Add extra RADIUS attribute to NPS Network Policy condition RRS feed

  • Question

  • Sometimes you want to add a condition in policy which checks value of a RADIUS attribute which is not available for including in conditions by default. For example, when authenticating connection requests from Cisco routers, it is very useful to be able to check value of NAS-Port-Id attribute, but neither IAS nor NPS allow you to add such condition in their MMC consoles.

    On IAS, there was a trick with manual editing dnary.mdb database in MS Access (described here: http://www.tech-archive.net/Archive/Internet/microsoft.public.internet.radius/2005-02/0142.html). After setting field "IsAllowedInCondition" for desired attribute to True, IAS console allows you to add that attribute as condition, and shows this condition when you view policy settings later.

    With NPS, it is possible to add such non-standard conditions by manually editing exported XML file with NPS configuration and then importing it back, see here: http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/f96086ed-42ce-4c09-808b-38fa6aee722a. The drawback of this approach is the fact that such condition works (I've tested it), but is not visible in NPS console when you view policy settings. It is visible only in netsh. In our environment, the same server may be reconfigured at times by different IT staff members from different countries, and I'm afraid it can lead to occasional deletion of required settings.

    I've tried to recreate the trick from IAS on NPS, but without much success. NPS uses XML files instead of Jet Red, attribute list is now stored in dnary.xml. Attribute XML elements have sub-elements <IsAllowedInCondition> with values of 0 or 1. I've tried setting it to 1 for NAS-Port-Id:


    Then rebooted server just to be sure. Now attribute NAS-Port-Id has appeared in list of attributes availbale for Network Policy conditions in netsh (it wasn't there before):

    netsh nps show npconditionattributes | find "57"
    NAS-Port-Id         0x57        Octet string

    But NPS console still doesn't offer it for creating conditions, and, what is much worse, doesn't display already existing conditions with NAS-Port-Id in policies. So the question is, is it possible to modify console behaviour somehow?

    • Edited by Dr.Sigmund Sunday, June 3, 2012 10:39 AM
    • Moved by Aiden_Cao Tuesday, June 5, 2012 9:30 AM (From:Network Infrastructure Servers)
    Sunday, June 3, 2012 10:37 AM


All replies

  • Hi,

    After go through your question, it’s a Radius server related issue. It’s more appropriate to post at Network Access Protection forum. So I will move this thread to the right forum. Hope other experts familiar with this topic can give more effective suggestion. Your understanding is highly appreciated.

    Best Regards,


    Aiden Cao

    TechNet Community Support

    Tuesday, June 5, 2012 9:30 AM
  • Ok, no problem. "Network Infrastracture Servers" forum has comment "Discussion on DirectAccess, DHCP, DNS, NPS, and RRAS with Windows Server", so I originally poted it there.
    Friday, June 8, 2012 7:42 AM
  • Hi,

    As far as I know, the method you described (modifying XML) is the only way to add this attribute as a condition. It is one of the available _settings_ but this doesn't help you. Also see this thread: http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/f96086ed-42ce-4c09-808b-38fa6aee722a.

    If this is a common condition, I will contact the feature team and ask that it be included in a future version of NPS.


    Monday, June 11, 2012 7:04 AM