IAS Failure

  • Question

  • I'm trying to set up an IAS service.
    I have everything installed but the authentication keeps failing, e.g.:

    User user1 was denied access
    Fully-Qualified-User-Name = <undetermined>
    NAS-IP-Address = 10.123.246.97
    NAS-Identifier = <not present>
    Called-Station-Identifier = <not present>
    Calling-Station-Identifier = <not present>
    Client-Friendly-Name = NAS 2
    Client-IP-Address = 10.123.246.97
    NAS-Port-Type = <not present>
    NAS-Port = <not present>
    Proxy-Policy-Name= <none>
    Authentication-Provider = <undetermined>
    Authentication-Server = <undertermined>
    Policy-Name = <undetermined>
    Authentication-Type = <undetermined>
    EAP-Type = <undetermined>
    Reason-Code = 49
    Reason = The connection attempt did not match any connection request policy.

    Please Help!
    Tuesday, June 24, 2008 9:15 AM

All replies

  • How have you configured your CRP policies?

    From that error, the authentication request for user1 is coming through to NPS but it is failing to match any of your CRP policies.
    Wednesday, June 25, 2008 12:09 AM
  • Hi!

    The default Connection Request Policy is already there.
    The policy conditions are:
    Day-And-Time-Restrictions matches "Sun 00:00-24:00; Mon 00:00-24:00; Tue 00:00-24:00; Wed 00:00-24:00; Thur 00:00-24:00; Fri 00:00-24:00; Sat 00:00-24:00" AND
    NAS-Port-Type matches "Ethernet OR Wireless - IEEE 802.11 OR Wireless - Other"

    Tried to create another one with the following parameters
    Day-And-Time-Restrictions matches "Sun 00:00-24:00; Mon 00:00-24:00; Tue 00:00-24:00; Wed 00:00-24:00; Thur 00:00-24:00; Fri 00:00-24:00; Sat 00:00-24:00" AND
    NAS-Port-Type matches "Ethernet OR Wireless - IEEE 802.11 OR Wireless - Other"
    Framed-Protocol matches "PPP"

    Any idea?

    Appreciate assistance
    Wednesday, June 25, 2008 6:49 AM
  • Yes, you are not matching the policy because you have the NAS-Port-Type condition specified, but your NAS (NAS 2) is not including this attribute information in the RADIUS request:

    User user1 was denied access
    Fully-Qualified-User-Name = <undetermined>
    NAS-IP-Address = 10.123.246.97
    NAS-Identifier = <not present>
    Called-Station-Identifier = <not present>
    Calling-Station-Identifier = <not present>
    Client-Friendly-Name = NAS 2
    Client-IP-Address = 10.123.246.97
    NAS-Port-Type = <not present>
    NAS-Port = <not present>
    Proxy-Policy-Name= <none>
    Authentication-Provider = <undetermined>
    Authentication-Server = <undertermined>
    Policy-Name = <undetermined>
    Authentication-Type = <undetermined>
    EAP-Type = <undetermined>
    Reason-Code = 49
    Reason = The connection attempt did not match any connection request policy.

    I am curious why NPS isn't using the default CRP policy as you haven't removed it. Have you disabled or modified the default CRP policy?
    Wednesday, June 25, 2008 9:31 PM
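
The diagnosis in the reply above can be reproduced from the event text. This is an added example, not code from the thread or from IAS/NPS: it parses the posted event and reports which policy conditions refer to attributes the NAS never sent. The function names and the simplified matching rule are assumptions, and the all-week Day-And-Time condition is left out because it always matches.

```python
import re

# Constructed sample: the event text from the question, trimmed to the relevant fields.
EVENT = """\
User user1 was denied access
NAS-IP-Address = 10.123.246.97
Client-Friendly-Name = NAS 2
NAS-Port-Type = <not present>
NAS-Port = <not present>
Reason-Code = 49
"""

# Placeholders the event log prints when an attribute has no value.
ABSENT = {"<not present>", "<undetermined>", "<none>"}

# Attribute condition of the connection request policy as posted in the thread.
POSTED_POLICY = {
    "NAS-Port-Type": {"Ethernet", "Wireless - IEEE 802.11", "Wireless - Other"},
}

def parse_event(text):
    """Return {attribute: value or None}; None means the request did not carry it."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z-]+)\s*=\s*(.*?)\s*$", line)
        if m:
            value = m.group(2)
            attrs[m.group(1)] = None if value in ABSENT else value
    return attrs

def unmatched_conditions(policy, attrs):
    """List the conditions that keep a policy from matching the request.

    Assumed rule, following the reply: a condition on an attribute that is
    missing from the request cannot match.
    """
    failures = []
    for attr, allowed in policy.items():
        value = attrs.get(attr)
        if value is None:
            failures.append((attr, "absent from request"))
        elif value not in allowed:
            failures.append((attr, "value %r not allowed" % value))
    return failures

if __name__ == "__main__":
    for attr, why in unmatched_conditions(POSTED_POLICY, parse_event(EVENT)):
        print("policy cannot match: %s (%s)" % (attr, why))
```
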
  • Hi! 

    I have had to remove the NAS-Port-Type value. Without it, I have no problem logging in. I believe there is some problem with the compatibility of the NAS with the Radius causing that parameter to fail the user login.
    However, there is another issue now.
    The Nortel NAS that I'm using specifies the following.

    Nortel Application Switch Operating System-Proprietary Attributes for Radius

    User Name/Access    User-Service-Type    Value
    user                Vendor-supplied      255
    slboper             Vendor-supplied      254
    l4oper              Vendor-supplied      253
    oper                Vendor-supplied      252
    slbadmin            Vendor-supplied      251
    l4admin             Vendor-supplied      250
    admin               Vendor-supplied      6 (pre-defined)

    By specifying, under Policy -> Edit Profile -> Advanced -> Add, Service Type with Attribute Value = Administrative (which has the value 6), I can log in and access the system successfully.

    How do I customise for the other values? I need them to show as 250 / 251 / 252 / 253 / 254 / 255 in order to proceed from the login screen... else I don't see anything after logging in...

    Any ideas? I have tried with all the other pre-defined values, i.e. Authenticate Only / Call Check / Callback Administrative... but none have the corresponding values...
    Can I add in my own attributes / values? Can I change the existing ones to have values that I need?

    Thanks!



    Thursday, June 26, 2008 5:12 AM
  • This isn't supported. You can only set the Service-Type condition to the IANA assigned values for that RADIUS attribute (Attribute ID 6 - Service-Type).

    http://www.iana.org/assignments/radius-types
    Monday, June 30, 2008 11:26 PM
  • I actually found a workaround where the values could be modified via the dictionary file. Tested and it works. The Radius returns the values I need for the NAS to grant the right access.
    Wednesday, July 16, 2008 1:22 AM
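
On the wire, Service-Type (attribute ID 6) is a type/length/value triple with a 4-byte integer value, so every value in the Nortel table fits in the attribute. The following added example, which is not from the thread or from any vendor, walks a RADIUS attribute list and reports which access level a reply would grant, which is a quick way to confirm that a policy hands out `oper` rather than `admin`. The function names and the sample bytes are constructed for illustration.

```python
import struct

SERVICE_TYPE = 6  # RADIUS attribute ID for Service-Type, as cited in the thread

# Access levels and values from the Nortel table quoted in the thread.
NORTEL_LEVELS = {255: "user", 254: "slboper", 253: "l4oper", 252: "oper",
                 251: "slbadmin", 250: "l4admin", 6: "admin"}

def encode_int_attr(attr_type, value):
    """Encode an integer attribute: type (1 byte), length (1 byte, = 6), value (4 bytes)."""
    return struct.pack("!BBI", attr_type, 6, value)

def iter_attrs(blob):
    """Walk a RADIUS attribute list, yielding (type, value_bytes) pairs."""
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        # The length field counts the type and length bytes themselves.
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length")
        yield attr_type, blob[pos + 2:pos + length]
        pos += length

def granted_level(blob):
    """Return (value, access level) for the first Service-Type attribute, or None."""
    for attr_type, data in iter_attrs(blob):
        if attr_type == SERVICE_TYPE:
            if len(data) != 4:
                raise ValueError("Service-Type value must be 4 bytes")
            value = struct.unpack("!I", data)[0]
            return value, NORTEL_LEVELS.get(value, "unknown")
    return None

# Constructed sample: a Reply-Message (type 18) followed by Service-Type = 252.
SAMPLE_ATTRS = bytes([18, 4]) + b"ok" + encode_int_attr(SERVICE_TYPE, 252)

if __name__ == "__main__":
    print(granted_level(SAMPLE_ATTRS))
```
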