As the only network engineer on staff, I'm finally getting around to configuring NPS as a RADIUS server for our network devices so we can finally be rid of local-auth passwords and I'm running into a strange issue where NPS simultaneously fails and authorizes logins via SSH.
We are using Netgear Prosafe switches and AAA is configured correctly. I have a Connection Request and Network Policy configured. The setup so far is fairly basic, owing in part to my complete inexperience with NPS and reading endless blog posts, docs, and trying to fill in the blanks in between.
The Connection Request Policy:
- Looks for RADIUS Clients containing the friendly name "Switch_" (we'll be setting up WPA2-Enterprise authentication on our WAPs next, so this seems like the right way to differentiate policies).
- Authentication is set to "Authenticate requests on this server".
And that's it.
The Network Policy:
- Also looks for the friendly name "Switch_"
- Authenticates users in the user group "[DOMAIN]\NetEng"
- The correct Authentication Method is selected (PAP, SPAP)
- "Do not allow Multilink connections" is disabled under Multilink and BAP, which stopped an error that was being generated in syslog.
- Service-Type = Administrative is enabled, since logging into the GUI will drop me into Operator mode otherwise.
And it works! Sort of. When I log into the GUI everything works fine. Huzzah.
When I log in via SSH, it also works BUT the NPS generates an error at the Connection Request Policy level after I enter my username:
Reason Code: 16 Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
...but after I type in my password, I authenticate successfully. So NPS is trying to verify my username after I hit return, fails, but still passes the request to the Network Policy which finds my username/password combination in the AD group, and authenticates no problem. While it WORKS, I'd obviously love for syslog and the NPS logs not to flood with false "authentication failure" messages. I've fumbled with the Connection Request Policy but I'm not sure what changes I need to make, and it seems like any other changes I have made causes authentication requests to ignore the policy altogether and then drop.
Initially I thought it was a switch AAA config issue, but I ran Wireshark on the NPS and saw the same thing: enter username, hit return: access-request made, followed by access-reject - then enter my password - access-request made, access-accept. So it's probably related to how I have the CRP set up, but I'm not sure what else I should be doing there. Any suggestions? Thanks, all!
No comments:
Post a Comment