12-18-2013 07:55 PM
I am wondering whether anybody has encountered the following error.
I have a Cisco ASA firewall, and I configured AAA authentication to my Active Directory server. On my Active Directory server, I configured my ASA firewall as a RADIUS client.
For my VPN user authentication, I configured my VPN users to authenticate through the Active Directory server.
In my Active Directory server, I have multiple groups. Some users are in GROUP-ABC; most users are in GROUP-XYZ.
Users who are members of GROUP-ABC can log in successfully.
Users who are members of GROUP-XYZ cannot log in; the Cisco VPN client keeps prompting the users to authenticate.
The ASA firewall gives the error: Error processing payload: Payload ID: 14
When I add the user as a member of GROUP-ABC, the user is able to log in successfully.
On the Cisco ASA firewall, I do not see any configuration associated with an Active Directory group name.
12-19-2013 03:48 PM
Hi,
Verify the debug aaa/debug radius output on the ASA for any clues.
I assume you use Microsoft NPS, look into the logs for any clue.
My assumption (a wild guess): Verify the group policies on your Active Directory, verify the setting "grant dial in" and next to it another similar setting (I forgot the details, was more than a year ago when I last saw it), compare with NPS documentation and compare the two groups (successful/unsuccessful).
Also check your authentication policies on NPS if you have more than one.
Hope that helps,
MiKa
12-19-2013 06:57 PM
Hi Kafka,
Thanks for pointing me in the correct direction. The issue is in the NPS. The group "GROUP-XYZ" does not have the correct setting in "Authentication Method".
The setting is in Network Policy Server => Policies => Network Policies.
Go to the individual network group to view its settings.
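MiKa's advice was to read the NPS logs, and the original poster's fix turned out to be the authentication-method list of one network policy. Below is an added example, not code from this thread, from Cisco or from Microsoft, that ties the two together: it parses NPS log lines written in the DTS-compliant XML format (one `<Event>` element per line; element names such as `Packet-Type`, `NP-Policy-Name` and `Reason-Code` are assumed from the NPS logging documentation) and groups every Access-Reject by the network policy that matched and the reason code NPS recorded. Reason code 66 is the one NPS logs when the matched policy does not allow the authentication method the client used, which is the condition found in this thread; the other codes listed are a small abbreviated subset of Microsoft's reason-code table, and anything else is reported by number only. The log lines, policy names and user names are constructed for the example.

```python
"""Triage NPS RADIUS log lines (DTS-compliant XML format) and summarise
Access-Reject events by network policy and reason code."""
import xml.etree.ElementTree as ET

# Abbreviated subset of Microsoft's NPS reason-code table (assumption: only
# these few are described here; unlisted codes are reported by number).
REASON_CODES = {
    0: "success",
    16: "authentication failed: user credentials mismatch",
    48: "connection request did not match any configured network policy",
    65: "user account's dial-in property is set to deny network access",
    66: "authentication method used is not enabled on the matching network policy",
}

# RADIUS Packet-Type values as written by NPS.
ACCESS_REJECT = "3"

# Constructed sample log lines, not real NPS output. One user (alice) is accepted
# by the GROUP-ABC policy; two users hit the GROUP-XYZ policy and are rejected
# with reason 66; one user fails with a bad password; one line is truncated.
SAMPLE_NPS_LOG = """\
<Event><Timestamp data_type="4">12/19/2013 10:01:05</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Packet-Type data_type="0">1</Packet-Type><User-Name data_type="1">alice</User-Name><Client-Friendly-Name data_type="1">ASA-FW</Client-Friendly-Name></Event>
<Event><Timestamp data_type="4">12/19/2013 10:01:05</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Packet-Type data_type="0">2</Packet-Type><User-Name data_type="1">alice</User-Name><NP-Policy-Name data_type="1">VPN-GROUP-ABC</NP-Policy-Name><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">12/19/2013 10:02:11</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Packet-Type data_type="0">3</Packet-Type><User-Name data_type="1">bob</User-Name><NP-Policy-Name data_type="1">VPN-GROUP-XYZ</NP-Policy-Name><Reason-Code data_type="0">66</Reason-Code></Event>
<Event><Timestamp data_type="4">12/19/2013 10:02:40</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Packet-Type data_type="0">3</Packet-Type><User-Name data_type="1">carol</User-Name><NP-Policy-Name data_type="1">VPN-GROUP-XYZ</NP-Policy-Name><Reason-Code data_type="0">66</Reason-Code></Event>
<Event><Timestamp data_type="4">12/19/2013 10:03:02</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Packet-Type data_type="0">3</Packet-Type><User-Name data_type="1">dave</User-Name><NP-Policy-Name data_type="1">VPN-GROUP-ABC</NP-Policy-Name><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">12/19/2013 10:03:30</Timestamp><Computer-Name data_type="1">NPS01
"""


def parse_events(log_text):
    """Parse one <Event> element per line into a dict of child-tag -> text.
    Blank or malformed (e.g. truncated) lines are skipped rather than aborting."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            root = ET.fromstring(line)
        except ET.ParseError:
            continue
        events.append({child.tag: (child.text or "").strip() for child in root})
    return events


def summarize_rejects(events):
    """Group Access-Reject events by (matched policy, reason code) -> sorted users."""
    groups = {}
    for ev in events:
        if ev.get("Packet-Type") != ACCESS_REJECT:
            continue
        policy = ev.get("NP-Policy-Name") or "<no policy matched>"
        code = int(ev.get("Reason-Code", "-1"))
        groups.setdefault((policy, code), set()).add(ev.get("User-Name", "?"))
    return {key: sorted(users) for key, users in groups.items()}


def describe(code):
    """Human-readable meaning for the reason codes this script knows about."""
    return REASON_CODES.get(code, "reason code %d: look it up in the NPS reason-code table" % code)


def triage(log_text):
    """Return reject groups as rows, most-affected (policy, reason) first."""
    groups = summarize_rejects(parse_events(log_text))
    rows = [
        {"policy": policy, "reason_code": code, "users": users, "meaning": describe(code)}
        for (policy, code), users in groups.items()
    ]
    rows.sort(key=lambda r: (-len(r["users"]), r["policy"], r["reason_code"]))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_NPS_LOG):
        print("%-16s reason %3d  users=%s  (%s)" % (
            row["policy"], row["reason_code"], ",".join(row["users"]), row["meaning"]))
```

Run against a real NPS log file (`open(path).read()` in place of `SAMPLE_NPS_LOG`) once the log format is set to DTS Compliant; a cluster of reason 66 under one policy points straight at that policy's Constraints => Authentication Methods tab, while reason 65 points at the user object's dial-in permission that MiKa mentioned, and reason 48 means no network policy matched at all.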