Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
856
Views
0
Helpful
2
Replies

VPN Authentication via Radius

Go to solution
limlayhin
Level 1
Level 1

‎12-18-2013 07:55 PM

I am wondering whether anybody has encounter following error.

I have cisco ASA firewall, I configure AAA authentication to my Active Directory Server. In my Active Directory Server, I configure my ASA firewall as my Radius client.

For my VPN user authentication, I configure my VPN user to authenticate through Active Directory Server.

In my Active Directory Server, I have multiple Groups. Some users are in GROUP-ABC, most users are in GROUP-XYZ.

Users who are members of GROUP-ABC can login sucessfully.

Uses who are members of GROUP-XYZ cannot login, Cisco VPN client keep on prompt users to authenticate.

ASA Firewall give error : Error processing payload: Payload ID: 14

When I add the user to become member of GROUP-ABC, the user is able to login successfully.

From Cisco ASA Firewall, I do not see any configuration that associate with Active Directory Group name.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
m.kafka
Level 4
Level 4

‎12-19-2013 03:48 PM

Hi,

Verify the debug aaa/debug radius output on the ASA for any clues.

I assume you use Microsoft NPS, look into the logs for any clue.

My assumption (a wild guess): Verify the group policies on your Active Directory, verify the setting "grant dial in" and next to it another similar setting (I forgot the details, was more than a year ago when I last saw it), compare with NPS documentation and compare the two groups (successful/unsuccessful).

Also check your authentication policies on NPS if you have more than one.

Hope that helps,

MiKa

View solution in original post

0 Helpful
2 Replies 2

Go to solution
m.kafka
Level 4
Level 4

‎12-19-2013 03:48 PM

Hi,

Verify the debug aaa/debug radius output on the ASA for any clues.

I assume you use Microsoft NPS, look into the logs for any clue.

My assumption (a wild guess): Verify the group policies on your Active Directory, verify the setting "grant dial in" and next to it another similar setting (I forgot the details, was more than a year ago when I last saw it), compare with NPS documentation and compare the two groups (successful/unsuccessful).

Also check your authentication policies on NPS if you have more than one.

Hope that helps,

MiKa

0 Helpful

Go to solution
limlayhin
Level 1
Level 1
In response to m.kafka

‎12-19-2013 06:57 PM

Hi Kafka,

Thanks for pointing me to the correct direction. The issue is in the NPS. The group "GROUP-XYZ" do not have the correct setting in "Authenticatin Method".

The setting is in Network Policy Server => Policies => Network Policies

Go to individual network group to view their setting.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents