
06/16/2010


Listed below are links to weblogs that reference Cisco IOS-fu #7 - Cisco + RADIUS + Windows Server 2008 NPS:

Comments


@hezetation

You can also put Cisco-* in the client friendly name field; either one works, but it might take some long-time Windows guys a while to remember the ol' * for anything following.

Hey, did an Apple guy just write that?! :)

Aaron

Bless you! This was the exact solution I was looking for. Thanks for making a clear and concise guide w/ troubleshooting! You da man!

DW Hunter

No worries Aaron! Glad it was helpful. I refer back to this post often when doing this for other customers.

JT

YOU ARE MY HERO! LOL

Mark Hauschild

Thanks, Brother! I really appreciate your sharing this. This was just the walk through I needed. We are currently running RADIUS on our W2K3 servers but are (finally) getting around to migrating to W2K8 R2. Awesome testimony by the way. For those that haven't seen it, I recommend reading Darryl's blog on Faith.

Also, I was listening to the radio yesterday. If you haven't heard of the blog "Not A Fan" it speaks a great deal about many of those things you mentioned in your testimony. God is truly moving in His people now. Let's pray that we will see this as the beginning of the next GREAT AWAKENING!!! 2 Chronicles 7:14

Gyozo

Hi, such a luck to find you!

Actually I face another very interesting issue with our CISCO ASA 5500 + Win2008R2 + NPS, I wonder if you can help me?

It is that we implemented an authentication server that sends out OTP SMSs to the user they can then use to get in to the VPN.

The problem is that the CISCO ASA 5500 has a config parameter for AAA servers called retry-interval that can only be set between 1-10 sec.

So our current config looks like this:

hostname(config)# aaa-server srv1 protocol radius
hostname(config-aaa-server-group)# aaa-server srv1 host 1.2.3.4
hostname(config-aaa-server-host)# timeout 20
hostname(config-aaa-server-host)# retry-interval 10

Because sending out the SMS OTP usually takes more than 15 sec, the CISCO automatically sends out a repeated RADIUS request, so the AAA server generates another OTP and sends out another SMS for the same login request.

Is there any way to set up the system (any part, either CISCO or NPS) to only forward a login request for the same user no earlier than, e.g., 60 sec after the previous one?

Your advice would be highly appreciated.
Best regards,
Gyozo

Bruno Silva

awesome dude. thumbs up for you

Mike Aossey

Thanks for the post, just what i was looking for.

John Kelly

Thanks for putting this up. A couple of comments:
(1) While you're troubleshooting, if you have more than one RADIUS network access policy, try changing the order they're applied in. I bashed my brains out troubleshooting a policy for two days, then fixed everything by moving it up in the order of policies. Turned out the culprit was the policy right above it--which was actually doing what I wanted, just too much of it.
(2) I'm not so sure about setting the RADIUS attribute "shell:priv-lvl=15". It's convenient but risky: on every device, anyone with the right credentials gets godlike powers the minute they walk in. I think better to configure it on the devices themselves as appropriate. Sometimes you want godlike powers from the get-go, sometimes you want the option of harmlessly looking around first--stethoscope first, THEN the chainsaw.

DaemOn

Thank you. This blog helped me a lot.

Walt Sykes

Hi, just a question on the Cisco side. What would the 'Group Name' match up with on the Windows server side? 'Cisco Admins'?

Thanks!

GTA 5 PC en ligne

I'm not sure exactly why but this weblog is loading incredibly slow for me. Is anyone else having this issue or is it a problem on my end? I'll check back later and see if the problem still exists.

MW

Hi Darryl,

I wonder if you have done it and can provide me some help. Although I still have not given up, I tried configuring NPS for 802.1x port-based authentication with Cisco Catalyst 2950 switches and so far I did not have any luck. The logs in NPS show that authentication failed, but my configurations for client and server certificates are all right. I did some Google searching and there are people with the same problem; for some of them it works today, but fails tomorrow. I suspect there must be some configuration required on NPS to get this to work.


Thanks for your post, I will definitely try it.
