
W2k8 NPS as a RADIUS server for a Cisco router


Postby chicagotech » Sun Dec 11, 2011 11:18 am

I currently have W2k3 IAS configured as a RADIUS server for our VPN clients connecting to a Cisco 2811 router. That works fine but I can't get it to work for the Authentication Proxy feature on the same router. I thought I'd try the new NPS on W2k8 since Cisco and MS are now cooperating on RADIUS. I can't get NPS to respond to the Auth-Proxy or even the VPN requests so I seem to be going backwards!



I have searched and searched but cannot find anything useful on how to configure NPS for RADIUS, though I have found a mountain of literature on NAP (interesting but something for the future). One problem could be that I have passed authentication off to our existing IAS server since it is a DC and auths the current VPN well, if a little slowly. I can't even get the NPS to log the fact that a RADIUS request is coming into it, either in the Event Log or in the basic log file configured under the NPS interface. I have opened all four standard UDP ports in the W2k8 firewall.



Can anybody suggest any tips or refer me to any documentation on the NPS RADIUS configuration, please? I don't expect help here on the Cisco hardware but also don't want to pay a small fortune for Cisco ACS RADIUS when it has a terrible reputation anyway.
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
chicagotech
Site Admin
 
Posts: 6373
Joined: Mon Nov 27, 2006 1:24 pm
Location: Chicago USA

Re: W2k8 NPS as a RADIUS server for a Cisco router

Postby chicagotech » Sun Dec 11, 2011 11:20 am

If IAS is mostly working for you, then you should be able to at least get this same level of support from NPS. I don't know what kind of authentication method you are using with the Cisco 2811, but I assume you configure the router as a RADIUS client in NPS and set up a RADIUS server group on the router with the IP address, port numbers, and shared secret for NPS.



Set up connection request policy the same as you did in IAS, and your remote access policies are now called "network policies". Since you say that NPS isn't recognizing the RADIUS messages from your router, I would check that you are using 1812 as the authentication port. Another commonly used port is 1645, but to use this you will need to add it to the list of firewall exceptions on NPS.



Documentation for configuring NPS that is currently available can be found at www.microsoft.com/nps. As you said, this is mostly about configuring NPS for NAP but the steps will show you how to configure conditions and settings. There is also a wizard in the NPS console that may be helpful to you.

Re: W2k8 NPS as a RADIUS server for a Cisco router

Postby chicagotech » Sun Dec 11, 2011 11:20 am

Not sure if it is of any help but I have achieved something similar with remote access VPN users on a PIX and SSH logins on other Cisco devices. What you need to do is as follows:

1. Create a RADIUS client on the NPS.

2. Create a network policy as follows:

a. Right-click Network Policies and click New.

b. Type a policy name, accept the defaults and click Next.

c. Add a condition (I used a Windows group with my users in it), click Next.

d. Make sure the “Access granted” radio button is selected and hit Next.

e. Select “Unencrypted authentication (PAP, SPAP)” and unselect the rest.

f. Select No on the annoying help box.

g. Finally, select Next, then Next and Finish to complete.

3. Configure your Cisco device for RADIUS as you would have with 2k3.



Please bear in mind this is not a finished config and as such will allow any RADIUS Client to authenticate with unencrypted details. I am working on sorting that out ATM.

Hope that is of Help

Re: W2k8 NPS as a RADIUS server for a Cisco router

Postby chicagotech » Sun Dec 11, 2011 11:21 am

Found this link. After a little configuration this did the trick.

Make sure you use a User Group and Not a Windows Group.

Re: W2k8 NPS as a RADIUS server for a Cisco router

Postby chicagotech » Sun Dec 11, 2011 11:23 am

My goal was to be able to use my Cisco 1800 series router as a VPN server and allow it to provide RADIUS authentication for end users using the Cisco 5.x VPN client on Windows XP machines.

I followed the walk-through above: http://filedb.experts-exchange.com/inco ... -for-C.pdf

The only variations I did from the walkthrough above were:

- I did not use the vendor-specific attribute shell string

- I didn’t use the wildcard for client friendly name, I simply used the name as I had it in the Radius client config

- Someone above mentioned to use “user groups” rather than “windows groups”

o I didn’t notice a difference

- I didn’t follow any of the Cisco walk through part as mentioned above. I used the following commands on my router:

configure terminal
! AAA must be switched on before any aaa or radius-server command is accepted
aaa new-model
! VPN user login goes to the RADIUS group first, falling back to local users if no server answers
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
! Pin the UDP ports so both ends agree: IOS defaults to 1645/1646, NPS listens on 1812/1813
radius-server host a.b.c.d auth-port 1812 acct-port 1813 key xxx
end

To add to the walkthrough above:

- Create a new "Connection Request Policy"

- I only added the condition of a "client friendly name"

- Everything else was defaults:

o Enable the policy

o Didn’t specify a network connection method: unspecified

o No special vpn selections or anything

o Under the Settings tab, I overrode the network policy authentication settings and selected to only use PAP

I spent a ton of time Googling this, I hope this was helpful for others.
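An offline model of the exchange the two procedures above set up (the NPS network/connection request policy with PAP, and the router's RADIUS group with its shared secret), added here as an example; it is not code from the original posts, from NPS or from Cisco. The router side builds an RFC 2865 Access-Request carrying a PAP User-Password, a stand-in for the server recovers the password with the shared secret and answers, and the router side checks the Response Authenticator. The secret, user, password and addresses (example-secret, vpnuser, CorrectHorse1, 192.0.2.1) are constructed. It shows two things the thread keeps running into: "unencrypted authentication (PAP)" means the password is only XOR-hidden under an MD5 keystream derived from the shared secret, so the server, and anyone holding the secret and a capture, sees it in clear; and a shared-secret mismatch or an unregistered client address never produces a "wrong password" reply, only a dropped request or a reply the NAS must discard, which on the router looks exactly like a server that is not answering.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_REPLY_MESSAGE = 1, 2, 4, 18
SHARED_SECRET = b"example-secret"     # constructed; stands in for "key xxx" on the router
USERS = {"vpnuser": "CorrectHorse1"}  # constructed user store (the domain account behind NPS)
ROUTER_IP = "192.0.2.1"               # constructed address of the registered RADIUS client

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encode_pap_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block), seeded by
    the Request Authenticator.  Obfuscation keyed on the shared secret, not encryption."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(16 * max(1, (len(password) + 15) // 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def decode_pap_password(hidden, secret, request_auth):
    """Server side of the same transform; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def pack_attrs(attrs):
    # Type, Length (including this 2-byte header), Value
    return b"".join(struct.pack("!BB", kind, len(value) + 2) + value for kind, value in attrs)

def parse_attrs(data):
    attrs = []
    while data:
        kind, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((kind, data[2:length]))
        data = data[length:]
    return attrs

def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()

def build_access_request(ident, username, password, secret, nas_ip=ROUTER_IP):
    """Router side: returns (packet, request_authenticator); the NAS keeps the latter."""
    request_auth = os.urandom(16)
    body = pack_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, encode_pap_password(password.encode(), secret, request_auth)),
        (ATTR_NAS_IP, socket.inet_aton(nas_ip)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body, request_auth

def handle_access_request(packet, secret, users, allowed_nas=frozenset({ROUTER_IP})):
    """Stand-in for the server.  None means the request was dropped without any answer
    (unregistered client), which the router cannot tell apart from a dead server."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    request_auth, attrs = packet[4:20], dict(parse_attrs(packet[20:]))
    # Offline model: the NAS-IP-Address attribute stands in for the UDP source address.
    if socket.inet_ntoa(attrs.get(ATTR_NAS_IP, b"\0\0\0\0")) not in allowed_nas:
        return None
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    given = decode_pap_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in users and hmac.compare_digest(users[user].encode(), given)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = pack_attrs([(ATTR_REPLY_MESSAGE, b"ok" if ok else b"denied")])
    auth = response_authenticator(reply_code, ident, request_auth, reply_attrs, secret)
    return struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs)) + auth + reply_attrs

def verify_response(packet, request_auth, secret):
    """Router side: the reply code, or None when the Response Authenticator fails
    (wrong shared secret or tampering); RFC 2865 says such replies are silently discarded."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    expected = response_authenticator(code, ident, request_auth, packet[20:], secret)
    return code if hmac.compare_digest(expected, packet[4:20]) else None

def authenticate(username, password, client_secret, server_secret=SHARED_SECRET,
                 users=USERS, allowed_nas=frozenset({ROUTER_IP}), ident=7):
    # Whole round trip: ACCESS_ACCEPT, ACCESS_REJECT, or None for no usable reply
    request, request_auth = build_access_request(ident, username, password, client_secret)
    reply = handle_access_request(request, server_secret, users, allowed_nas)
    return None if reply is None else verify_response(reply, request_auth, client_secret)

if __name__ == "__main__":
    print("good credentials:", authenticate("vpnuser", "CorrectHorse1", SHARED_SECRET))
    print("wrong secret:    ", authenticate("vpnuser", "CorrectHorse1", b"typo-secret"))
```

To probe a real NPS instead of the stand-in, send the packet from build_access_request over UDP to port 1812 (or 1645, if that is what the client is configured for) and hand the datagram back to verify_response: no datagram at all points at the firewall or an unregistered client address, while a datagram that verify_response returns None for means the two shared secrets differ.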

Re: W2k8 NPS as a RADIUS server for a Cisco router

Postby chicagotech » Sun Dec 11, 2011 11:24 am

I had the same issue and I had done quite a few tests and run a sniffer on the NPS server. My conclusion is that NPS dropped support for PAP. I changed to CHAP/MSCHAP/MSCHAPv2 and all worked. Just PAP. NPS seems to ignore all PAP requests. I don't know if it is on purpose?

Re: W2k8 NPS as a RADIUS server for a Cisco router

Postby chicagotech » Sun Dec 11, 2011 11:24 am

Hi, I have changed my VPN user to use EAP and it worked. Unlike IAS, NPS no longer supports PAP. Microsoft claimed that they dropped PAP on purpose and there is a procedure to enable PAP: http://technet.microsoft.com/en-us/libr ... 2393(WS.10).aspx. However, this procedure does not work for me. No luck getting PAP working. I ended up giving up PAP and using EAP instead. Still interested in getting PAP to work with NPS.

Re: W2k8 NPS as a RADIUS server for a Cisco router

Postby chicagotech » Sun Dec 11, 2011 11:25 am

This is exactly the solution that I was looking for. But I have one question... how did you configure the Cisco VPN Client?

I am using Cisco VPN Client ver.5.0.06.0110

