IP Filter issue in Network Policy Server

    Question

  • Hello,

    I have an existing Network Policy Server that is working just fine.  We have a Cisco ASA configured to authenticate users using RADIUS to our NPS server.  The configuration works and allows / denies users as expected.

    However, I want to lock down a new or existing (tried both) Network Policy so a connected user (group of users) can only access the IP address ranges that I specify (either by blocking or allowing) using the policy > settings tab > IP Filters tab > Input/Output filters.

    However, the input/output filters I enter have no effect.

    I created a test lab to simulate the production environment and the IP filters work as expected there, but I can't figure out why it isn't working in our production environment.  There weren't any special steps to enable this feature... Any tips on what may be happening?

    • NPS Server = Domain Controller, Win2012 R2
    • RADIUS Client = Cisco ASA (unknown type/version, I don't have access to it, but don't think this is a concern)
    • Tested with Win10Home & Pro
    Friday, July 13, 2018 3:01 AM

All replies

  • Me again.

    Did some more tests.  If I use the Windows server as the VPN server instead of the Cisco ASA the network policy IP filters work as expected.  If I use the Cisco ASA for VPN connections the IP filters in NPS have no effect.

    Does that make sense to anyone why?

    Friday, July 13, 2018 7:53 PM
  • Hi,

    Thanks for your question.

    Was the same policy configured with the same IP filters in the test lab as in production, and did it work OK? Please check again whether the policy is configured correctly, especially the NAS setting and type.

    If we can't find more clues about this issue that way, then, as suggested, you could use Network Monitor to take a network capture and analyze it in more detail.

    In addition, it sounds like there is some compatibility issue between Windows and Cisco. We could also consult Cisco for a resolution at the same time.

    Hope this helps. I look forward to hearing your good news.

    If you have any questions or concerns, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Saturday, July 14, 2018 7:30 AM
    Moderator
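
Added example, not part of the thread or of any Microsoft or Cisco tooling: one way to check, from a capture taken on the NPS side, whether the Access-Accept sent to the RADIUS client carries the filter at all. It assumes NPS delivers the policy's IP filters in the Microsoft vendor-specific MS-Filter attribute (vendor 311, type 22, RFC 2548); the sample packets and the helper names are constructed for illustration.

```python
import struct

ACCESS_ACCEPT = 2          # RADIUS code, RFC 2865
VENDOR_SPECIFIC = 26       # RADIUS attribute type, RFC 2865
MICROSOFT = 311            # Microsoft's IANA enterprise number
MS_FILTER = 22             # MS-Filter vendor type, RFC 2548

def attributes(packet):
    """Return [(type, value)] for a RADIUS packet, rejecting bad lengths."""
    length = int.from_bytes(packet[2:4], "big")
    if len(packet) < 20 or not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS header or length field")
    out, pos = [], 20      # 20 = code + id + length + 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return out

def vendor_attributes(packet):
    """Return [(vendor_id, vendor_type, data)] from Vendor-Specific attributes."""
    out = []
    for atype, value in attributes(packet):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor, sub = struct.unpack("!I", value[:4])[0], value[4:]
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            out.append((vendor, sub[0], sub[2:sub[1]]))
            sub = sub[sub[1]:]
    return out

def accept_carries_ms_filter(packet):
    """True if this is an Access-Accept containing a Microsoft MS-Filter VSA."""
    return packet[:1] == bytes([ACCESS_ACCEPT]) and any(
        v == MICROSOFT and t == MS_FILTER for v, t, _ in vendor_attributes(packet))

def build(code, attrs):    # helper that constructs the sample packets below
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

def vsa(vendor, vtype, data):
    return VENDOR_SPECIFIC, struct.pack("!I", vendor) + bytes([vtype, len(data) + 2]) + data

# Constructed samples: the filter bytes are a placeholder, not a real NPS filter blob.
FRAMED_PPP = (7, struct.pack("!I", 1))             # Framed-Protocol = PPP
WITH_FILTER = build(ACCESS_ACCEPT, [FRAMED_PPP, vsa(MICROSOFT, MS_FILTER, bytes(8))])
WITHOUT_FILTER = build(ACCESS_ACCEPT, [FRAMED_PPP])
```

If the capture shows the attribute in the Access-Accept, NPS has handed the filter over and applying it is up to the RADIUS client that received it.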
  • Hi,

    How are things going? Was your issue resolved?

    Please feel free to let us know if you need further assistance.

    Best regards,

    Michael



    Wednesday, July 18, 2018 10:17 AM
    Moderator
  • Sorry I didn't see your previous post. The issue is not resolved. I have checked a few times.

    I even took my working lab VPN server, put it in the production lab, pointed the VPN server to NPS, configured RADIUS client & server config and it worked as expected with the same IP filter that was in production before (template).

    I think the Cisco is an older model but again, I don't have access to it so it makes things difficult and doing a packet capture from only one side sometimes doesn't help things.  I'll keep poking at it.

    Wednesday, July 18, 2018 2:12 PM
  • Hi,

    How are things going? Any solution from Cisco?

    Please let us know if you need further assistance.

    Best regards,

    Michael



    Sunday, July 22, 2018 9:33 AM
    Moderator