Channel: Network Access Protection forum
Viewing all 1875 articles

Pattern Matching Syntax (Regexp) in NPS Policy - Multiple IP Addresses.


Hi everyone,

I want to add a filter for multiple IP addresses to my NPS policy, allowing only the specific addresses of the devices I'm going to authorize (which are in different ranges).

I have tried different combinations based on the official documentation and forum recommendations; however, it doesn't work:

^(1.1.1.1 | 2.2.2.2 | 3.3.3.3 | 4.4.4.4)$

^(1\.1\.1\.1 | 2\.2\.2\.2 | 3\.3\.3\.3 | 4\.4\.4\.4)$

^(1.1.1.1)$ | ^(2.2.2.2)$ | ^(3.3.3.3)$ | ^(4.4.4.4)$

^(1\.1\.1\.1)$ | ^(2\.2\.2\.2)$ | ^(3\.3\.3\.3)$ | ^(4\.4\.4\.4)$

The policy is correctly created (if I only set one IP address, it matches and grants access).

I'd appreciate any help you can give!

Regards,

Rafael.
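As an added example (not part of Rafael's post), the following PowerShell runs the posted patterns, and a corrected one, through the .NET regular-expression engine against a handful of constructed Client-IPv4-Address values. It assumes that NPS evaluates condition patterns with the same anchor, alternation and escape rules as .NET (which is the syntax the NPS pattern-matching documentation describes); confirm on a test policy before relying on it. The spaces around each `|` in the posted patterns are literal characters that become part of each alternative, so `^(1\.1\.1\.1 | 2\.2\.2\.2)$` only matches an address with a trailing space, which no RADIUS client ever sends.

```powershell
# Added example, not from the post. Exercises NPS condition patterns with the
# .NET regex engine (assumed to follow the same rules as NPS pattern matching).

# Constructed sample values, as they would appear in the Client IPv4 Address condition.
$samples = @('1.1.1.1', '2.2.2.2', '4.4.4.4', '11.1.1.1', '1.1.1.10', '1x1x1x1', '5.5.5.5')

# Builds an allow-list pattern: every address escaped, alternatives joined with "|"
# and no surrounding spaces, anchored so that 11.1.1.1 or 1.1.1.10 cannot slip through.
function New-NpsAddressPattern {
    param([Parameter(Mandatory)][string[]]$Addresses)
    '^(' + (($Addresses | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'
}

# Evaluates one pattern against every sample value.
function Test-NpsPattern {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$Pattern,
          [Parameter(Mandatory)][string[]]$Values)
    foreach ($v in $Values) {
        [pscustomobject]@{ Pattern = $Name; Value = $v; Matches = [regex]::IsMatch($v, $Pattern) }
    }
}

$patterns = [ordered]@{
    'posted (spaces)' = '^(1\.1\.1\.1 | 2\.2\.2\.2 | 3\.3\.3\.3 | 4\.4\.4\.4)$'
    'unescaped dots'  = '^(1.1.1.1|2.2.2.2|3.3.3.3|4.4.4.4)$'
    'corrected'       = (New-NpsAddressPattern -Addresses @('1.1.1.1', '2.2.2.2', '3.3.3.3', '4.4.4.4'))
}

# The pattern to paste into the NPS condition.
$patterns['corrected']

# Only the rows that matched are shown, so a pattern that admits too much stands out.
$results = foreach ($name in $patterns.Keys) {
    Test-NpsPattern -Name $name -Pattern $patterns[$name] -Values $samples
}
$results | Where-Object Matches | Format-Table -AutoSize
```

With the .NET engine the posted pattern matches none of the samples, the unescaped-dot pattern also admits `1x1x1x1` (an unescaped `.` matches any character), and the corrected pattern admits exactly 1.1.1.1, 2.2.2.2 and 4.4.4.4. The same syntax applies to the other string conditions in a policy, such as Client Friendly Name. A Client IPv4 Address condition only selects which policy applies; it is the RADIUS shared secret that proves the request came from that client.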


 


Health Policy condition causing error 691


Hi,

My default NPS network policy works fine - allows clients to connect to the VPN - until I add a health policy as a condition.

When I do, clients receive error 691:

"The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol you selected is not permitted on the remote access server."

The health policy is pretty basic - "Client passes all SHV checks."

The default Windows Security Health Validator is basic as well, configured to only check for an enabled firewall.

The firewall is enabled on the client side.

As soon as I remove the health policy from the list of conditions in the network policy, it works fine again.

Has anyone seen this or have any insight into what may be the problem?

Thanks,

Something wrong with ias.xml file...


The network policy server service will not start. I have narrowed the problem to the ias.xml file. If I remove it and run "netsh nps reset config" a new ias.xml file is created and the service will start. However, all of the RADIUS clients and policies are no longer there. Is there a way that I can fix the old file so that I don't lose the configuration? Or, is there a way to copy the clients and policies out of the old file into the new one?
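As an added example (not part of the post), the following PowerShell checks whether an ias.xml file is well-formed XML and, if not, reports the line and position where parsing stops; the path is the default NPS configuration location and is an assumption. The backup commands at the end are the supported way to keep a restorable copy of a configuration whose service does start.

```powershell
# Added example, not from the post. Walks ias.xml with an XmlReader so that the
# first structural defect is reported with its line and position. Default NPS
# configuration path assumed.
$iasPath = Join-Path $env:SystemRoot 'System32\ias\ias.xml'

function Test-NpsConfigXml {
    param([Parameter(Mandatory)][string]$Path)
    $reader = $null
    try {
        $reader = [System.Xml.XmlReader]::Create($Path)
        while ($reader.Read()) { }      # reads the whole document; throws at the first defect
        [pscustomobject]@{ Path = $Path; WellFormed = $true; Error = $null }
    } catch {
        # XmlException messages carry "Line N, position M." for the defect
        [pscustomobject]@{ Path = $Path; WellFormed = $false; Error = $_.Exception.GetBaseException().Message }
    } finally {
        if ($reader) { $reader.Dispose() }
    }
}

Test-NpsConfigXml -Path $iasPath | Format-List

# On a server whose NPS service starts, keep an export so that a damaged ias.xml can
# be restored with "netsh nps import" instead of "netsh nps reset config":
#   netsh nps export filename="C:\backup\nps-config.xml" exportPSK=YES
#   netsh nps import filename="C:\backup\nps-config.xml"
# exportPSK=YES writes the RADIUS shared secrets in clear text; protect that file
# like a password store.
```

A file that is well-formed but still rejected by the service has a semantic problem rather than a syntax one; in that case the reported XML structure at least shows which client and policy elements are present before any manual copying is attempted.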

EAP-PEAP-MSCHAPv2 Realm Stripping


Hi,

I'm having some problems here getting our Wi-Fi setup working. The setup basically comes down to this: we're using PEAP-MSCHAPv2 as the authentication mechanism and the native Windows WZC clients to set up the connection and to provide the credentials.

There would be no problem if we were just using this on our own internal network/domain, but because we're a school we want to participate in the Eduroam project, which means we have to be able to authenticate users with the following username format: domain.country\username or username@domain.country. The NPS setup I have now only seems to be able to handle logins with the format username, domain\username or username@domain. This doesn't work with the Eduroam setup because they need the realm part to do the necessary proxying between the participating institutes, and so they need the country suffix part in the outer identity.

If I use another wireless client on the clients (like the Intel PROSet) I'm able to configure the outer and inner identity differently, which, technically speaking, would be a solution if it were not that a lot of our students can't use the Intel PROSet because they have a non-Intel Wi-Fi chip.

I've also seen that it's possible to do some attribute manipulation in NPS in the CRP, but it seems to me that this only manipulates the outer identity part and not the inner part, because then the authentication still fails. I tried this on the username by using the pattern ".*\\(.*)" and replacing it with "DOMAIN\$1"; the manipulation seems to work according to the event logs, but the authentication still fails.

Any ideas on how to handle this?

Does NPS support SHA256 certificates?


Hi,

We have 2 environments - 1 CA using SHA1 and the other using SHA2.

The one using SHA1 is working fine, i.e. NPS can authenticate the computer device certs.

However, for SHA2 it's not working. I have been troubleshooting for a few days, so before going further I just wanted to make sure NPS supports SHA256 certificates.

Thanks.

Windows 7 Won't Connect to WPA2-Enterprise Wireless Using PEAP Authentication


Hello,

I'm running into an issue with Windows 7 connecting to a WPA2-Enterprise wireless SSID using PEAP authentication. I recently set up an NPS on a Windows Server 2014R2 box. The RADIUS client is set to our Sophos firewall, which handles our Sophos AP55s.

I've manually imported the CA on several Windows 7 SP1 and Windows 10 machines.

On the Windows 10 workstations, I manually set up the wireless connection for the SSID and it prompts for the user end authentication.  I enter the creds and I am able to connect to the SSID without any issues.

On the Windows 7 machines, I manually set up the wireless connection the same as on the Win10 workstations, but I am unable to connect to the SSID.

Below are logs from the WLAN-Autoconfig of the Win 7 Workstation:

-----------------------------------------------------------------------

Wireless security failed.
 
Network Adapter: Intel(R) Dual Band Wireless-AC 7260
Interface GUID: {941fcf87-19a6-40b1-9338-879ef205cf6a}
Local MAC Address: 0C:8B:FD:CD:3A:7F
Network SSID: PSACorporate
BSS Type: Infrastructure
Peer MAC Address: 00:1A:8C:8C:04:C1
Reason: Explicit Eap failure received

Error: 0x80074005

-----------------------------------------------------------------------

Wireless 802.1x authentication failed.
 
Network Adapter: Intel(R) Dual Band Wireless-AC 7260
Interface GUID: {941fcf87-19a6-40b1-9338-879ef205cf6a}
Local MAC Address: 0C:8B:FD:CD:3A:7F
Network SSID: PSACorporate
BSS Type: Infrastructure
Peer MAC Address: 00:1A:8C:8C:04:C1
Identity: test1
User: TFrazier
Domain: PSA_NT
Reason: Explicit Eap failure received
Error: 0x80074005
EAP Reason: 0x4005
EAP Root cause String:
EAP Error: 0x4005

-----------------------------------------------------------------------

From what I can tell from the NPS logs, I assume that authentication succeeded.

User:
Security ID: PSA_NT\test1
Account Name: test1
Account Domain: PSA_NT
Fully Qualified Account Name: PSA_NT\test1
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 00-1A-8C-8C-04-C1:PSACorporate
Calling Station Identifier: 00-1A-6B-0D-A6-A3
NAS:
NAS IPv4 Address: -
NAS IPv6 Address: -
NAS Identifier: PSACorporate
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 1
RADIUS Client:
Client Friendly Name: UTM
Client IP Address: 192.168.xx.160
Authentication Details:
Connection Request Policy Name: PSACorp_Wireless
Network Policy Name: PSACorp_Wireless
Authentication Provider: Windows
Authentication Server: PSADC2.xxxxx.COM
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: -
Quarantine Information:
Result: Full Access
Extended-Result: -
Session Identifier: -
Help URL: -
System Health Validator Result(s): -
-----------------------------------------------------------------------

Network Policy Server granted access to a user.
User:
Security ID: PSA_NT\test1
Account Name: test1
Account Domain: PSA_NT
Fully Qualified Account Name: PSA_NT\test1
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 00-1A-8C-8C-04-C1:PSACorporate
Calling Station Identifier: 00-1A-6B-0D-A6-A3
NAS:
NAS IPv4 Address: -
NAS IPv6 Address: -
NAS Identifier: PSACorporate
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 1
RADIUS Client:
Client Friendly Name: UTM
Client IP Address: 192.168.xx.160
Authentication Details:
Connection Request Policy Name: PSACorp_Wireless
Network Policy Name: PSACorp_Wireless
Authentication Provider: Windows
Authentication Server: PSADC2.xxxxx.COM
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Quarantine Information:
Result: Full Access
Session Identifier: -

---------------------------------------------------------------------------------------


I've come to a roadblock and don't know where else to look. Any recommendations would be appreciated. Thanks.


- Tim
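As an added example (not part of Tim's post or the SHA256 post above it), the following PowerShell lists the certificates in the NPS server's machine store that NPS can present for PEAP or EAP-TLS, with the details a supplicant validates: issuer, signature algorithm (sha1RSA versus sha256RSA), subject alternative names, expiry and whether a chain builds on this host. Current Windows Server versions validate SHA-256-signed certificates, so the algorithm column is for confirming what is actually being presented rather than for a yes/no on support. When NPS logs "granted access" but the client reports an explicit EAP failure, as in the WLAN-AutoConfig events above, the client-side check of the server certificate (trusted issuer, Server Authentication EKU, names) is the first thing to compare against this output. Run it on the NPS server; no names or paths are assumed.

```powershell
# Added example, not from the posts. Lists machine-store certificates with a private
# key and the Server Authentication EKU, which are the ones NPS can offer to PEAP /
# EAP-TLS supplicants, and shows what a supplicant would validate.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Get-NpsCandidateCertificate {
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        if (-not $cert.HasPrivateKey) { continue }
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if (-not $eku) { continue }    # the NPS certificate requirements call for an EKU
        $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($usages -notcontains $serverAuthOid) { continue }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            SigAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # sha1RSA, sha256RSA, ...
            NotAfter     = $cert.NotAfter
            SAN          = if ($san) { $san.Format($false) } else { '-' }
            ChainBuilds  = $cert.Verify()                            # chain and revocation as this host sees them
            Thumbprint   = $cert.Thumbprint
        }
    }
}

Get-NpsCandidateCertificate | Format-List
```

The Thumbprint column should match the certificate selected in the network policy's PEAP settings. On the failing Windows 7 client, the Issuer shown here must be one of the trusted root CAs ticked in the PEAP profile, and, if "Connect to these servers" is set, the Subject must match that entry.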


NPS - user name attribute manipulation for realm not working as expected


Hi all,

I'm trying to achieve the following through attribute manipulation in a connection request policy on an NPS server acting as a RADIUS proxy:

Change user@test.domain.com to user@domain.com and then forward to a RADIUS
authentication server.

Under Specify a Realm Name on the Settings tab, I have tried a number of variations in the Find and Replace With fields for the User-Name attribute but have not managed to generate the desired user name. Combinations I have tried and their resulting outcome according to the NPS log are:

Find: user@test\.domain\.com
Replace With: user@domain.com
Resulting user name: user@test.domain.com

Find: user@test\.domain\.com
Replace With: user@domain\.com
Resulting user name: user@domain\.com

Find: @test(.*)
Replace With: @$1
Resulting user name: user@.domain.com

Find: @test\.(.*)
Replace With: @$1
Resulting user name: user@test.domain.com

Find: @test\.
Replace With: @$'
Resulting user name: user@domain.comdomain.com

Find: @test\.
Replace With: @$
Resulting user name: user@$domain.com

Find: @test\.
Replace With: @
Resulting user name: user@test.domain.com

As I understand it, what I'm trying to achieve should be straightforward. In https://technet.microsoft.com/en-us/library/cc731342(v=ws.10).aspx it's stated that you can:

"Change the realm name but not its syntax. For example, the user name user1@example.com is changed to user1@wcoast.example.com."

This is pretty similar to what I'm after. However, I can't find any specific examples on the web, and have run out of ideas. Can anybody point me in the right direction?

Thanks in advance.

Stuart
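As an added example (not part of Stuart's post, nor of the Eduroam post earlier on this page), the following PowerShell replays a list of NPS-style Find / Replace With rules against a User-Name with the .NET regular-expression engine, applying them in order the way the connection request policy does. It assumes that NPS uses the same replacement syntax as .NET Regex.Replace for capture references (`$1`) and the suffix reference (`$'`); the outcome for each rule is what the NPS log should show for that same pair, so a row that differs from the log is the one to investigate. It models only the RADIUS User-Name attribute: with PEAP the inner identity travels inside the TLS tunnel and is not touched by attribute manipulation, which is what the Eduroam post observes. The user names and the DOMAIN label are constructed.

```powershell
# Added example, not from the posts. Applies Find / Replace With rules in order to
# a User-Name using .NET Regex.Replace (assumed to match NPS replacement syntax).
function Invoke-UserNameRules {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][object[]]$Rules   # each rule: @{ Find = '<regex>'; Replace = '<replacement>' }
    )
    $current = $UserName
    foreach ($rule in $Rules) {
        $next = [regex]::Replace($current, $rule.Find, $rule.Replace)
        [pscustomobject]@{ Find = $rule.Find; Replace = $rule.Replace; Before = $current; After = $next }
        $current = $next    # rules see the output of the previous rule, as in NPS
    }
}

# Realm rewrite from the post: user@test.domain.com -> user@domain.com.
# Dots are escaped in Find (regex) but written plainly in Replace (literal text).
Invoke-UserNameRules -UserName 'user@test.domain.com' -Rules @(
    @{ Find = '@test\.domain\.com$'; Replace = '@domain.com' }
) | Format-Table -AutoSize

# Capture-group form that keeps whatever follows the stripped label.
Invoke-UserNameRules -UserName 'user@test.domain.com' -Rules @(
    @{ Find = '@test\.(.*)$'; Replace = '@$1' }
) | Format-Table -AutoSize

# Outer-identity rewrite from the Eduroam post ("DOMAIN" and the names are constructed).
# A name without a backslash does not match and passes through unchanged.
foreach ($name in 'school.be\alice', 'alice@school.be') {
    Invoke-UserNameRules -UserName $name -Rules @(
        @{ Find = '.*\\(.*)'; Replace = 'DOMAIN\$1' }
    ) | Format-Table -AutoSize
}
```

Single-quoted PowerShell strings keep `$1` and backslashes literal, so what reaches Regex.Replace is exactly what would be typed into the NPS dialog. Anchoring the Find with `$` prevents a rule such as `@test\.` from also rewriting a name like user@test.other.com that happens to contain the same label.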

EAP TLS And EAP PEAP on the same NPS Server


Hello

We have many wireless LAN controllers, each of which would be one RADIUS client.

We are migrating from one wireless vendor to another, and we would like to do EAP-PEAP and EAP-TLS on the same server while we migrate. But NPS doesn't seem very flexible in doing that. If I put the EAP-TLS network policy first, then the EAP-PEAP users won't authenticate, and vice versa. Is there a way, with many RADIUS clients, to say that this group of RADIUS clients uses the EAP-TLS rule and that group of RADIUS clients uses the EAP-PEAP rule?

Cheers
Carlos


Server 2003 IAS Migration to Server 2012 R2 NPS Issues


Hi!

I am attempting to migrate from Windows Server 2003 IAS to Windows Server 2012 R2 NPS, following the "Migrate Network Policy Server to Windows Server 2012" guide (https://technet.microsoft.com/en-us/library/hh831652.aspx). Based on the guide, I understand that this is a supported migration scenario.

I have prepared the new server as outlined in the migration guide and am able to successfully export the current IAS configuration using iasmigreader.exe without any problem.  I am not making any edits to the ias.txt file to address EAP as it is my understanding that the issue caused during the export was resolved in the Server 2012 R2 version of iasmigreader.exe (if I am mistaken, please let me know).

When attempting to import the ias.txt file on the new server using "netsh nps import filename=c:\temp\ias.txt" I receive the oh-so-helpful "Unspecified error" and some basic syntax for the import command.  If I attempt to import the configuration from the NPS GUI (right-click on NPS (Local), select "Import Configuration") I receive an error box labeled "NPS Configuration Import Failure" with "Error HRESULT E_FAIL has been returned from a call to a COM component".

In both cases I have attempted to restart the server to see if that helps and I have found that the Network Policy Service fails to start and I get the following error box labeled Services, "Windows could not start the Network policy Server service on Local Computer.  Error 0x80070057: The parameter is incorrect."

I have noticed that after the failed import attempt, if I look in RADIUS Clients I see the entries I would expect to see, but I do not see that any policies have been imported.  Note also that I have run "netsh nps reset config" between import attempts so that NPS is back to its default configuration (and the service starts cleanly).  My guess is that the ias.txt file is not being formatted correctly, or is being corrupted in some way.

Any assistance would be greatly appreciated!

Which role should be enabled if I want to set up a proxy server using Windows Server 2012 R2


Hi experts,

I want to set up a proxy server for testing. One requirement is that users must provide a user name and password when accessing that proxy server. Can you help me with this? I am confused about which role/feature I should install:

Network Policy and Access Services ->Network Policy Server

Remote Access -> DirectAccess and VPN

Remote Access -> Routing

Remote Access -> WebApplication Proxy



NPS Server 2012 R2 Peap Auth


I am having a problem with user authentication using NPS on Server 2012 with PEAP. I have two RADIUS servers, one running 2008 R2 and this one, in a round-robin setup using a Cisco 5508 wireless controller. When a user gets the 2008 server for authentication, in the logs everything is good: I have two lines saying that they are using PEAP and what policy they match in the access request, and the next line is the access accept allowing them in.

If they get the 2012 server, it will allow them in, but it takes longer, and in the logs I see the same access request, but instead of authentication type 11 for PEAP they are using type 5 for EAP. Then the server will challenge them, since it does not use this type of authentication, and eventually the client will change to PEAP and it will work without me having to do anything.

I have checked my policy against the one on the 2008 server and they are the same. I have tried to regenerate the server cert on the 2012 server, with the same problem. I have tried to install the server cert on a client machine to see if that would help, and it does not. I am not sure what is happening when the same client can use the 2008 server and authenticate fine, but if they get the 2012 server I am seeing this. I will put the access request log line and the access challenge log line in this post so you can see it. Thanks for any help that can be provided.

Request

10.10.10.78,username,04/26/2016,11:52:03,IAS,servername,131,0x00000001,31,60:92:17:30:3c:47,30,bc:f1:f2:91:55:c0:ssid,5,13,44,571f9cb3/60:92:17:30:3c:47/2501902,4,10.10.10.78,32,StuWifi,26,0x00003763010600000013,6,2,12,1300,61,19,64,13,65,6,81,131,4108,10.10.10.78,4116,0,4128,StuWifi Controller,5000,audit-session-id=0a0a0a4e002612f9571f9cb3,5000,mDNS=true,4154,Use Windows authentication for all users,4155,1,4129,username,25,311 1 10.10.16.42 04/21/2016 10:55:14 189,4130,user OU,4127,5,4149,test,8136,0,4136,1,4142,0

Challenge:

10.10.10.78,username,04/26/2016,11:52:03,IAS,servername,25,311 1 10.10.16.42 04/21/2016 10:55:14 189,27,30,4130,user out,44,571f9cb3/60:92:17:30:3c:47/2501902,8136,0,4149,test,4127,5,4108,10.10.10.78,4116,0,4128,StuWifi Controller,4129,username,4155,1,4154,Use Windows authentication for all users,4136,11,4142,0


Deny Access based on RADIUS client and group


I'm having issues blocking internal users from accessing an SSID (eduroam); the same users are allowed access when not on campus.

I've two Network Policies enabled and in processing order they are as follows:

The first Network Policy is set to deny access. Its conditions are "User Groups = [domain]\default staff group OR [domain]\default student group" and Client IPv4 Address with all the 9 Wifi controllers (Ruckus Zone Directors) IP's (as per RADIUS clients)

I have also tried using Client Friendly Name, and changing the "User Groups" to equal "[domain]\Domain Users" only, but these changes had no effect (I restarted the NPS service after each change).

The second Network Policy grants access with condition of "User Groups = [domain]\default staff group OR [domain]\default student group"

For both policies Constraints and Settings are identical.

This setup initially worked to block internal users but some time in the last few months has stopped.

Viewing logs I can see that internal users are accessing the SSID with the NP Policy name in the log being the second policy i.e. the conditions of the first policy are not being met. Yet the Client IP Address / Client Friendly Name are the ones in the first policy meant to disable access.

Any ideas?
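As an added example (not part of this post, nor of the "NPS Server 2012 R2 Peap Auth" post above it), the following PowerShell parses NPS/IAS-format log lines into objects, decoding the fields that matter in both threads: Packet-Type (1 Access-Request, 11 Access-Challenge, 2 Access-Accept, 3 Access-Reject), Authentication-Type (5 EAP, 11 PEAP), the RADIUS client's address and friendly name, and the connection request and network policy names that matched. The two sample lines are the ones quoted in the PEAP post; the attribute-ID table is limited to what those lines need and follows the NPS log interpretation documentation. Values containing commas are not handled, since the samples contain none.

```powershell
# Added example, not from the posts. Parses IAS-format NPS log lines: six fixed
# header fields, then (attribute-id, value) pairs. ID table limited to what is needed.
$iasAttributeNames = @{
    30   = 'Called-Station-Id'
    31   = 'Calling-Station-Id'
    4108 = 'Client-IP-Address'
    4127 = 'Authentication-Type'
    4128 = 'Client-Friendly-Name'
    4129 = 'SAM-Account-Name'
    4130 = 'Fully-Qualified-User-Name'
    4136 = 'Packet-Type'
    4142 = 'Reason-Code'
    4149 = 'NP-Policy-Name'
    4154 = 'Proxy-Policy-Name'
}
$packetTypes = @{ 1 = 'Access-Request'; 2 = 'Access-Accept'; 3 = 'Access-Reject'; 4 = 'Accounting-Request'; 11 = 'Access-Challenge' }
$authTypes   = @{ 1 = 'PAP'; 2 = 'CHAP'; 3 = 'MS-CHAP'; 4 = 'MS-CHAPv2'; 5 = 'EAP'; 7 = 'None'; 8 = 'Custom'; 11 = 'PEAP' }

function ConvertFrom-IasLogLine {
    param([Parameter(Mandatory)][string]$Line)
    $f = $Line.Split(',')
    if ($f.Length -lt 6 -or (($f.Length - 6) % 2) -ne 0) { throw "Malformed IAS-format line: $Line" }
    $rec = [ordered]@{
        NasIpAddress = $f[0]; UserName = $f[1]; Date = $f[2]; Time = $f[3]; Service = $f[4]; Computer = $f[5]
    }
    for ($i = 6; $i -lt $f.Length; $i += 2) {
        $id  = [int]$f[$i]
        $val = $f[$i + 1]
        $name = if ($iasAttributeNames.ContainsKey($id)) { $iasAttributeNames[$id] } else { "Attr-$id" }
        $decoded = switch ($id) { 4136 { $packetTypes[[int]$val] } 4127 { $authTypes[[int]$val] } }
        if ($decoded) { $val = "$decoded ($val)" }
        # Repeated attributes (e.g. several Vendor-Specific values) become arrays.
        if ($rec.Contains($name)) { $rec[$name] = @($rec[$name]) + $val } else { $rec[$name] = $val }
    }
    [pscustomobject]$rec
}

# The request and challenge lines quoted in the PEAP post.
$sampleLines = @(
    '10.10.10.78,username,04/26/2016,11:52:03,IAS,servername,131,0x00000001,31,60:92:17:30:3c:47,30,bc:f1:f2:91:55:c0:ssid,5,13,44,571f9cb3/60:92:17:30:3c:47/2501902,4,10.10.10.78,32,StuWifi,26,0x00003763010600000013,6,2,12,1300,61,19,64,13,65,6,81,131,4108,10.10.10.78,4116,0,4128,StuWifi Controller,5000,audit-session-id=0a0a0a4e002612f9571f9cb3,5000,mDNS=true,4154,Use Windows authentication for all users,4155,1,4129,username,25,311 1 10.10.16.42 04/21/2016 10:55:14 189,4130,user OU,4127,5,4149,test,8136,0,4136,1,4142,0',
    '10.10.10.78,username,04/26/2016,11:52:03,IAS,servername,25,311 1 10.10.16.42 04/21/2016 10:55:14 189,27,30,4130,user out,44,571f9cb3/60:92:17:30:3c:47/2501902,8136,0,4149,test,4127,5,4108,10.10.10.78,4116,0,4128,StuWifi Controller,4129,username,4155,1,4154,Use Windows authentication for all users,4136,11,4142,0'
)

$sampleLines | ForEach-Object { ConvertFrom-IasLogLine -Line $_ } |
    Select-Object Time, 'Packet-Type', 'Authentication-Type', 'Client-IP-Address',
                  'Client-Friendly-Name', 'Proxy-Policy-Name', 'NP-Policy-Name', 'Reason-Code' |
    Format-Table -AutoSize
```

For the PEAP post the table shows the request arriving as Access-Request with Authentication-Type EAP (5) and the server answering with Access-Challenge, which is the sequence the poster describes. For the deny-by-RADIUS-client question, the same table gives, per request, the Client-IP-Address and Client-Friendly-Name NPS actually evaluated alongside the NP-Policy-Name it settled on, so the values can be compared character for character with the conditions in the first (deny) policy; pointing the pipeline at `Get-Content` of the live log file instead of `$sampleLines` does this for real traffic.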

Local user accounts attempt to authenticate to RADIUS Wi-Fi and lock out AD accounts of the same name???


I am encountering a strange issue that I am struggling to figure out. I have installed the NPS Role on a W2k12R2 DC and configured a RADIUS Client, Connection Policy, and Network Policy. I have deployed Wi-Fi settings via AD GPO using Computer and User Authentication and all works great upon bootup (Computer Account authenticates to WiFi successfully). Also, when I logon with a domain user account, I can see that reauthentication occurs against the user account successfully.  No issues to this point.

However, when I logon with a local Windows account (that also exists in AD with a different password) I can see in the NPS log that attempts are made to authenticate to AD with the DOMAIN\user account rather than the PC\user account.  I also see event 4625 logged in the Security Event Log on the NPS/DC Server.  The result is that failed authentication attempts are made about 3 mins apart and the account is eventually locked out.

Has anyone ever seen this or have any idea how I might further debug this?  I have been digging through online threads for several days with no luck.  Thank you in advance for any suggestions.

Network Policies Processing Order


Setup:

Unifi AP's connected to NPS running on Server 2012 R2.

Goal:

1. Laptop users to be able to connect to the production wireless network simply by having their computer accounts in an authorized group, e.g. Company/Laptops.

2. If your device is not in the said group (not an AD object, in essence), prompt for credentials from, e.g., Company/Authorized Users.

What so far:

I created a Network Policy with one of its conditions being that you have to be a member of Company/Laptops to be granted access to the wireless network. This works fine, as laptops connect directly if authorized.

A second policy was created where the condition was that you have to be a member of Company/Authorized Users.

Problem:

1. After implementing the second policy, which is 2nd in the processing order, even authorized laptops are prompted for credentials.

2. Devices not in the Company/Laptops group are not granted access at all.

Trying to figure out a best practice solution for NAP/NPS


I have been given the task of converting our network of 80 or so assets from static to DHCP. Management wants the change to be not only cost effective but secure, so that employees cannot just plug devices into network ports at their cubes and obtain an IP address. We have the hardware capabilities to go to 802.1X; however, the owners decided to lower the cost of network drops by installing 10-port switches at the beginning of each cube row, which won't allow us to control all the ports on each switch.

A brief description of the network.

Two DC's running 2012R2. 
DC1 is running the following roles: Enterprise CA, AD, DNS, GPO.

DC2 is replicating from DC1 for the following roles AD, DNS, GPO. CA enterprise is not installed. It also serves as our WDS/MDT server.

Serv5 only used for WSUS services.


What my idea is:


I would like to install the DHCP role with NAP on DC1, with failover on DC2, with a scope of 192.168.0.x, move the WSUS server from Serv5 to DC2, and move the WDS/MDT role to Serv5. Now here is where I get confused about best practice: I'm not sure where the NPS service should go. The reason I want to move WSUS to DC2 and MDT/WDS to Serv5 is that I fear that once I enable NAP/NPS, devices that are to be re-imaged and boot off PXE will not be able to authenticate for DHCP because they do not meet the health check requirements, so I would have to put Serv5 on a different scope (192.168.10.x) that has no outbound (internet) traffic capability, so that any device that needs to be re-imaged can still obtain a DHCP lease but is limited in what resources it can access (I want WDS/MDT to be the only reachable resource).

If I were able to buy more Server 2012 R2 licenses I would, but unfortunately that is not an option here. I must complete this at no cost to the company other than my time, unless of course there is a much faster route that could justify the cost for the time.



Thanks in advance!

 

Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.


Hi,

No Windows 7 or 10 computers, both domain and non-domain, can connect to Wi-Fi, while Android and iOS users have no problems.

Windows users get the error "can't connect to this network"; the NPS event log shows:

Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

Has anyone had this problem? I found a few articles about enrolling domain PCs with certificates, but that would not fix the issue on non-domain PCs.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/9171b4aa-ba71-430b-935f-b27513debda4/nps-windows-7-clients-cant-connect-iphone-connects?forum=winserverNAP

Advanced Firewall: allow only predefined IP (or MAC) addresses to communicate with each other


Greetings,

Not sure if I'm in the correct category, but here it goes.

I have 10 workstations (public) and 2 servers (private) on a large network with multiple subnets. What I am attempting to accomplish (via AFW) is to set up rules on each workstation so they only communicate with each other and the servers.

I am (was) attempting to use AFW and configure rules based on IP address. I would think the following would be possible.

Turn off all communications on all workstations so that all incoming and outgoing traffic is blocked. Then assign the designated IP addresses that are allowed to accept and receive ALL traffic.

Currently I have 5 of the workstations benched on a mini network with addresses 10.10.10.2-10.10.10.6. I've been attempting different settings with no success; a lot of helpful articles have been read, but I think I'm missing something very basic.

Perhaps someone can point me in the right direction?

A million thanks in advance.

David
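As an added example (not part of David's post), the following PowerShell builds the posture described above with the Windows Firewall cmdlets: one allow rule per direction for the listed peers, every other enabled allow rule disabled, and the profile defaults set to block in both directions. The workstation range is the bench network from the post; the two server addresses are placeholders. The cmdlets belong to the NetSecurity module (Windows 8 / Server 2012 and later); on Windows 7 the equivalent rules are written with netsh advfirewall. Windows Firewall rules filter on IP addresses, ports and programs, not on MAC addresses. Run it elevated from the console, or from a session whose own address is in the allowed list, because the default-block step cuts off every peer not listed, including DNS, DHCP and domain controllers unless they are added to `$servers`.

```powershell
# Added example, not from the post. Default-deny both directions, then allow only
# the listed peers. Addresses: bench workstations from the post plus two placeholder
# servers (assumed).
$peers   = @('10.10.10.2-10.10.10.6')         # workstations (from the post)
$servers = @('10.10.20.10', '10.10.20.11')     # private servers (placeholders)
$allowed = $peers + $servers

function Set-AllowlistFirewall {
    param([Parameter(Mandatory)][string[]]$AllowedAddresses, [string]$RuleTag = 'Allowlist')

    # Idempotent: drop rules from a previous run of this script before recreating them.
    Get-NetFirewallRule -DisplayName "$RuleTag *" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    New-NetFirewallRule -DisplayName "$RuleTag inbound from peers" -Direction Inbound `
        -Action Allow -RemoteAddress $AllowedAddresses -Profile Any -Enabled True | Out-Null
    New-NetFirewallRule -DisplayName "$RuleTag outbound to peers" -Direction Outbound `
        -Action Allow -RemoteAddress $AllowedAddresses -Profile Any -Enabled True | Out-Null

    # Built-in allow rules (Core Networking, File and Printer Sharing, ...) would still
    # admit traffic from any address, so disable everything that is not ours.
    Get-NetFirewallRule -Enabled True -Action Allow |
        Where-Object { $_.DisplayName -notlike "$RuleTag *" } |
        Disable-NetFirewallRule

    # Anything not matched by the two rules above is now dropped, on every profile.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block
}

Set-AllowlistFirewall -AllowedAddresses $allowed

# Verify: which rules can still pass traffic, and the profile defaults.
Get-NetFirewallRule -Enabled True | Select-Object DisplayName, Direction, Action | Format-Table -AutoSize
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
```

Test on one benched workstation first: the pair of verification commands should list only the two Allowlist rules as enabled, and a ping from an address outside the range should fail while one from inside succeeds. `Set-NetFirewallProfile` and `Disable-NetFirewallRule` accept `-WhatIf`, which is worth using on the first run of the function on a production machine.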

 

Consuming a Visual FoxPro COM DLL in a .NET web service - error 80040154

Dear Professionals,
Background:

A Visual FoxPro COM DLL (ourdll.dll) has been copied to c:\inetpub\wwwroot\ourdir\ on the server with IP 192.168.0.1 and also registered using regsvr32.

We have a .NET web service (ourwebservice) in C# which consumes the COM interop of ourdll.dll. ourwebservice has been hosted on IIS as ourwebsite on the server 192.168.0.1.

From a client system we are able to get the wsdl listing using :
http://192.168.0.1/ourwebsite/service.asmx?wsdl

But when we try to consume the web service by calling a function in the COM DLL from a Windows Forms application, or from the explorer on the local system, it returns a 500 error:

Retrieving COM class factory ... Server was unable to process request. Retrieving the COM class factory for component with CLSID {...} failed due to the following error: 80040154.

Probably we are missing something else or are not doing something in the right way.

Please guide. Thanks in advance.

What I have tried:

Googled enough.

1. Firewall.
2. Unregistering and re-registering the COM DLL.
3. Restarting the server several times.
4. Adding the DLL entry under the Wow6432Node hive.
5. Building the web service with the x86 configuration.
6. Enabling 32-bit applications in the IIS application pool.
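As an added example (not part of the post), the following PowerShell checks both registry views for the class that fails to load. 0x80040154 is REGDB_E_CLASSNOTREG: the process asking for the class found no registration in the registry view it reads, and a 32-bit in-process server (a Visual FoxPro DLL is 32-bit) is read by 32-bit code from the Wow6432Node view, so a registration made with the 64-bit regsvr32 lands in the wrong one. The CLSID is elided in the error quoted above, so it is passed in as a parameter; the placeholder in the usage call must be replaced with the value from the error text.

```powershell
# Added example, not from the post. Reports, for one CLSID, whether InprocServer32
# is registered in the 64-bit and the 32-bit (Wow6432Node) registry views and
# whether the DLL path each one points at exists.
function Test-ComClassRegistration {
    param([Parameter(Mandatory)][string]$Clsid)   # e.g. '{...}' from the error message
    $views = [ordered]@{
        '64-bit view' = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
        '32-bit view' = "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$Clsid\InprocServer32"
    }
    foreach ($name in $views.Keys) {
        $key  = $views[$name]
        $path = if (Test-Path $key) { (Get-ItemProperty $key).'(default)' } else { $null }
        [pscustomobject]@{
            View       = $name
            Registered = [bool]$path
            ServerPath = $path
            FileExists = if ($path) { Test-Path $path } else { $false }
        }
    }
}

# Substitute the CLSID from the error text for the placeholder.
Test-ComClassRegistration -Clsid '{...}' | Format-Table -AutoSize
```

For a 32-bit application pool the "32-bit view" row must show Registered = True with an existing ServerPath; if only the 64-bit row is populated, register the DLL with `C:\Windows\SysWOW64\regsvr32.exe` (the 32-bit one). The application pool identity also needs read and execute permission on that path, and serving the DLL's folder from under wwwroot exposes the binary to download unless request filtering blocks it, so a location outside the web root is the safer choice.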

General Assistance on Setup


Defeated does not begin to describe my current situation, to the point that words will not assist my cause. So here are screenshots (apologies in advance):

Radius Client:

Connection Request Policy (Processing No. 1)

Network Policy Settings:

NB: The user certificate has been successfully autoenrolled to the intended users.

Result:

NB: I am assuming if we have been prompted for credentials, the communication process is so far ok.

However:

I hope the pictorial illustration can successfully substitute for my words, for I have completely no idea what is wrong here.

Firewall in Hyper-V


Hi 

I am seeking the following Windows Server 2012 R2 firewall behaviour: when all the server cores are used 100%, the firewall doesn't get assigned any resources, thus all traffic is blocked. Traffic gets re-established when the server slows down.

I was planning to use a Hyper-V VM which doesn't have priority access to compute resources to create this behaviour.

Am I creating a security vulnerability by using the firewall in this way? I understand I won't have VPN access while the firewall is not running.

Thanks


