Steps to configure group-lock for VPN users on Microsoft radius server

    Introduction

    These are the steps to follow on the Microsoft RADIUS server (IAS or NPS) to configure group-lock and tunnel-group-lock for Cisco VPN users. The ASA receives both settings as Cisco vendor-specific RADIUS attributes, so the work is in the remote access/network policy profile on the RADIUS server.

    Configuration Steps

    1. Open Remote Access Policies (IAS) or Network Policies (NPS).
    2. Right-click the remote access policy / network policy that the VPN users match and click "Properties".
    3. Click "Edit Profile" (IAS).
    4. Click the "Advanced" tab and click "Add" (IAS).
    5. Click "Settings" (NPS).
    6. Scroll down to the "Vendor-Specific" RADIUS attribute.
    7. Select it, choose "Custom" from the drop-down list, and click "Add".
    8. Make sure the Attribute Number is set to 26.
    9. Click "Add".
    10. Enter Vendor Code: 3076.
    11. Select the radio button "Yes. It conforms." (the attribute conforms to the RADIUS RFC specification for vendor-specific attributes).
    12. Click "Configure Attribute".
    13. Vendor-Assigned attribute number: 25 (group-lock) and 85 (tunnel-group-lock); add a separate entry for each attribute you need.
    14. Attribute format: String.
    15. Attribute value: <group-policy-name> for attribute 25, or <tunnel-group name> for attribute 85.
    16. Click "Apply".

    To troubleshoot any issues, look at the Event Viewer logs on the RADIUS server: the attribute is only returned when the Access-Request matches the policy that carries it, so first confirm which policy the request hit.
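As an added example (not from the original article or from Cisco), the Python below encodes the vendor-specific attribute exactly as steps 8 to 15 describe it (RADIUS attribute 26, vendor 3076, sub-attributes 25 and 85 in String format) and checks the attribute list of an Access-Accept for its presence, which is what the troubleshooting in this thread comes down to. The packets are constructed inline; the group-policy name GP and tunnel-group name ANY are taken from the ASA configuration posted in the comments.

```python
import struct

VENDOR_SPECIFIC = 26        # RADIUS Attribute Number (step 8)
CISCO_VENDOR_ID = 3076      # Vendor Code (step 10)
VSA_GROUP_POLICY = 25       # Vendor-Assigned attribute 25, group-lock (step 13)
VSA_TUNNEL_GROUP_LOCK = 85  # Vendor-Assigned attribute 85, tunnel-group-lock (step 13)

def encode_cisco_vsa(sub_type: int, value: str) -> bytes:
    """Type 26, Length, Vendor-Id (4 bytes), Sub-Type, Sub-Length, String value (RFC 2865)."""
    data = value.encode("ascii")
    sub = struct.pack("!BB", sub_type, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("VSA value too long for a single RADIUS attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def parse_attributes(payload: bytes):
    """Yield (type, value) for each attribute after the 20-byte RADIUS header."""
    pos = 0
    while pos + 2 <= len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError(f"malformed attribute at offset {pos}")
        yield atype, payload[pos + 2:pos + alen]
        pos += alen

def cisco_group_attributes(payload: bytes) -> dict:
    """Return {sub_type: value} for Cisco (3076) sub-attributes 25/85; other vendors are skipped."""
    found = {}
    for atype, value in parse_attributes(payload):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        sub = value[4:]
        while len(sub) >= 2:  # one VSA may carry several sub-attributes
            sub_type, sub_len = sub[0], sub[1]
            if sub_len < 2 or sub_len > len(sub):
                break
            if sub_type in (VSA_GROUP_POLICY, VSA_TUNNEL_GROUP_LOCK):
                found[sub_type] = sub[2:sub_len].decode("ascii", "replace")
            sub = sub[sub_len:]
    return found

def ietf_integer(atype: int, value: int) -> bytes:
    return struct.pack("!BBI", atype, 6, value)

# Constructed sample: the Accept NPS should return once the attribute is configured
GOOD_ACCEPT = (ietf_integer(7, 1) + ietf_integer(6, 2)          # Framed-Protocol, Service-Type
               + encode_cisco_vsa(VSA_GROUP_POLICY, "GP")
               + encode_cisco_vsa(VSA_TUNNEL_GROUP_LOCK, "ANY"))
# Constructed sample: an Accept carrying only a Microsoft (vendor 311) VSA, so the ASA
# receives no group-policy at all, which is the symptom reported in the comments below
MS_ONLY_ACCEPT = (ietf_integer(7, 1) + ietf_integer(6, 2)
                  + struct.pack("!BBI", VENDOR_SPECIFIC, 11, 311) + bytes([10, 5, 0]) + b"IN")
```

Running cisco_group_attributes over the attribute list of a captured Access-Accept tells you immediately whether the policy that matched actually carried the Cisco attribute, or whether only the Microsoft MS-CHAP/MPPE attributes came back.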

    Configure NPS Event Logging

    NPS Events and Event Viewer

    Using the event logs in Event Viewer, you can monitor Network Policy Server (NPS) errors and other events that you configure NPS to record.

    NPS records connection request failure events in the System and Security event logs by default. Connection request failure events consist of requests that are rejected or discarded by NPS. Other NPS authentication events are recorded in the Event Viewer system log on the basis of the settings that you specify in the NPS snap-in. Some events that might contain sensitive data are recorded in the Event Viewer security log.

    Let me know if you have any questions.

    Comments
    New Member

    Hi,

    I'm trying to set up the group-lock using an NPS server and am having trouble with it. If you have more information regarding the above configuration on the RADIUS server, please let me know.

    Regards,

    Cisco Employee

    Would it be possible for you to send the screenshots of your NPS network policy? I can review them and let you know what the problem could be. Also, did you check the NPS event viewer to see whether you are hitting the right policy? The attribute can only be pushed once the access-request matches the right policy.

    New Member

    Hi Jatin,

    Please find the attached print screen (NPS.png). Can you please verify the Vendor Specific Attributes?

    Cisco Employee

    This part is looking perfect. I now need to look at ASA/Firewall side and NPS logs.

    From the ASA:

    show run group-policy GROUP_105

    debug radius

    debug aaa authentication

    duplicate the issue and paste the debugs.

    From the NPS:

    Check the event-viewer logs, as I'd like to see if the RADIUS request is hitting the right network policy.

    New Member

    Hi Jatin,

    We have done the same steps to provide a group policy for VPN users through the Microsoft RADIUS server. But after defining it, the VPN user is not able to connect.

    Can you please tell us what can be the issue in this case?

    Regards,
    Mukesh Kumar
    Network Engineer
    Spooster IT Services

    New Member

    After troubleshooting, we have found that the RADIUS server is not providing the group policy to the user.

    Below is the tunnel group and group policy configuration of ASA:

    tunnel-group ANY type remote-access
    tunnel-group ANY general-attributes
    address-pool SSL_Pool
    authentication-server-group Radius LOCAL
    password-management
    tunnel-group ANY webvpn-attributes
    group-alias ABC enable
    !
    group-policy GP internal
    group-policy GP attributes
    wins-server none
    dns-server value 10.2.2.100
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Split_Tunnel1
    default-domain value Cisco.com
    !

    And the RADIUS server configuration we have done is the same as you have mentioned.

    Can you please tell us what can be the issue?

    Regards,
    Mukesh Kumar
    Network Engineer
    Spooster IT Services

    Cisco Employee

    Hi Mukesh,

    You may need to look at the NPS event viewer logs to understand whether the right remote policy is being matched.

    ~ Jatin

    New Member

    Hello Jatin,

    Thanks for your reply.

    But I have checked on the NPS server, and it is matching the exact policy that I have defined.

    Authentication is done successfully with the same policy that I have defined, but it is not providing the group policy to the user.

    What other things we need to check to resolve this issue?

    Regards,
    Mukesh Kumar
    Network Engineer
    Spooster IT Services

    New Member

    Hello Jatin,

    Can you please tell me what can be the issue in our case?

    Regards,
    Mukesh Kumar
    Network Engineer
    Spooster IT Services

    New Member

    Hello Jatin,

    Below are the ASA debugs, can you please check these?

    radius mkreq: 0x89
    alloc_rip 0xcc8357e0
    new request 0x89 --> 76 (0xcc8357e0)
    got user 'vpn-t1@in.spooster.com'
    got password
    add_req 0xcc8357e0 session 0x89 id 76
    RADIUS_REQUEST
    radius.c: rad_mkpkt
    rad_mkpkt: ip:source-ip=10.1.1.2

    RADIUS packet decode (authentication request)

    --------------------------------------
    Raw packet data (length = 608).....

    Parsed packet data.....
    Radius: Code = 1 (0x01)
    Radius: Identifier = 76 (0x4C)
    Radius: Length = 608 (0x0260)
    Radius: Vector: 0489BCF62282623C506737522BAD24DD
    Radius: Type = 1 (0x01) User-Name
    Radius: Length = 24 (0x18)
    Radius: Value (String) =
    76 70 6e 2d 74 31 40 69 6e 2e 73 70 6f 6f 73 74 | vpn-t1@in.spoost
    65 72 2e 63 6f 6d | er.com
    Radius: Type = 5 (0x05) NAS-Port
    Radius: Length = 6 (0x06)
    Radius: Value (Hex) = 0x3B000
    Radius: Type = 30 (0x1E) Called-Station-Id
    Radius: Length = 10 (0x0A)
    Radius: Value (String) =
    31 30 2e 31 2e 31 2e 31 | 10.1.1.1
    Radius: Type = 31 (0x1F) Calling-Station-Id
    Radius: Length = 10 (0x0A)
    Radius: Value (String) =
    31 30 2e 31 2e 31 2e 32 | 10.1.1.2
    Radius: Type = 61 (0x3D) NAS-Port-Type
    Radius: Length = 6 (0x06)
    Radius: Value (Hex) = 0x5
    Radius: Type = 66 (0x42) Tunnel-Client-Endpoint
    Radius: Length = 10 (0x0A)
    Radius: Value (String) =
    31 30 2e 31 2e 31 2e 32 | 10.1.1.2
    Radius: Type = 26 (0x1A) Vendor-Specific
    Radius: Length = 24 (0x18)
    Radius: Vendor ID = 311 (0x00000137)
    Radius: Type = 11 (0x0B) MS-CHAP-Challenge
    Radius: Length = 18 (0x12)
    Radius: Value (String) =
    53 29 a7 3d a3 50 61 2e 4e 52 a9 99 8f d4 58 71 | S).=.Pa.NR....Xq
    Radius: Type = 26 (0x1A) Vendor-Specific
    Radius: Length = 58 (0x3A)
    Radius: Vendor ID = 311 (0x00000137)
    Radius: Type = 25 (0x19) MS-CHAP2-Response
    Radius: Length = 52 (0x34)
    Radius: Value (String) =
    00 00 1b 88 b1 06 6f ff 31 e3 27 22 4d 6d 35 08 | ......o.1.'"Mm5.
    3f ab 00 00 00 00 00 00 00 00 56 7b a5 0b 8a be | ?.........V{....
    3f a2 a8 11 10 a3 4c c4 c1 69 b3 68 0b 97 21 d5 | ?.....L..i.h..!.
    20 62 | b
    Radius: Type = 26 (0x1A) Vendor-Specific
    Radius: Length = 35 (0x23)
    Radius: Vendor ID = 9 (0x00000009)
    Radius: Type = 1 (0x01) Cisco-AV-pair
    Radius: Length = 29 (0x1D)
    Radius: Value (String) =
    6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 70 | mdm-tlv=device-p
    6c 61 74 66 6f 72 6d 3d 77 69 6e | latform=win
    Radius: Type = 26 (0x1A) Vendor-Specific
    Radius: Length = 44 (0x2C)
    Radius: Vendor ID = 9 (0x00000009)
    Radius: Type = 1 (0x01) Cisco-AV-pair
    Radius: Length = 38 (0x26)
    Radius: Value (String) =
    6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 6d | mdm-tlv=device-m
    61 63 3d 65 30 2d 64 62 2d 35 35 2d 62 36 2d 32 | ac=e0-db-55-b6-2
    66 2d 61 33 | f-a3
    Radius: Type = 26 (0x1A) Vendor-Specific
    Radius: Length = 44 (0x2C)
    Radius: Vendor ID = 9 (0x00000009)
    Radius: Type = 1 (0x01) Cisco-AV-pair
    Radius: Length = 38 (0x26)
    Radius: Value (String) =
    6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 6d | mdm-tlv=device-m
    61 63 3d 66 38 2d 32 66 2d 61 38 2d 63 35 2d 65 | ac=f8-2f-a8-c5-e
    35 2d 35 31 | 5-51
    Radius: Type = 26 (0x1A) Vendor-Specific
    Radius: Length = 49 (0x31)
    Radius: Vendor ID = 9 (0x00000009)
    Radius: Type = 1 (0x01) Cisco-AV-pair
    Radius: Length = 43 (0x2B)
    Radius: Value (String) =
    6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 70 | mdm-tlv=device-p
    6c 61 74 66 6f 72 6d 2d 76 65 72 73 69 6f 6e 3d | latform-version=
    36 2e 32 2e 39 32 30 30 20 | 6.2.9200
    Radius: Type = 26 (0x1A) Vendor-Specific
    Radius: Length = 49 (0x31)
    Radius: Vendor ID = 9 (0x00000009)
    Radius: Type = 1 (0x01) Cisco-AV-pair
    Radius: Length = 43 (0x2B)
    Radius: Value (String) =
    6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 74 | mdm-tlv=device-t
    79 70 65 3d 44 65 6c 6c 20 49 6e 63 2e 20 56 6f | ype=Dell Inc. Vo
    73 74 72 6f 20 32 35 32 30 | stro 2520
    Radius: Type = 26 (0x1A) Vendor-Specific
    Radius: Length = 91 (0x5B)
    Radius: Vendor ID = 9 (0x00000009)
    Radius: Type = 1 (0x01) Cisco-AV-pair
    Radius: Length = 85 (0x55)
    Radius: Value (String) =
    6d 64 6d 2d 74 6c 76 3d 64 65 76 69 63 65 2d 75 | mdm-tlv=device-u
    69 64 3d 44 46 37 32 36 42 33 36 44 42 38 33 30 | id=DF726B36DB830
    41 44 36 37 45 37 37 44 39 34 45 30 36 34 38 37 | AD67E77D94E06487
    30 46 43 31 37 46 35 43 35 33 37 39 42 34 41 39 | 0FC17F5C5379B4A9
    31 32 46 43 34 42 35 33 35 38 33 45 36 36 37 32 | 12FC4B53583E6672
    45 43 31 | EC1
    Radius: Type = 4 (0x04) NAS-IP-Address
    Radius: Length = 6 (0x06)
    Radius: Value (IP Address) = 172.16.16.1 (0xAC101001)
    Radius: Type = 26 (0x1A) Vendor-Specific
    Radius: Length = 49 (0x31)
    Radius: Vendor ID = 9 (0x00000009)
    Radius: Type = 1 (0x01) Cisco-AV-pair
    Radius: Length = 43 (0x2B)
    Radius: Value (String) =
    61 75 64 69 74 2d 73 65 73 73 69 6f 6e 2d 69 64 | audit-session-id
    3d 61 63 31 30 31 30 30 31 30 30 30 33 62 30 30 | =ac1010010003b00
    30 35 37 31 62 61 32 61 30 | 0571ba2a0
    Radius: Type = 26 (0x1A) Vendor-Specific
    Radius: Length = 29 (0x1D)
    Radius: Vendor ID = 9 (0x00000009)
    Radius: Type = 1 (0x01) Cisco-AV-pair
    Radius: Length = 23 (0x17)
    Radius: Value (String) =
    69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e | ip:source-ip=10.
    31 2e 31 2e 32 | 1.1.2
    Radius: Type = 26 (0x1A) Vendor-Specific
    Radius: Length = 11 (0x0B)
    Radius: Vendor ID = 3076 (0x00000C04)
    Radius: Type = 146 (0x92) Tunnel-Group-Name
    Radius: Length = 5 (0x05)
    Radius: Value (String) =
    41 4e 59 | ANY
    Radius: Type = 26 (0x1A) Vendor-Specific
    Radius: Length = 12 (0x0C)
    Radius: Vendor ID = 3076 (0x00000C04)
    Radius: Type = 150 (0x96) Client-Type
    Radius: Length = 6 (0x06)
    Radius: Value (Integer) = 2 (0x0002)
    Radius: Type = 26 (0x1A) Vendor-Specific
    Radius: Length = 21 (0x15)
    Radius: Vendor ID = 9 (0x00000009)
    Radius: Type = 1 (0x01) Cisco-AV-pair
    Radius: Length = 15 (0x0F)
    Radius: Value (String) =
    63 6f 61 2d 70 75 73 68 3d 74 72 75 65 | coa-push=true
    send pkt 172.16.16.16/1645
    rip 0xcc8357e0 state 7 id 76
    rad_vrfy() : response message verified
    rip 0xcc8357e0
    : chall_state ''
    : state 0x7
    : reqauth:
    04 89 bc f6 22 82 62 3c 50 67 37 52 2b ad 24 dd
    : info 0xcc835918
    session_id 0x89
    request_id 0x4c
    user 'vpn-t1@in.spooster.com'
    response '***'
    app 0
    reason 0
    skey 'Cisco@123'
    sip 172.16.16.16
    type 1

    RADIUS packet decode (response)

    --------------------------------------
    Raw packet data (length = 224).....

    Parsed packet data.....
    Radius: Code = 2 (0x02)
    Radius: Identifier = 76 (0x4C)
    Radius: Length = 224 (0x00E0)
    Radius: Vector: C343B5A58E1741DACFEDBCD13F748318
    Radius: Type = 7 (0x07) Framed-Protocol
    Radius: Length = 6 (0x06)
    Radius: Value (Hex) = 0x1
    Radius: Type = 6 (0x06) Service-Type
    Radius: Length = 6 (0x06)
    Radius: Value (Hex) = 0x2
    Radius: Type = 25 (0x19) Class
    Radius: Length = 46 (0x2E)
    Radius: Value (String) =
    a7 d5 08 d0 00 00 01 37 00 01 02 00 ac 10 10 10 | .......7........
    00 00 00 00 69 bf be 43 42 fa 87 69 01 d1 9b d9 | ....i..CB..i....
    13 93 32 3a 00 00 00 00 00 00 00 0b | ..2:........
    Radius: Type = 26 (0x1A) Vendor-Specific
    Radius: Length = 42 (0x2A)
    Radius: Vendor ID = 311 (0x00000137)
    Radius: Type = 17 (0x11) MS-MPPE-Recv-Key
    Radius: Length = 36 (0x24)
    Radius: Value (String) =
    80 53 df 3f 2a 3c 06 0a a3 1b d7 49 93 27 61 cd | .S.?*<.....I.'a.
    0f cd 68 75 ee e0 88 16 47 5e f1 b3 e4 34 87 a0 | ..hu....G^...4..
    6e 94 | n.
    Radius: Type = 26 (0x1A) Vendor-Specific
    Radius: Length = 42 (0x2A)
    Radius: Vendor ID = 311 (0x00000137)
    Radius: Type = 16 (0x10) MS-MPPE-Send-Key
    Radius: Length = 36 (0x24)
    Radius: Value (String) =
    80 54 9f 6c 9d 08 35 a5 db ef cf 53 b1 cb 07 4b | .T.l..5....S...K
    b2 7c 04 d4 3d 38 84 e6 20 3b db 4c b9 e6 f3 3e | .|..=8.. ;.L...>
    8f 23 | .#
    Radius: Type = 26 (0x1A) Vendor-Specific
    Radius: Length = 51 (0x33)
    Radius: Vendor ID = 311 (0x00000137)
    Radius: Type = 26 (0x1A) MS-CHAP2-Success
    Radius: Length = 45 (0x2D)
    Radius: Value (String) =
    00 53 3d 44 30 46 32 30 33 46 43 34 44 45 36 45 | .S=D0F203FC4DE6E
    41 36 35 38 39 41 44 45 39 37 34 30 33 36 32 44 | A6589ADE9740362D
    43 46 46 43 31 41 43 43 43 30 34 | CFFC1ACCC04
    Radius: Type = 26 (0x1A) Vendor-Specific
    Radius: Length = 11 (0x0B)
    Radius: Vendor ID = 311 (0x00000137)
    Radius: Type = 10 (0x0A) Unknown
    Radius: Length = 5 (0x05)
    rad_procpkt: ACCEPT
    radius.c 1300: status = 1
    MSChapv2 authenticator received.
    RADIUS_ACCESS_ACCEPT: normal termination
    RADIUS_DELETE
    remove_req 0xcc8357e0 session 0x89 id 76
    free_rip 0xcc8357e0
    radius: send queue empty

    Regards,
    Mukesh Kumar
    Network Engineer
    Spooster IT Services

    New Member
    I know this is an old article, but I just wanted to comment to say that your vendor attribute is configured wrong. When you type out the string of the group-policy name, it must be in the format OU=group_policy_name, not just group_policy_name. I don't know exactly why, but there was a document that I had followed when I set this up in the past, and it said to do it that way, which was the only way that made it all work.