Cisco RADIUS and NPS Issues

Peter Sheridan
Level 1

Hello,

I'm just having a bit of trouble getting some RADIUS and NPS policies working.

I want to have 3 NPS Policies

1. VPN Access

2. SSH Access Level 1

3. SSH Access Level 15

 

The VPN is a Cisco Anyconnect SSL vpn, and the SSH Access is obviously vty access to the router. My NPS server is configured with these three policies in that order. The NPS Policies are secured by three AD Groups (with the same names as the NPS Policies), with the exception of the VPN policy that has an additional condition of 'NAS Port Type = Virtual (VPN)'.

My problem is that when a user is a member of both 'VPN Access' and 'SSH Access Level 1', when they try to log onto the router it brings up the error message 'This line may not run PPP'. If I reorder the NPS policies so that VPN is at the bottom, it lets me log in fine.

The second problem is that when a user is a member of ONLY the 'SSH Access Level 15' group, they also get access to the VPN.

 

Below is an extract of the config. Anyone got some clues as to why it's not working?

Regards,

Peter


aaa new-model
!
aaa authentication login AUTHEN_LOGIN local group radius
aaa authorization exec AUTHOR_EXEC local group radius if-authenticated
aaa authorization network AUTHOR_NETWORK local group radius if-authenticated
!
aaa session-id common
!
line con 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 session-timeout 60
 access-class SSH in
 authorization exec AUTHOR_EXEC
 logging synchronous
 login authentication AUTHEN_LOGIN
 transport input ssh
!
!
webvpn gateway HOME
 hostname XXXXXXXXX
 ip address XXXXXXXXX port XXXXX
 http-redirect port XXXX
 ssl trustpoint XXXXXXXXX
 inservice
 !
webvpn install svc flash:/webvpn/anyconnect-win-3.1.06073-k9.pkg sequence 1
 !
 webvpn import svc profile HOME flash:/webvpn/XXXXXX.xml
 !
webvpn context CONTEXTPOLICY1
 ssl authenticate verify all
 !
 !
 policy group POLICY_1
   functions svc-enabled
   functions svc-required
   svc address-pool XXXXXXXXXXX
   svc default-domain XXXXXXXXXXXXXX
   svc keep-client-installed
   svc module XXXXXXXXXXXXX
   svc profile XXXXXXXXXXXXX
   svc split dns XXXXXXXXXXX
   svc split include XXXXXXXXXXX
   svc dns-server primary XXXXXXXXXXXXX
   svc dns-server secondary XXXXXXXXXXXXXX
 virtual-template 1
 default-group-policy POLICY_1
 aaa authentication list AUTHEN_LOGIN
 aaa authorization list AUTHOR_NETWORK
 gateway XXXXXXXXX
 max-users 5
 inservice
!
end

 

2 Replies

johnnylingo
Level 5

Same here.  I found that removing the "aaa authorization exec" line did fix it, but no problems if I try a Unix-based RADIUS server.  So it's something special to NPS.

The solution I found was in the Network Policy, pull up the Settings tab and then change or remove the RADIUS Attributes.  

By default, it uses "Framed-Protocol=PPP" and "Service-Type=Framed".  I changed it to SLIP
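To make the two symptoms in the thread concrete, here is a small model of how NPS processes network policies (top to bottom, first full match wins, no match means Access-Reject) applied to Peter's three policies. This is an added example, not code from the original post and not Cisco or Microsoft code. It goes slightly beyond the thread by also showing a fix that constrains each SSH policy by Service-Type rather than by group alone. Everything about what IOS puts in the Access-Request or does with the reply is an assumption, marked as such: that both a vty login and the SSL VPN session carry NAS-Port-Type=Virtual, that an exec login carries Service-Type=Login while the VPN tunnel carries Service-Type=Framed, that a working exec-login policy returns Service-Type=Login plus a Cisco-AVPair privilege level, and that a vty login handed Framed-Protocol=PPP fails with the message Peter quotes. The request objects are constructed test data.

```python
"""Model of NPS first-match network-policy processing for the three policies
in the thread.  Added example, not code from the original post, Cisco or
Microsoft.  Every claim about IOS RADIUS behaviour below is an ASSUMPTION."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    """Access-Request fields a network policy can match on (constructed)."""
    user: str
    groups: frozenset
    nas_port_type: str   # ASSUMPTION: "Virtual" for both vty and SSL VPN
    service_type: str    # ASSUMPTION: "Login" for exec login, "Framed" for VPN


@dataclass
class Policy:
    name: str
    group: str                                       # Windows Groups condition
    conditions: dict = field(default_factory=dict)   # Request field -> required value
    settings: dict = field(default_factory=dict)     # attributes returned in Access-Accept

    def matches(self, req):
        if self.group not in req.groups:
            return False
        return all(getattr(req, f) == v for f, v in self.conditions.items())


def evaluate(policies, req):
    """NPS walks policies in processing order; the first one whose conditions
    all match decides the request.  No match means Access-Reject."""
    for pol in policies:
        if pol.matches(req):
            return pol.name, dict(pol.settings)
    return None, {}


def ios_login_outcome(settings):
    """ASSUMPTION: what a vty login does with the returned attributes."""
    if not settings:
        return "rejected"
    if settings.get("Framed-Protocol") == "PPP":
        return "This line may not run PPP"
    return "exec shell"


# NPS defaults quoted in johnnylingo's reply; used here by the VPN policy.
PPP_DEFAULTS = {"Framed-Protocol": "PPP", "Service-Type": "Framed"}


def login_settings(priv):
    """ASSUMPTION: what a working exec-login policy returns."""
    return {"Service-Type": "Login", "Cisco-AVPair": f"shell:priv-lvl={priv}"}


# Peter's policies in his processing order: group only, plus NAS-Port-Type on VPN.
ORIGINAL = [
    Policy("VPN Access", "VPN Access", {"nas_port_type": "Virtual"}, PPP_DEFAULTS),
    Policy("SSH Access Level 1", "SSH Access Level 1", {}, login_settings(1)),
    Policy("SSH Access Level 15", "SSH Access Level 15", {}, login_settings(15)),
]
# Peter's workaround: VPN policy moved to the bottom.
VPN_LAST = ORIGINAL[1:] + ORIGINAL[:1]
# Fuller fix: each SSH policy also requires Service-Type=Login, so a VPN
# request can never fall through to it; most privileged policy first.
FIXED = [
    Policy("SSH Access Level 15", "SSH Access Level 15", {"service_type": "Login"}, login_settings(15)),
    Policy("SSH Access Level 1", "SSH Access Level 1", {"service_type": "Login"}, login_settings(1)),
    Policy("VPN Access", "VPN Access", {"nas_port_type": "Virtual"}, PPP_DEFAULTS),
]

# Constructed requests for the two situations Peter describes.
SSH_FROM_VPN_AND_L1 = Request("peter", frozenset({"VPN Access", "SSH Access Level 1"}), "Virtual", "Login")
VPN_FROM_L15_ONLY = Request("admin", frozenset({"SSH Access Level 15"}), "Virtual", "Framed")


def ssh_login(policies, req):
    """Policy hit and what the vty does with the returned attributes."""
    name, settings = evaluate(policies, req)
    return name, ios_login_outcome(settings)


def vpn_login(policies, req):
    """Policy hit, or None when NPS rejects the VPN request."""
    return evaluate(policies, req)[0]


if __name__ == "__main__":
    for label, pols in (("original", ORIGINAL), ("vpn last", VPN_LAST), ("fixed", FIXED)):
        print(f"{label:9} ssh login by VPN+L1 member   -> {ssh_login(pols, SSH_FROM_VPN_AND_L1)}")
        print(f"{label:9} vpn login by L15-only member -> {vpn_login(pols, VPN_FROM_L15_ONLY)}")
```

Run as-is, the original order sends the SSH login of a 'VPN Access' member into the VPN policy and its PPP attributes, moving the VPN policy last sends it to 'SSH Access Level 1' instead, and in both orders the 'SSH Access Level 15'-only user is accepted on the VPN because that policy checks nothing but group membership; only the variant with a Service-Type condition rejects the VPN request.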