Channel: Network Access Protection forum
Viewing all 1875 articles

Create a Blacklist and Apply to DENY on Radius Policy


We have wireless using NPS/RADIUS working fine. Where or how would I go about creating a domain group that I can add users to as a "blacklist" for any NPS/RADIUS access? In other words, I need a quick and dirty way to restrict one single AD user from connecting to our WiFi that uses NPS...


NPS Windows 2012 - Not Working


Hi,

I have been breaking my head for almost two weeks. I cannot make NPS work for dot1x authentication from wired clients. The initial setup I had was:

A Win 2008 DC edition acting as my AD.

A Win 2008 DC edition acting as my NPS server.

The authentication did not work.

Now I have moved to the following setup:

A Win 2012 Server R2 acting as DC and NPS server, and I have the following error:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          03-06-2015 08:53:28
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      WIN-CCLR2FCE3NG.taclab.coma
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: TACLAB\dot1x_1
Account Name: dot1x_1
Account Domain:TACLAB
Fully Qualified Account Name:TACLAB\dot1x_1

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name:-
OS-Version: -
Called Station Identifier:f8-b1-56-18-33-ed
Calling Station Identifier:f8:b1:56:b7:33:f2

NAS:
NAS IPv4 Address:10.16.212.2
NAS IPv6 Address:-
NAS Identifier:f8-b1-56-18-33-eb
NAS Port-Type:Ethernet
NAS Port: 10

RADIUS Client:
Client Friendly Name:PCT8132
Client IP Address:10.16.212.2

Authentication Details:
Connection Request Policy Name:Secure Wired (Ethernet) Connections
Network Policy Name:Secure Wired (Ethernet) Connections
Authentication Provider:Windows
Authentication Server:WIN-CCLR2FCE3NG.taclab.com
Authentication Type:EAP
EAP Type: -
Account Session Identifier:-
Logging Results:Accounting information was written to the local log file.
Reason Code: 22
Reason: The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6273</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-06-03T03:23:28.697755300Z" />
    <EventRecordID>3006</EventRecordID>
    <Correlation />
    <Execution ProcessID="500" ThreadID="588" />
    <Channel>Security</Channel>
    <Computer>WIN-CCLR2FCE3NG.taclab.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-787183095-3794202171-781640536-1105</Data>
    <Data Name="SubjectUserName">dot1x_1</Data>
    <Data Name="SubjectDomainName">TACLAB</Data>
    <Data Name="FullyQualifiedSubjectUserName">TACLAB\dot1x_1</Data>
    <Data Name="SubjectMachineSID">S-1-0-0</Data>
    <Data Name="SubjectMachineName">-</Data>
    <Data Name="FullyQualifiedSubjectMachineName">-</Data>
    <Data Name="MachineInventory">-</Data>
    <Data Name="CalledStationID">f8-b1-56-18-33-ed</Data>
    <Data Name="CallingStationID">f8:b1:56:b7:33:f2</Data>
    <Data Name="NASIPv4Address">10.16.212.2</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">f8-b1-56-18-33-eb</Data>
    <Data Name="NASPortType">Ethernet</Data>
    <Data Name="NASPort">10</Data>
    <Data Name="ClientName">PCT8132</Data>
    <Data Name="ClientIPAddress">10.16.212.2</Data>
    <Data Name="ProxyPolicyName">Secure Wired (Ethernet) Connections</Data>
    <Data Name="NetworkPolicyName">Secure Wired (Ethernet) Connections</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">WIN-CCLR2FCE3NG.taclab.com</Data>
    <Data Name="AuthenticationType">EAP</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">-</Data>
    <Data Name="ReasonCode">22</Data>
    <Data Name="Reason">The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.</Data>
    <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
  </EventData>
</Event>

Any help is much appreciated!!

NPS fails to authenticate on certain radius clients, no visible events on Event Viewer


Hey folks.

I'm trying to troubleshoot the authentication failure of some Ubiquiti APs. I've been able to set up NPS with RADIUS authentication, and the system works flawlessly for 4 wireless access points set up in my main site. The trouble is on a secondary site: while it does have IP connectivity to the NPS and the access points are configured identically, they simply fail to authenticate. I am attaching some screenshots describing my NPS setup.

There are no visible failure events on the RADIUS server, neither under Server Roles/Network Policy and Access Services nor in the Windows Logs/Security log. However, checking the log file of the NPS service (C:\Windows\System32\LogFiles), I was able to confirm that the failing access points are indeed hitting the server. The following log entry is from a failed auth attempt:

"10.0.21.10,vrg,06/04/2015,14:14:53,IAS,ITSYSMGMNT,25,311 1 10.0.1.47 06/04/2015 16:27:40 628,27,30,4108,10.0.21.10,4116,0,4128,WAP Cuvier2,4154,Secure Wirless 2,4155,1,4129,CIMEX\vrg,4130,CIMEX\vrg,4136,11,4142,0"

while this registry is from a successful attempt:

"10.0.11.10,jme,06/04/2015,14:14:48,IAS,ITSYSMGMNT,25,311 1 10.0.1.47 06/04/2015 16:27:40 627,4132,Microsoft: Secured password (EAP-MSCHAP v2),4127,11,8100,0,4120,0x0143494D4558,4108,10.0.11.10,4116,0,4128,WAP EjeNal1,4154,Secure Wirless 2,4155,1,8153,0,4129,CIMEX\jme,4149,WiFi"

Can anybody help me make sense of the log? Better yet, can anybody point out to me why some APs are authenticating, and why two of them are not?
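To make sense of the two IAS-format records quoted above, here is an added example (my own code, not from the post and not an NPS tool) that splits a record into its six fixed header fields and the attribute id/value pairs that follow, names the attribute IDs from a small subset of the NPS IAS-format attribute table (written from memory of the documented list, so cross-check it against Microsoft's IAS log documentation), and decodes the RADIUS Packet-Type and NPS Authentication-Type values. The `summarize` helper and the `attr-<id>` naming for IDs outside the table are my own conventions. Run on the two records, it shows that the "failed" entry is an Access-Challenge with Reason-Code 0, meaning NPS answered the first EAP round without error and was waiting for the access point to continue the conversation (no reject is recorded), while the successful entry records PEAP with EAP-MSCHAP v2 and the network policy "WiFi".

```python
"""Decode NPS IAS-format log records (added example; the two records are the ones quoted in the post)."""
from dataclasses import dataclass, field

# Subset of the attribute IDs used in IAS-format logs: IDs below 4000 are
# standard RADIUS attributes, IDs 4100 and up are NPS/IAS-specific.
ATTRIBUTE_NAMES = {
    25: "Class",
    27: "Session-Timeout",
    4108: "Client-IP-Address",
    4116: "NAS-Manufacturer",          # vendor of the RADIUS client; 0 = RADIUS standard
    4127: "Authentication-Type",
    4128: "Client-Friendly-Name",
    4129: "SAM-Account-Name",
    4130: "Fully-Qualified-User-Name",
    4132: "EAP-Friendly-Name",
    4136: "Packet-Type",
    4142: "Reason-Code",               # 0 = success
    4149: "NP-Policy-Name",
    4154: "Proxy-Policy-Name",
    4155: "Provider-Type",
}
# RADIUS packet codes (RFC 2865/2866) and NPS Authentication-Type values.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 11: "Access-Challenge"}
AUTH_TYPES = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAPv2",
              5: "EAP", 7: "None", 11: "PEAP"}

# The two records from the post (raw strings because of the DOMAIN\user values).
FAILED_RECORD = r"10.0.21.10,vrg,06/04/2015,14:14:53,IAS,ITSYSMGMNT,25,311 1 10.0.1.47 06/04/2015 16:27:40 628,27,30,4108,10.0.21.10,4116,0,4128,WAP Cuvier2,4154,Secure Wirless 2,4155,1,4129,CIMEX\vrg,4130,CIMEX\vrg,4136,11,4142,0"
OK_RECORD = r"10.0.11.10,jme,06/04/2015,14:14:48,IAS,ITSYSMGMNT,25,311 1 10.0.1.47 06/04/2015 16:27:40 627,4132,Microsoft: Secured password (EAP-MSCHAP v2),4127,11,8100,0,4120,0x0143494D4558,4108,10.0.11.10,4116,0,4128,WAP EjeNal1,4154,Secure Wirless 2,4155,1,8153,0,4129,CIMEX\jme,4149,WiFi"


@dataclass
class IasRecord:
    """The six fixed header fields, then the attributes by name."""
    nas_ip: str
    user: str
    date: str
    time: str
    service: str
    computer: str
    attributes: dict = field(default_factory=dict)


def parse_ias_record(line: str) -> IasRecord:
    # IAS format never quotes values, so a plain comma split is safe.
    fields = line.strip().strip('"').split(",")
    if len(fields) < 6:
        raise ValueError("IAS record needs the 6 fixed header fields")
    rec = IasRecord(*fields[:6])
    pairs = fields[6:]
    if len(pairs) % 2:
        raise ValueError("attribute list is not a sequence of id,value pairs")
    for raw_id, value in zip(pairs[::2], pairs[1::2]):
        attr_id = int(raw_id)
        # Unknown IDs are kept as attr-<id> rather than dropped.
        rec.attributes[ATTRIBUTE_NAMES.get(attr_id, f"attr-{attr_id}")] = value
    return rec


def summarize(rec: IasRecord) -> dict:
    """What NPS sent back, how the client authenticated and which policy matched."""
    a = rec.attributes
    packet = a.get("Packet-Type")
    auth = a.get("Authentication-Type")
    return {
        "user": a.get("SAM-Account-Name", rec.user),
        "client": a.get("Client-Friendly-Name"),
        "packet_type": PACKET_TYPES.get(int(packet), packet) if packet else None,
        "reason_code": int(a["Reason-Code"]) if "Reason-Code" in a else None,
        "auth_type": AUTH_TYPES.get(int(auth), auth) if auth else None,
        "eap_method": a.get("EAP-Friendly-Name"),
        "network_policy": a.get("NP-Policy-Name"),
    }


if __name__ == "__main__":
    for label, line in (("failed", FAILED_RECORD), ("ok", OK_RECORD)):
        print(label, summarize(parse_ias_record(line)))
```

When reading these logs, the pair to look at first is Packet-Type (4136) and Reason-Code (4142): a Reason-Code of 0 on an Access-Challenge is not a failure, it is an EAP conversation in progress, so the next question is why no Access-Accept or Access-Reject for that client ever follows.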

IKEv2 VPN Setup


I'm trying to setup an IKEv2 VPN on Server 2012 R2 to replace my old PPTP VPN. I have the Remote Access and NPS roles installed. 

When I try to connect from my Windows Phone I'm getting Error Code 13801 on the phone, and on the server I'm seeing Event ID 20255 from source RemoteAccess, which says: The following error occurred in the Point to Point Protocol module on port: VPN2-127, UserName: <Unauthenticated User>. Negotiation timed out

When I try to connect from my Windows 8 machines I'm getting "Error 800: The remote connection was not made because the attempted VPN tunnels failed. The VPN server might be unreachable. If this connection is attempting to use an L2TP/IPsec tunnel, the security parameters required for the IPsec, negotiation might not be configured properly."

Can someone explain to me what I'm missing? I have the following ports open in the perimeter firewall:

UDP: 500, 4500, 1701 and protocol ESP

When I get back to the office I will try connecting directly to the server to rule out the firewall as an issue but I'm fairly certain that is not my problem.


Vincent Sprague

Insure Terminal Services / Insufficient terminal Services / remote Terminal Services, RDP Server ....


Hi,

I have two Windows 2012 servers which were recently assessed by a security audit firm, and they outlined the risks below (LOW):

Server A --  running a SFTP server ( https://www.bitvise.com/ssh-server )

Server B -- Installed a SQL 2012 database, reporting service

Server A will import data to Server B SQL database via VB6 program

Some Windows 7 workstations will use https://ServerB/Report.aspx to view SQL report from Server B

As we don't need RDP access to these two servers, can we simply uninstall Terminal Server so that the security risks in items 2, 3, 4, 5... are fixed??

Please advise further... Thanks in advance...




NPS Ignores Network policy


Hi,

I have created 2 network policies on Windows 2008 NPS using the RADIUS server for 802.1X wireless or wired connections. My local desktops and laptops are working fine, but my thin clients are communicating with the RDS server.

1. NComputing (processing order 1). This policy was created using the blog http://blogs.technet.com/b/teamdhcp/archive/2008/06/15/nap-enforrcement-exemption-for-printers-and-other-network-appliances.aspx

2. Secure Wired (Ethernet) Connections (processing order 2)

But my client, which is a thin client, skips the 1st network policy and the 2nd network policy is applied by default.

Please find the event details below.

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: TESTCK\000fe0349220
Account Name: 000fe0349220
Account Domain:TESTCK
Fully Qualified Account Name:TESTCK\000fe0349220

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name:-
OS-Version: -
Called Station Identifier:5C-8A-38-26-6E-C9
Calling Station Identifier:00-0F-E0-34-92-20

NAS:
NAS IPv4 Address:192.168.110.57
NAS IPv6 Address:-
NAS Identifier:blu_nw2_cat_jupiter07
NAS Port-Type:Ethernet
NAS Port: 16781400

RADIUS Client:
Client Friendly Name:CAT
Client IP Address:192.168.110.57

Authentication Details:
Connection Request Policy Name:Secure Wired (Ethernet) Connections
Network Policy Name:Secure Wired (Ethernet) Connections
Authentication Provider:Windows
Authentication Server:cktest.testck.local
Authentication Type:PAP
EAP Type: -
Account Session Identifier:-
Logging Results:Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

Kindly help me out!!
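The Event ID 6273 description in this post (reason code 66, Authentication Type PAP) and the one in the "NPS Windows 2012 - Not Working" post above (reason code 22, Authentication Type EAP) share the same layout, so here is an added example (my own code, not from either post and not Microsoft's) that parses that layout into its sections and pulls out the fields a defender looks at first. The reason-code table is a small subset of NPS's documented list (the two codes on this page plus 16 and 48); the `mac_as_identity` check, which flags a request whose account name is the calling station's MAC address, is my own heuristic for spotting MAC-based authentication attempts in the log. The embedded inputs are trimmed copies of the two events on this page.

```python
"""Parse and triage NPS Event ID 6273 descriptions (added example; inputs are trimmed copies of two events on this page)."""
import re

# Small subset of NPS reason codes: the two seen on this page plus two
# common ones; NPS's full list is much longer.
REASON_CODES = {
    16: "Authentication failed due to a user credentials mismatch.",
    22: "The EAP type cannot be processed by the server.",
    48: "The connection request did not match any configured network policy.",
    66: "The user attempted to use an authentication method that is not "
        "enabled on the matching network policy.",
}

EVENT_EAP = r"""
User:
Security ID: TACLAB\dot1x_1
Account Name: dot1x_1
Fully Qualified Account Name:TACLAB\dot1x_1

Client Machine:
Security ID: NULL SID
Calling Station Identifier:f8:b1:56:b7:33:f2

NAS:
NAS IPv4 Address:10.16.212.2
NAS Port-Type:Ethernet

Authentication Details:
Network Policy Name:Secure Wired (Ethernet) Connections
Authentication Type:EAP
EAP Type: -
Reason Code: 22
"""

EVENT_PAP = r"""
User:
Security ID: TESTCK\000fe0349220
Account Name: 000fe0349220
Fully Qualified Account Name:TESTCK\000fe0349220

Client Machine:
Security ID: NULL SID
Calling Station Identifier:00-0F-E0-34-92-20

NAS:
NAS IPv4 Address:192.168.110.57
NAS Port-Type:Ethernet

Authentication Details:
Network Policy Name:Secure Wired (Ethernet) Connections
Authentication Type:PAP
EAP Type: -
Reason Code: 66
"""


def parse_6273_description(text: str) -> dict:
    """Map 'Section:' headings to {key: value} dicts. NPS writes some values
    with no space after the colon, so split on the first colon only."""
    sections, current = {}, "_top"
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue  # blank lines and the free-text sentences
        if line.endswith(":") and line.count(":") == 1:
            current = line[:-1]
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition(":")
        sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def normalize_mac(value: str):
    """Return 12 lowercase hex digits, or None if the value is not a MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value)
    return digits.lower() if len(digits) == 12 else None


def triage(sections: dict) -> dict:
    user = sections.get("User", {})
    client = sections.get("Client Machine", {})
    nas = sections.get("NAS", {})
    auth = sections.get("Authentication Details", {})
    code = int(auth.get("Reason Code", "0") or 0)
    account = user.get("Account Name", "")
    calling = normalize_mac(client.get("Calling Station Identifier", ""))
    # Heuristic (mine): an account name equal to the calling station MAC
    # means the NAS is doing MAC-based authentication for this port.
    mac_as_identity = calling is not None and normalize_mac(account) == calling
    return {
        "account": user.get("Fully Qualified Account Name", account),
        "nas_ip": nas.get("NAS IPv4 Address"),
        "auth_type": auth.get("Authentication Type"),
        "network_policy": auth.get("Network Policy Name"),
        "reason_code": code,
        "reason": REASON_CODES.get(code, auth.get("Reason", "unknown reason code")),
        "mac_as_identity": mac_as_identity,
    }


if __name__ == "__main__":
    for event in (EVENT_EAP, EVENT_PAP):
        print(triage(parse_6273_description(event)))
```

For the event in this post the output shows a PAP request whose identity is the port's MAC address, matched by the "Secure Wired (Ethernet) Connections" policy and rejected with reason 66; that combination of Authentication Type, matched policy and reason code is what to compare against the conditions and constraints of the policy that was expected to match first.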

Alert me please


Hi,

I have set up dot1x with NPS and it is working correctly when the system is in local mode. If I join it to the domain, I can't log in with domain credentials and this error appears: "there are currently no logon servers available to service the logon request". I can only log in in local mode (with local administrator credentials) and set up the dot1x settings, and it connects to the network; after that I cannot log in with a domain user again. Please help me :(

Thanks a lot,

NPS Logging missing Non NAP-Capable machine names

Hi,

Is it by design that, when looking at the NAP reports and the NPS event viewer, NAP DHCP non-NAP-capable computer names are missing?
I only seem to be able to see NAP-capable compliant and NAP-capable non-compliant computer names in the logs.

Any ideas?

Thanks,
Tom

RADIUS authentication went haywire after a root CA was renewed


We had an intermediate certificate about to expire. We renewed it and everything went fine. The new CA cert was added to the domain controller, the same PKI was used, and the cert was cross-published to the forest with certutil's crossCA capability.

Strangely enough RADIUS did not like the cert. Even more strange: NAP RADIUS authentication stopped working on all domain controllers, even those that did not use the renewed root CA for authentication.

Eventually we requested a new certificate for 802.1x specifically and everything worked again. I'm just curious if anyone can explain what went wrong? Why would RADIUS break because of a root CA change when RADIUS isn't pointing at that root CA?

VPN Shared Folders Worked For Years - Now Windows Security Challenge "The Specific Network Password Is Not Correct"


The VPN connection is successful, but access to shared folders is not. Running Windows Server 2003 and connecting from Lenovo ThinkPad T440s Windows 8.1. Identical VPN setup and user credentials are successful from other computers, including a Surface running Windows RT 8.1, so I believe the problem is laptop specific.

I have turned off my firewall, still no success. I have turned off my antivirus. No success.

I have restored the PC back one month, prior to the last software change.

From outside the network, I can connect to the VPN successfully, but attempts to view or map shared folders receive a Windows Security error dialogue box stating the network password is not correct. I know I'm connected as I can type the office local IP of a network printer and view its status pages. I cannot do that when the VPN is not connected.

I have reset my user password on the server. I have deleted and recreated the VPN network connection in Network and Sharing Center multiple times. I have adjusted the VPN security settings. I have tried using just the server name and just the IP address in the VPN setup.

The network admin ID and password are also not VPN successful from this laptop.

Any suggestions or ideas why identical VPN setup is successful from other machines and worked on this machine until one week ago?

Thanks.

Problem on wireless internet connection when enable on server LAN card


Hi,

I have a Windows Server 2008 R2 with 2 LAN cards and a wireless adapter, but I am only using 1 LAN card and the wireless connection. I use my wireless connection (192.168.1.x) for the internet connection and 1 of the LAN cards (10.1.1.x) for the internal connection. My server's internet connection is not able to connect when I enable the internal LAN, but the server's internet connection works when I disable the LAN card.

Any advice on this?

Thanks in advance.

Anonymous instead of proper logon


Good day.

I have two Win 2008 R2 servers. S1 is a production server with a database. S2 is a backup server for the database. On S1 I have a scheduled task that executes a procedure which copies the database to the S2 server. The task runs as the NT Authority\System account. On S2 there is a share (\\S2\Backup) with modify permission for the computer name S1$. Everything looks fine on the surface. However, the scheduled task reports that \\S2\Backup is inaccessible. At the same time, the Windows security log on S2 gets an entry:
Success Audit
Event id 540
Anonymous logon
Workstation name S1 (notice the name)

Interesting thing - there is no Login failed record in the log.

What baffles me is that I have the same arrangement between S2 and other database servers and not a single problem.

If i reconfigure both servers to use a user login (not NT Authority\System) then backups are created correctly.

Regards
Kamil

Windows Server 2012 NPS not forwarding accounting messages


Hi,

We have a setup with a Cisco controller connected to 2 Cisco APs that use Windows Server 2012 NPS for 802.1x authentication. This works 100%: users can connect and can get to local resources, DC, printers, gateway etc...

However, we use a FortiGate 60D as our firewall, and when setting user-based access policies on the FortiGate, wireless machines and devices (cellphones, iPads) do not get access to the internet. What I have discovered is that the FortiGate requires the NPS server to forward accounting messages to it on UDP 1813. I have added the FortiGate to the "Remote RADIUS server groups" on the NPS and set the "Connection request policy" to forward accounting messages to said "RADIUS group".

However, when monitoring with Wireshark, when a user joins the wireless the server does not send any packets destined for UDP 1813; I can only see messages being sent to the Cisco kit on UDP 1812.

The only way I have gotten this to work is by setting the Cisco controller to send the accounting messages instead. Any help as to why the NPS server is not sending these messages would be greatly appreciated.

Regards

Which NAP Architecture to use


Hi,

I need to configure the NAP feature in an already running SCCM 2012 R2. I understand that I need to choose the ARCHITECTURE of NAP first and configure the NPS server etc., and then include the remediation servers, which can be the SCCM DP, antivirus DAT updates etc.

The question is which NAP architecture to choose. Based on my research it seems that IPsec is the way to go to address a client base which contains VPN and LAN clients. Is it possible to achieve this by a mix of DHCP and VPN NAP infra?

Which is the best way to go and it will be great if you could share any step by step/prerequisites docs/links for this.

Regards..

Add workstation for web access only - no domain controller credentials added.


A simple question for a newbie - if I patch a laptop (Win7) into my network without adding any credentials in Active Directory on my domain controller, for internet access only, can a virus still get onto my server? I like to run a test machine that loads a lot of garbage applications and I just need web access: load and try. I also do not want to incur the cost of another TrendMicro seat. Is my server just as protected if I add (free) virus protection to the workstation? We have of course an ASA between the net and the switch, but how much can that protect me? I also don't care if the laptop itself has a virus/malware issue - I will take care of that. I just want my Windows 2008 and 2012 servers protected.

Thanks


NPS - MAC authorization for UniFi.

Hello,
I want to set the Network Policy Server (RADIUS) in Windows Server 2012 to authorize the MAC for UniFi.
The problem is that the server prompts you for a user name and password when trying to connect.
The name should be the MAC address of the device, and the password is not. I changed a value in the registry.
What am I doing wrong?

Sorry for my bad language. I used Google Translator.

NPS server 2012 R2 standard support and SQL 2012 logging


Hi

Following is my environment.

NPS policy configured on windows server 2012 R2 standard and logging configured on SQL server 2012.

Following are my queries.

How many RADIUS clients can Server 2012 R2 support?

How many users can connect to the RADIUS server simultaneously?

Does SQL Server 2012 support NPS logging?

While configuring SQL accounting, is there anything else to be done on the SQL server other than creating the database?

I'm aware of the configuration to be done on the NPS server to point to the SQL server, but I can't find enough resources on what needs to be done in SQL Server 2012. Can you share a suitable link on what needs to be done on the SQL 2012 server to configure accounting logs?

Do all the tables and stored procedures get created automatically on the SQL Server 2012 server?

Kindly guide.

Thanks


Shiva

access to server


This case happened in Windows Server 2008.

A user logs on to his machine locally. He proceeds to work on his projects. After a few hours of work he attempts to save the work to a network location, but whenever he tries to access it, he gets a prompt to enter a username and a password. He tried a few combinations and they did not work, preventing him from saving the work on a network share.

So explain in detail what you will do to accomplish these tasks.

NPS - help me to understand AD registration pls


Hi,

We have four NPS servers that are not registered in AD. We use the NPS servers for WiFi authentication; we have only one network policy for granting access to the network, and the authentication option is PEAP.

My question is: will the PEAP authorization be broken if I register all of the NPS servers in AD? Should the NPS servers start verifying user credentials by default?


NAP enforcement with IPsec problem


Dears,

I have applied NAP enforcement with IPsec; unfortunately I am facing the problems below:

  • My VMware vCenter Server lost communication with the ESXi hosts
  • 15 Linux CentOS client computers are now not able to communicate with Windows servers/clients
  • Windows 7 machines that have ERP clients lost connectivity with 2 Red Hat servers that host the ERP
  • I have some MacBook Airs which lost connectivity with the Exchange Server...

So, how do I create an exemption for these non-NAP-capable clients and servers?

Thanks
