NPS Server rejecting radius authentication request from Cisco C3560

umutyasar
Level 1

Hi All,

I have configured radius authentication for cisco login and NPS server for login.

But authentication is rejected by the server. What could be the reason?

On the NPS I can see that it's not a wrong user/pass error. It seems the user is configured on the NPS but the rule is not matching the authentication request. I have configured service-type: Administrator and a Cisco value pair like below on the NPS server:

Name: Cisco-AV-Pair
Att Number: 5000
Format: String
Value: shell:priv-lvl=15

Cisco sw config:

aaa group server radius nps-servers
server name nps-server1
!
radius server nps-server1
address ipv4 10.10.10.1 auth-port 1812 acct-port 1813
key xxx

aaa authentication login userAuthentication group nps-servers local
aaa authorization exec userAuthorization group nps-servers local if-authenticated
aaa accounting exec default start-stop group nps-servers
aaa accounting system default start-stop group nps-servers
!
!
ip radius source-interface Vlan6
!
!
line vty 0 4
authorization exec userAuthorization
login authentication userAuthentication
!

reccon
Level 1

Try service-type: Login instead of service-type: Administrator

Did you configure any Conditions or Constraints in your NPS Policy?

Did you check the Eventlog on the NPS Server for errors?

Hi,

I tried Login, didn't work.

Conditions are: Windows Group for the users and client IP address for the switch IP

Constraints are: authentication methods CHAP and PAP

Event log is showing as below: it's going to the last network policy, which is Deny; it's not matching the actual Administrators policy for which I configured constraints and conditions.

Authentication Details:
Connection Request Policy Name: Secure Connections
Network Policy Name: Login to other servers
Authentication Provider: Windows
Authentication Server: xxx
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

I have it configured like this (works on 3750 and 3850):

Conditions

Windows Group: domain\group

NAS IPv4-Address: 10\.1\.1\.+

Constraints

PAP, SPAP

Settings

service-type: Login

Cisco-AV-Pair   Att Number 5000   shell:priv-lvl=15

aaa group server radius radius-server
  server-private <radius-server-ip> key <radius-key>
aaa authentication login default group radius-server local
aaa authorization exec default group radius-server local
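
To make concrete what the NPS settings above (service-type: Login plus Cisco-AV-Pair = shell:priv-lvl=15) actually put on the wire in the Access-Accept, here is an added example that is not from this thread or from Cisco/Microsoft: it encodes and decodes those two attributes per RFC 2865 and pulls out the privilege level the switch's exec authorization will apply. Note that NPS's "Att Number 5000" is only its dictionary id; on the wire Cisco-AV-Pair is a Vendor-Specific attribute (type 26) with vendor id 9 and vendor-type 1.

```python
import struct

# RFC 2865 attribute types and the Service-Type values discussed in the thread
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_LOGIN = 1           # what the replies recommend
SERVICE_TYPE_ADMINISTRATIVE = 6  # what the original policy used
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                 # vendor-type 1 == Cisco-AV-Pair (NPS dictionary id 5000)


def service_type(value):
    """Encode a Service-Type attribute: type(1) length(1) value(4)."""
    return struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, value)


def cisco_av_pair(text):
    """Encode a Cisco-AV-Pair VSA: type=26, len, vendor-id(4), vendor-type(1), vendor-len(1), string."""
    data = text.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(inner), CISCO_VENDOR_ID) + inner


def decode_attributes(buf):
    """Walk a RADIUS attribute list and return (name, value) pairs."""
    out, i = [], 0
    while i < len(buf):
        t, length = buf[i], buf[i + 1]
        v = buf[i + 2:i + length]
        if t == ATTR_SERVICE_TYPE:
            out.append(("Service-Type", struct.unpack("!I", v)[0]))
        elif t == ATTR_VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", v[:4])[0]
            vtype, vlen = v[4], v[5]
            out.append((f"VSA({vendor}:{vtype})", v[6:4 + vlen].decode()))
        else:
            out.append((t, v))  # anything else is left raw
        i += length
    return out


def priv_level(buf):
    """Return the shell:priv-lvl the switch's exec authorization would apply, or None if absent."""
    for name, value in decode_attributes(buf):
        if name == "VSA(9:1)" and value.startswith("shell:priv-lvl="):
            return int(value.split("=", 1)[1])
    return None


# Constructed Access-Accept attribute list matching the working NPS policy above
ACCEPT_ATTRS = service_type(SERVICE_TYPE_LOGIN) + cisco_av_pair("shell:priv-lvl=15")
```

Running decode_attributes(ACCEPT_ATTRS) shows Service-Type 1 (Login) followed by VSA(9:1) = shell:priv-lvl=15, which is exactly what "aaa authorization exec ... group radius-server" needs to land the session at privilege 15.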
