Tuesday, 10 July 2007 16:13
I currently have W2k3 IAS configured as a RADIUS server for our VPN clients connecting to a Cisco 2811 router. That works fine but I can't get it to work for the Authentication Proxy feature on the same router. I thought I'd try the new NPS on W2k8 since Cisco and MS are now cooperating on RADIUS. I can't get NPS to respond to the Auth-Proxy or even the VPN requests so I seem to be going backwards!
I have searched and searched but cannot find anything useful on how to configure NPS for RADIUS, though I have found a mountain of literature on NAP (interesting but something for the future). One problem could be that I have passed authentication off to our existing IAS server since it is a DC and auths the current VPN well, if a little slowly. I can't even get the NPS to log the fact that a RADIUS request is coming into it, either in the Event Log or in the basic log file configured under the NPS interface. I have opened all four standard UDP ports in the W2k8 firewall.
Can anybody suggest any tips or refer me to any documentation on the NPS RADIUS configuration, please? I don't expect help here on the Cisco hardware but also don't want to pay a small fortune for Cisco ACS RADIUS when it has a terrible reputation anyway.
Saturday, 21 July 2007 04:03
If IAS is mostly working for you, then you should be able to at least get this same level of support from NPS. I don't know what kind of authentication method you are using with the Cisco 2811, but I assume you configure the router as a RADIUS client in NPS and set up a RADIUS server group on the router with the IP address, port numbers, and shared secret for NPS.
Set up connection request policy the same as you did in IAS, and your remote access policies are now called "network policies". Since you say that NPS isn't recognizing the RADIUS messages from your router, I would check that you are using 1812 as the authentication port. Another commonly used port is 1645, but to use this you will need to add it to the list of firewall exceptions on NPS.
Documentation for configuring NPS that is currently available can be found at www.microsoft.com/nps. As you said, this is mostly about configuring NPS for NAP, but the steps will show you how to configure conditions and settings. There is also a wizard in the NPS console that may be helpful to you.
Tuesday, 25 November 2008 23:08
I have the exact same problem. There is lots of information about "features and capabilities" of the new NPS but no real instructions on how to actually do anything.
I have a Cisco 2821. I would like to use NPS Radius server to authenticate VPN users but I cannot get it to happen.
On windows server 2008, I have added the router as a client:
Address: Internal Interface of router
Vendor name: Radius Standard
Manual shared key
Under Network Policies I have tried everything, but nothing works.
Here is what I keep getting: RADIUS: Response (32) failed decrypt
I have been to the end of the internet and back but I can't find anything. Please help.
Tuesday, 06 January 2009 20:54
Same issues here using a Cisco 4400 Wireless LAN Controller.
Thursday, 12 February 2009 15:30
Has anyone come up with a solution for this?
Thursday, 07 May 2009 05:21
Same issue getting a RADIUS server running.
All documents show NPS can do this, can do that, but never show how to do this or that.
Saturday, 09 May 2009 19:34
Not sure if it is of any help, but I have achieved something similar with remote access VPN users on a PIX and SSH logins on other Cisco devices. What you need to do is as follows:
1. Create a RADIUS client on the NPS.
2. Create a network policy as follows:
a. Right click network policies and click new
b. Type a policy name, accept the defaults and click next
c. Add a condition (I used a Windows group with my users in it), click next
d. Make sure the "access granted" radio button is selected and hit next
e. Select "Unencrypted authentication (PAP, SPAP)" and unselect the rest
f. Select NO on the annoying help box
g. Finally select next then next and finish to complete.
3. Configure your Cisco device for RADIUS as you would have with 2k3.
Please bear in mind this is not a finished config and as such will allow any RADIUS client to authenticate with unencrypted details. I am working on sorting that out ATM.
Hope that is of help.
Wednesday, 02 September 2009 14:30
Hi! Same problems: Cisco PPTP client (routers: 2821, 871W) and RADIUS server 2008 NPS (in RADIUS server mode for VPN connections), a DC with AD GC and with all roles! In the logs on the Win 2008 server, the client has been granted access to the network. The soft VPN client (Windows Vista or Mac OS X) says: not identified .... Has anyone a manual to configure NPS in RADIUS server mode for remote connections and VPN?
- Proposed as answer by Sed3000 Sunday, 13 September 2009 23:44
Sunday, 13 September 2009 23:47
Found this link. After a little configuration this did the trick.
Make sure you use a User Group and Not a Windows Group.
Tuesday, 15 September 2009 20:42
My goal was to be able to use my Cisco 1800 series router as a VPN server and allow it to provide RADIUS authentication for end users using the Cisco 5.x VPN client on Windows XP machines.
I followed the walk-through above: http://filedb.experts-exchange.com/incoming/2008/12_w51/87700/TA0001-Windows-2008-RADIUS-for-C.pdf
The only variations I made from the walkthrough above were:
- I did not use the vendor-specific attribute shell string
- I didn't use the wildcard for client friendly name, I simply used the name as I had it in the RADIUS client config
- Someone above mentioned to use "user groups" rather than "windows groups"
o I didn’t notice a difference
- I didn't follow any of the Cisco walkthrough part as mentioned above. I used the following commands on my router:
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
radius-server host a.b.c.d key xxx
To add to the walkthrough above:
- Create a new "Connection Request Policy"
- I only added the condition of a "client friendly name"
- Everything else was defaults:
o Enable the policy
o Didn’t specify a network connection method: unspecified
o No special vpn selections or anything
o Under the settings tab, I override the network policy and selected to only use PAP
I spent a ton of time Googling this, I hope this was helpful for others.
- Proposed as answer by NPS-Question Friday, 25 September 2009 17:55
Friday, 25 September 2009 17:38
I had the same issue and I had done quite a few tests and run a sniffer on the NPS server. My conclusion is that NPS dropped the support of PAP. I changed to CHAP/MSCHAP/MSCHAP2 and all worked. Just PAP. NPS seems to ignore all PAP requests. I don't know if it is on purpose?
Friday, 25 September 2009 18:03
Hi, I have changed my VPN user to use EAP and it worked. Unlike IAS, NPS no longer supports PAP. Microsoft claimed that they dropped PAP on purpose and there is a procedure to enable PAP: http://technet.microsoft.com/en-us/library/cc732393(WS.10).aspx. However, this procedure does not work for me. No luck getting PAP working. I ended up giving up PAP and using EAP instead. Still interested in getting PAP to work with NPS.
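The two things this thread keeps circling, the "Response (32) failed decrypt" debug from the 2821 post and the PAP discussion in the last two posts, both come down to how the RADIUS shared secret is used. As an added illustration (not code from any poster, NPS or Cisco), the following shows how a client hides a PAP User-Password under the secret and how it checks the Response Authenticator on the reply per RFC 2865; the secret, password and packet ID are constructed values.

```python
import hashlib
import os

# Constructed sample values, not taken from the thread.
SECRET = b"constructed-shared-secret"
WRONG_SECRET = b"typo-in-router-config"

def _attrs(attrs):
    # RADIUS attribute TLVs: Type(1) Length(1, includes the 2-byte header) Value.
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def _pap_stream(data, secret, req_auth, data_is_hidden):
    # RFC 2865 s5.2 keystream: block i uses MD5(secret + previous ciphertext block),
    # and block 0 is keyed by the 16-byte Request Authenticator.
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + block, (data[i:i + 16] if data_is_hidden else block)
    return out

def hide_pap_password(password, secret, req_auth):
    # Client side: NUL-pad to a multiple of 16 bytes, then XOR with the keystream.
    return _pap_stream(password + b"\x00" * (-len(password) % 16), secret, req_auth, False)

def reveal_pap_password(hidden, secret, req_auth):
    # Server side: a wrong secret yields garbage, not an error, so the login just fails.
    return _pap_stream(hidden, secret, req_auth, True).rstrip(b"\x00")

def access_accept(ident, req_auth, secret, attrs=()):
    # RFC 2865 s3: Code 2, Response Authenticator =
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    body = _attrs(attrs)
    header = bytes([2, ident]) + (20 + len(body)).to_bytes(2, "big")
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def check_response(packet, req_auth, secret):
    # The client recomputes the digest with its own copy of the secret; a mismatch is
    # the condition a router debug reports as a failed decrypt, and the reply is dropped.
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + req_auth + body + secret).digest() == resp_auth

def demo(password=b"P@ssw0rd!"):
    req_auth = os.urandom(16)
    hidden = hide_pap_password(password, SECRET, req_auth)
    reply = access_accept(7, req_auth, SECRET, [(18, b"welcome")])  # 18 = Reply-Message
    return {"pap_recovered": reveal_pap_password(hidden, SECRET, req_auth) == password,
            "reply_ok": check_response(reply, req_auth, SECRET),
            "reply_failed_decrypt": not check_response(reply, req_auth, WRONG_SECRET)}
```

Because PAP's only protection is this MD5 keystream over the shared secret, a wrong or weak secret on either the router or the NPS client entry shows up as failed logins or failed-decrypt replies rather than a clear error, which is why the CHAP/EAP workarounds above succeed where PAP silently fails.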
Friday, 06 August 2010 10:04
This is exactly the solution that I was looking for. But I have one question... how did you configure the Cisco VPN Client?
I am using Cisco VPN Client ver. 5.0.06.0110.
Monday, 04 October 2010 18:00
Recently I have set up my VPN in a similar way, using Server 2008 as a RADIUS server and an ASA.
Step by Step guide for ASA and server 2008 setup can be found here: Setup-windows-server-2008-r2-as-radius-server-for-cisco-asa
Hope this will work.
- Proposed as answer by Ranjodh Deol Tuesday, 10 January 2012 16:55
Wednesday, 13 June 2012 15:34
Here are some good instructions (with screenshots) I've found for enabling NPS RADIUS with AD-level authorization to level 15.
My problem is that I can't seem to figure out how to have my cisco device use a particular Switched Virtual Interface (SVI) or VLAN IP address for authentication. On a layer 3 switch which has multiple SVIs, when I look at the "Best Local IP-Address" it seems to change so unless I add ALL the SVIs (highly undesirable) as RADIUS clients, it's pretty much the luck of the draw which address will try to authenticate at any given time.
- Proposed as answer by MarkusAlan Wednesday, 13 June 2012 15:34