Need Help Setting Up RADIUS on Windows Server 2019 with Cisco Devices

Asked By NetworkNinja42 On

Hey, I'm trying to get RADIUS set up on Windows Datacenter 2019 for authentication via NPS, but I'm running into some serious issues. I'm more experienced on the networking side and not so much with server configurations, so bear with me!

I'm routing through a Palo Alto Firewall with Global Protect VPN, and I've got a Cisco switch and WLC in my network. My server is trunked to the switch for all VLANs. I already set up Active Directory, DNS, NPS, DHCP, and the necessary security groups.

I've heard there might be a bug in NPS that requires a manual configuration, which I've tried, but I'm still having trouble authenticating. When I attempt to log in via the Cisco switch, I get a 'Rejected/Rejected' response despite checking the keys multiple times.

What steps should I take next? Any guidance would be much appreciated!

4 Answers

Answered By CleverNetworker On

Just a heads up, Cisco typically requires a specific RADIUS attribute to grant admin access. When you're in your connection request policy, you'll want to add a vendor attribute as follows:
- Name: Cisco-AV-Pair
- Vendor: Cisco
- Value: shell:priv-lvl=15

This setup should allow full access rather than just read-only, which is what you're currently experiencing.

NetworkNinja42 -

This totally makes sense! Thanks for pointing that out. I had previously thought to create a policy for a group like domain admins, but I'll definitely implement this now. I can access the switch locally; I'm hoping this will help me get better results.
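For readers who want to see what the attribute above actually looks like on the wire, here is an added Python example (not code from the original thread or from Cisco/Microsoft) that encodes `shell:priv-lvl=15` as an RFC 2865 Vendor-Specific attribute (type 26, Cisco IANA vendor ID 9, vendor type 1 = cisco-avpair), wraps it in an Access-Accept with a correct Response Authenticator, and then parses and verifies it the way the switch would. The shared secret, packet identifier and request authenticator are made-up test values, not anything from the poster's environment.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 constants
CODE_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9          # IANA private enterprise number for Cisco
CISCO_AVPAIR = 1             # vendor type of cisco-avpair / "Cisco-AV-Pair"


def cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AV-Pair string as a Vendor-Specific attribute TLV."""
    data = value.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data      # vendor type, vendor length, string
    inner = struct.pack("!I", CISCO_VENDOR_ID) + vsa                   # 4-byte vendor id + vendor TLV
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(inner)) + inner


def build_response(code: int, identifier: int, request_auth: bytes, attributes: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: a response whose authenticator does not verify is silently discarded, not 'rejected'."""
    if len(packet) < 20:
        return False
    header, resp_auth, attributes = packet[:4], packet[4:20], packet[20:]
    _code, _ident, length = struct.unpack("!BBH", header)
    if length != len(packet):
        return False
    expected = hashlib.md5(header + request_auth + attributes + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(attributes: bytes) -> list:
    """Walk the attribute TLVs, decoding Cisco VSAs into ('Cisco-AV-Pair', text) tuples."""
    out, i = [], 0
    while i < len(attributes):
        if i + 2 > len(attributes):
            raise ValueError("truncated attribute header")
        t, length = attributes[i], attributes[i + 1]
        if length < 2 or i + length > len(attributes):
            raise ValueError("bad attribute length")
        val = attributes[i + 2:i + length]
        if t == ATTR_VENDOR_SPECIFIC and len(val) >= 6:
            vendor = struct.unpack("!I", val[:4])[0]
            vtype, vlen = val[4], val[5]
            vdata = val[6:4 + vlen]
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                out.append(("Cisco-AV-Pair", vdata.decode()))
            else:
                out.append((f"VSA vendor {vendor} type {vtype}", vdata))
        else:
            out.append((t, val))
        i += length
    return out


def priv_level(packet: bytes):
    """Privilege level the switch would apply, or None if no shell:priv-lvl avpair is present."""
    for name, val in parse_attributes(packet[20:]):
        if name == "Cisco-AV-Pair" and val.startswith("shell:priv-lvl="):
            return int(val.split("=", 1)[1])
    return None


if __name__ == "__main__":
    secret = b"example-shared-secret"       # assumption: throwaway test value
    request_auth = os.urandom(16)           # the NAS picks this in its Access-Request
    accept = build_response(CODE_ACCESS_ACCEPT, 0x2A, request_auth, cisco_avpair("shell:priv-lvl=15"), secret)
    print("authenticator ok with correct secret:", verify_response(accept, request_auth, secret))
    print("authenticator ok with wrong secret:  ", verify_response(accept, request_auth, b"typo"))
    print("privilege level granted:", priv_level(accept))
```

Two things this makes visible: without the VSA the Access-Accept still authenticates the user (which is why the switch lets you in at exec level 1 only), and a shared-secret mismatch does not produce an Access-Reject at all; the receiving side fails the authenticator check and drops the packet, so a genuine "Rejected" in the switch's `debug radius` output means NPS answered and a policy or credential check failed.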

Answered By RADIUSWhiz On

Check the RADIUS logs on your Windows Server. You need to verify that the authentication request from your platform is in the right format, successfully authenticated against your LDAP backend, and review the response sent back to your devices. Each platform can have unique requirements for vendor-specific attributes—make sure you're accounting for those!

NetworkNinja42 -

Sounds like I need to dig into the logs more. I realized I was missing the attribute for Cisco shell:priv-lvl=15, so I’m restarting the server to see if that helps.
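To make the log check above concrete, here is an added Python example (not from the original thread) that reads NPS accounting/authentication log lines in the "DTS Compliant" XML format (one `<Event>` element per line, as NPS writes under C:\Windows\System32\LogFiles by default) and reports every Access-Reject with its Reason-Code translated to the text NPS uses in Event ID 6273. The log lines, host names, user names and addresses below are constructed for the example; the reason-code table covers only a handful of the codes NPS can emit.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Subset of NPS reason codes (the same numbers appear in Security log Event ID 6273).
REASON_CODES = {
    0: "Success",
    8: "The specified user account does not exist",
    16: "Credentials mismatch: unknown user name or wrong password (check the auth method, e.g. PAP vs MS-CHAPv2)",
    34: "Account disabled",
    36: "Account locked out",
    48: "Connection request did not match any network policy (check group/NAS-Port-Type conditions)",
    49: "Connection request did not match any connection request policy",
    65: "Network Access Permission on the AD account is set to Deny",
    66: "Authentication method is not enabled on the matching network policy",
}
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject", "11": "Access-Challenge"}

# Constructed sample lines in DTS Compliant format: request/reject pairs from a switch and one accept.
SAMPLE_LOG = """
<Event><Timestamp data_type="4">03/12/2024 09:14:27.107</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">jdoe</User-Name><Client-IP-Address data_type="3">10.10.0.5</Client-IP-Address><Client-Friendly-Name data_type="1">core-sw01</Client-Friendly-Name><NAS-IP-Address data_type="3">10.10.0.5</NAS-IP-Address><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">03/12/2024 09:14:27.123</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">jdoe</User-Name><Client-IP-Address data_type="3">10.10.0.5</Client-IP-Address><Client-Friendly-Name data_type="1">core-sw01</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">03/12/2024 09:15:02.410</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">asmith</User-Name><Client-IP-Address data_type="3">10.10.0.5</Client-IP-Address><Client-Friendly-Name data_type="1">core-sw01</Client-Friendly-Name><NAS-IP-Address data_type="3">10.10.0.5</NAS-IP-Address><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">03/12/2024 09:15:02.431</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">asmith</User-Name><Client-IP-Address data_type="3">10.10.0.5</Client-IP-Address><Client-Friendly-Name data_type="1">core-sw01</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">48</Reason-Code></Event>
<Event><Timestamp data_type="4">03/12/2024 09:16:45.002</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">mlee</User-Name><Client-IP-Address data_type="3">10.10.0.9</Client-IP-Address><Client-Friendly-Name data_type="1">wlc01</Client-Friendly-Name><NAS-IP-Address data_type="3">10.10.0.9</NAS-IP-Address><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">03/12/2024 09:16:45.020</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">mlee</User-Name><Client-IP-Address data_type="3">10.10.0.9</Client-IP-Address><Client-Friendly-Name data_type="1">wlc01</Client-Friendly-Name><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
"""


def parse_events(log_text: str) -> list:
    """One dict per <Event> line: element tag -> text (the data_type attributes are not needed here)."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        root = ET.fromstring(line)
        events.append({child.tag: (child.text or "") for child in root})
    return events


def reject_report(log_text: str) -> list:
    """Every Access-Reject, with who was rejected, from which RADIUS client, and why."""
    report = []
    for ev in parse_events(log_text):
        if ev.get("Packet-Type") != "3":
            continue
        code = int(ev.get("Reason-Code", "-1"))
        report.append({
            "time": ev.get("Timestamp"),
            "user": ev.get("User-Name"),
            "client": ev.get("Client-Friendly-Name") or ev.get("Client-IP-Address"),
            "reason_code": code,
            "reason": REASON_CODES.get(code, "not in table; look up the code in Event ID 6273"),
        })
    return report


def reject_counts(log_text: str) -> Counter:
    """(client, reason code) histogram: one client with one repeated code usually means one misconfiguration."""
    return Counter((r["client"], r["reason_code"]) for r in reject_report(log_text))


if __name__ == "__main__":
    for r in reject_report(SAMPLE_LOG):
        print(f"{r['time']} {r['client']:>10} user={r['user']:<8} reason {r['reason_code']}: {r['reason']}")
    print(reject_counts(SAMPLE_LOG))
```

Two caveats when reading real logs: a shared-secret mismatch never shows up as a Reject, because NPS discards the request instead (Security log Event ID 6274, "discarded the request"), so if the switch reports a reject the key is at least consistent; and Reason-Code 48 points at the network policy conditions (group membership, NAS-Port-Type, and so on) rather than at credentials, which is a different fix from code 16.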

Answered By TechSavvyDude On

It sounds like you might be dealing with a security protocol mismatch among your devices. Since you have an enterprise-grade firewall, consider reaching out to Palo Alto support to help troubleshoot this issue. They can provide insights into whether your devices are using compatible protocols for RADIUS.

NetworkNinja42 -

Thanks for the advice! I've got a license on the PA until June. I'm checking into that now. Just to add, I think the bind information for the PA LDAP portal might have been incorrect, so I'm hoping that's my issue.

Answered By SysAdminGuru On

Make sure you've created a RADIUS access policy in NPS that allows authenticated devices. Also, confirm you've added your Cisco switch as a trusted client and set the correct IP addresses in the server's configuration. Have you noticed any mistakes there that might be causing your issue?

NetworkNinja42 -

Yes, my switch is registered as a client, and I've set up distinct access policies for each security group. However, I recently found some incorrect binding info in the PA. I’ll update my post with any progress.
