how to set NPS radius server to authenticate with different domain controllers?

  • Question

  • When user \\aaa\user1 accesses the VPN server, the NPS RADIUS server gets this user authenticated with domain controller aaa.
    If user \\bbb\user1 accesses the VPN server, the NPS RADIUS server gets this user authenticated with domain controller bbb.

    I cannot find the setting for the domain name; the only setting I found was local machine authentication or forwarding to a RADIUS server group....

    Could someone help me? Thanks!

    Tuesday, April 28, 2009 3:19 AM

Answers

  • Hi Kevin,
      Sorry for the late reply. You need to add a Realm Name rule to remove the two slashes in the front, and below is the link to a screenshot of the Connection Request Policy Property page where you need to add the condition. For the rule, select the attribute "User-Name" and then add a manipulation with find = "^\\" and leave the replace field empty.
     Feel free to ask us if you have any more questions.
    http://img32.imageshack.us/my.php?image=crprealm.png


    Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
    Wednesday, May 27, 2009 6:52 PM
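
    A dry run of the find/replace rule from the answer above, as an added example that is not part of the original thread: it applies a Find pattern to constructed User-Name values in the \\domain\user form Kevin describes and reports which realm is left for NPS to resolve. It assumes the Find field follows ordinary regular-expression escaping, where `\\` matches one literal backslash; `apply_rules`, `split_realm` and `dry_run` are hypothetical helper names.

```python
import re

# Constructed sample User-Name values in the forms mentioned in this thread.
SAMPLES = [r"\\aaa\user1", r"\\bbb\user1", r"aaa\user1", "user1@bbb"]

# Attribute manipulation rules as ordered (find, replace) pairs.
ONE_SLASH = [(r"^\\", "")]     # regex escaping: matches ONE leading backslash
TWO_SLASH = [(r"^\\\\", "")]   # regex escaping: matches TWO leading backslashes


def apply_rules(user_name, rules):
    # Each rule rewrites the result of the previous one, first match only.
    for find, replace in rules:
        user_name = re.sub(find, lambda m: replace, user_name, count=1)
    return user_name


def split_realm(user_name):
    # Accept "realm<backslash>user" or "user@realm"; anything else has no
    # usable realm, which is the case to catch before deploying a rule.
    m = re.fullmatch(r"([^\\@]+)\\([^\\@]+)", user_name)
    if m:
        return m.group(1), m.group(2)
    m = re.fullmatch(r"([^\\@]+)@([^\\@]+)", user_name)
    if m:
        return m.group(2), m.group(1)
    return None, user_name


def dry_run(rules, samples=SAMPLES):
    # Map each original User-Name to (rewritten value, realm or None).
    results = {}
    for sample in samples:
        rewritten = apply_rules(sample, rules)
        realm, _user = split_realm(rewritten)
        results[sample] = (rewritten, realm)
    return results


if __name__ == "__main__":
    for rules in (ONE_SLASH, TWO_SLASH):
        print("Find:", rules[0][0])
        for original, (rewritten, realm) in dry_run(rules).items():
            status = realm if realm else "NO REALM PARSED"
            print(f"  {original:14} -> {rewritten:12} realm: {status}")
```

    Run it against the exact User-Name strings seen in a packet capture or the NPS accounting log before changing the connection request policy.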

All replies

  • If both domains aaa and bbb are trusted domains for each other, it should work fine. You don't need to do any special configuration (AFAIK).

    Thanks
    -RamaSubbu SK
    Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
    Tuesday, April 28, 2009 6:49 PM
  • Hi, RamaSubbu

    Our NPS server was installed in the DCP domain, and this DCP domain is a trusted domain with aaa, bbb, and ccc.

    So where should I set which user goes to which domain server?

    What I did was create one connection request profile for each domain (I am still not sure how to make the connection for domain aaa or domain bbb); I specified a user group under each domain.

    I can see \\aaa\user1 came to NPS for authentication; it was rejected, and there are no events in the Event Viewer.

    My question is how to set a connection request for domain aaa and another one for domain bbb: which options (settings) make the profile apply to a specific domain?

    In the conditions or somewhere else?

    Thanks!

    Kevin
    Wednesday, May 6, 2009 6:02 AM
  • Generally NPS will know which domain it needs to contact for authentication. Users will enter the domain name along with the username when trying to authenticate. Can you tell me which version of Server you are trying, i.e. Windows Server 2003 or Windows Server 2008?

    Thanks
    -RamaSubbu SK


    Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
    Thursday, May 7, 2009 11:25 PM
  • Hi, RamaSubbu

    I am using Windows 2008; we want to replace an old Nortel RADIUS server.

    During testing, I can capture packets on this machine using third-party software: \\aaa\user1 and the password were sent to this NPS for authentication, then the VPN server got a reject(3) error. I don't know where this rejection came from, because I can't find any event in the NPS event viewer.

    Now I have a lot of questions about how to set up this connection request profile in NPS.
    1. I just want to use the RADIUS function, so I create a RADIUS for VPN, not VPN to use with NPS; am I right?

    2. Because the VPN server sends \\aaa\user1 for authentication, do I need to treat "\\" as the realm name, so NPS will remove \\ and make the login name look like aaa\user1, so NPS will send aaa\user1 to the aaa domain for authentication?

    3. I have 7 VPN customers; they will log in with \\aaa\user1, \\bbb\user1, ....\\fff\user1, so do I need 1 VPN connection request profile with 7 network policies, each policy for one customer?
     Or 7 connection request profiles with 7 network policies?

    Thanks!

    Kevin

    Friday, May 8, 2009 12:06 AM
  • I am investigating RADIUS authentication with NPS and want to be sure it's possible to do this. The firewall VPN endpoint supports RADIUS auth, so I'd like to point it to a root domain (test.com) which contains no users directly but have NPS auth the users which are in either of 2 subdomains (a.test.com and b.test.com). I could also create a group in the root domain and add the subdomain users to that group as well if that's required.

    Any thoughts?
    Friday, June 26, 2009 12:46 PM
  • Hi,

    Since the subdomains by default have trust with the parent domain, NPS will be able to authenticate the users in the subdomain by default. (You wouldn't need to create a group in the parent domain.) Please let us know if you face any issues.

    Thanks,
    Srinivasulu.
    Monday, June 29, 2009 10:06 PM
  • Hi Srinivasulu,

    We are facing an issue with subdomain (child domain) authentication.

    Primary, parent domain authentication is working fine, but child domain authentication is not going through.

    Tuesday, October 3, 2017 2:27 PM