07-08-2021 06:45 AM
Hi All,
I have configured RADIUS authentication for Cisco login with an NPS server.
But authentication is rejected by the server. What could be the reason?
On the NPS I can see that it's not a wrong user/pass error. It seems the user is configured on the NPS but the rule is not matching the authentication request. I have configured service-type: Administrator and the Cisco value pair like below on the NPS server:
Name: Cisco-AV-Pair
Att Number: 5000
Format: String
Value: shell:priv-lvl=15
Cisco sw config:
aaa group server radius nps-servers
server name nps-server1
!
radius server nps-server1
address ipv4 10.10.10.1 auth-port 1812 acct-port 1813
key xxx
aaa authentication login userAuthentication group nps-servers local
aaa authorization exec userAuthorization group nps-servers local if-authenticated
aaa accounting exec default start-stop group nps-servers
aaa accounting system default start-stop group nps-servers
!
!
ip radius source-interface Vlan6
!
!
line vty 0 4
authorization exec userAuthorization
login authentication userAuthentication
!
07-08-2021 07:05 AM
Try service-type: Login instead of service-type: Administrator
Did you configure any Conditions or Constraints in your NPS Policy?
Did you check the Event Log on the NPS server for errors?
07-08-2021 07:28 AM
Hi,
I tried Login; it didn't work.
Conditions are: Windows Group for the users and client IP address for the switch IP.
Constraints are: authentication methods CHAP and PAP.
The Event Log shows as below. It's going to the last network policy, which is Deny; it's not matching the actual Administrators policy that I configured with the constraints and conditions.
Authentication Details:
Connection Request Policy Name: Secure Connections
Network Policy Name: Login to other servers
Authentication Provider: Windows
Authentication Server: xxx
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
07-08-2021 11:26 AM
I have it configured like this (works on 3750 and 3850):
Conditions
Windows Group: domain\group
NAS IPv4-Address: 10\.1\.1\.+
Constraints
PAP, SPAP
Settings
service-type: Login
Cisco-AV-Pair Att Number 5000 shell:priv-lvl=15
aaa group server radius radius-server
 server-private <radius-server-ip> key <radius-key>
aaa authentication login default group radius-server local
aaa authorization exec default group radius-server local
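As an added illustration of what is actually on the wire between the switch and NPS in this thread (example code written for this page, not from the thread, Cisco or Microsoft), the following Python models one RADIUS PAP exchange: the Access-Request the NAS sends for a VTY login (User-Name, PAP-hidden User-Password, NAS-IP-Address and Service-Type=Login, the two fields the NPS conditions and constraints above are matched against) and the Access-Accept carrying Cisco-AV-Pair `shell:priv-lvl=15` as Vendor-Specific attribute 26 with Cisco's vendor id 9. The shared secret `xxx`, the user, password and addresses are constructed placeholders; the Request Authenticator is fixed only when a caller passes one in.

```python
"""RADIUS PAP exchange between a Cisco NAS and a RADIUS server (added model)."""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
# RFC 2865 attribute types used here, and Cisco's IANA enterprise number.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 4, 6, 26
SERVICE_TYPE_LOGIN = 1  # the Service-Type the working policy in the thread uses
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1, header included) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_av_pair(text: str) -> bytes:
    """Vendor-Specific (26) carrying Cisco vendor-type 1, Cisco-AV-Pair."""
    inner = attr(CISCO_AV_PAIR, text.encode())
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def _pap_chain(data: bytes, secret: bytes, authenticator: bytes, hide: bool) -> bytes:
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block).
    The 'previous block' is the Request Authenticator for block 1, then the
    previous hidden block (our output when hiding, our input when unhiding)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, key))
        out += xored
        prev = xored if hide else block
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    return _pap_chain(padded, secret, authenticator, True)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _pap_chain(hidden, secret, authenticator, False).rstrip(b"\x00")


def parse_attrs(raw: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute TLVs, rejecting lengths that do not fit the buffer."""
    out = []
    while raw:
        if len(raw) < 2 or raw[1] < 2 or raw[1] > len(raw):
            raise ValueError("malformed RADIUS attribute")
        out.append((raw[0], raw[2:raw[1]]))
        raw = raw[raw[1]:]
    return out


def build_access_request(user: str, password: str, nas_ip: str, secret: bytes,
                         ident: int = 1, authenticator: Optional[bytes] = None) -> bytes:
    """What the switch sends for a VTY login under PAP. NAS-IP-Address and
    Service-Type are the fields an NPS policy's conditions inspect."""
    ra = os.urandom(16) if authenticator is None else authenticator
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def build_access_accept(request: bytes, secret: bytes, priv_lvl: int) -> bytes:
    """Server side: echo the identifier, return Service-Type=Login plus the
    Cisco-AV-Pair, and sign with Response Authenticator =
    MD5(Code|ID|Length|RequestAuth|Attributes|Secret) (RFC 2865 s3)."""
    attrs = (attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
             + cisco_av_pair(f"shell:priv-lvl={priv_lvl}"))
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """NAS side: trust a reply only if its identifier matches and its Response
    Authenticator was computed over our Request Authenticator with our secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def priv_level_from_accept(response: bytes) -> Optional[int]:
    """Extract N from a Cisco-AV-Pair 'shell:priv-lvl=N', if the packet carries one."""
    for atype, value in parse_attrs(response[20:]):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        for vtype, vvalue in parse_attrs(value[4:]):
            if vtype == CISCO_AV_PAIR and vvalue.startswith(b"shell:priv-lvl="):
                return int(vvalue.split(b"=", 1)[1])
    return None


if __name__ == "__main__":
    # Constructed values: 'xxx' mirrors the placeholder key in the posted config.
    secret = b"xxx"
    req = build_access_request("admin", "Passw0rd!", "10.10.10.6", secret, ident=7)
    req_attrs = dict(parse_attrs(req[20:]))
    print("server recovers:", unhide_password(req_attrs[USER_PASSWORD], secret, req[4:20]))
    resp = build_access_accept(req, secret, 15)
    print("valid:", verify_response(req, resp, secret), "priv-lvl:", priv_level_from_accept(resp))
```

Two practical points follow from the model. Reason Code 66 in the log above is raised against the policy that matched (here the final Deny policy), so the first thing to compare is the Service-Type and NAS-IP-Address values the switch actually sends against the conditions on the intended policy, exactly the two attributes this request carries. And the User-Password hiding is an MD5 keystream XOR, not encryption; the shared secret is the only protection, so keep RADIUS confined to a management VLAN (the posted config's `ip radius source-interface Vlan6`) and use a long secret rather than the placeholder.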