1014 Views, 0 Helpful, 2 Replies

VPN Authentication via Radius

limlayhin
Level 1

I am wondering whether anybody has encountered the following error.

I have a Cisco ASA firewall, and I configured AAA authentication to my Active Directory server. On my Active Directory server, I configured my ASA firewall as a RADIUS client.

For my VPN user authentication, I configured my VPN users to authenticate through the Active Directory server.

In my Active Directory Server, I have multiple Groups. Some users are in GROUP-ABC, most users are in GROUP-XYZ.

Users who are members of GROUP-ABC can log in successfully.

Users who are members of GROUP-XYZ cannot log in; the Cisco VPN client keeps prompting the user to authenticate.

The ASA firewall gives the error: Error processing payload: Payload ID: 14

When I add the user as a member of GROUP-ABC, the user is able to log in successfully.

On the Cisco ASA firewall, I do not see any configuration that is associated with an Active Directory group name.

Accepted Solution

m.kafka
Level 4

Hi,

Verify the debug aaa/debug radius output on the ASA for any clues.

I assume you use Microsoft NPS; look into its logs for any clue.

My assumption (a wild guess): verify the group policies in your Active Directory, verify the setting "grant dial in" and, next to it, another similar setting (I forgot the details; it was more than a year ago when I last saw it), compare with the NPS documentation, and compare the two groups (successful/unsuccessful).

Also check your authentication policies on NPS if you have more than one.

Hope that helps,

MiKa


2 Replies

Hi Kafka,

Thanks for pointing me in the correct direction. The issue is in the NPS. The group "GROUP-XYZ" does not have the correct setting in "Authentication Method".

The setting is in Network Policy Server => Policies => Network Policies

Go to the individual network group to view its settings.
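The accepted answer says to look in the NPS logs, and the follow-up shows the cause was the Authentication Methods setting of one network policy. The Python script below, added here as an example and not code from the thread or from Cisco or Microsoft, turns that advice into a quick triage: it parses NPS log events, groups Access-Rejects by the network policy that matched and by the NPS Reason-Code, and prints which authentication method the failing clients were using, so a policy whose allowed methods differ from its sibling policy stands out. It assumes NPS is logging in the DTS-compliant XML format (one `<Event>` element per line); the element names, the Authentication-Type values and the Reason-Code meanings are taken from Microsoft's NPS documentation and should be checked against the server on hand. Every sample log line is constructed.

```python
"""Triage NPS Access-Reject events from DTS-compliant XML log lines.

Added example, not part of the original thread. Assumptions: NPS logs in the
DTS-compliant XML format (one <Event> element per line); element names,
Authentication-Type values and Reason-Code meanings follow Microsoft's NPS
documentation and should be verified on the server; all sample lines are
constructed.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# RADIUS Packet-Type codes (RFC 2865): 2 = Access-Accept, 3 = Access-Reject.
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3

# NPS Authentication-Type values as documented for the IAS/DTS log fields (assumed; verify).
AUTH_TYPE_NAMES = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAP v2", 5: "EAP"}

# NPS Reason-Code values as documented for audit event 6273 (assumed; verify).
REASON_HINTS = {
    16: "bad credentials (wrong password, locked or expired account)",
    48: "no network policy matched: check policy conditions and ordering",
    65: "AD dial-in 'Network Access Permission' denies this user",
    66: "authentication method not enabled on the matching network policy",
}

# Constructed sample log lines in the shape of NPS DTS-compliant XML events.
SAMPLE_LOG = [
    '<Event><Client-Friendly-Name data_type="1">ASA-FW</Client-Friendly-Name>'
    '<SAM-Account-Name data_type="1">CORP\\alice</SAM-Account-Name>'
    '<Authentication-Type data_type="0">1</Authentication-Type>'
    '<NP-Policy-Name data_type="1">VPN-GROUP-ABC</NP-Policy-Name>'
    '<Packet-Type data_type="0">2</Packet-Type></Event>',
    '<Event><Client-Friendly-Name data_type="1">ASA-FW</Client-Friendly-Name>'
    '<SAM-Account-Name data_type="1">CORP\\bob</SAM-Account-Name>'
    '<Authentication-Type data_type="0">1</Authentication-Type>'
    '<NP-Policy-Name data_type="1">VPN-GROUP-XYZ</NP-Policy-Name>'
    '<Packet-Type data_type="0">3</Packet-Type>'
    '<Reason-Code data_type="0">66</Reason-Code></Event>',
    # The VPN client re-prompts and bob tries again: same reject, same reason.
    '<Event><Client-Friendly-Name data_type="1">ASA-FW</Client-Friendly-Name>'
    '<SAM-Account-Name data_type="1">CORP\\bob</SAM-Account-Name>'
    '<Authentication-Type data_type="0">1</Authentication-Type>'
    '<NP-Policy-Name data_type="1">VPN-GROUP-XYZ</NP-Policy-Name>'
    '<Packet-Type data_type="0">3</Packet-Type>'
    '<Reason-Code data_type="0">66</Reason-Code></Event>',
    '<Event><Client-Friendly-Name data_type="1">ASA-FW</Client-Friendly-Name>'
    '<SAM-Account-Name data_type="1">CORP\\carol</SAM-Account-Name>'
    '<Authentication-Type data_type="0">1</Authentication-Type>'
    '<NP-Policy-Name data_type="1">VPN-GROUP-XYZ</NP-Policy-Name>'
    '<Packet-Type data_type="0">3</Packet-Type>'
    '<Reason-Code data_type="0">66</Reason-Code></Event>',
    # A plain wrong-password reject, to show it is reported separately.
    '<Event><Client-Friendly-Name data_type="1">ASA-FW</Client-Friendly-Name>'
    '<SAM-Account-Name data_type="1">CORP\\dave</SAM-Account-Name>'
    '<Authentication-Type data_type="0">1</Authentication-Type>'
    '<NP-Policy-Name data_type="1">VPN-GROUP-XYZ</NP-Policy-Name>'
    '<Packet-Type data_type="0">3</Packet-Type>'
    '<Reason-Code data_type="0">16</Reason-Code></Event>',
    # An Accounting-Request (Packet-Type 4) is ignored by the triage.
    '<Event><Client-Friendly-Name data_type="1">ASA-FW</Client-Friendly-Name>'
    '<SAM-Account-Name data_type="1">CORP\\alice</SAM-Account-Name>'
    '<Packet-Type data_type="0">4</Packet-Type></Event>',
]


def parse_event(line):
    """Extract the fields the triage needs from one <Event> line."""
    root = ET.fromstring(line)

    def text(tag, cast=str):
        el = root.find(tag)
        return cast(el.text) if el is not None and el.text is not None else None

    return {
        "user": text("SAM-Account-Name"),
        "client": text("Client-Friendly-Name"),
        "policy": text("NP-Policy-Name"),
        "packet_type": text("Packet-Type", int),
        "reason": text("Reason-Code", int),
        "auth_type": text("Authentication-Type", int),
    }


def triage(lines):
    """Count accepts per policy; group rejects by (policy, reason) with a hint."""
    accepts = Counter()
    rejects = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["packet_type"] == ACCESS_ACCEPT:
            accepts[ev["policy"]] += 1
        elif ev["packet_type"] == ACCESS_REJECT:
            rejects[(ev["policy"], ev["reason"])].append(ev)
    report = []
    # Most frequent reject group first so the systemic problem tops the list.
    for (policy, reason), evs in sorted(
        rejects.items(), key=lambda kv: (-len(kv[1]), str(kv[0][0]), kv[0][1] or 0)
    ):
        report.append({
            "policy": policy,
            "reason": reason,
            "count": len(evs),
            "users": sorted({e["user"] for e in evs}),
            "auth_types": sorted({AUTH_TYPE_NAMES.get(e["auth_type"], str(e["auth_type"]))
                                  for e in evs}),
            "hint": REASON_HINTS.get(reason, "unknown reason code; see the NPS reason-code table"),
        })
    return {"accepts": dict(accepts), "rejects": report}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("accepts per policy:", result["accepts"])
    for row in result["rejects"]:
        print(f'{row["count"]:>3} reject(s)  policy={row["policy"]!r}  reason={row["reason"]}  '
              f'auth={row["auth_types"]}  users={row["users"]}\n      hint: {row["hint"]}')
```

Read the output next to the Authentication Methods tab of each network policy: when one policy accepts the method the ASA sends and the other rejects it with Reason-Code 66, the fix is on the NPS side, not on the ASA, which matches what the thread found. Point the script at the real log file by replacing `SAMPLE_LOG` with the file's lines; if the server writes the older IAS comma-separated format instead, the parser would need to be swapped for one that splits on commas.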