Network policy server - attribute manipulation

Question
-
Good day,
Is it possible to copy the Account Name attribute to the Security ID field? The client requesting the connection doesn't send anything in the Security ID field, hence the NPS server denies the access with Reason Code 16.
Does anybody have an idea?
Regards,
Dominique.
Monday, August 27, 2012 6:46 AM
Answers
-
Hi,
Thank you for the post.
Please check the VPN (GGSN) device RADIUS server settings (shared secret/authentication method) and the NPS RADIUS client settings.
Here is a thread which was resolved by changing the authentication method.
The router had to be configured to pass MSCHAPv2 (instead of PAP). After that change (and others on the router) it still didn't work. The Cisco eng. then copied the 'Shared Secret' from the running config and pasted it into the RADIUS clients config. After restarting the services, it worked.
http://social.technet.microsoft.com/forums/en-us/winserverNIS/thread/76644DCC-911D-451E-B7F1-39269DB43AC7
If there are more inquiries on this issue, please feel free to let us know.
Regards
Rick Tan
TechNet Community Support
- Marked as answer by Leon Liu - MS Tuesday, September 4, 2012 2:33 AM
Tuesday, August 28, 2012 7:32 AM
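The answer above points at the two RADIUS settings that depend on the shared secret. As an added example (not code from the thread or from NPS), the following reproduces the two RFC 2865 computations involved so you can see why a secret mismatch breaks both directions: the server cannot decode a PAP User-Password, and the client cannot verify the server's Response Authenticator. The secrets, password and Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

# Added example, not from the thread: RFC 2865 computations that use the
# RADIUS shared secret. Both fail when client and server secrets differ.

def pap_encode(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 5.2): 16-byte blocks XORed with an MD5 chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def pap_decode(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of pap_encode; trailing NULs are padding and are stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def response_verifies(code, ident, request_auth, attrs, resp_auth, secret) -> bool:
    """True when a reply's authenticator was produced with this secret."""
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return hmac.compare_digest(expected, resp_auth)

def secret_check(client_secret: bytes, server_secret: bytes) -> dict:
    """Constructed exchange: can the server decode the PAP password, and does
    the client verify the server's Access-Accept (code 2, ID 7)?"""
    request_auth = bytes(range(16))          # constructed, fixed for repeatability
    hidden = pap_encode(b"Pa55word", client_secret, request_auth)
    seen_by_server = pap_decode(hidden, server_secret, request_auth)
    attrs = b""                              # reply carries no attributes here
    resp_auth = response_authenticator(2, 7, request_auth, attrs, server_secret)
    return {
        "password_decoded": seen_by_server == b"Pa55word",
        "reply_verified": response_verifies(2, 7, request_auth, attrs, resp_auth, client_secret),
    }
```

Running the same verification against a captured reply with the secret configured on the NAS shows which side holds the wrong value, without touching either configuration.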
All replies
-
Hi Dominique -
Would you mind providing more information about your deployment, such as the connection methods you're using (wireless, VPN, etc), the authentication methods you have deployed, and any other information that will help provide an overview of what you're trying to do?
Thanks -
James McIllece
Monday, August 27, 2012 5:36 PM -
Hi James,
Thank you for your reply, sorry I should have added more info.
The connection method is Virtual (VPN). Basically it's a GGSN device that needs to allow connection through RADIUS authentication. This one is connected directly to us via an interface on our firewall. The routing is properly done, I get the request through in the logs. I have set the right network policies according to the attributes that I receive. Authentication is against AD group membership.
What I have noticed, we have a wireless deployment, and when a user gets granted access, the FQDA field gets populated with the user location in the AD tree and the Security ID field with domain\user, then depending on group membership allows or denies access.
But in this case I get an event ID 6273 with reason code 16. And a Security ID field with "Null SID". I have tried forwarding the authentication request to another RADIUS server (FreeRadius) and this one authenticates without any problem but NPS (working as a proxy in this case) still denies its response. This was just for testing purposes, as our main RADIUS is NPS and I must use it.
Regards,
Dominique.
Monday, August 27, 2012 6:04 PM -
Hi Rick,
Thanks for your reply. So if I understand correctly, the ISP must configure their device to use MsCHAPv2?
Regards,
Tuesday, August 28, 2012 7:41 AM -
- Proposed as answer by stephane yapo Monday, January 19, 2015 3:21 PM
Wednesday, August 29, 2012 3:13 AM