Cisco ASA with RADIUS authentication on W2K8 R2 NPS / RADIUS with Smartcard
Hi folks, I'm working with our network provider to get a proper RADIUS authentication or authorization with a Cisco ASA. We're working with smartcards, and the process seems to work with a simple username / password authentication. But if we try to authenticate with smartcards, the ASA tries to communicate with our NPS and this process generates the following error log:

Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
  Security ID: NULL SID
  Account Name: user@domain.ch
  Account Domain: DOMAIN
  Fully Qualified Account Name: DOMAIN\user
Client Machine:
  Security ID: NULL SID
  Account Name: -
  Fully Qualified Account Name: -
  OS-Version: -
  Called Station Identifier: 1.2.3.4
  Calling Station Identifier: 4.3.2.1
NAS:
  NAS IPv4 Address: 1.1.2.2
  NAS IPv6 Address: -
  NAS Identifier: -
  NAS Port-Type: Virtual
  NAS Port: 68
RADIUS Client:
  Client Friendly Name: MVA - Connectis ASA
  Client IP Address: 1.2.3.4
Authentication Details:
  Connection Request Policy Name: MVA
  Network Policy Name: -
  Authentication Provider: Windows
  Authentication Server: server.domain.ch
  Authentication Type: PAP
  EAP Type: -
  Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

We tried as much as we could (from my perspective) ;) It seems that NPS needs authentication instead of authorization only. We need only authorization because the Cisco ASA sorts out the smartcard process in terms of certificate validation (CRL and so on). Anyone out there with similar problems or a possible solution?
-mike
September 20th, 2010 4:13am

Unfortunately you cannot accomplish what you are trying to do with NPS (or IAS) out of the box. NPS will do both authentication and authorization unless you have a custom extension DLL that offloads either of these to third party applications. These are custom, so you would have to write them yourself. With NPS, in the absence of an extension DLL, we require AD to have the certificate mapped to the user's account.
Clay Seymour - MSFT
September 28th, 2010 3:23pm
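The following PowerShell script is an added triage example, not code from either poster. It pulls recent NPS denial events (Security log event ID 6273, the event whose text is pasted in the question), extracts the fields that identify this failure mode (Authentication Type PAP, no EAP type, Reason Code 16), and then checks whether the AD account carries the certificate mapping the answer says NPS requires. It assumes it runs on the NPS server with the ActiveDirectory RSAT module available; the user name is a placeholder taken from the post.

```powershell
# Added example (not from the original thread): triage an NPS reason-code-16
# denial and check whether the user's AD account carries a certificate mapping.
# Assumptions: run on the NPS server, ActiveDirectory module installed, and the
# UPN below is a placeholder copied from the post.
param(
    [string]$UserPrincipalName = 'user@domain.ch',   # placeholder
    [int]$Hours = 24
)

# Event ID 6273 = "Network Policy Server denied access to a user" (Security log).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6273
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

# Pull the fields that matter for this failure mode out of the event message.
$denials = foreach ($e in $events) {
    $msg = $e.Message
    if ($msg -notmatch [regex]::Escape($UserPrincipalName)) { continue }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        AuthType   = if ($msg -match 'Authentication Type:\s+(\S+)') { $Matches[1] } else { '-' }
        EapType    = if ($msg -match 'EAP Type:\s+(.+)') { $Matches[1].Trim() } else { '-' }
        ReasonCode = if ($msg -match 'Reason Code:\s+(\d+)') { [int]$Matches[1] } else { -1 }
        NasIp      = if ($msg -match 'NAS IPv4 Address:\s+(\S+)') { $Matches[1] } else { '-' }
    }
}

$denials | Format-Table -AutoSize

# Reason code 16 together with Authentication Type PAP and no EAP type means the
# NAS sent a plain username/password exchange. For a smartcard logon there is no
# password NPS can verify, which is exactly the mismatch reported in the thread.
$pap16 = @($denials | Where-Object { $_.ReasonCode -eq 16 -and $_.AuthType -eq 'PAP' })
if ($pap16.Count -gt 0) {
    Write-Warning ("{0} PAP denial(s) with reason code 16 for {1}: the NAS is not carrying a credential NPS can validate." -f $pap16.Count, $UserPrincipalName)
}

# Per the answer, NPS needs the certificate mapped to the AD account. The mapping
# lives in the altSecurityIdentities attribute (X509:<I>...<S>... entries).
Import-Module ActiveDirectory
$user = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" -Properties altSecurityIdentities
if (-not $user) {
    Write-Warning "No AD account found for $UserPrincipalName (a name that maps to no account is one of the reason-16 causes)."
} elseif (-not $user.altSecurityIdentities) {
    Write-Warning "Account exists but has no altSecurityIdentities certificate mapping."
} else {
    $user.altSecurityIdentities | ForEach-Object { "Mapped: $_" }
}
```

Run it as an administrator on the NPS host, e.g. `.\Check-NpsDenial.ps1 -UserPrincipalName user@domain.ch -Hours 48`. The two warnings separate the two causes the event text lumps together: a request that never carried a verifiable credential (PAP from the ASA) versus an account that has no certificate mapping for NPS to match.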
