I am trying to setup a Cisco ASA (version 9.1(7)6) to authenticate against a Microsoft Network Policy Server 2012 R2.
The ASA is able to communicate with the NPS server, however the test aaa-server
command returns AAA Failure. Checking the security event log on the NPS server shows that authentication is failing because The user attempted to use an authentication method that is not enabled in the matching network policy.
and Authentication Type: PAP
.
What I dont understand is that Unencrypted authentication (PAP, SPAP)
is enabled for the network policy. The server is on a fresh install of Windows and there is only a single network policy outside of the defaults. The event log entry does show it is matching my single (non-default) network policy. There do not appear to be any other relevant event log entires.
There only seems to be a problem with PAP authentication, as I am able to login via my VPN connection by authenticating against the NPS by using MSCHAPv2. As a note, the test aaa-server
command only supports PAP authentication.
In NPS, make sure PAP is enabled on the Connection Request Policy in addition to the Network Policy. I had a similar problem authenticating Cisco Prime Infrastructure using PAP, so maybe my solution will be applicable to you as well.