ACE Module - RADIUS authentication against Microsoft NPS


Hi all,

I am currently having difficulty getting the correct login role when using RADIUS against Microsoft NPS. When I authenticate I am always assigned the network-monitor role. Here are the settings I am currently using for both ACE and NPS. Can you guys see what's wrong? I have attached the screenshots from NPS and the RADIUS config / debug output.

Many thanks.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)

Ok we have now fixed this.

Under Network Policies I was being matched on my domain user account in the previous network policy being used for a test VPN Service. So even though I was being authenticated, the Cisco AV Pair wasn't being forwarded to the ACE Module because the policy I was being matched to was not the policy I had set up.

So please note that in Microsoft NPS the policy processing order is important. If the conditions match a previous policy then that Network Policy will be processed and chances are you won't get the level of access you require.

Hope this post helps make things clearer.

I have included screenshots of incorrect and correct network policy condition lists.

In the first screenshot I was being matched to the VPN network policy which did not contain the shell:Admin=Admin default-domain Cisco AV-Pair attribute.

Once the order was reversed I was being matched to the IP Address of the originating device and therefore the correct attribute was being forwarded back to the ACE Module.

branfarm1 Mon, 11/07/2011 - 16:52

Found this thread very helpful in diagnosing a similar RADIUS authentication issue with Microsoft NPS. Just wanted to add one clarification that I didn't immediately pick up on -- when you're specifying the AV-Pair values, you are specifying the context and permission level.

In other words: shell:Admin=Admin default-domain represents shell:<context>=<role> <domain>

The documentation says this, but it didn't jump out at me at first. Hopefully my post will save someone an hour or so of troubleshooting!
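To make the diagnosis in this thread concrete, here is an added example (not code from either poster or from Cisco) that decodes the attribute section of a RADIUS Access-Accept, pulls out any Cisco vendor-specific cisco-avpair values (vendor ID 9, vendor-type 1) and splits a shell:<context>=<role> <domain> pair into its parts. The two sample Access-Accepts are constructed inline: one carrying the AV pair, one that looks like an accept from the wrong (VPN) network policy with no AV pair at all.

```python
import struct

RADIUS_VSA_TYPE = 26   # Vendor-Specific attribute (RFC 2865)
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # vendor-type 1 = cisco-avpair string


def parse_attributes(payload: bytes):
    """Yield (type, value) from a RADIUS attribute section (1-byte type, 1-byte length)."""
    i = 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute length")
        yield atype, payload[i + 2:i + alen]
        i += alen


def cisco_avpairs(payload: bytes):
    """Return the cisco-avpair strings carried in Cisco Vendor-Specific attributes."""
    pairs = []
    for atype, value in parse_attributes(payload):
        if atype != RADIUS_VSA_TYPE or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        vtype, vlen = value[4], value[5]          # vendor-length covers type+len+string
        if vtype == CISCO_AVPAIR and vlen >= 2 and 4 + vlen <= len(value):
            pairs.append(value[6:4 + vlen].decode("ascii", "replace"))
    return pairs


def ace_shell_role(payload: bytes):
    """Split shell:<context>=<role> <domain>... into a dict; None if no such pair was returned."""
    for pair in cisco_avpairs(payload):
        if not pair.startswith("shell:") or "=" not in pair:
            continue
        context, rest = pair[len("shell:"):].split("=", 1)
        role, *domains = rest.split()
        return {"context": context, "role": role, "domains": domains}
    return None  # no AV pair at all: the ACE falls back to its default role, as seen in the thread


def make_cisco_avpair(text: str) -> bytes:
    """Build one Vendor-Specific attribute carrying a cisco-avpair (for constructed samples)."""
    body = text.encode("ascii")
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(body)) + body
    return bytes([RADIUS_VSA_TYPE, 2 + len(vsa)]) + vsa


# Constructed samples, not captured from the poster's NPS.
GOOD_ACCEPT = make_cisco_avpair("shell:Admin=Admin default-domain")
WRONG_POLICY_ACCEPT = bytes([7, 6]) + struct.pack("!I", 1)  # only Framed-Protocol=PPP, no AV pair
```

Running ace_shell_role over the debug-captured Access-Accept tells you immediately whether the problem is the ACE's role mapping or, as in this thread, NPS matching an earlier policy and never sending the pair.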
