Using the "VPN NAP Enforcement in a Test Lab" step-by-step guide, I am trying to set up and test a VPN solution, but am having problems getting NAP authentication to work. I am not sure if there is an issue with the ASA, the NAP server or the client.
The information below is how we have it configured.
Cisco ASA 5500 series configured as the Internet Facing device
Server 2008 is configured as RADIUS server and NAP authentication server
Windows XP SP3 machines as the clients; these machines are running the Cisco VPN client version 5.0.x
It appears that the SOH is not being passed or received by the client/NAP server. Whenever we enable the NAP policies, we get the following error in the Event Logs:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: domain\username
Account Name: username
Account Domain: domain
Fully Qualified Account Name: domain\username
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -
NAS:
NAS IPv4 Address: 172.16.102.3
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: 87
RADIUS Client:
Client Friendly Name: EVG ASA
Client IP Address: 172.16.102.3
Authentication Details:
Proxy Policy Name: NAP VPN 2
Network Policy Name: NAP VPN 2 Non NAP-Capable
Authentication Provider: Windows
Authentication Server: MSMMV102.domain.com
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Reason Code: 65
Reason: The connection attempt failed because network access permission for the user account was denied. To allow network access, enable network access permission for the user account, or, if the user account specifies that access is controlled through the matching network policy, enable network access permission for that network policy.
- How does one troubleshoot from the PC side of things? Other than netsh, are there logs anywhere that detail the SOH being passed to the NAP server?
- No matter what Network Policies we use, the client machines are being seen as Non NAP-Capable.
- It appears that we are only able to pass PAP and not EAP/PEAP. Is there a way to configure either the RADIUS/NAP server or the ASA to allow EAP and NAP to go through when using the Cisco VPN client?
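As an added example (not part of the original post), here is a small Python script that parses the NPS "denied access" event text quoted above into its fields and reads off what the fields already say about why no SoH reached the NAP server. The sample event is constructed from the post's own fields, and the function names are my own. It relies on one documented fact: NAP VPN enforcement carries the client's Statement of Health inside PEAP, so a request authenticated with PAP (EAP Type "-") can never be evaluated as NAP-capable.

```python
"""Triage an NPS 'Network Policy Server denied access to a user' event.

Added example, not the poster's code. SAMPLE_EVENT is constructed from the
fields shown in the post (trimmed to the ones the triage uses).
"""

# Constructed sample event text, copied from the post's field names/values.
SAMPLE_EVENT = """\
Network Policy Server denied access to a user.
User:
Security ID: domain\\username
Account Name: username
Client Machine:
Security ID: NULL SID
OS-Version: -
NAS:
NAS IPv4 Address: 172.16.102.3
NAS Port-Type: Virtual
RADIUS Client:
Client Friendly Name: EVG ASA
Authentication Details:
Proxy Policy Name: NAP VPN 2
Network Policy Name: NAP VPN 2 Non NAP-Capable
Authentication Type: PAP
EAP Type: -
Reason Code: 65
"""


def parse_nps_event(text):
    """Return a dict of 'Field: value' pairs from the event body.

    Lines that end in ':' with no value ("User:", "NAS:") are section
    headers. Field names that repeat across sections (e.g. 'Security ID'
    under both User and Client Machine) are stored section-qualified as
    'Section/Field'; the unqualified name keeps the first occurrence.
    """
    fields = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        if line.endswith(":"):
            section = line[:-1]
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if section:
            fields[f"{section}/{key}"] = value
        fields.setdefault(key, value)
    return fields


def triage(fields):
    """Return a list of findings explaining the denial from the event fields."""
    findings = []
    auth_type = fields.get("Authentication Type", "").upper()
    eap_type = fields.get("EAP Type", "-")
    policy = fields.get("Network Policy Name", "")
    reason = fields.get("Reason Code", "")

    # NAP VPN enforcement transports the SoH inside PEAP; PAP has no EAP
    # payload at all, so NPS never receives health data on such a request.
    if auth_type == "PAP" or eap_type == "-":
        findings.append(
            f"authentication is {auth_type or 'non-EAP'} with EAP Type '{eap_type}': "
            "the SoH travels inside PEAP, so this request cannot be NAP-capable"
        )
    if "Non NAP-Capable" in policy:
        findings.append(
            f"matched policy '{policy}': NPS saw no health data and fell through "
            "to the non-NAP-capable policy"
        )
    if reason == "65":
        findings.append(
            "reason code 65: the matched policy (or the account's dial-in setting) "
            "denies access; fix the authentication method first, then re-check "
            "that policy's access permission"
        )
    return findings


if __name__ == "__main__":
    parsed = parse_nps_event(SAMPLE_EVENT)
    for finding in triage(parsed):
        print("-", finding)
```

Run it against the text of any 6273 event pasted into SAMPLE_EVENT; if the first finding appears, the ASA is sending a PAP request and no policy change on NPS will make the client NAP-capable.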