How to create or view logs for NPS RADIUS server


I've set-up a RADIUS server within my network for my Cisco 877 device to point to my RADIUS server for authentication.

The problem i'm having is that when I'm connecting via the Cisco device it fails to authenticate.  To clarify what I am doing, I try a log-in and receive a cget lost message.

When I connected from a client using Radius Test it connects fine.

I know the Cisco is hitting the RADIUS server, because when I don't allow the Cisco IP to connect, the event viewer says blocked connection from the IP in question.

The event viewer isn't very helpful though when IP is allowed, in fact I have nothing posted at all.

Does anyone know how I can debug the issue with authentication.

Who is Participating?
Without seeing your config my best advice to start is to use the exec command: test aaa group radius <username> <password> {legacy | new-code}. This will generate one of three messages:
No authoritive response, which means your not hitting the NPS
User Rejected, which means you are hitting it but being rejected
User Authenticated, which means, well, authenticated...
Setting up NPS for Cisco devices can be tricky and soemtimes invloves removing policies, items and recreating to get them to work.
Please see the attached document for a guide my coworker and I set up.
You may also find the followign helpful:
And remember, NPS uses ports 1645 and 1646 for RADIUS, not 1812 and 1813.
benowensAuthor Commented:
Okay i'll look at the exec commands and see what we get.  I am using a Windows 2013 server and set-up NPS according to this guide.

Seems to work fine on the Windows side.  As I said, used a few RADIUS testing tools and the report authentication working fine.  Note:  I have to change to the allowed IP to my client PC when I test it from my client.  

I was really looking for some sort of Windows log which shows the traffic or connection.

As said, when I allow the IP of the Cisco device to connect, it doesn't show anything on the event viewer.  However when I set the allowed IP to my client PC, then try to connect from the Cisco via telent login, it posts a message "A RADIUS message was received from the invalid RADIUS client IP address"
What is the ip address of the client pc and the router?
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

benowensAuthor Commented:
Just had of progression I think.  We reset the shared secret but my colleague who is looking after the Cisco side submitted the shared secret using the unencrypted option.  The login now works fine from telnet.  I would still like to find out how to troubleshoot that on the Windows side.

The IP of the Cisco is and the IP of my client is
Yes, the only way I have found to pass the RADIUS request from a Cisco device to a Windows NPS is with the unencrypted option. The password itself is encrypted but that is all. If you do find a way to do it with encryption, please post it here, I'd love to see someone make that work:) We only use RADIUS as a backup for our Cisco devices after TACACS for just that reason. When you say you changed to unencrypted to you mean like on page 12 of the document, under configure authentication methods?
benowensAuthor Commented:
Ah, no sorry, not there.  I mean my colleague set the shared secret as unencrypted on the Cisco device.  I think by default it was encrypted and therefore there was a shared secret mismatch.  I haven't looked at TACACS.  I'll have to chekc that out.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.