Windows NPS policy order issue

agradmin used Ask the Experts™
We have 2 network policies set for our Radius clients;
1) Allow VPN connections (to VPN user group)
2) Grant priv 15 access to Cisco devices to admin group

Our issue is that if we have is that only the first policy is being processed - the VPN policy is first then we are unable to get to privileged mode on our Cisco devices, if Cisco is first then users cannot authenticate over VPN as this is being rejected by the Cisco rule.

I believe this was working in the past, so am unsure whether this is a configuration problem or the issue lies elsewhere. Nothing has changed that might explain this problem.

Thanks in advance.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
George SasIT Engineer

Not sure how you configured this Policies and if they are Connection Request policies or Network Policies and what are the conditions.
Might help if you give some details.

Also , 1 should be a Connection Request Policy and 2 should be a Network Policy , if looking at it without knowing ant further details.
enable event-logging and check for differences within submitted parameters.
because one is network-access authentication and the other management access you should see some.
use these parameters within NPS-Conditions to specify the correct policy.

with current OS the eventlog keeps empty by default.
enable audit-policy ...
- local security policy / advanced audit... / logon/logoff /networkpolicyserver
Pete LongTechnical Consultant

? It will match the first policy, put the Cisco Management policy above the VPN policy
Acronis in Gartner 2019 MQ for datacenter backup

It is an honor to be featured in Gartner 2019 Magic Quadrant for Datacenter Backup and Recovery Solutions. Gartner’s MQ sets a high standard and earning a place on their grid is a great affirmation that Acronis is delivering on our mission to protect all data, apps, and systems.


We have 2 Connection Request policies;
1 - VPN connections (set NOT to override Network Policies)
2- Use windows auth for all users

We also have 2 Network policies as described;
1- Allow VPN connections to group members
2 - Allow Cisco priv 15 access to admin group members

As indicated, it looks like only the first policy is being referenced. I have logging enabled as see VPN connections being rejected by the Cisco rule when this is first in the list.


I now believe the issue may be in the way the rules are being executed. Both are controlled by user groups (say 'VPN_access' for the VPN rule, 'Cisco_Support' for the Cisco level 15 rule).

As some accounts are members of both groups I feel that settings that apply to the first rule are being applied and the second rule is not tested. In this case I plan to put the (restrictive) Cisco access rule first and ensure related users use a separate account for VPN access.

Does that make sense to you?
I have tested order and group membership as per my past comment. Checking functionality and NPS logs seems to verify this theory.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial