12-18-2013 07:55 PM
I am wondering whether anybody has encountered the following error.
I have a Cisco ASA firewall, and I configured AAA authentication to my Active Directory server. In my Active Directory server, I configured my ASA firewall as my RADIUS client.
For my VPN user authentication, I configured my VPN users to authenticate through the Active Directory server.
In my Active Directory server, I have multiple groups. Some users are in GROUP-ABC, most users are in GROUP-XYZ.
Users who are members of GROUP-ABC can log in successfully.
Users who are members of GROUP-XYZ cannot log in; the Cisco VPN client keeps prompting the users to authenticate.
The ASA firewall gives the error: Error processing payload: Payload ID: 14
When I add the user as a member of GROUP-ABC, the user is able to log in successfully.
On the Cisco ASA firewall, I do not see any configuration that is associated with an Active Directory group name.
12-19-2013 03:48 PM
Hi,
Verify the debug aaa/debug radius output on the ASA for any clues.
I assume you use Microsoft NPS; look into its logs for any clue.
My assumption (a wild guess): Verify the group policies on your Active Directory, verify the setting "grant dial in" and next to it another similar setting (I forgot the details, was more than a year ago when I last saw it), compare with NPS documentation and compare the two groups (successful/unsuccessful).
Also check your authentication policies on NPS if you have more than one.
Hope that helps,
MiKa
12-19-2013 06:57 PM
Hi Kafka,
Thanks for pointing me in the right direction. The issue is in the NPS. The group "GROUP-XYZ" does not have the correct setting in "Authentication Method".
The setting is in Network Policy Server => Policies => Network Policies.
Go to the individual network groups to view their settings.
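MiKa's suggestion to read the NPS logs and the resolution above (one network policy with a mismatched authentication method) are the kind of thing a per-policy reject summary makes visible quickly. The script below is an added example, not code from either poster or from Cisco/Microsoft: it parses NPS accounting events in the DTS-compliant XML format (one <Event> per line) and counts Access-Reject reason codes per user and matched network policy. The log lines, user names and policy names are constructed for the example; the reason-code texts are abbreviated from the NPS Event ID 6273 descriptions.

```python
"""Triage NPS RADIUS rejects by user and matched network policy (DTS XML log)."""
from collections import Counter, defaultdict
import xml.etree.ElementTree as ET

ACCESS_REJECT = 3  # RADIUS Packet-Type code for Access-Reject

# A few NPS reason codes (Security log Event ID 6273) relevant to this failure mode.
REASON_TEXT = {
    16: "user credentials mismatch",
    48: "request did not match any configured network policy",
    65: "AD dial-in property set to Deny access",
    66: "authentication method not enabled on the matching network policy",
}

# Constructed sample log (one <Event> per line, as NPS writes DTS-compliant
# logs): alice matches the GROUP-ABC policy and is accepted, bob matches the
# GROUP-XYZ policy and is rejected twice with reason code 66.
SAMPLE_LOG = """\
<Event><Timestamp data_type="4">12/19/2013 09:01:00</Timestamp><User-Name data_type="1">CORP\\alice</User-Name><NP-Policy-Name data_type="1">VPN-GROUP-ABC</NP-Policy-Name><Packet-Type data_type="0">2</Packet-Type></Event>
<Event><Timestamp data_type="4">12/19/2013 09:02:00</Timestamp><User-Name data_type="1">CORP\\bob</User-Name><NP-Policy-Name data_type="1">VPN-GROUP-XYZ</NP-Policy-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">66</Reason-Code></Event>
<Event><Timestamp data_type="4">12/19/2013 09:02:30</Timestamp><User-Name data_type="1">CORP\\bob</User-Name><NP-Policy-Name data_type="1">VPN-GROUP-XYZ</NP-Policy-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">66</Reason-Code></Event>
this line is truncated garbage and must be skipped
"""

def _text(event, tag):
    node = event.find(tag)
    return node.text if node is not None else None

def summarize_rejects(log_text):
    """Return {(user, policy): Counter({reason_code: count})} for Access-Rejects."""
    rejects = defaultdict(Counter)
    for line in log_text.splitlines():
        try:
            event = ET.fromstring(line)
        except ET.ParseError:
            continue  # partial or non-XML line: skip it rather than abort
        if _text(event, "Packet-Type") != str(ACCESS_REJECT):
            continue  # accepts and accounting records are not of interest here
        reason = int(_text(event, "Reason-Code") or 0)
        key = (_text(event, "User-Name"), _text(event, "NP-Policy-Name"))
        rejects[key][reason] += 1
    return dict(rejects)

def describe_reason(code):
    return REASON_TEXT.get(code, f"reason code {code} (look it up under NPS event 6273)")

if __name__ == "__main__":
    for (user, policy), reasons in summarize_rejects(SAMPLE_LOG).items():
        for code, n in reasons.most_common():
            print(f"{user} via policy {policy}: {n}x {describe_reason(code)}")
```

Point it at a real NPS log file instead of SAMPLE_LOG and a group whose every member fails under the same policy with reason 66 points straight at that policy's Authentication Methods tab.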