Meraki

Community

Vendor Specific Attribute on Windows NPS for Cisco Meraki Radius

GaryC
Comes here often
‎Jul 5 2024 4:30 PM
‎Jul 5 2024 4:30 PM

Vendor Specific Attribute on Windows NPS for Cisco Meraki Radius

2024-nps-log.jpg

I was told to reduce or set the listening AVP/VSA on Windows NPS from the standard to only (below):

NAS-IP-Address (mgmt of the switch instead of 6.X)
NAS-Port-Type (Async instead of Ethernet)
User-Name
User-Password

How do I do this on Windows NPS for C9300 on meraki?
It works fine with MS120 without any specific attributes.

0 Kudos
4 Replies 4
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jul 5 2024 7:28 PM
‎Jul 5 2024 7:28 PM

Maybe it will help you.

 

https://learn.microsoft.com/en-us/azure/virtual-wan/user-groups-radius

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 7 2024 2:24 PM
‎Jul 7 2024 2:24 PM

I don't fully understand your question.

 

Are you saying you are being sent a set of attributes, but you don't want to receive all of them?
If so, you can't stop them being sent to you - but NPS will only act on the attributes you configure it to do so.  So if you don't want to use an attribute, don't match on it.

 

You get the error above when you have not created a policy that matches any of the attributes being presented.

0 Kudos
In response to PhilipDAth
GaryC
Comes here often
‎Jul 8 2024 1:13 AM
‎Jul 8 2024 1:13 AM

@PhilipDAth
I was told to limit the listening attributes on the NPS policy.
As you have pointed out:


If so, you can't stop them being sent to you - but NPS will only act on the attributes you configure it to do so.  So if you don't want to use an attribute, don't match on it.

 

You get the error above when you have not created a policy that matches any of the attributes being presented.

I have tried with Ethernet only, with no vendor set attributes. Which then resulted in the CRP error.

With that said. I am unsure how or/and where to set these listening attributes. Thank you for reconfirming the miss configuration/issues I am having.

The link that @alemabrahao has linked, from first glance looks like that is what I am looking for. But I am not sure where to get the attribute prefix for the attributes I need.

NAS-IP-Address
NAS-Port-Type (Async instead of Ethernet)
User-Name
User-Password






0 Kudos
In response to GaryC
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 8 2024 1:19 AM
‎Jul 8 2024 1:19 AM

Try authenticating.  Go to the event viewer, security, and filter on event IDs 6272 and 6273.  It will show you every attribute presented.  You can match on what you see here - and nothing else.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2025 Cisco Systems, Inc.