NPS Radius Proxy on standalone server?

    Question

  • Hello All,

    We have an NPS Radius server that works. The server is a member of a domain and a Cisco device was set up to be a Radius client; I was able to make connections in this setup.

    Another standalone, non-domain-member server was set up to be a Radius proxy. I can see the authentication attempts on the Radius server but they get rejected.

    The proxy has a connection request policy to forward all requests to the Radius server. The proxy is set up as a client on the Radius server and the Radius server is set up as a remote Radius server on the proxy.

    The only thing I noticed is the following.

    For a successful attempt when it is made directly against the radius server, the security log entry looks something like this:

    User:
    Security ID: DOMAIN\User
    Account Name: User
    Account Domain: DOMAIN
    Fully Qualified Account Name: domain.com/Users/User

    For the failed one, the log entry on the radius server looks like this:

    User:
    Security ID: NULL SID
    Account Name: User
    Account Domain: DOMAIN
    Fully Qualified Account Name: DOMAIN\User

    What am I doing wrong?

    • Edited by B. Voros Friday, February 17, 2012 10:47 AM
    Thursday, February 16, 2012 6:03 PM

Answers

  • Solution:

    It failed when using the generated shared secret.

    Success when using a manually entered shared secret.

    • Marked as answer by B. Voros Tuesday, February 21, 2012 3:44 PM
    Tuesday, February 21, 2012 3:44 PM
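
What a shared-secret mismatch on the proxy-to-server hop does to a request, as an added example that is not part of the original thread: under RFC 2865 the User-Name attribute travels in clear, while a PAP User-Password is hidden with MD5 keyed by the shared secret, so the server still sees the account name but recovers a different password. The example assumes PAP; the secrets, password and Request Authenticator are constructed values.

```python
import hashlib

def _mask_blocks(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """XOR 16-byte blocks with MD5(secret + previous ciphertext block) (RFC 2865, 5.2)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, mask))
        prev = xored if hiding else block  # the chain always runs over ciphertext
        out += xored
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Sender side: pad with NULs to a multiple of 16 bytes, then mask."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _mask_blocks(padded, secret, authenticator, hiding=True)

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Receiver side: unmask with the receiver's own copy of the secret."""
    if len(authenticator) != 16 or not hidden or len(hidden) % 16:
        raise ValueError("malformed User-Password attribute")
    return _mask_blocks(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

# Constructed sample values, not taken from the thread.
AUTHENTICATOR = bytes(range(16))
PASSWORD = b"Constructed-Passw0rd!"          # 21 bytes, so two 16-byte blocks
SECRET_ON_PROXY = b"constructed-secret-A"
SECRET_ON_SERVER = b"constructed-secret-B"   # differs from the proxy's copy

def server_accepts(proxy_secret: bytes, server_secret: bytes) -> bool:
    """True if the server recovers the password the proxy hid."""
    hidden = hide_password(PASSWORD, proxy_secret, AUTHENTICATOR)
    return recover_password(hidden, server_secret, AUTHENTICATOR) == PASSWORD

if __name__ == "__main__":
    print("matching secrets:  ", server_accepts(SECRET_ON_PROXY, SECRET_ON_PROXY))
    print("mismatched secrets:", server_accepts(SECRET_ON_PROXY, SECRET_ON_SERVER))
```

The receiver gets no decryption error in this scheme, only a wrong password, which is why the attempt is visible on the server and still rejected.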

All replies

  • Hi B.Voros,

    Thanks for posting here.

    First of all, domain membership of the NPS proxy is irrelevant. The proxy does not need to be registered in Active Directory Domain Services (AD DS) because it does not need access to the dial-in properties of user accounts.

    According to your description, it seems the proxy did forward the requests to the RADIUS server but somehow it failed. May I know if there are any special settings in the request policies we defined on the proxy server? Modified attributes?

    Planning NPS as a RADIUS proxy

    http://technet.microsoft.com/en-us/library/dd197525(WS.10).aspx

    Connection Request Processing

    http://technet.microsoft.com/en-us/library/cc755217.aspx

    Thanks.

    Tiger Li

    TechNet Community Support

    Monday, February 20, 2012 6:56 AM
  • Hi Tiger,

    Thank you for your response.

    There is no special setting in the request policy on the proxy server, everything is kept as default.

    One thing I noticed is that the Network Policy on the Radius server does not get evaluated for the requests coming from the Proxy even though the conditions are set up so it should. Currently it's only the NAS Port type. Tried it with all sorts of different conditions, always the same result, the Network Policy does not get evaluated for those requests.

    If the NAS is pointed directly against the Radius server it works.

    Bertalan

    Monday, February 20, 2012 2:09 PM
  • One more thing,

    The Proxy checklist says that the NPS Proxy should be registered in the domain. http://technet.microsoft.com/en-us/library/cc772591.aspx 

    How do you register a standalone server?

    Tuesday, February 21, 2012 10:40 AM