NPS for authorization only?

asked 2021-04-14T15:34:47.927+00:00
Jeremy J Hallam 96 Reputation points


I am currently using NPS for authentication and authorization for my Cisco AnyConnect VPN users. NPS is either granting or denying access, and if access is granted, it is sending a Class attribute back to the ASA with the grant reply that tells the ASA what policy to apply to the user. We are doing this to dynamically assign users to specific VLANs based on AD group membership.

I am currently working on switching the authentication piece to Okta SAML. That is working, but I now need to make a second call to the NPS server for the Class attribute (authorization) so the ASA can assign the user to the correct VLAN.

I know that the process of making the separate authorization call to a RADIUS server is possible and is fairly common practice. What I am not seeing is how to write the Network Policy for just the Authorization piece. You have to select a Grant or Deny option.

From my research, since the authentication is happening elsewhere, the ASA does not have a user password to send to the NPS server. All it has to send is the username it receives from the authentication server (Okta). Am I able to configure it to ignore the password somehow?




Accepted answer
  1. answered 2021-04-15T19:04:43.15+00:00
    Jeremy J Hallam 96 Reputation points

    While it is true you need a username and password to authenticate, I did not ask about authentication. I asked about authorization only. I also discovered that this is 100% possible with NPS. The ASA profile is configured to send an authorization-only request to the NPS server after it authenticates from a different source (in my case Okta). Then, in NPS, you have to check the "Allow clients to connect without negotiating an authentication method" box shown in the image below in the network policy. This allows the ASA to receive the attribute back from the network rule that satisfies the condition. In my case the condition is that the user is in a specific AD group.

    You can also set the policy in the ASA to fail authentication if the user is not present in the authorization database. This can add an extra layer of security. Even if the user is authenticated by the different source (in my case Okta), AnyConnect will not allow the user to connect if they are not also in one of the AD groups that is defined in the NPS server for authorization.
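
The exchange described in this answer, as an added example that is not part of the original post and is not Cisco or Microsoft code: a RADIUS Access-Request that carries no User-Password attribute, and a check that only trusts the Class attribute from a reply whose Response Authenticator verifies against the shared secret. Assumptions: the request is marked with Service-Type = Authorize-Only, and the user name, shared secret and Class value are constructed sample values.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                     # RADIUS codes (RFC 2865)
USER_NAME, USER_PASSWORD, SERVICE_TYPE, CLASS, MSG_AUTH = 1, 2, 6, 25, 80
AUTHORIZE_ONLY = 17                                      # Service-Type value (RFC 5176), assumed here

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(packet):
    """Return [(type, value)] after bounds-checking every attribute length."""
    (length,) = struct.unpack("!H", packet[2:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length")
    out, i = [], 20
    while i < length:
        if i + 2 > length or packet[i + 1] < 2 or i + packet[i + 1] > length:
            raise ValueError("malformed attribute")
        out.append((packet[i], packet[i + 2:i + packet[i + 1]]))
        i += packet[i + 1]
    return out

def build_authz_request(username, secret, ident):
    """Access-Request with no User-Password; Message-Authenticator protects it."""
    attrs = (attr(USER_NAME, username.encode())
             + attr(SERVICE_TYPE, struct.pack("!I", AUTHORIZE_ONLY))
             + attr(MSG_AUTH, bytes(16)))                # zeroed while the HMAC is computed
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16)
    return head + attrs[:-16] + hmac.new(secret, head + attrs, hashlib.md5).digest()

def sign_reply(code, request, attrs, secret):
    """Constructed stand-in for the server side: builds a signed reply."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + auth + attrs

def class_from_reply(reply, request, secret):
    """Class values from a verified Access-Accept; [] for any other verified reply."""
    attrs = parse_attrs(reply)
    length = struct.unpack("!H", reply[2:4])[0]
    want = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if reply[1] != request[1] or not hmac.compare_digest(want, reply[4:20]):
        raise ValueError("reply fails Response Authenticator check")
    return [v for t, v in attrs if t == CLASS] if reply[0] == ACCESS_ACCEPT else []

SECRET = b"constructed-shared-secret"                    # constructed sample value
REQ = build_authz_request("jdoe", SECRET, ident=7)       # constructed user name
ACCEPT = sign_reply(ACCESS_ACCEPT, REQ, attr(CLASS, b"OU=GP-VLAN20;"), SECRET)
if __name__ == "__main__":
    print(class_from_reply(ACCEPT, REQ, SECRET))
```

Because the request carries no password, the shared secret is the only thing binding the Class value to the server that issued it, so a reply that fails the check is rejected rather than parsed for attributes.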

1 additional answer

  1. answered 2021-04-15T09:49:58.877+00:00
    Sunny Qi 10,651 Reputation points


    Thanks for posting on the Q&A platform.

    Please understand your issue is also related to some third party products which we're not familiar with, and we don't have such machines for testing in our lab from forum support level.

    From the NPS server perspective, if you need to authenticate users based on AD group membership, NPS must identify the user name and password to grant or deny network access if the connection request matches this policy. I'm afraid your goal to configure NPS to ignore the password cannot be achieved.


    Best Regards,

