10-24-2012 04:38 AM - edited 03-07-2019 09:39 AM
Hi!
I would like to use Microsoft Network Policy Server 2008 as a RADIUS server for my routers and so control logins using Active Directory groups.
I think I did it all correctly, but I get an authentication failure,
and I should add that I have tested it with both domain groups and local groups.
Router Interface: Fa 0/1: 192.168.10.254
NPS: 192.168.10.11
Router Config:
aaa new-model
!
!
aaa authentication login Ganji group radius local
aaa authorization exec Ganji group radius local
!
!
radius-server host 192.168.10.11 auth-port 1812 acct-port 1813 key 123456
!
line vty 0 4
 exec-timeout 15 0
 authorization exec Ganji
 logging synchronous
 login authentication Ganji
 transport input all
!
NPS Config:
http://www.webbosworld.co.uk/blog/?p=191
Router Log:
*Oct 24 11:43:08.579: RADIUS/ENCODE(00000014): ask "Password: "
*Oct 24 11:43:08.579: RADIUS/ENCODE(00000014): send packet; GET_PASSWORD
R1#
*Oct 24 11:43:13.891: RADIUS/ENCODE(00000014):Orig. component type = Exec
*Oct 24 11:43:13.899: RADIUS: AAA Unsupported Attr: interface [204] 4
*Oct 24 11:43:13.899: RADIUS: 74 74 [ tt]
*Oct 24 11:43:13.903: RADIUS(00000014): Config NAS IP: 192.168.10.254
*Oct 24 11:43:13.907: RADIUS/ENCODE(00000014): acct_session_id: 10
*Oct 24 11:43:13.907: RADIUS(00000014): sending
*Oct 24 11:43:13.923: RADIUS(00000014): Send Access-Request to 192.168.10.11:1812 id 1645/12, len 73
*Oct 24 11:43:13.923: RADIUS: authenticator AB 7D 7F 2C 5F 53 4E 56 - 87 25 94 F0 88 EA 5E A0
*Oct 24 11:43:13.923: RADIUS: User-Name [1] 5 "noc"
*Oct 24 11:43:13.923: RADIUS: User-Password [2] 18 *
*Oct 24 11:43:13.923: RADIUS: NAS-Port [5] 6 2
*Oct 24 11:43:13.923: RADIUS: NAS-Port-Id [87] 6 "tty2"
*Oct 24 11:43:13.923: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
R1#
*Oct 24 11:43:13.923: RADIUS: Service-Type [6] 6 Login [1]
*Oct 24 11:43:13.923: RADIUS: NAS-IP-Address [4] 6 192.168.10.254
*Oct 24 11:43:13.927: RADIUS(00000014): Started 5 sec timeout
*Oct 24 11:43:13.943: RADIUS: Received from id 1645/12 192.168.10.11:1812, Access-Reject, len 20
*Oct 24 11:43:13.947: RADIUS: authenticator BB A6 60 D5 8C E7 4D 87 - B5 00 1A 76 87 E3 0E 94
*Oct 24 11:43:13.963: RADIUS(00000014): Received from id 1645/12
R1#
*Oct 24 11:43:17.983: AAA/AUTHEN/LOGIN (00000014): Pick method list 'Ganji'
*Oct 24 11:43:17.991: RADIUS/ENCODE(00000014): ask "Username: "
*Oct 24 11:43:17.991: RADIUS/ENCODE(00000014): send packet; GET_USER
R1#
10-24-2012 05:47 AM
It is solved now.
The problem was that Vendor-Specific and Configure VSA were not set.
More details here:
http://blog.skufel.net/2012/06/how-to-integrating-cisco-devices-access-with-microsoft-npsradius/
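The following is an added example, not code from either post or from the linked blogs. It reconstructs the Access-Request the router logged above (id 12, 73 bytes, shared secret 123456 from the config, the logged Request Authenticator) in plain Python per RFC 2865, shows how a NAS validates the Response Authenticator on the reply, and encodes and decodes the Cisco Vendor-Specific attribute (vendor id 9, vendor type 1, cisco-avpair) that the fix in the reply refers to: without a VSA such as `shell:priv-lvl=15` in the Access-Accept, exec authorization has nothing to grant. The password value is a constructed placeholder, because the log masks it; the attribute numbers and the cisco-avpair format are standard.

```python
"""RADIUS (RFC 2865) helpers: rebuild the logged Access-Request, verify a
Response Authenticator, and encode/decode Cisco cisco-avpair VSAs."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6
VENDOR_SPECIFIC, NAS_PORT_TYPE, NAS_PORT_ID = 26, 61, 87
CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco
CISCO_AVPAIR = 1      # vendor type of the cisco-avpair string sub-attribute


def attr(atype: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value; Length includes the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26): 4-byte vendor id 9, then one cisco-avpair sub-attribute."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def hide_password(password: str, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], mask))
        out += prev
    return out


def build_packet(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attrs_bytes, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def build_response(code: int, request: bytes, attrs: list, secret: bytes) -> bytes:
    """What a RADIUS server sends back for `request` (Accept or Reject)."""
    ident, request_auth = request[1], request[4:20]
    body = b"".join(attrs)
    return build_packet(code, ident, response_authenticator(code, ident, request_auth, body, secret), attrs)


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """A NAS must silently discard replies whose Response Authenticator is wrong."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet: bytes) -> list:
    """Walk the attribute list; Cisco VSAs are decoded to ('cisco-avpair', text)."""
    out, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            vtype, vlen = value[4], value[5]
            if vlen != len(value) - 4:
                raise ValueError("malformed VSA")
            name = "cisco-avpair" if vtype == CISCO_AVPAIR else vtype
            out.append((name, value[6:].decode()))
        else:
            out.append((atype, value))
        pos += alen
    return out


def access_request_from_log(secret: bytes, password: str, request_auth: bytes) -> bytes:
    """The Access-Request in the router log: id 12, seven attributes, 73 bytes."""
    attrs = [
        attr(USER_NAME, b"noc"),
        attr(USER_PASSWORD, hide_password(password, secret, request_auth)),
        attr(NAS_PORT, struct.pack("!I", 2)),
        attr(NAS_PORT_ID, b"tty2"),
        attr(NAS_PORT_TYPE, struct.pack("!I", 5)),   # Virtual
        attr(SERVICE_TYPE, struct.pack("!I", 1)),    # Login
        attr(NAS_IP_ADDRESS, bytes([192, 168, 10, 254])),
    ]
    return build_packet(ACCESS_REQUEST, 12, request_auth, attrs)


def demo():
    secret = b"123456"                                              # key from the router config
    req_auth = bytes.fromhex("AB7D7F2C5F534E56872594F088EA5EA0")    # authenticator from the log
    req = access_request_from_log(secret, "placeholder-pw", req_auth)  # constructed password
    accept = build_response(ACCESS_ACCEPT, req,
                            [attr(SERVICE_TYPE, struct.pack("!I", 1)),
                             cisco_avpair("shell:priv-lvl=15")], secret)
    return len(req), verify_response(accept, req, secret), parse_attributes(accept)


if __name__ == "__main__":
    print(demo())
```

`demo()` returns 73 for the request length, matching the router's `len 73`, and the parsed Access-Accept contains `('cisco-avpair', 'shell:priv-lvl=15')`, which is the attribute the `aaa authorization exec Ganji group radius` line consumes. A bare Access-Reject of `len 20`, as in the log, carries no attributes at all, so the same parser returns an empty list for it.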