10-24-2009 10:39 AM - edited 03-10-2019 04:45 PM
Hi,
Cisco router trying VPN authentication via a Windows 2008 NPS RADIUS server, but getting "Access-Reject" from NPS.
1. Windows 2008 NPS
1) RADIUS clients
-address=10.10.10.1 (router IP address)
-vendor name=RADIUS standard
-shared secret=manual
-key=12345
2) network policies
-access permission=grant access
-type of network access server=unspecified
-condition=Domain Admins
-constraints,
>authentication methods=check mark on "unencrypted authentication (PAP, SPAP)", all others unchecked
>NAS port type=VPN
-settings
>standard=remove all
>vendor specific=Cisco-AV-Pair, Cisco, shell:priv-lvl=15
3) windows 2008 listening UDP 1645
4) wireshark trace
Access-Request (udp 1645) from Cisco router
Access-Reject by radius server
2. Cisco router
!
aaa new-model
!
aaa authentication login user_auth local
aaa authorization network group_auth local
!
crypto map clientmap client authentication list user_auth
crypto map clientmap isakmp authorization list group_auth
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
radius-server host 10.10.10.10 auth-port 1645 acct-port 1646 key 12345
!
(truncated)
!
-debug radius
!
*Oct 24 18:44:34.845: RADIUS/ENCODE(00000042):Orig. component type = VPN_IPSEC
*Oct 24 18:44:34.845: RADIUS(00000042): Config NAS IP: 10.10.10.1
*Oct 24 18:44:34.845: RADIUS/ENCODE(00000042): acct_session_id: 64
*Oct 24 18:44:34.845: RADIUS(00000042): sending
*Oct 24 18:44:34.845: RADIUS(00000042): Send Access-Request to 10.10.10.10:1645 id 1645/32, len 83
*Oct 24 18:44:34.845: RADIUS: authenticator C9 8E D8 DB 77 A3 95 D9 - B6 47 82 0D 76 80 BF 4E
*Oct 24 18:44:34.845: RADIUS: User-Name [1] 12 "vpn_user"
*Oct 24 18:44:34.845: RADIUS: User-Password [2] 18 *
*Oct 24 18:44:34.845: RADIUS: Calling-Station-Id [31] 15 "173.32.20.103"
*Oct 24 18:44:34.845: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Oct 24 18:44:34.845: RADIUS: Service-Type [6] 6 Outbound [5]
*Oct 24 18:44:34.845: RADIUS: NAS-IP-Address [4] 6 10.10.10.1
*Oct 24 18:44:34.849: RADIUS: Received from id 1645/32 10.10.10.10:1645, Access-Reject, len 20
*Oct 24 18:44:34.849: RADIUS: authenticator D1 97 F0 44 BD 8C 73 53 - 00 D9 99 92 91 73 E5 08
*Oct 24 18:44:34.849: RADIUS(00000042): Received from id 1645/32
!
VPN authentication is successful via the Cisco router's local database but fails when I switch to Windows 2008 NPS RADIUS. Please advise what's wrong with my Windows 2008 NPS RADIUS configuration.
Thanks in advance,
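The debug output above shows the whole exchange the router sees: one PAP Access-Request (User-Name, hidden User-Password, Calling-Station-Id, NAS-Port-Type Virtual, Service-Type Outbound, NAS-IP-Address) answered by a bare 20-byte Access-Reject. The following is an added example, not code from the original thread or from Cisco or Microsoft; it rebuilds that packet per RFC 2865 and plays both sides of the exchange so the failure mode can be reproduced offline. The important caveat it demonstrates: the User-Password is hidden by XOR with MD5(secret + authenticator), so if the shared secret differs between router and NPS there is no parse error anywhere; the server simply decrypts garbage and logs an ordinary wrong-password failure, and the client only notices because the Response Authenticator on the reply no longer verifies. The user database, the password "s3cret", and the function names are all constructed for this example; the NAS address, calling station, identifier 32 and secret 12345 are taken from the debug output.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_SERVICE_TYPE, ATTR_CALLING_STATION_ID, ATTR_NAS_PORT_TYPE = 6, 31, 61

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a multiple of 16, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    padded = padded or b"\x00" * 16  # an empty password still occupies one block
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. With the wrong secret this still 'succeeds';
    it just yields garbage, which the server then treats as a bad password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         nas_ip: str, calling_station: str, authenticator: bytes = b""):
    """Build the PAP Access-Request the router debug shows (same attribute set,
    NAS-Port-Type=Virtual(5) and Service-Type=Outbound(5)). Returns (packet, authenticator)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(ATTR_CALLING_STATION_ID, calling_station.encode())
             + attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", 5))
             + attr(ATTR_SERVICE_TYPE, struct.pack("!I", 5))
             + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def parse_packet(data: bytes):
    """Split a RADIUS packet into (code, id, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, data[4:20], attrs

def build_response(code: int, ident: int, request_auth: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What a RADIUS client must do before trusting an Accept/Reject."""
    _, _, resp_auth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def simulate(server_secret: bytes, router_secret: bytes = b"12345", user_db=None):
    """One exchange: router -> Access-Request -> server -> Accept/Reject -> router.
    Returns (response code, password as the server decrypted it, client verified reply?).
    The user database and the password 's3cret' are constructed for this example."""
    user_db = user_db or {"vpn_user": b"s3cret"}
    req, req_auth = build_access_request(32, router_secret, "vpn_user", "s3cret",
                                         "10.10.10.1", "173.32.20.103")
    _, ident, auth, attrs = parse_packet(req)          # server side from here
    fields = dict(attrs)
    username = fields[ATTR_USER_NAME].decode(errors="replace")
    seen_pw = reveal_password(fields[ATTR_USER_PASSWORD], server_secret, auth)
    code = ACCESS_ACCEPT if user_db.get(username) == seen_pw else ACCESS_REJECT
    resp = build_response(code, ident, auth, server_secret)
    return code, seen_pw, verify_response(resp, req_auth, router_secret)
```

`simulate(b"12345")` returns an Access-Accept with the password intact and a verified reply; `simulate(b"54321")` returns an Access-Reject, a garbage password, and a reply that fails Response Authenticator verification. Read against the thread: the router above accepted the Access-Reject as genuine (it decoded it rather than discarding it), which is consistent with the secret matching and the rejection coming from the credential check itself. Note also that the later event-log entry shows Account Name "vpntest", the ISAKMP group name from the router config, while the debug shows User-Name "vpn_user"; the example models only the user-authentication leg.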
10-24-2009 11:27 AM
Hi,
Please add the NAS IPv4 address in the condition section along with the Domain Admins group.
NAS IPv4 address: 10.10.10.1
Now go to connection profile > RADIUS attributes > standard and add the following attributes:
Name ------ Value
Framed-Protocol : PPP
Service-Type : Framed
Add the Service-Type attribute with value Framed under the network policy > RADIUS attributes > standard.
Now try again. If the above suggestion doesn't work, then open Event Viewer and get the event from there. You may see it under Application.
HTH
JK
Please rate helpful posts.
10-24-2009 01:04 PM
Hi JK,
No luck adding the attributes, but I found an error in the event log:
**************
Log Name:Security
Source:Microsoft-Windows-Security-Auditing
Date:10/24/2009 4:52:31 PM
Event ID:6273
Task Category:Network Policy Server
Level:Information
Keywords:Audit Failure
User:N/A
Computer:AD.test.com
Description:
Network Policy Server denied access to a user.
User:
Security ID:NULL SID
Account Name:vpntest
Account Domain:test
Fully Qualified Account Name:test\vpntest
Client Machine:
Security ID:NULL SID
Account Name:-
Fully Qualified Account Name:-
OS-Version:-
Called Station Identifier:-
Calling Station Identifier:173.32.20.103
NAS:
NAS IPv4 Address:10.10.10.1
NAS IPv6 Address:-
NAS Identifier:-
NAS Port-Type:Virtual
NAS Port:-
RADIUS Client:
Client Friendly Name:vpn_server
Client IP Address:10.10.10.1
Authentication Details:Proxy Policy Name:Use Windows authentication for all users
Network Policy Name:-
Authentication Provider:Windows
Authentication Server:AD.test.com
Authentication Type:PAP
EAP Type:-
Account Session Identifier:-
Reason Code:16
Reason:Authentication was not successful because an unknown user name or incorrect password was used.
**************
The Cisco router ISAKMP configuration follows.
!
crypto isakmp client configuration group vpntest
key Password1
pool pool_test
acl 100
netmask 255.255.255.0
!
I didn't create a user "vpntest" in Windows 2008 AD, but I get the same result even when I create the ID and password the same as the Cisco router's. I configured a group named "gp_test" and applied it in "Network Policies > Windows Groups". "gp_test" has three members: agent1, agent2 and agent3.
Any clue why I get a user authentication error?
Thanks, John
10-24-2009 01:13 PM
Hi John,
See, we are getting an error:
Reason: Authentication was not successful because an unknown user name or incorrect password was used.
As per the error message, it's clear that we tried with user name "vpntest".
You need to create a user "vpntest" in your AD database, and this user should be a member of the Domain Admins group in AD.
For the time being, I would suggest you delete the condition for Domain Admins and keep only NAS IPv4, then try again.
Try again and let me know.
Do get the error message from Event Viewer if the issue persists.
HTH
JK
Please rate helpful posts.
10-24-2009 02:13 PM
Hi JK,
I deleted the existing condition "Windows Groups" and added "NAS IPv4 10.10.10.1", but I still get the same event log entry: "Authentication was not successful because an unknown user name or incorrect password was used". I joined the AD user "vpntest" to the "Domain Admins" group, but same result.
Don't know why it still complains about the user even after I changed to the NAS IPv4 address condition.
Thanks - John
10-25-2009 02:00 PM
Authentication works okay after changing the router authentication list to RADIUS with local fallback, keeping authorization local.
!
aaa authentication login user_auth group radius local
aaa authorization network group_auth local
!
Thanks - John