String) =
6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 70 | mdm-tlv=device-p
6c 61 74 66 6f 72 6d 3d 77 69 6e | latform=win
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 44 (0x2C)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 38 (0x26)
Radius: Value (String) =
6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 6d | mdm-tlv=device-m
61 63 3d 65 30 2d 64 62 2d 35 35 2d 62 36 2d 32 | ac=e0-db-55-b6-2
66 2d 61 33 | f-a3
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 44 (0x2C)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 38 (0x26)
Radius: Value (String) =
6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 6d | mdm-tlv=device-m
61 63 3d 66 38 2d 32 66 2d 61 38 2d 63 35 2d 65 | ac=f8-2f-a8-c5-e
35 2d 35 31 | 5-51
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 49 (0x31)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 43 (0x2B)
Radius: Value (String) =
6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 70 | mdm-tlv=device-p
6c 61 74 66 6f 72 6d 2d 76 65 72 73 69 6f 6e 3d | latform-version=
36 2e 32 2e 39 32 30 30 20 | 6.2.9200
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 49 (0x31)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 43 (0x2B)
Radius: Value (String) =
6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 74 | mdm-tlv=device-t
79 70 65 3d 44 65 6c 6c 20 49 6e 63 2e 20 56 6f | ype=Dell Inc. Vo
73 74 72 6f 20 32 35 32 30 | stro 2520
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 91 (0x5B)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 85 (0x55)
Radius: Value (String) =
6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 75 | mdm-tlv=device-u
69 64 3d 44 46 37 32 36 42 33 36 44 42 38 33 30 | id=DF726B36DB830
41 44 36 37 45 37 37 44 39 34 45 30 36 34 38 37 | AD67E77D94E06487
30 46 43 31 37 46 35 43 35 33 37 39 42 34 41 39 | 0FC17F5C5379B4A9
31 32 46 43 34 42 35 33 35 38 33 45 36 36 37 32 | 12FC4B53583E6672
45 43 31 | EC1
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 172.16.16.1 (0xAC101001)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 49 (0x31)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 43 (0x2B)
Radius: Value (String) =
61 75 64 69 74 2d 73 65 73 73 69 6f 6e 2d 69 64 | audit-session-id
3d 61 63 31 30 31 30 30 31 30 30 30 33 62 30 30 | =ac1010010003b00
30 35 37 31 62 61 32 61 30 | 0571ba2a0
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 29 (0x1D)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 23 (0x17)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e | ip:source-ip=10.
31 2e 31 2e 32 | 1.1.2
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 11 (0x0B)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 146 (0x92) Tunnel-Group-Name
Radius: Length = 5 (0x05)
Radius: Value (String) =
41 4e 59 | ANY
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 150 (0x96) Client-Type
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 2 (0x0002)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 21 (0x15)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 15 (0x0F)
Radius: Value (String) =
63 6f 61 2d 70 75 73 68 3d 74 72 75 65 | coa-push=true
send pkt 172.16.16.16/1645
rip 0xcc8357e0 state 7 id 76
rad_vrfy() : response message verified
rip 0xcc8357e0
: chall_state ''
: state 0x7
: reqauth:
04 89 bc f6 22 82 62 3c 50 67 37 52 2b ad 24 dd
: info 0xcc835918
session_id 0x89
request_id 0x4c
user 'vpn-t1@in.spooster.com'
response '***'
app 0
reason 0
skey 'Cisco@123'
sip 172.16.16.16
type 1
RADIUS packet decode (response)
--------------------------------------
Raw packet data (length = 224).....
02 4c 00 e0 c3 43 b5 a5 8e 17 41 da cf ed bc d1 | .L...C....A.....
3f 74 83 18 07 06 00 00 00 01 06 06 00 00 00 02 | ?t..............
19 2e a7 d5 08 d0 00 00 01 37 00 01 02 00 ac 10 | .........7......
10 10 00 00 00 00 69 bf be 43 42 fa 87 69 01 d1 | ......i..CB..i..
9b d9 13 93 32 3a 00 00 00 00 00 00 00 0b 1a 2a | ....2:.........*
00 00 01 37 11 24 80 53 df 3f 2a 3c 06 0a a3 1b | ...7.$.S.?*<....
d7 49 93 27 61 cd 0f cd 68 75 ee e0 88 16 47 5e | .I.'a...hu....G^
f1 b3 e4 34 87 a0 6e 94 1a 2a 00 00 01 37 10 24 | ...4..n..*...7.$
80 54 9f 6c 9d 08 35 a5 db ef cf 53 b1 cb 07 4b | .T.l..5....S...K
b2 7c 04 d4 3d 38 84 e6 20 3b db 4c b9 e6 f3 3e | .|..=8.. ;.L...>
8f 23 1a 33 00 00 01 37 1a 2d 00 53 3d 44 30 46 | .#.3...7.-.S=D0F
32 30 33 46 43 34 44 45 36 45 41 36 35 38 39 41 | 203FC4DE6EA6589A
44 45 39 37 34 30 33 36 32 44 43 46 46 43 31 41 | DE9740362DCFFC1A
43 43 43 30 34 1a 0b 00 00 01 37 0a 05 00 49 4e | CCC04.....7...IN
Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 76 (0x4C)
Radius: Length = 224 (0x00E0)
Radius: Vector: C343B5A58E1741DACFEDBCD13F748318
Radius: Type = 7 (0x07) Framed-Protocol
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x1
Radius: Type = 6 (0x06) Service-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x2
Radius: Type = 25 (0x19) Class
Radius: Length = 46 (0x2E)
Radius: Value (String) =
a7 d5 08 d0 00 00 01 37 00 01 02 00 ac 10 10 10 | .......7........
00 00 00 00 69 bf be 43 42 fa 87 69 01 d1 9b d9 | ....i..CB..i....
13 93 32 3a 00 00 00 00 00 00 00 0b | ..2:........
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 42 (0x2A)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 17 (0x11) MS-MPPE-Recv-Key
Radius: Length = 36 (0x24)
Radius: Value (String) =
80 53 df 3f 2a 3c 06 0a a3 1b d7 49 93 27 61 cd | .S.?*<.....I.'a.
0f cd 68 75 ee e0 88 16 47 5e f1 b3 e4 34 87 a0 | ..hu....G^...4..
6e 94 | n.
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 42 (0x2A)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 16 (0x10) MS-MPPE-Send-Key
Radius: Length = 36 (0x24)
Radius: Value (String) =
80 54 9f 6c 9d 08 35 a5 db ef cf 53 b1 cb 07 4b | .T.l..5....S...K
b2 7c 04 d4 3d 38 84 e6 20 3b db 4c b9 e6 f3 3e | .|..=8.. ;.L...>
8f 23 | .#
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 51 (0x33)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 26 (0x1A) MS-CHAP2-Success
Radius: Length = 45 (0x2D)
Radius: Value (String) =
00 53 3d 44 30 46 32 30 33 46 43 34 44 45 36 45 | .S=D0F203FC4DE6E
41 36 35 38 39 41 44 45 39 37 34 30 33 36 32 44 | A6589ADE9740362D
43 46 46 43 31 41 43 43 43 30 34 | CFFC1ACCC04
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 11 (0x0B)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 10 (0x0A) Unknown
Radius: Length = 5 (0x05)
rad_procpkt: ACCEPT
radius.c 1300: status = 1
MSChapv2 authenticator received.
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
remove_req 0xcc8357e0 session 0x89 id 76
free_rip 0xcc8357e0
radius: send queue empty
Regards,
Mukesh Kumar
Network Engineer
Spooster IT Services
The instructions work well, but with Office 365 MFA and the NPS extension installed on the Radius server it stops working.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn
Anyone able to configure VPN group-lock with NPS extension installed on the Radius server?
Hi!
This instruction works well for us on ASA 5510 (9.1.7), 5512-X (9.12.4), 5525-X (9.14.3) and MS NPS Server 2012 R2.
On step 13 we write 85, and on step 15 we write corp-ra-group (the name of the tunnel-group).
We checked the exchange between the ASA and NPS via "debug radius all" on the ASA:
Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 42 (0x2A)
Radius: Length = 135 (0x0087)
Radius: Vector: EB16DE5326F3E8B65EE6164242A571C4
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 21 (0x15)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 85 (0x55) The tunnel group that tunnel must be associated with
Radius: Length = 15 (0x0F)
Radius: Value (String) =
66 75 6e 64 2d 72 61 2d 67 72 6f 75 70 | corp-ra-group
Many thanks to @Jatin Katyal!
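The two Access-Accepts quoted in this thread differ in exactly the way the ASA cares about: the 224-byte response in Mukesh's "debug radius" output carries only Microsoft (vendor 311) attributes, so the ASA receives no group-policy or tunnel-group assignment from RADIUS, while the later "debug radius all" excerpt carries a Cisco ASA (vendor 3076) attribute 85 holding the tunnel-group name. The script below is an added example, not code from the thread or from Cisco or Microsoft: it parses a raw RADIUS packet, unwraps Vendor-Specific attributes (including several sub-attributes in one VSA), lists the vendor-3076 attributes the ASA would act on, and verifies the Response Authenticator the way the ASA's rad_vrfy() does. The 224-byte Access-Accept is transcribed from the post as sample input; the second sample packet, its shared secret and its Request Authenticator are constructed for the demonstration, and the names for vendor-3076 attributes 25, 146 and 150 come from the Cisco ASA RADIUS dictionary rather than from the page.

```python
import hashlib
import hmac
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
VENDOR_SPECIFIC = 26
CISCO_ASA_VENDOR = 3076      # "Vendor ID = 3076 (0x00000C04)" in the debugs
MICROSOFT_VENDOR = 311       # "Vendor ID = 311 (0x00000137)" in the debugs
# 85 is shown on the page; 25 (Group-Policy), 146 and 150 are from the Cisco ASA dictionary.
ASA_VSA_NAMES = {25: "Group-Policy", 85: "Tunnel-Group-Lock",
                 146: "Tunnel-Group-Name", 150: "Client-Type"}


def parse_radius(packet: bytes):
    """Return (code, identifier, authenticator, attrs).

    attrs is a list of (type, vendor, vendor_type, value); vendor and vendor_type
    are None for standard attributes. Vendor-Specific (26) attributes are
    unwrapped, walking every sub-attribute they carry (RFC 2865 section 5.26)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} != {len(packet)} bytes on the wire")
    authenticator = packet[4:20]
    attrs = []
    off = 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {off}")
        value = packet[off + 2:off + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            voff = 4
            while voff < len(value):
                if voff + 2 > len(value):
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = value[voff], value[voff + 1]
                if vlen < 2 or voff + vlen > len(value):
                    raise ValueError(f"bad vendor sub-attribute length {vlen}")
                attrs.append((atype, vendor, vtype, value[voff + 2:voff + vlen]))
                voff += vlen
        else:
            attrs.append((atype, None, None, value))
        off += alen
    return code, ident, authenticator, attrs


def asa_attributes(attrs) -> dict:
    """Cisco ASA (vendor 3076) attributes by name. An empty dict means the
    Access-Accept gives the ASA no group-policy or tunnel-group lock to apply."""
    out = {}
    for _atype, vendor, vtype, value in attrs:
        if vendor == CISCO_ASA_VENDOR:
            out[ASA_VSA_NAMES.get(vtype, f"asa-vsa-{vtype}")] = value.decode("ascii", "replace")
    return out


def verify_response_authenticator(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    This is the check the ASA logs as 'rad_vrfy() : response message verified'."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def build_vsa(vendor: int, vtype: int, value: bytes) -> bytes:
    """Encode one Vendor-Specific attribute carrying a single sub-attribute."""
    sub = bytes([vtype, 2 + len(value)]) + value
    body = struct.pack("!I", vendor) + sub
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Build a response with a correct Response Authenticator (for constructed test data)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


# Access-Accept transcribed from the 'debug radius' raw packet dump above (224 bytes).
PAGE_ACCESS_ACCEPT = bytes.fromhex(
    "024c00e0c343b5a58e1741dacfedbcd1" "3f748318070600000001060600000002"
    "192ea7d508d00000013700010200ac10" "10100000000069bfbe4342fa876901d1"
    "9bd91393323a000000000000000b1a2a" "0000013711248053df3f2a3c060aa31b"
    "d749932761cd0fcd6875eee08816475e" "f1b3e43487a06e941a2a000001371024"
    "80549f6c9d0835a5dbefcf53b1cb074b" "b27c04d43d3884e6203bdb4cb9e6f33e"
    "8f231a33000001371a2d00533d443046" "32303346433444453645413635383941"
    "44453937343033363244434646433141" "43434330341a0b000001370a0500494e")

# Constructed Access-Accept modelled on the later post: vendor 3076 attribute 85
# (Tunnel-Group-Lock) plus 25 (Group-Policy). Secret and Request Authenticator are
# made up here; they are not the values from the thread.
DEMO_REQUEST_AUTH = bytes(range(16))
DEMO_SECRET = b"example-shared-secret"
DEMO_ACCESS_ACCEPT = build_response(
    2, 42, DEMO_REQUEST_AUTH, DEMO_SECRET,
    build_vsa(CISCO_ASA_VENDOR, 85, b"corp-ra-group") + build_vsa(CISCO_ASA_VENDOR, 25, b"GP"))


if __name__ == "__main__":
    for label, pkt in (("page", PAGE_ACCESS_ACCEPT), ("constructed", DEMO_ACCESS_ACCEPT)):
        code, ident, _auth, attrs = parse_radius(pkt)
        print(f"{label}: {RADIUS_CODES.get(code, code)} id={ident} "
              f"attrs={len(attrs)} asa={asa_attributes(attrs) or 'none (default group-policy applies)'}")
```

Run it as-is to see the page's Access-Accept decode to seven attributes with no vendor-3076 entries, and the constructed one decode to a Tunnel-Group-Lock and Group-Policy pair; feed it your own "debug radius" bytes to check which policy the NPS network policy is actually pushing.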
I have the same issue as k.dixon; has this been resolved?
Thank you