




You can also do Cisco-* in the client friendly name field; either one works, but there might be some long-time Windows guys who need to remember the ol' * for anything following.

Hey, did an Apple guy just write that?! :)


Bless you! This was the exact solution I was looking for. Thanks for making a clear and concise guide w/ troubleshooting! You da man!

DW Hunter

No worries Aaron! Glad it was helpful. I refer back to this post often when doing this for other customers.



Mark Hauschild

Thanks, Brother! I really appreciate your sharing this. This was just the walk through I needed. We are currently running RADIUS on our W2K3 servers but are (finally) getting around to migrating to W2K8 R2. Awesome testimony by the way. For those that haven't seen it, I recommend reading Darryl's blog on Faith.

Also, I was listening to the radio yesterday. If you haven't heard of the blog "Not A Fan" it speaks a great deal about many of those things you mentioned in your testimony. God is truly moving in His people now. Let's pray that we will see this as the beginning of the next GREAT AWAKENING!!! 2 Chronicles 7:14


Hi, such a luck to find you!

Actually I face another very interesting issue with our CISCO ASA 5500 + Win2008R2 + NPS, I wonder if you can help me?

It is that we implemented an authentication server that sends out OTP SMSs to the user they can then use to get in to the VPN.

The problem is that CISCO ASA 5500 has a config parameter for AAA servers called retry-interval that can only be set up between 1-10 sec.

So our current config looks like this:

hostname(config)# aaa-server srv1 protocol radius
hostname(config-aaa-server-group)# aaa-server srv1 host
hostname(config-aaa-server-host)# timeout 20
hostname(config-aaa-server-host)# retry-interval 10

Because sending out the SMS OTP usually takes more than 15 sec it results in CISCO automatically sending out a repeated radius request so the AAA server generates another OTP and sends out another SMS still for the same login request.

Is there any way to set up the system (any part, either CISCO or NPS) to only forward a login request for the same user not earlier than e.g. 60 sec?

Your advice would be highly appreciated.
Best regards,
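An added example, not from the post or this commenter, of the hold-down the question asks for, written as a small Python model of what a RADIUS front end (a proxy or the OTP server's own RADIUS listener) could do before a request reaches NPS: it ignores a retransmitted Access-Request and refuses to issue a second OTP for the same user within 60 seconds. It assumes the ASA reuses the Identifier and Request Authenticator when it retries; the user name, times and authenticator bytes are constructed.

```python
from dataclasses import dataclass

@dataclass
class AccessRequest:
    """The Access-Request fields the gate needs (a constructed model, not a parser)."""
    user: str             # User-Name attribute
    identifier: int       # RADIUS Identifier octet (0-255)
    authenticator: bytes  # 16-byte Request Authenticator
    received_at: float    # arrival time in seconds

class OtpGate:
    """Decides whether an Access-Request should trigger a new OTP SMS.
    Check 1: same Identifier + Request Authenticator as an in-flight request
    is a retransmission (assumes the client reuses both on retry, which is
    what RFC 5080 duplicate detection relies on). Check 2: any other request
    for the same user inside the hold-down window gets no new OTP either.
    """
    def __init__(self, window_sec: float = 60.0) -> None:
        self.window = window_sec
        self.in_flight: dict[tuple[int, bytes], float] = {}
        self.last_otp: dict[str, float] = {}

    def _prune(self, now: float) -> None:
        # Forget state older than the window so memory stays bounded.
        self.in_flight = {k: t for k, t in self.in_flight.items() if now - t < self.window}
        self.last_otp = {u: t for u, t in self.last_otp.items() if now - t < self.window}

    def should_send_otp(self, req: AccessRequest) -> bool:
        self._prune(req.received_at)
        key = (req.identifier, req.authenticator)
        if key in self.in_flight:
            return False  # retransmit of a request still being handled
        self.in_flight[key] = req.received_at
        if req.user in self.last_otp:
            return False  # new packet, but the user is inside the hold-down
        self.last_otp[req.user] = req.received_at
        return True

def simulate() -> list[bool]:
    """Replay the comment's timing: retry-interval 10, timeout 20, SMS takes ~15 s."""
    gate = OtpGate(window_sec=60.0)
    auth_a, auth_b, auth_c = bytes(range(16)), bytes(range(16, 32)), bytes(range(32, 48))
    events = [
        AccessRequest("alice", 7, auth_a, 0.0),   # first login: OTP goes out
        AccessRequest("alice", 7, auth_a, 10.0),  # ASA retransmit at retry-interval 10
        AccessRequest("alice", 8, auth_b, 20.0),  # user retries at 20 s: still held down
        AccessRequest("alice", 9, auth_c, 70.0),  # new login after 60 s: new OTP
    ]
    return [gate.should_send_otp(e) for e in events]
```

Only the first and last requests produce an SMS; the retransmit and the early retry are answered without generating another code.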

Bruno Silva

awesome dude. thumbs up for you

Mike Aossey

Thanks for the post, just what I was looking for.

John Kelly

Thanks for putting this up. A couple of comments:
(1) While you're troubleshooting, if you have more than one RADIUS network access policy, try changing the order they're applied in. I bashed my brains out troubleshooting a policy for two days, then fixed everything by moving it up in the order of policies. Turned out the culprit was the policy right above it--which was actually doing what I wanted, just too much of it.
(2) I'm not so sure about setting the RADIUS attribute "shell:priv-lvl=15". It's convenient but risky: on every device, anyone with the right credentials gets godlike powers the minute they walk in. I think better to configure it on the devices themselves as appropriate. Sometimes you want godlike powers from the get-go, sometimes you want the option of harmlessly looking around first--stethoscope first, THEN the chainsaw.


Thank you. This blog helped me a lot.

Walt Sykes

Hi, just a question on the Cisco side. What would the 'Group Name' match up with on the Windows server side? 'Cisco Admins'?



Hi Darryl,

I wonder if you have done it and can provide me some help. Although I still have not given up, I tried configuring NPS for 802.1x port-based authentication with Cisco Catalyst 2950 switches and so far I did not have any luck. The logs in NPS show that authentication failed, but my configurations for client and server certificates are all right. I did some Google searching and there are people with the same problem; for some of them it works today, but fails tomorrow. I suspect there must be some configuration required on NPS to get this to work.

Thanks for your post, I will definitely try it.


Sir, you are AWESOME!!! This tutorial helped me a lot. Thanks!!!


I could set it up and authenticate, however the user logs in to Cisco without privilege. If I try the enable command it does not accept the password.

Halo Digital

Thanks for sharing, great article.
