After a lot of digging I finally have the answer. There is an additional RADIUS attribute that needs to be sent back to the switch. The NAS-Filter-Rule attribute was the key. We had to edit C:\Windows\System32\ias\dnary (XML file) to add the attribute to the list in NPS. Added this bit of code:
<Attribute>
  <ID>92</ID>
  <Name>NAS-Filter-Rule</Name>
  <Syntax>OctetString</Syntax>
  <MultiValued>1</MultiValued>
  <Is-Security-Sensitive>0</Is-Security-Sensitive>
  <IsAllowedInProfile>1</IsAllowedInProfile>
  <IsAllowedInCondition>0</IsAllowedInCondition>
  <IsAllowedInProxyProfile>1</IsAllowedInProxyProfile>
  <IsAllowedInProxyCondition>0</IsAllowedInProxyCondition>
  <LDAPName>msRADIUSNASFilterRule</LDAPName>
  <IsTunnelAttribute>0</IsTunnelAttribute>
</Attribute>
After rebooting the server I was then able to add this attribute to a network policy in NPS.

Original Message:
Sent: 02-24-2022 11:28
From: bfaltys
Subject: ERS4900 Enhanced Secure Mode & RADIUS
Has anyone gotten this to work? I've enabled enhanced secure mode, configured 2 RADIUS servers, set cli password telnet radius. However, when I go to log in it says authentication failed, but on the Windows server it shows audit success. Wireshark also sees the RADIUS accept message. We have other Extreme/Avaya switches (VSP & ERS) and we can log in to anything not running in enhanced secure mode. Is there some additional attribute we need to send back to the switch?