10-11-2013 10:47 AM
I'm trying to set up management logins for the IronPort S170 using RADIUS. I have the Windows server configured and the server information is in the S170, but I'm having trouble with the Group Mapping. Under the RADIUS Class Attribute, what is an example of something that would go there? Is it an AD group? If not, is it some attribute number that I need to configure on the AD user object? If so, where? TAC has no idea how to do this.
10-11-2013 11:03 AM
So the first question is: if you set up the user and check the box to map everyone authed via RADIUS as admins, does that work?
The Class Attribute is any string or strings you want to use. When you set up the users in the WSA, you specify which string gets mapped to the Admin role, which gets mapped to the ReadOnly role, etc. (e.g. here, I set it to "WSAAdmin").
It may be that the Class Attribute gets MAPPED in the NAP server as a group name, but it can be anything... I use Steel Belted at the moment, and we just set it on the user, but you could have the NAP policy set it based on group membership, or whatever...
10-11-2013 11:56 AM
It doesn't work when I set it to "Map all externally authenticated users to the Administrator role".
10-11-2013 12:12 PM
Ok... so you need to chase that down, as it's the simplest config. Check the External Auth Logs on the WSA. Try looking at a packet capture and see what's going on between the WSA and the RADIUS box...
Take a look at this:
http://blog.skufel.net/2012/06/how-to-integrating-cisco-devices-access-with-microsoft-npsradius/
10-11-2013 12:21 PM
It was a bad secret. Evidently it didn't like the long and complex generated secret. So now that works. Next is how to narrow it down to a group.
10-11-2013 12:28 PM
That link I posted has info on how to set up the policy based on AD group too... it's built for Cisco hardware; the WSA stuff is just an extension of what's there (standard RADIUS attribute instead of Cisco attribute, etc.).
10-11-2013 12:35 PM
That seems to go into more router/switch-specific stuff. I tried to put together what I thought was correct. But what gets added to the RADIUS Class Attribute in the WSA? The Windows group name?
10-11-2013 01:20 PM
On the MS side, in the Settings tab for the policy, you tell it to send a standard RADIUS attribute of "Class" with a value of whatever you want... then that value gets set on the WSA and mapped to a role.
Sent from Cisco Technical Support Android App
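To make the Class-attribute mapping concrete, here is an added example (not from the thread or from Cisco) of the exchange described above: the RADIUS server puts a free-form string in the standard Class attribute (type 25) of its Access-Accept, and the appliance checks the Response Authenticator against the shared secret before mapping that string to a role. The secret, Request Authenticator, Class strings and role names are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not from the thread): the shared secret configured on the
# appliance and the RADIUS server, and the Request Authenticator from the Access-Request.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))

CODE_ACCESS_ACCEPT = 2
ATTR_CLASS = 25  # standard RADIUS "Class" attribute (RFC 2865)

# Class string -> appliance role; the strings are whatever you chose on both sides.
ROLE_MAP = {"WSAAdmin": "Administrator", "WSAReadOnly": "Read-Only Operator"}


def build_access_accept(identifier, request_auth, secret, attrs):
    """Server side. attrs is a list of (type, value_bytes). Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attributes(body):
    """Walk the TLV list: 1-byte type, 1-byte length (including the 2-byte header)."""
    attrs, i = [], 0
    while i < len(body):
        t, length = struct.unpack("!BB", body[i:i + 2])
        if length < 2 or i + length > len(body):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs


def role_from_access_accept(packet, request_auth, secret, role_map):
    """Appliance side: verify the authenticator, then map the Class value to a role.
    Returns the role name, or None if the reply is rejected or no Class value maps."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_ACCEPT or length != len(packet):
        return None
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return None  # shared-secret mismatch: the reply is discarded and login fails
    for t, value in parse_attributes(body):
        if t == ATTR_CLASS and value.decode("ascii", "replace") in role_map:
            return role_map[value.decode("ascii", "replace")]
    return None
```

A mismatched secret, as in the "bad secret" case earlier in the thread, shows up here as an authenticator failure with no role assigned, which is worth checking in the external auth logs before touching the group mapping.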
10-11-2013 01:39 PM
That's what I thought. I tried that and I get auth failures. In the log on the Windows server, I see "The user attempted to use an authentication method that is not enabled on the matching network policy." I then noticed that the policy was set for CHAP but the WSA was set for PAP. Looks like only PAP will work. Not ideal, but working.
10-11-2013 04:52 PM
Hi Mike,
I was going through your last reply and wondering why we cannot use CHAP when we have that option in the external authentication settings. If you select CHAP under external authentication settings, then on the Microsoft side enable CHAP as well under Remote Access Policy > Properties > Authentication tab and select CHAP.
User guide:
The appliance can communicate with RADIUS directories using either the Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP).
Let me know how it goes.
~BR
Jatin Katyal
**Do rate helpful posts**
10-15-2013 05:38 AM
I was a little brief in my last reply. I should have included that CHAP does not work. The following error is recorded in the log:
"The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account. To ensure that reversibly encrypted passwords are enabled, check either the domain password policy or the password settings on the user account."
10-15-2013 07:20 AM
This error occurs when the user’s account is not stored in reversible encryption.
CHAP requires that the secret be available in plaintext form. CHAP cannot use irreversibly encrypted password databases that are commonly available. If the RADIUS server does not have access to the plaintext password, it cannot perform the one-way hash to verify the user and the authentication will fail. By default, Microsoft Active Directory does not store user accounts with reversible encryption.
Reversible encryption is a user class attribute and is not enabled by default in Active Directory. You must enable this setting manually on each account or through Group Policy Objects when dealing with multiple users.
~BR
Jatin Katyal
**Do rate helpful posts**
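An added illustration (not part of the thread) of why CHAP needs a reversibly stored password while PAP does not: the client's CHAP-Password is MD5 over the CHAP Ident, the plaintext password and the challenge, so the server can only recompute it if it holds the plaintext; a one-way hash on record lets it verify a PAP password but leaves it nothing to feed into MD5 for CHAP. The user, password and salt are constructed demo values.

```python
import hashlib
import hmac

# Constructed demo credential (not from the thread).
USER = "mike"
PASSWORD = b"correct horse battery staple"
SALT = b"\x00" * 16  # fixed salt so the demo is reproducible; real stores use random salts


def chap_response(chap_ident, password, challenge):
    """RADIUS CHAP (RFC 2865 s.5.3): the client sends MD5(Ident || password || challenge)
    in CHAP-Password; the challenge is CHAP-Challenge or the Request Authenticator."""
    return hashlib.md5(bytes([chap_ident]) + password + challenge).digest()


def hash_password(password, salt):
    """One-way storage, the normal case for a directory (AD's default is not reversible)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


# Two credential stores for the same user: reversible (plaintext recoverable) vs one-way.
REVERSIBLE_STORE = {USER: {"plaintext": PASSWORD}}
HASHED_STORE = {USER: {"salt": SALT, "digest": hash_password(PASSWORD, SALT)}}


def verify_pap(user, password, store):
    """PAP: the appliance forwards the password itself (obfuscated with the shared secret),
    so the server can hash what it received and compare. Works against either store."""
    rec = store.get(user)
    if rec is None:
        return False
    if "plaintext" in rec:
        return hmac.compare_digest(rec["plaintext"], password)
    return hmac.compare_digest(hash_password(password, rec["salt"]), rec["digest"])


def verify_chap(user, chap_ident, challenge, response, store):
    """CHAP: the server must recompute MD5 over the plaintext password. With only a
    one-way hash on record it cannot, which is the NPS error quoted in the thread."""
    rec = store.get(user)
    if rec is None:
        return False, "unknown user"
    if "plaintext" not in rec:
        return False, "no reversibly encrypted password for this account"
    expected = chap_response(chap_ident, rec["plaintext"], challenge)
    if hmac.compare_digest(expected, response):
        return True, "ok"
    return False, "bad response"
```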
10-17-2013 12:28 AM
Did you get a chance to try out the last suggestion on CHAP authentication?
~BR
Jatin Katyal
**Do rate helpful posts**
10-17-2013 02:42 AM
According to TAC:
"the WSA does not support “chap” as of now. There is a bug opened and developers are working on it. Bug : CSCzv38428 Support RADIUS CHAP protocol for External Authentication"
Enabling reversible encryption in AD is not an option.
10-17-2013 02:47 AM
Yeah, there is a severity 6 enhancement request opened on it. Thanks for keeping this thread updated.
~BR
Jatin Katyal
**Do rate helpful posts**