Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA 8.2 + AnyConnect + Win2k8 NPS RADIUS

Scenario: ASA 5520 with 8.2 firmware, AnyConnect SSL VPN Client 2.5.3046 on Windows platforms, and Windows 2008 R2 NPS server RADIUS. 

I've read a lot of blog posts regarding various aspects of this scenario, but none fully describe how to setup the complete solution. For example, one post concisely showed how to enable the ASA to connect to and communicate with the RADIUS services on the Windows 2008 R2 NPS server. Another explains how to apply the RADIUS settings to the VPN group policy. Yet something is missing from these various sources and connection issues arise.

The problem I am running into is that once the setup is completed my VPN client authenticates successfully, according to the logs of the ASA, and unfortunately, the VPN client shows "login failed" and does not provide access to the network.

Previously, this same client was setup to authenticate using the local database of users on the ASA and was successful in doing so.

Is there a source for an end-to-end solution on how this is setup?

  • Remote Access
Cisco Employee

ASA 8.2 + AnyConnect + Win2k8 NPS RADIUS

Could you please send me the following info:

Sh run from the ASA

Are you seeing access-accept in the debugs?

If you haven't seen yet than please run

debug radius

debug aaa authentication

What message do you see on NPS under event viewer logs?



Do rate helpful posts-

~BR Jatin Katyal **Do rate helpful posts**
New Member

ASA 8.2 + AnyConnect + Win2k8 NPS RADIUS

Yes, on the ASA i see:

AAA transaction status ACCEPT: use=[username]

then multiple DAP messages ending with the last message:

DAP: User [username], addr Connection AnyConnect: THe following DAP records were selected for this connection: DfltAccessPolicy

username and ip address obfuscated, of course.

Cisco Employee

ASA 8.2 + AnyConnect + Win2k8 NPS RADIUS

I'm not sure how exactly it's setup in your network or whether you have DAP configured for VPN users. However, If DAP record are changed,       for example, the Action: parameter in the DfltAccessPolicy is changed from its       default value to Terminate and additional DAP records are not configured,       authenticated users will, by default, match the DfltAccessPolicy DAP record and       will be denied VPN access even though user is authenticated JUST fine.

You need to check the value of DfltAccessPolicy.



~BR Jatin Katyal **Do rate helpful posts**
New Member

ASA 8.2 + AnyConnect + Win2k8 NPS RADIUS

In DAP, what is configured is the following:

Action: Continue

Network ACL Filters: ACL to allow authentication access    [permit all]

Web-Type ACL Filters: ACL to allow authentication access [permit all]

Functions: enable on all

Port Forwarding Lists: none

Bookmarks: disabled

Access Methods: both, AnyConnect by default.

This widget could not be displayed.