VPN Authorization

gcook0001
Level 1

I am looking at transitioning from using AD to NPS for authorizing users on our VPN. It is working well with AD, but I need to use some of the features available through NPS, such as framed-ip-address. I have a couple of connection profiles created. As soon as I add our NPS server to the Radius Server Group and change one of the connection profiles to use Radius instead of AD, everything stops working, even the profiles still using AD. Has anyone experienced this or have any insight into why?

6 Replies

@gcook0001 

Can you provide screenshots of your NPS RADIUS configuration?

From the CLI, can you turn on RADIUS debugs, attempt authentication/authorisation and then provide the output for review.

Thanks for the response. The issue isn't with the Radius configuration.

Currently I have three configuration profiles set up on my 1140 firewalls using FMC. All three are currently using a Realm connected to AD to authenticate. I would like to transition to using the NPS to get the added features of the NPS, the main one being able to assign IP addresses. When I configure the NPS server under Objects/Radius Server Groups in FMC, my VPN stops working. I don't even have it assigned to one of the connection profiles. All three are still just using Realms.

Ok, seems strange. Did you deploy the policy after making the changes?

Define stops working, all existing VPN connections drop or no new VPN users can connect?

What version of FMC/FTD are you running?

Here are the steps I took.

I added the NPS server to the Radius Server Group.

I tested the system before making any changes to the VPN connection profiles, so it still should connect using AD.

Tried connecting to the VPN. It asks for my credentials and then it just says establishing connection and never completes the connection.

Users already connected stay connected.

So if you just made the change on the FMC and did not deploy the policy to the FTD, I don't see how that could cause an issue.

Turn on debugs on the FTD, make a test authentication and provide the output for review.

So I tried it once more since, as you said, it didn't make sense, and it is working. I must have done something different before.

Thanks for the help.