Anyconnect authentication with NPS as radius server

arader001
Level 1

I have NPS set up on a 2012 server. I have 3 policies. The first two are for my wireless environment and are finally working. The 3rd is for remote access using AnyConnect. The conditions I have are Client Friendly Name, NAS IPv4 Address and Windows Groups. I have it working when Windows Groups is pointed to an OU with user accounts in it. I also only want it to work if they connect using a company laptop on the domain, but when I add, say, Domain Computers it fails. It matches my connection request policy but not my network policy.

    Reason Code:            65
    Reason:                The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.

The computer account is set to Control access through NPS Network Policy.

I have tried removing the domain user Windows group, with no luck, but as I said above it works fine with it by itself.

I have a wireless policy that checks to make sure a laptop is a domain computer, and it works. Not sure why it isn't working with my AnyConnect policy.

I also have a connection request policy for AnyConnect. It is simple, with Client Friendly Name and authentication local; everything else is default.

If there is another/better way of doing this I'm open to suggestions. I don't want a user to be able to use AnyConnect from any other computers; it has to be a domain PC. Also it needs to check and make sure the user is in a VPN OU at the same time.

Thanks

1 Reply

arader001
Level 1

I opened a case with Cisco and I guess this part of RADIUS is not supported or doesn't pass the right attributes. So it is either get the premium licenses, which will allow you to do host end checks, or set up certificate authentication.


I did open the case from this ticket, but it seems the tech never updated this post, which I thought they were supposed to do. Anyway, good luck if you come across this post looking for the same type of solution.
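As an added example (not part of the original thread or of any Cisco or Microsoft tooling), the Python below triages NPS "denied access" messages (Security log event ID 6273, the event whose Reason Code / Reason lines are quoted in the question). It parses the label/value layout of the message, tags whether the request carried a user or a computer identity, and attaches a hint keyed on the reason code. The three sample events, the domain name, host names, IP addresses and policy names are constructed; on the NPS server the message text would come from the Security log instead. The assumption behind the identity tag is that an AnyConnect RADIUS request authenticates the user's logon, so a Windows Groups condition naming a computer group has no computer identity to match.

```python
"""Triage NPS 'denied access' (event 6273) messages exported from the Security log."""
import re
from collections import Counter

# Short paraphrases of a few documented NPS reason codes (65 is the one quoted in
# the thread); anything not listed is reported as unknown rather than guessed.
REASON_CODES = {
    16: "user credentials mismatch (unknown account or wrong password)",
    48: "request did not match any configured network policy",
    49: "request did not match any configured connection request policy",
    65: "dial-in Network Access Permission on the account is set to Deny",
    66: "authentication method not enabled on the matching network policy",
}

# One 'Label:<tabs>value' line of the event message.
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 ]+?):\s*(.*?)\s*$")


def parse_nps_event(text):
    """Return {label: value} for every labelled line; section headers such as
    'User:' carry no value and are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields


def identity_kind(account_name):
    """Computer accounts appear as 'host/name.domain' or 'DOMAIN\\NAME$';
    anything else is a user logon."""
    name = account_name.strip()
    if name.lower().startswith("host/") or name.endswith("$"):
        return "machine"
    return "user"


def triage(text):
    """Summarise one denied request and attach a hint tied to its reason code."""
    f = parse_nps_event(text)
    account = f.get("Fully Qualified Account Name") or f.get("Account Name", "")
    kind = identity_kind(account)
    code = int(f.get("Reason Code", "-1"))
    hint = REASON_CODES.get(code, "unknown reason code; read the Reason text")
    if code == 65:
        # NPS evaluated the dial-in setting of the principal in the request, which
        # for a VPN logon is the user, not the laptop's computer account.
        hint += f"; NPS evaluated the {kind} account '{account}', so check its Dial-in tab"
    elif code == 48 and kind == "user":
        hint += "; the request carries a user identity, so a Windows Groups condition naming a computer group cannot match it"
    return {
        "account": account,
        "identity": kind,
        "radius_client": f.get("Client Friendly Name", ""),
        "nas_ip": f.get("NAS IPv4 Address", ""),
        "crp": f.get("Connection Request Policy Name", ""),
        "network_policy": f.get("Network Policy Name", ""),
        "auth_type": f.get("Authentication Type", ""),
        "reason_code": code,
        "hint": hint,
    }


def summarize(events):
    """Count denials per (RADIUS client, network policy, reason code)."""
    return Counter((t["radius_client"], t["network_policy"], t["reason_code"])
                   for t in map(triage, events))


# Constructed sample events in the 6273 message layout (names and IPs are made up).
SAMPLE_VPN_DENY = """\
Network Policy Server denied access to a user.

User:
\tSecurity ID:\t\t\tCONTOSO\\jdoe
\tAccount Name:\t\t\tjdoe
\tFully Qualified Account Name:\tCONTOSO\\jdoe

NAS:
\tNAS IPv4 Address:\t\t192.0.2.10

RADIUS Client:
\tClient Friendly Name:\t\tASA-VPN

Authentication Details:
\tConnection Request Policy Name:\tAnyConnect CRP
\tNetwork Policy Name:\t\tAnyConnect VPN
\tAuthentication Type:\t\tPAP
\tReason Code:\t\t\t65
\tReason:\t\t\tThe Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user.
"""

SAMPLE_WIFI_MACHINE = SAMPLE_VPN_DENY.replace("CONTOSO\\jdoe", "CONTOSO\\LAPTOP01$") \
    .replace("jdoe", "host/laptop01.contoso.local").replace("ASA-VPN", "WLC-01") \
    .replace("AnyConnect CRP", "Wireless CRP").replace("AnyConnect VPN", "-") \
    .replace("65", "48")

SAMPLE_VPN_NOMATCH = SAMPLE_VPN_DENY.replace("AnyConnect VPN", "-").replace("65", "48")

if __name__ == "__main__":
    for ev in (SAMPLE_VPN_DENY, SAMPLE_WIFI_MACHINE, SAMPLE_VPN_NOMATCH):
        print(triage(ev))
    print(summarize([SAMPLE_VPN_DENY, SAMPLE_WIFI_MACHINE, SAMPLE_VPN_NOMATCH]))
```

Run it as-is to see the three constructed denials; to use it against a real server, replace the samples with the message text of each 6273 event and look first at the `identity` field: a VPN denial that shows a user identity while the network policy expects a computer group is the mismatch described in the question, independent of the dial-in setting on the computer account.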