Hi,
I am trying to get my Cisco Catalyst switches (2960G) to use MS NPS as a RADIUS server so that AD accounts can be used to log into and manage the device.
I have read several guides on the internet including some posts here at EE - no resolution.
My problem is that I get 'Authentication was not successful because an unknown user name or incorrect password was used' in the event logs.
I am 100% sure that the username and password are correct. The account is also not locked out and does not have any options such as 'change at next logon'.
I have tried the account in AD dial-in properties with 'Allow access' and 'Control with NPS Network Policy'.
The account becomes locked after a while, which tells me that the correct account in AD is identified, but the password being tried on the account is not identical to what I enter when I try to log on. I have verified the password is entered correctly by typing it in the username field as a test (so that I can see the characters that I type).
The NPS runs on the AD DC.
Any idea what I am missing?
The exact error in event viewer is:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: salt.cobus.burger
Account Domain: NATDOM
Fully Qualified Account Name: NATDOM\salt.cobus.burger
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: 10.36.8.10
NAS:
NAS IPv4 Address: 10.36.29.11
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: 2
RADIUS Client:
Client Friendly Name: SWI000001
Client IP Address: 10.36.29.11
Authentication Details:
Proxy Policy Name: Cisco devices policy - v1
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: svr000001.natdom.local
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Reason Code: 16
Reason: Authentication was not successful because an unknown user name or incorrect password was used.
My Cisco config:
aaa new-model
!
!
aaa group server radius Radius-svr-grp-1
server-private 10.36.8.10 auth-port 1645 acct-port 1646 key 7 12341234123412341562346
!
aaa authentication login default group Radius-svr-grp-1 line
!
!
!
aaa session-id common
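The symptom described (the right AD account is found and eventually locked out, but the password tried is not the one typed) is what a shared-secret mismatch produces with PAP: RFC 2865 sends User-Name in clear and hides User-Password only by XORing it with MD5(secret + Request Authenticator), so a server holding a different secret recovers garbage and checks that against AD. The following added example (not from the original post; the secrets and authenticator are constructed values) implements that hiding and shows what the server side sees with a matching and a mismatched key:

```python
import hashlib

# Constructed sample values, not taken from the original post: a 16-octet
# Request Authenticator as the NAS would generate it, and two shared secrets.
REQUEST_AUTHENTICATOR = bytes(range(0xA0, 0xB0))
NAS_SECRET = b"Sw1tch-Secret"    # key configured on the switch
NPS_SECRET = b"Sw1tch-Secret2"   # key on the NPS RADIUS client entry (one char off)

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side, RFC 2865 s5.2: zero-pad the PAP password to a multiple of 16
    octets and XOR each block with MD5(secret + previous ciphertext block),
    the first block being keyed by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with *this server's* secret. There is no
    integrity check here, so a wrong secret yields garbage rather than an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def server_view(username: str, password: str, nas_secret: bytes, server_secret: bytes,
                authenticator: bytes = REQUEST_AUTHENTICATOR) -> tuple:
    """What the RADIUS server ends up checking against AD: User-Name travels in
    clear, so the account is always found; only the password depends on the
    secrets matching. Returns (username, recovered_password, matches)."""
    hidden = hide_user_password(password.encode(), nas_secret, authenticator)
    recovered = reveal_user_password(hidden, server_secret, authenticator)
    return username, recovered, recovered == password.encode()


if __name__ == "__main__":
    for label, secret in (("matching secret", NAS_SECRET), ("mismatched secret", NPS_SECRET)):
        user, pw, ok = server_view("alice", "Correct-Horse-7!", NAS_SECRET, secret)
        print(f"{label}: account={user!r} password_tried={pw!r} valid={ok}")
```

Because User-Password carries no integrity check unless the NAS also sends a Message-Authenticator attribute, the server cannot tell a wrong secret from a wrong password, so the only visible signals are reason code 16 and the lockouts. Comparing the key on the switch with the one stored on the NPS RADIUS client entry is therefore the first thing to rule out.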