Router VPN authentication fails via Windows 2008 NPS RADIUS

Unanswered Question
Oct 24th, 2009


Cisco router trying VPN authentication via a Windows 2008 NPS RADIUS server, but gets "Access-Reject" from NPS.

1. Windows 2008 NAP

1) RADIUS clients
-address = (router IP address)
-vendor name = RADIUS Standard
-shared key = manual

2) Network policies
-access permission = grant access
-type of network access server = unspecified
-condition = Domain Admins
>authentication methods = check mark on "unencrypted authentication (PAP, SPAP)", all others unchecked
>NAS port type = VPN
>standard = remove all
>vendor specific = Cisco-AV-Pair, Cisco, shell:priv-lvl=15

3) Windows 2008 listening on UDP 1645

4) Wireshark trace
Access-Request (UDP 1645) from Cisco router
Access-Reject by RADIUS server

2. Cisco router

aaa new-model
aaa authentication login user_auth local
aaa authorization network group_auth local
crypto map clientmap client authentication list user_auth
crypto map clientmap isakmp authorization list group_auth
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
radius-server host auth-port 1645 acct-port 1646 key 12345




-debug radius

*Oct 24 18:44:34.845: RADIUS/ENCODE(00000042):Orig. component type = VPN_IPSEC
*Oct 24 18:44:34.845: RADIUS(00000042): Config NAS IP:
*Oct 24 18:44:34.845: RADIUS/ENCODE(00000042): acct_session_id: 64
*Oct 24 18:44:34.845: RADIUS(00000042): sending
*Oct 24 18:44:34.845: RADIUS(00000042): Send Access-Request to id 1645/32, len 83
*Oct 24 18:44:34.845: RADIUS: authenticator C9 8E D8 DB 77 A3 95 D9 - B6 47 82 0D 76 80 BF 4E
*Oct 24 18:44:34.845: RADIUS: User-Name [1] 12 "vpn_user"
*Oct 24 18:44:34.845: RADIUS: User-Password [2] 18 *
*Oct 24 18:44:34.845: RADIUS: Calling-Station-Id [31] 15 ""
*Oct 24 18:44:34.845: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Oct 24 18:44:34.845: RADIUS: Service-Type [6] 6 Outbound [5]
*Oct 24 18:44:34.845: RADIUS: NAS-IP-Address [4] 6
*Oct 24 18:44:34.849: RADIUS: Received from id 1645/32, Access-Reject, len 20
*Oct 24 18:44:34.849: RADIUS: authenticator D1 97 F0 44 BD 8C 73 53 - 00 D9 99 92 91 73 E5 08
*Oct 24 18:44:34.849: RADIUS(00000042): Received from id 1645/32


VPN authentication is successful via the Cisco router's local database but fails when I switch to Windows 2008 NPS RADIUS. Please advise what's wrong with my Windows 2008 NPS RADIUS configuration.

Thanks in advance,

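The debug above shows the router sending the PAP password hidden with the shared secret (`User-Password [2] 18 *`). As an added illustration, not code from this thread, the Python block below implements the RFC 2865 section 5.2 User-Password hiding as the NAS builds it and as the server reverses it, which is why a shared-secret mismatch on a PAP request surfaces on the server as a bad password rather than as a secret error. The secret 12345 and the Request Authenticator come from the router config and debug on this page; the password value is constructed.

```python
"""RFC 2865 section 5.2 User-Password hiding, NAS side and server side.
Added example, not code from this thread. Secret and Request Authenticator
are taken from the page; the password and the roles are constructed."""
import hashlib

# Request Authenticator from the "Send Access-Request" line of the debug above.
REQ_AUTH = bytes.fromhex("C98ED8DB77A395D9B647820D7680BF4E")
SHARED_SECRET = b"12345"   # from "radius-server host ... key 12345"

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: pad to a multiple of 16, then XOR each 16-byte block with
    MD5(secret + previous block); the first block is keyed with the Request
    Authenticator. Returns the value field of User-Password [2]."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden, prev = hidden + block, block
    return hidden

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the keystream from the *received* blocks, XOR,
    and strip the NUL padding (RADIUS passwords are text, so trailing NULs
    are never part of the real password)."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return clear.rstrip(b"\x00")

def attribute_length(password: bytes) -> int:
    """Wire length of User-Password: 1-byte type + 1-byte length + value."""
    return 2 + len(hide_password(password, SHARED_SECRET, REQ_AUTH))

if __name__ == "__main__":
    pw = b"constructed-pw"   # constructed; not a password from the thread
    wire = hide_password(pw, SHARED_SECRET, REQ_AUTH)
    print("User-Password [2] length:", attribute_length(pw))   # 18, as in the debug
    print("server, matching secret:", reveal_password(wire, SHARED_SECRET, REQ_AUTH))
    print("server, wrong secret:   ", reveal_password(wire, b"wrong", REQ_AUTH))
```

With the wrong secret the server gets 16 bytes of noise, compares them against the directory password, and logs only "incorrect password", so a bad-password event does not rule out a secret mismatch.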
Jatin Katyal Sat, 10/24/2009 - 11:27


Please add this NAS-IP-Address in the condition section along with the Domain Admins group.

NAS IPv4 address :

Now go to connection profile > RADIUS attributes > standard > add the following attributes

Name ------ Value
Framed-Protocol : PPP
Service-Type : Framed

Add the Service-Type attribute with value Framed under the network policy > RADIUS attributes > standard.

Now try again. If the above suggestion doesn't work, then open Event Viewer and get the hit from there. You may see this in Application.



Plz rate helpful post-

cjrchoi11 Sat, 10/24/2009 - 13:04

Hi JK,

No luck by adding the attributes, but I found an error in the event log.


Log Name:Security
Date:10/24/2009 4:52:31 PM
Event ID:6273
Task Category:Network Policy Server
Keywords:Audit Failure

Network Policy Server denied access to a user.

Security ID:NULL SID
Account Name:vpntest
Account Domain:test
Fully Qualified Account Name:test\vpntest

Client Machine:
Security ID:NULL SID
Account Name:-
Fully Qualified Account Name:-
Called Station Identifier:-
Calling Station Identifier:

NAS IPv4 Address:
NAS IPv6 Address:-
NAS Identifier:-
NAS Port-Type:Virtual
NAS Port:-

RADIUS Client:
Client Friendly Name:vpn_server
Client IP Address:

Authentication Details:
Proxy Policy Name:Use Windows authentication for all users
Network Policy Name:-
Authentication Provider:Windows
Authentication Type:PAP
EAP Type:-
Account Session Identifier:-
Reason Code:16
Reason:Authentication was not successful because an unknown user name or incorrect password was used.


The Cisco router ISAKMP configuration follows.

crypto isakmp client configuration group vpntest
key Password1
pool pool_test
acl 100



I didn't create a user "vpntest" in Windows 2008 AD, but I get the same result even when I create the ID and password the same as the Cisco router's. I configured a user group named "gp_test" and applied it in "Network Policies > Windows Groups". "gp_test" has three members: agent1, agent2 and agent3.

Any clue why I have user authentication error?

Thanks, John

Jatin Katyal Sat, 10/24/2009 - 13:13

Hi John,

See, we are getting an error:

Reason:Authentication was not successful because an unknown user name or incorrect password was used.

And as per the error message it's clear that we tried with user name "vpntest".

You need to create a user "vpntest" in your AD database, and this user should be a member of the Domain Admins group on AD.

For the time being, I would suggest you delete the condition for Domain Admins and keep only NAS IPv4, and try again.

Try again and let me know.

Do get the error message from Event Viewer if the issue persists.



Plz rate helpful posts.

cjrchoi11 Sat, 10/24/2009 - 14:13

Hi JK,

I deleted the existing condition "Windows group" and added "NAS IPv4", but I still got the same event log: "Authentication was not successful because an unknown user name or incorrect password was used". I joined the AD user "vpntest" to the "Domain Admins" group, but same result.

Don't know why it still complains about the user even after I changed to the NAS IPv4 address.

Thanks - John

cjrchoi11 Sun, 10/25/2009 - 14:00

Authentication works okay after changing the router authorization to local.

aaa authentication login user_auth group radius local
aaa authorization network group_auth local


Thanks - John

