Network policy using radius vendor-specific attribute as a condition

  • Question

  • Windows 2008 R2 NPS

    I have difficulty setting up a network policy to use a RADIUS vendor-specific attribute as a condition for processing a VPN RADIUS authentication request from a Cisco ASA firewall. On the firewall, "debug radius all" is on and the firewall debug info indicates vendor type 146 and type 150 data are sent upstream to NPS, along with other standard RADIUS attributes. From the hex dump info, the Cisco vendor attributes appear to conform to the RFC. The NPS log (XML format) on the Windows server also confirms receiving the two vendor-specific data items in data_type 2, and the hex strings are the same as displayed by the Cisco firewall.

    I read a post about how to use the settings portion of the NPS GUI to create a vendor-specific data string. After creating the settings, use the command "netsh nps sh np" to display the string and then set up the condition for the policy with the command,

    netsh nps set np name = "policy 2" state="enable"
     conditionid = "0x1a" conditiondata = "0100000C049208Policy"
     other conditions omitted....

    At this point this policy is not working because NPS decides the incoming Cisco RADIUS request is not a match for the policy conditions. The authentication event in the event log shows the policy is a match when the 1A condition is removed, but NPS uses the next policy in line when the 1A condition is present. Any idea how the condition data should look to match the tunnel name "Policy"? Thanks in advance.

    Wednesday, February 3, 2016 9:40 PM

Answers

  • Hi,

    I'm not sure if NPS supports using a custom attribute as condition.

    I tried to create a network policy with the condition Framed-Protocol. In the settings of the network policy, there is the same attribute. The values of both of them are the same, PPP.

    When I run the command "netsh nps sh np" to check the value of these two attributes, I found that the value in the condition is "^1$" and the other is "0x1".

    So please try to replace the value of your condition with "^0100000C049208Policy$" (starting with ^ and ending with $).

    If it still doesn't work, I would suggest you open a case with Microsoft so that a dedicated Support Professional can assist with your request.

    Best Regards,


    Steven Lee


    Thursday, February 4, 2016 4:10 PM