How to create or view logs for NPS RADIUS server

Posted on 2013-11-11
Last Modified: 2013-11-13

I've set-up a RADIUS server within my network for my Cisco 877 device to point to my RADIUS server for authentication.

The problem i'm having is that when I'm connecting via the Cisco device it fails to authenticate.  To clarify what I am doing, I try a log-in and receive a cget lost message.

When I connected from a client using Radius Test it connects fine.

I know the Cisco is hitting the RADIUS server, because when I don't allow the Cisco IP to connect, the event viewer says blocked connection from the IP in question.

The event viewer isn't very helpful though when IP is allowed, in fact I have nothing posted at all.

Does anyone know how I can debug the issue with authentication.

Question by:benowens
  • 3
  • 3

Accepted Solution

psychokraft earned 500 total points
ID: 39638881
Without seeing your config my best advice to start is to use the exec command: test aaa group radius <username> <password> {legacy | new-code}. This will generate one of three messages:
No authoritive response, which means your not hitting the NPS
User Rejected, which means you are hitting it but being rejected
User Authenticated, which means, well, authenticated...
Setting up NPS for Cisco devices can be tricky and soemtimes invloves removing policies, items and recreating to get them to work.
Please see the attached document for a guide my coworker and I set up.
You may also find the followign helpful:
And remember, NPS uses ports 1645 and 1646 for RADIUS, not 1812 and 1813.

Author Comment

ID: 39638911
Okay i'll look at the exec commands and see what we get.  I am using a Windows 2013 server and set-up NPS according to this guide.

Seems to work fine on the Windows side.  As I said, used a few RADIUS testing tools and the report authentication working fine.  Note:  I have to change to the allowed IP to my client PC when I test it from my client.  

I was really looking for some sort of Windows log which shows the traffic or connection.

As said, when I allow the IP of the Cisco device to connect, it doesn't show anything on the event viewer.  However when I set the allowed IP to my client PC, then try to connect from the Cisco via telent login, it posts a message "A RADIUS message was received from the invalid RADIUS client IP address"

Expert Comment

ID: 39638932
What is the ip address of the client pc and the router?
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.


Author Comment

ID: 39638978
Just had of progression I think.  We reset the shared secret but my colleague who is looking after the Cisco side submitted the shared secret using the unencrypted option.  The login now works fine from telnet.  I would still like to find out how to troubleshoot that on the Windows side.

The IP of the Cisco is and the IP of my client is

Expert Comment

ID: 39639040
Yes, the only way I have found to pass the RADIUS request from a Cisco device to a Windows NPS is with the unencrypted option. The password itself is encrypted but that is all. If you do find a way to do it with encryption, please post it here, I'd love to see someone make that work:) We only use RADIUS as a backup for our Cisco devices after TACACS for just that reason. When you say you changed to unencrypted to you mean like on page 12 of the document, under configure authentication methods?

Author Comment

ID: 39639229
Ah, no sorry, not there.  I mean my colleague set the shared secret as unencrypted on the Cisco device.  I think by default it was encrypted and therefore there was a shared secret mismatch.  I haven't looked at TACACS.  I'll have to chekc that out.

Featured Post

Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco ASA 5505 Login issues 2 38
Using VLAN Interface in ASA 5 32
Help logging in to my router 12 45
ASA and ICMP 4 20
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question