VPN Radius/NPS Issue

Solved
Court
Getting noticed

VPN Radius/NPS Issue

We were trying to implement NPS extension for MFA, but having issues so uninstalled NPS extension restarted NPS service and were back to normal VPN operation. After doing this again yesterday, VPN stops working and we are getting the below in logs. I removed and recreated the VPN settings in NPS with no change. Any thoughts?

 

***** = Redacted Info

____________________

Network Policy Server denied access to a user.
 
Contact the Network Policy Server administrator for more information.
 
User:
Security ID: NULL SID
Account Name: *****
Account Domain: *****
Fully Qualified Account Name: *****\*****
 
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: -
Calling Station Identifier: CLIENTVPN
 
NAS:
NAS IPv4 Address: *****
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: -
NAS Port: 1
 
RADIUS Client:
Client Friendly Name: Meraki VPN Client
Client IP Address: 10.23.1.1
 
Authentication Details:
Connection Request Policy Name: Meraki
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: *****
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

____________________

1 Accepted Solution
Court
Getting noticed

Can disregard, we resolved the issue by moving the ias.xml file and allowing NPS to build a new config and reconfigured from scratch. Something in the old config was causing issues.

View solution in original post

4 Replies 4
Court
Getting noticed

Can disregard, we resolved the issue by moving the ias.xml file and allowing NPS to build a new config and reconfigured from scratch. Something in the old config was causing issues.

PhilipDAth
Kind of a big deal
Kind of a big deal

Just to forewarn you - my experience is that the NPS extension tends to break 1 to 2 times per year.  It's really hard to fix as well as the logging is poor.

 

I'm going to guess you want to do this for client VPN?

If so, I strongly recommend you use AnyConnect with SAML authentication against Azure AD instead.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication 

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SA... 

 

If you *really* want to use the Windows client VPN, then I suggest using Duo for MFA instead.

https://duo.com/ 

Court
Getting noticed

Still need DUO for MFA with AnyConnect though correct?

PhilipDAth
Kind of a big deal
Kind of a big deal

You don't require Duo if you authenticate directly against AzureAD using SAML with Cisco AnyConnect.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels