Cisco Support Community
VPN Authentication via Radius

I am wondering whether anybody has encountered the following error.

I have a Cisco ASA firewall, and I configured AAA authentication to my Active Directory server. On my Active Directory server, I configured my ASA firewall as a RADIUS client.

For my VPN user authentication, I configured my VPN users to authenticate through the Active Directory server.

In my Active Directory server, I have multiple groups. Some users are in GROUP-ABC; most users are in GROUP-XYZ.

Users who are members of GROUP-ABC can log in successfully.

Users who are members of GROUP-XYZ cannot log in; the Cisco VPN client keeps prompting the user to authenticate.

The ASA firewall gives the error: Error processing payload: Payload ID: 14

When I add the user as a member of GROUP-ABC, the user is able to log in successfully.

On the Cisco ASA firewall, I do not see any configuration that is associated with an Active Directory group name.

Accepted Solution

Hi,

Verify the debug aaa/debug radius output on the ASA for any clues.

I assume you use Microsoft NPS, look into the logs for any clue.

My assumption (a wild guess): verify the group policies in your Active Directory, check the setting "grant dial-in" and the similar setting next to it (I forgot the details; it was more than a year ago when I last saw it), compare with the NPS documentation, and compare the two groups (successful/unsuccessful).

Also check your authentication policies on NPS if you have more than one.

Hope that helps,

MiKa
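As an added illustration of what the `debug radius` advice above turns up (editorial example code, not from this thread, from Cisco or from Microsoft): the script below builds the PAP Access-Request an ASA sends to a RADIUS server for a VPN user, plays the server side returning an Access-Accept or Access-Reject, and then applies the checks a RADIUS client makes before it trusts a reply (RFC 2865: matching Identifier, valid Response Authenticator). The shared secret, user name, NAS address and Reply-Message text are constructed for the demonstration. The point for this thread: a reply whose Response Authenticator does not verify is silently dropped by the client (a shared-secret mismatch, so the VPN client just re-prompts), whereas an Access-Reject that does verify is a policy decision by the server. NPS produces exactly that reject when the network policy matched for the user's group has constraints, such as Authentication Methods, that the request does not satisfy.

```python
"""RADIUS PAP exchange walkthrough (RFC 2865). Added example; all values constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_REPLY_MESSAGE = 1, 2, 4, 18
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}


def _avp(attr_type, value):
    """Type-Length-Value attribute; Length counts the 2 header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(attrs):
    out, i = [], 0
    while i + 2 <= len(attrs):
        t, l = attrs[i], attrs[i + 1]
        if l < 2:                       # malformed attribute, stop parsing
            break
        out.append((t, attrs[i + 2:i + l]))
        i += l
    return out


def encrypt_pap_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR block i with MD5(secret + c[i-1])."""
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decrypt_pap_password(ciphertext, secret, request_authenticator):
    """Server side of the same scheme; the chaining value is the previous ciphertext block."""
    out, prev = b"", request_authenticator
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(ciphertext[i:i + 16], key))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_ip, request_auth=None):
    """What the NAS (the ASA) sends: random 16-byte Request Authenticator plus attributes."""
    ra = request_auth or os.urandom(16)
    attrs = (_avp(ATTR_USER_NAME, username.encode())
             + _avp(ATTR_USER_PASSWORD, encrypt_pap_password(password.encode(), secret, ra))
             + _avp(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def build_response(code, identifier, request_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def classify_response(packet, request, secret):
    """Client-side checks before trusting a reply. Returns (verdict, Reply-Message or None)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if identifier != request[1]:
        return ("ignored: Identifier does not match an outstanding request", None)
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request[4:20] + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return ("dropped: bad Response Authenticator (shared secret mismatch?)", None)
    msgs = [v.decode("utf-8", "replace") for t, v in parse_attributes(attrs) if t == ATTR_REPLY_MESSAGE]
    return (CODE_NAMES.get(code, f"code {code}"), msgs[0] if msgs else None)


def run_exchange(secret=b"constructed-shared-secret", server_secret=None):
    """Constructed ASA <-> RADIUS exchange; server_secret lets you model a secret mismatch."""
    server_secret = server_secret or secret
    req = build_access_request(7, "jdoe@example.local", "Passw0rd!", secret, "192.0.2.1")
    req_auth, attrs = req[4:20], dict(parse_attributes(req[20:]))
    # Server recovers the password, then (constructed) applies a policy that only allows MS-CHAPv2.
    recovered = decrypt_pap_password(attrs[ATTR_USER_PASSWORD], server_secret, req_auth)
    code = ACCESS_REJECT if recovered else ACCESS_ACCEPT   # PAP sent -> policy constraint not met
    reply = build_response(code, 7, req_auth, server_secret,
                           _avp(ATTR_REPLY_MESSAGE, b"authentication method not allowed by policy"))
    return classify_response(reply, req, secret)


if __name__ == "__main__":
    print("same secret  :", run_exchange())
    print("wrong secret :", run_exchange(server_secret=b"typo-in-nps-client-entry"))
```

With matching secrets the client sees a verified Access-Reject carrying the Reply-Message, which is the case this thread ends up in; with mismatched secrets the same reject fails the authenticator check and the client drops it, so the symptom (the VPN client re-prompting) looks the same from the user's side and only `debug radius` or the NPS event log tells the two apart.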

New Member

VPN Authentication via Radius

Hi Kafka,

Thanks for pointing me in the right direction. The issue is in the NPS. The group "GROUP-XYZ" does not have the correct setting in "Authentication Methods".

The setting is in Network Policy Server => Policies => Network Policies.

Go to the individual network group to view its settings.
