W2k8 NPS as a RADIUS server for a Cisco router

    Question

  • I currently have W2k3 IAS configured as a RADIUS server for our VPN clients connecting to a Cisco 2811 router. That works fine but I can't get it to work for the Authentication Proxy feature on the same router. I thought I'd try the new NPS on W2k8 since Cisco and MS are now cooperating on RADIUS. I can't get NPS to respond to the Auth-Proxy or even the VPN requests so I seem to be going backwards!

     

    I have searched and searched but cannot find anything useful on how to configure NPS for RADIUS, though I have found a mountain of literature on NAP (interesting but something for the future). One problem could be that I have passed authentication off to our existing IAS server since it is a DC and auths the current VPN well, if a little slowly. I can't even get the NPS to log the fact that a RADIUS request is coming into it, either in the Event Log or in the basic log file configured under the NPS interface. I have opened all four standard UDP ports in the W2k8 firewall.

     

    Can anybody suggest any tips or refer me to any documentation on the NPS RADIUS configuration, please? I don't expect help here on the Cisco hardware, but I also don't want to pay a small fortune for Cisco ACS RADIUS when it has a terrible reputation anyway.

     

    Help!

    Tuesday, July 10, 2007 4:13 PM

Answers

  • Hi,

     

    If IAS is mostly working for you, then you should be able to at least get this same level of support from NPS. I don't know what kind of authentication method you are using with the Cisco 2811, but I assume you configure the router as a RADIUS client in NPS and set up a RADIUS server group on the router with the IP address, port numbers, and shared secret for NPS.

     

    Set up a connection request policy the same as you did in IAS, and your remote access policies are now called "network policies". Since you say that NPS isn't recognizing the RADIUS messages from your router, I would check that you are using 1812 as the authentication port. Another commonly used port is 1645, but to use this you will need to add it to the list of firewall exceptions on NPS.

     

    Documentation for configuring NPS that is currently available can be found at www.microsoft.com/nps. As you said, this is mostly about configuring NPS for NAP but the steps will show you how to configure conditions and settings. There is also a wizard in the nps console that may be helpful to you.

     

    -Greg

     

    Saturday, July 21, 2007 4:03 AM

All replies

  • I have the exact same problem. There is lots of information about "features and capabilities" of the new NPS but no real instructions on how to really do anything.


    I have a Cisco 2821. I would like to use NPS Radius server to authenticate VPN users but I cannot get it to happen.


    On windows server 2008, I have added the router as a client:

    Address: Internal Interface of router
    Vendor name: Radius Standard
    Manual shared key



    Under Network Policies: I have tried everything but nothing works:

    Here is what I keep getting: RADIUS: Response (32) failed decrypt


    I have been to the end of the internet and back but I can't find anything. Please help.
    Tuesday, November 25, 2008 11:08 PM
  • Same issues here using a Cisco 4400 Wireless LAN Controller.
    Tuesday, January 06, 2009 8:54 PM
  • Has anyone came up with a solution for this?
    Thursday, February 12, 2009 3:30 PM
  • Same issue getting the RADIUS server running.

    All documents show NPS can do this, can do that, but never show how to do this or that.

    Thursday, May 07, 2009 5:21 AM
  • Not sure if it is of any help, but I have achieved something similar with remote-access VPN users on a PIX and SSH logins on other Cisco devices. What you need to do is as follows:

    1. Create a RADIUS client on the NPS.

    2. Create a network policy as follows:

    a. Right-click Network Policies and click New.

    b. Type a policy name, accept the defaults and click Next.

    c. Add a condition (I used a Windows group with my users in it), click Next.

    d. Make sure the "Access granted" radio button is selected and hit Next.

    e. Select “Unencrypted authentication (PAP, SPAP)” and unselect the rest.

    f. Select No on the annoying help box.

    g. Finally select Next, then Next and Finish to complete.

    3. Configure your Cisco device for RADIUS as you would have with 2k3.

     

    Please bear in mind this is not a finished config and as such will allow any RADIUS Client to authenticate with unencrypted details. I am working on sorting that out ATM.

    Hope that is of Help

     

    Saturday, May 09, 2009 7:34 PM
  • Hi!

    Same problems: Cisco PPTP client (routers: 2821, 871W) and RADIUS server 2008 NPS (in RADIUS server for VPN connections mode), a DC with AD, GC and all roles!

    In the logs on the Win 2008 server, the client has been granted access to the network. The software VPN client (Windows Vista or Mac OS X) says: Not identified ....

    Does anyone have a manual to configure NPS in RADIUS server mode for remote connections and VPN?

    • Proposed as answer by Sed3000 Sunday, September 13, 2009 11:44 PM
    Wednesday, September 02, 2009 2:30 PM
  • Found this link. After a little configuration this did the trick.

    Make sure you use a User Group and Not a Windows Group.


    http://filedb.experts-exchange.com/incoming/2008/12_w51/87700/TA0001-Windows-2008-RADIUS-for-C.pdf

    Good Luck
    Sunday, September 13, 2009 11:47 PM
  • My goal was to be able to use my Cisco 1800 series router as a VPN server and allow it to provide RADIUS authentication for end users using the Cisco 5.x VPN client on Windows XP machines.

    I followed the walk-through above: http://filedb.experts-exchange.com/incoming/2008/12_w51/87700/TA0001-Windows-2008-RADIUS-for-C.pdf

    The only variations I did from the walkthrough above were:

    - I did not use the vendor-specific attribute shell string.

    - I didn’t use the wildcard for client friendly name; I simply used the name as I had it in the RADIUS client config.

    - Someone above mentioned to use “user groups” rather than “windows groups”.

      o I didn’t notice a difference.

    - I didn’t follow any of the Cisco walk-through part as mentioned above. I used the following commands on my router:

              ! aaa new-model must already be enabled, or the aaa commands below are rejected
              config t

              ! Xauth user login: ask the RADIUS server group first, fall back to local users
              aaa authentication login userauthen group radius local

              ! VPN group (mode-config) authorization comes from the local database
              aaa authorization network groupauthor local

              crypto map clientmap client authentication list userauthen

              crypto map clientmap isakmp authorization list groupauthor

              ! a.b.c.d is the NPS address, xxx the shared secret entered for this RADIUS client in NPS.
              ! IOS defaults to auth-port 1645 / acct-port 1646; append "auth-port 1812 acct-port 1813"
              ! if only the 1812/1813 pair is open in the firewall on the NPS host.
              radius-server host a.b.c.d key xxx

    To add to the walkthrough above:

    - Create a new "Connection Request Policy".

    - I only added the condition of a "client friendly name".

    - Everything else was defaults:

      o Enable the policy.

      o Didn’t specify a network connection method: unspecified.

      o No special VPN selections or anything.

      o Under the Settings tab, I overrode the network policy and selected to only use PAP.

    I spent a ton of time Googling this, I hope this was helpful for others.


    Cheers!

     

    • Proposed as answer by NPS-Question Friday, September 25, 2009 5:55 PM
    Tuesday, September 15, 2009 8:42 PM
  • I had the same issue and I had done quite a few tests and run a sniffer on the NPS server. My conclusion is that NPS dropped the support of PAP. I changed to CHAP/MSCHAP/MSCHAPv2 and all worked. Just PAP. NPS seems to ignore all PAP requests. I don't know if it is on purpose?
    Friday, September 25, 2009 5:38 PM
  • Hi, I have changed my VPN user to use EAP and it worked. Unlike IAS, NPS no longer supports PAP. Microsoft claimed that they dropped PAP on purpose and there is a procedure to enable PAP: http://technet.microsoft.com/en-us/library/cc732393(WS.10).aspx. However this procedure does not work for me. No luck getting PAP working. I ended up giving up PAP and using EAP instead. Still interested in getting PAP to work with NPS.
    Friday, September 25, 2009 6:03 PM
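Added example, not code from any post in this thread: a minimal RADIUS (RFC 2865) Access-Request / Access-Accept exchange over PAP, written in Python to show on the wire what several posts above are circling around. Greg's answer says the router must be registered in NPS as a RADIUS client with matching address, ports and shared secret; the 2008 post reports "RADIUS: Response (32) failed decrypt"; the PAP network-policy steps come with the warning that credentials then travel protected only by the shared secret; and the later posts ran a sniffer against PAP requests. The client table, the user account, the addresses and the secrets below are constructed sample values, and the server side is a stand-in for what a RADIUS server such as NPS does, not NPS code.

```python
"""RADIUS over PAP, both sides of the exchange (added example, constructed data)."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed stand-in for the NPS RADIUS client table: NAS source address -> shared secret.
CLIENTS = {"10.0.0.1": b"router-secret"}
# Constructed stand-in for the account store the server checks (AD in the real deployment).
USERS = {"alice": "Passw0rd!"}


def _attr(atype, value):
    # Attribute: Type(1) Length(1, includes these 2 header bytes) Value
    return struct.pack("!BB", atype, len(value) + 2) + value


def _packet(code, ident, authenticator, attrs):
    # Header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def _parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            break  # malformed attribute: stop rather than loop forever
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16n bytes, XOR each block with MD5(secret + previous block),
    the first block keyed by the Request Authenticator. This is all PAP 'encryption' is."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password: whoever holds the shared secret reads the PAP password."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()


def build_access_request(ident, user, password, secret):
    req_auth = os.urandom(16)  # fresh random Request Authenticator per request
    return _packet(ACCESS_REQUEST, ident, req_auth, [
        _attr(ATTR_USER_NAME, user.encode()),
        _attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth)),
    ])


def response_authenticator(code, ident, attrs_bytes, req_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + req_auth + attrs_bytes + secret).digest()


def server_handle(src_ip, pkt):
    """Server side: the NAS is looked up by datagram source address before anything in
    the packet is used; an unknown source gets no reply at all."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return None
    _, ident, req_auth, attrs = _parse(pkt)
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    try:
        password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    except (KeyError, UnicodeDecodeError):
        password = None  # attribute missing, or a mismatched secret turned it into garbage
    ok = password is not None and USERS.get(user) == password
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return _packet(code, ident, response_authenticator(code, ident, b"", req_auth, secret), [])


def nas_verify(reply, request, nas_secret):
    """NAS side: every reply is checked against the request's authenticator with the
    NAS's own secret; a reply that does not verify is dropped as undecryptable."""
    code, ident, resp_auth, _ = _parse(reply)
    expected = response_authenticator(code, ident, reply[20:], request[4:20], nas_secret)
    if resp_auth != expected:
        return "failed decrypt"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "unknown")


def exchange(src_ip, nas_secret, user, password):
    """One round trip as the router sees it; src_ip is the address the NAS sends from."""
    request = build_access_request(42, user, password, nas_secret)
    reply = server_handle(src_ip, request)
    if reply is None:
        return "timeout"  # no reply: the NAS retries, then falls back (e.g. to 'local')
    return nas_verify(reply, request, nas_secret)


if __name__ == "__main__":
    for case in [("10.0.0.1", b"router-secret", "alice", "Passw0rd!"),
                 ("10.0.0.1", b"router-secret", "alice", "wrong"),
                 ("10.0.0.1", b"typo-secret", "alice", "Passw0rd!"),
                 ("10.0.0.7", b"router-secret", "alice", "Passw0rd!")]:
        print(case[0], case[1].decode(), "->", exchange(*case))
```

Running exchange() with matching secrets returns "accept", with a wrong user password "reject", with a secret that differs between router and server "failed decrypt" (the server's Access-Reject carries a Response Authenticator computed with its secret, which the NAS cannot verify with its own, the check behind a router reporting a reply it cannot decrypt), and from an address missing from the client table "timeout" (the datagram is dropped before it is parsed, which is why an unregistered source shows nothing useful on either side). reveal_password is the point of the PAP warning: User-Password is only XORed with MD5 keystream derived from the shared secret, so a capture plus the secret, or a secret weak enough to guess offline, yields the plaintext password.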
  • irishHam,

    This is exactly the solution that I was looking for. But I have one question... how did you configure the Cisco VPN Client?

    I am using Cisco VPN Client ver.5.0.06.0110

     

    Thanks!

    Friday, August 06, 2010 10:04 AM
  • Recently I have set up my VPN in a similar way, using Server 2008 as a RADIUS server and an ASA.

    Step by Step guide for ASA and server 2008 setup can be found here: Setup-windows-server-2008-r2-as-radius-server-for-cisco-asa

    Hope this will work.

     THX

    • Proposed as answer by Ranjodh Deol Tuesday, January 10, 2012 4:55 PM
    Monday, October 04, 2010 6:00 PM
  • Here are some good instructions (with screen shots) I've found for enabling NPS RADIUS with AD level authorization to level-15

    http://aaronwalrath.wordpress.com/2010/06/22/install-windows-2008-r2-nps-for-radius-authentication-for-cisco-router-logins/

    My problem is that I can't seem to figure out how to have my Cisco device use a particular Switched Virtual Interface (SVI) or VLAN IP address for authentication. On a layer 3 switch which has multiple SVIs, when I look at the "Best Local IP-Address" it seems to change, so unless I add ALL the SVIs (highly undesirable) as RADIUS clients, it's pretty much the luck of the draw which address will try to authenticate at any given time.

    • Proposed as answer by MarkusAlan Wednesday, June 13, 2012 3:34 PM
    Wednesday, June 13, 2012 3:34 PM