[c-nsp] ASA 5505 VPN with 2008 NPS as AD Integrated RADIUS
Eric Girard
egirard at focustsi.com
Tue Oct 20 16:32:20 EDT 2009
Jeff,
I've done several VPN setups with 2008 NPS, and from what I remember offhand they were no different than the 'old' IAS. Some of the items might have moved around a bit in the GUI, but the basic IAS functionality is still there. From the error message, I would look at the connection policies, because if I am remembering correctly the default is not very useful and needs to be changed.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Wojciechowski
Sent: Tuesday, October 20, 2009 3:58 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA 5505 VPN with 2008 NPS as AD Integrated RADIUS
Hi All,
Has anyone gotten ASA based VPN (soft clients) to work with Windows 2008 NPS - AD Integrated RADIUS?
As our engineer put it:
"Cisco does not have a document for authentication configuration with Windows 2008. Since they say the ASA configuration looks fine they have washed their hands of it and want to close the case."
I can see this in the logs on our AD server:
Contact the Network Policy Server administrator for more information.
User:
    Security ID: NULL SID
    Account Name: %domain\username%
    Account Domain: -
    Fully Qualified Account Name: -
Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: %some ip address%
    Calling Station Identifier: %some originating ip address%
NAS:
    NAS IPv4 Address: %ip of server%
    NAS IPv6 Address: -
    NAS Identifier: -
    NAS Port-Type: Virtual
    NAS Port: 159744
RADIUS Client:
    Client Friendly Name: whl_vpn_new
    Client IP Address: %ip address of client%
Authentication Details:
    Proxy Policy Name: -
    Network Policy Name: -
    Authentication Provider: -
    Authentication Server: %fqdn of server%
    Authentication Type: -
    EAP Type: -
    Account Session Identifier: -
    Reason Code: 49
    Reason: The connection attempt did not match any connection request policy.
If this has been asked and answered (or if there is a better forum for this), I apologize. If someone could nudge me in the right direction that would be very awesome. Technet for the above error is pretty pointless as usual....
Thanks again,
-Jeff
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
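Added example, not part of the original thread and not Cisco or Microsoft code: a small Python triage of the NPS denial event quoted above. It reports which policy stage the request failed at and which request attributes a connection request policy condition would have had to match. The sample event is abridged from the post with its %placeholders% kept; the function names and the CRP_FIELDS list are assumptions made for this illustration.

```python
# Constructed sample: abridged from the event in the post, placeholders kept.
SAMPLE_EVENT = """\
NAS:
NAS IPv4 Address: %ip of server%
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: 159744
RADIUS Client:
Client Friendly Name: whl_vpn_new
Client IP Address: %ip address of client%
Authentication Details:
Proxy Policy Name: -
Network Policy Name: -
Reason Code: 49
Reason: The connection attempt did not match any connection request policy.
"""

# Request attributes that connection request policy conditions can test
# (assumed subset, chosen for this illustration).
CRP_FIELDS = ("NAS Port-Type", "NAS Identifier", "NAS IPv4 Address",
              "Client Friendly Name", "Client IP Address")

def parse_event(text):
    """Group 'Key: Value' lines under section headers (lines ending in ':')."""
    event, section = {}, None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        if not value.strip():            # e.g. "NAS:" opens a new section
            section = key.strip()
            event[section] = {}
        elif section is not None:
            event[section][key.strip()] = value.strip()
    return event

def triage(event):
    """Report the failing policy stage and the attributes the request carried."""
    auth = event.get("Authentication Details", {})
    # "Proxy Policy Name" is the connection request policy that matched;
    # "-" means none did, so network policies were never evaluated.
    if auth.get("Proxy Policy Name", "-") == "-":
        stage = "connection request policy"
    elif auth.get("Network Policy Name", "-") == "-":
        stage = "network policy"
    else:
        stage = "after policy match"
    carried = {k: v for sec in event.values() for k, v in sec.items()
               if k in CRP_FIELDS and v != "-"}
    return {"stage": stage, "reason_code": auth.get("Reason Code"),
            "request_attributes": carried}

if __name__ == "__main__":
    print(triage(parse_event(SAMPLE_EVENT)))
```

Attributes reported as "-" in the event, such as NAS Identifier here, were not sent by the ASA, so a policy condition on them cannot match this request.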