
Network Policy Server

Handian Sudianto 7,241 Reputation points
2026-06-05T10:29:28.0966667+00:00

We use NPS as RADIUS authentication for my Cisco devices, so if we need to log in to a Cisco device we enter the AD username, and this is working fine. On the Cisco device I also have a local user, and RADIUS (NPS) was set up as the first authentication method. So the device will authenticate using the local account from the device only if RADIUS (NPS) fails to respond or RADIUS (NPS) is dead.

Now we have a requirement that we can use the local account together with the RADIUS (NPS) users, and to enable this we need to change the reply message from NPS from reject to drop if the entered user is not in RADIUS (NPS). How can we change the reply message from reject to drop on NPS?


2 answers

  1. Harry Phan 22,230 Reputation points Independent Advisor
    2026-06-05T10:58:39.7833333+00:00

    Hello Handian,

    NPS can't be configured to "drop" requests instead of sending a reject. By design, RADIUS servers must reply with either Access-Accept or Access-Reject, and there's no supported way to make NPS silently ignore invalid users. If you want Cisco to fall back to local accounts even when the username isn't in AD, you'll need to adjust the device's AAA method list. Set RADIUS as the first method and local as the second, but allow reject responses to still trigger the local fallback. In Cisco IOS, this is done by configuring aaa authentication login default group radius local so that if RADIUS rejects or is unreachable, the device will check the local database. The change has to be on the Cisco side; NPS cannot be modified to "drop" instead of "reject".

    I really hope it's helpful to you!

    Harry.

  2. AI answer

    2026-06-05T10:29:41.5266667+00:00

    NPS cannot be configured to "drop" an Access-Request instead of replying with Access-Reject when a request does not match any policy or when the credentials are invalid.

    According to NPS connection request processing:

    • RADIUS Access-Request messages are processed or forwarded only if they match at least one connection request policy.
    • If the settings of an incoming Access-Request do not match any connection request policy, NPS sends an Access-Reject to the RADIUS client and the user is denied access.

    This behavior is by design and is not changeable to a silent drop. NPS can:

    • Process requests locally as a RADIUS server.
    • Forward requests to another RADIUS server as a RADIUS proxy.
    • Discard requests only when they do not match any policy, but in that case it still returns Access-Reject to the client.

    To allow local accounts on the Cisco device to be used when AD/NPS users are not found, the behavior must be controlled on the Cisco side (for example, by changing AAA method lists or local/remote user matching), not by changing NPS’s response type.

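Both answers point at the device-side AAA method list (Harry's answer names the aaa authentication login command; the AI answer refers to changing AAA method lists) but neither shows the surrounding configuration. The following Cisco IOS configuration is an added example, not text from the question or from either answer. The server name NPS01, the group name NPS-GROUP, the address 192.0.2.10, the local username and the secrets are placeholders to be replaced with your own values.

```cisco
! Added example: Cisco IOS AAA with the NPS RADIUS server as the first
! method and the local user database as the second. Names, the address
! and the secrets are placeholders (assumptions), not values from the
! question or the answers.
aaa new-model
!
! RADIUS server definition (IOS 15.x "radius server" syntax; older
! images use "radius-server host" instead). Keep the timeout short so a
! dead NPS does not hold up logins for long before the local fallback.
radius server NPS01
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
 timeout 5
 retransmit 2
!
aaa group server radius NPS-GROUP
 server name NPS01
!
! Method lists: try the NPS group first, then the local database.
aaa authentication login default group NPS-GROUP local
aaa authorization exec default group NPS-GROUP local if-authenticated
!
! Local break-glass account, used only when the method list reaches
! "local". Use "secret" (hashed), never "password".
username localadmin privilege 15 secret REPLACE-WITH-LOCAL-SECRET
!
line vty 0 4
 login authentication default
 transport input ssh
```

One caveat a practitioner should check before relying on this: in IOS a method list advances to the next method only when the current method returns an error (the RADIUS servers time out or are marked dead). An Access-Reject is a definitive answer and ends evaluation, so a user who is unknown to NPS is rejected rather than tried against the local database; this is exactly the behaviour the question describes. To see which way NPS answered, check the Security log on the NPS server: Event ID 6273 records each denied request together with the reason code, which distinguishes an unknown account from a wrong password or a policy mismatch.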
