Channel: Network Access Protection forum

EAP-TLS Failure with Windows-XP STA & Win-2012 NAS


Hi,

I'm facing a weird problem. I've installed Active Directory, CA & NPS all on a single machine.

I've generated a user certificate & also copied the CA certificate to the client Windows XP machine and installed them into the "Personal" and Trusted Root CA locations. When I create a profile and connect through WZC, the RADIUS server rejects with reason: "An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors."

To debug, I've set up another client machine with Windows 7. I installed the same certificates that I installed on the Windows XP client and created a profile to connect. And it just connects without any issue.

I'm not sure what the above error means for the Win-XP case, and how do I check EAP log files for EAP errors? I've tried enabling tracing for ras and looked for logs in c:\windows\tracing. But I see all files were almost 0KB and no useful information at all.

Can you help me debug this problem? Please see the snippet from Event Viewer.

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:            NULL SID
    Account Name:            wifiuser@qcsr.com
    Account Domain:            QCSR
    Fully Qualified Account Name:    QCSR\wifiuser

Client Machine:
    Security ID:            NULL SID
    Account Name:            -
    Fully Qualified Account Name:    -
    OS-Version:            -
    Called Station Identifier:        00904c130f31
    Calling Station Identifier:        00037f104912

NAS:
    NAS IPv4 Address:        192.165.122.1
    NAS IPv6 Address:        -
    NAS Identifier:            00904c130f31
    NAS Port-Type:            Wireless - IEEE 802.11
    NAS Port:            11

RADIUS Client:
    Client Friendly Name:        BROADCOM
    Client IP Address:            192.165.122.1

Authentication Details:
    Connection Request Policy Name:    NAP 802.1X (Wireless)
    Network Policy Name:        -
    Authentication Provider:        Windows
    Authentication Server:        BANRADSVR01.qcsr.com
    Authentication Type:        EAP
    EAP Type:            Microsoft: Smart Card or other certificate
    Account Session Identifier:        -
    Logging Results:            Accounting information was written to the local log file.
    Reason Code:            23
    Reason:                An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.


Event 6274 - Network Policy Server discarded the request for a user


Hi, I started having problems with NPS. Not sure if someone has changed something on the NPS server, but I started receiving errors when trying to authenticate. The same happens for all NPS policies - wifi users and network device login authentication.

I cannot find enough information on the internet about what the reason could mean. Does the NPS server or the user not have enough permissions?

Network Policy Server discarded the request for a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:            NULL SID
    Account Name:            xxxx
    Account Domain:            XXX
    Fully Qualified Account Name:    XXX\xxxx

Client Machine:
    Security ID:            NULL SID
    Account Name:            -
    Fully Qualified Account Name:    -
    OS-Version:            -
    Called Station Identifier:        -
    Calling Station Identifier:        -

NAS:
    NAS IPv4 Address:        192.168.10.254
    NAS IPv6 Address:        -
    NAS Identifier:            -
    NAS Port-Type:            Virtual
    NAS Port:            388

RADIUS Client:
    Client Friendly Name:        Cisco_xxx
    Client IP Address:            192.168.10.254

Authentication Details:
    Connection Request Policy Name:    NW device login
    Network Policy Name:        -
    Authentication Provider:        Windows
    Authentication Server:        DC-01
    Authentication Type:        PAP
    EAP Type:            -
    Account Session Identifier:        -
    Reason Code:            2
    Reason:                There are not sufficient access rights to process the request.
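As an added example (not code from either of the two posts above), here is a small Python parser for the text body of NPS events 6273 and 6274 in the shape quoted in both posts, with a helper that groups a batch of such events by Reason Code so one misbehaving NAS or EAP type stands out; the two sample events are constructed, shortened copies of the ones quoted above.

```python
"""Parse the text of NPS audit events 6273 ("denied access") and 6274
("discarded the request") into fields and group a batch by Reason Code.
Added example, not from either post; SAMPLES are constructed, shortened
copies of the two events quoted above."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*$")  # e.g. "NAS:"
FIELD_RE = re.compile(r"^\s+([^:]+?):\s*(.*)$")         # indented "Name: value"

SAMPLES = [
    r"""Network Policy Server denied access to a user.

User:
    Fully Qualified Account Name:    QCSR\wifiuser

NAS:
    NAS IPv4 Address:        192.165.122.1
    NAS Port-Type:            Wireless - IEEE 802.11

Authentication Details:
    Connection Request Policy Name:    NAP 802.1X (Wireless)
    Network Policy Name:        -
    Authentication Type:        EAP
    EAP Type:            Microsoft: Smart Card or other certificate
    Reason Code:            23
    Reason:                An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.""",
    r"""Network Policy Server discarded the request for a user.
User:
    Fully Qualified Account Name:    XXX\xxxx
NAS:
    NAS IPv4 Address:        192.168.10.254
    NAS Port-Type:            Virtual
Authentication Details:
    Connection Request Policy Name:    NW device login
    Authentication Type:        PAP
    EAP Type:            -
    Reason Code:            2
    Reason:                There are not sufficient access rights to process the request.""",
]

def parse_nps_event(text):
    """Return {"headline": str, "sections": {section: {field: value}}}; NPS
    writes "-" for fields it did not populate and those become None."""
    lines = text.strip("\n").splitlines()
    headline = lines[0].strip() if lines else ""
    sections, current = {}, None
    for ln in lines[1:]:
        m = SECTION_RE.match(ln)
        if m:  # a new "Section:" header
            current = m.group(1)
            sections[current] = {}
            continue
        m = FIELD_RE.match(ln)
        if m and current is not None:
            value = m.group(2).strip()
            sections[current][m.group(1).strip()] = None if value == "-" else value
    return {"headline": headline, "sections": sections}

def summarize(event):
    """Pick the fields a responder triages on first."""
    s = event["sections"]
    auth = s.get("Authentication Details", {})
    return {
        "event": "discarded" if "discarded" in event["headline"] else "denied",
        "account": s.get("User", {}).get("Fully Qualified Account Name"),
        "nas_ip": s.get("NAS", {}).get("NAS IPv4 Address"),
        "auth_type": auth.get("Authentication Type"),
        "eap_type": auth.get("EAP Type"),
        "network_policy": auth.get("Network Policy Name"),  # None: none recorded
        "reason_code": int(auth["Reason Code"]) if auth.get("Reason Code") else None,
    }

def group_by_reason(texts):  # Reason Code -> summaries: one bad NAS/EAP type stands out
    groups = defaultdict(list)
    for t in texts:
        s = summarize(parse_nps_event(t))
        groups[s["reason_code"]].append(s)
    return dict(groups)
```

Paste the description text of real 6273/6274 events from Event Viewer into the list to triage them the same way.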


Network Access protection not working with new devices.


We have a Network Access Protection server on a Windows Server 2012 box configured against 20 devices, and it works perfectly for all but 2 devices that won't work with it no matter what we do. These use a configuration template that is the same as 13 of the working devices (Cisco Meraki devices).

The testing we have done is as follows:

From a working device:

  • Tested a valid account and followed the traffic across our network to the server; at each stage we can see the valid traffic, in the NAP logs we can see the request being approved, in Event Viewer we can follow the request policies, and we can follow the traffic back.
  • Tested an invalid account; again we can see all stages, the deny in the NPS log, and the Deny event in Event Viewer.

From the non-working device:

  • Testing a valid account: we can see the request traffic across the network and see it reach the server, but neither the NAP log nor Event Viewer shows the request completed or failed, and no traffic is returned to the device.
  • Testing an invalid account: we can see the request traffic across the network and see it reach the server, and we can see the invalid request in the logs and Event Viewer.

As you can see this is an oddity that we currently can't explain. We know it can respond to invalid requests, so communication is there. The device uses a default configuration that works elsewhere, and all the same firewall rules are applied to the working sites and the broken sites. I've had Microsoft investigate the server and they say the configuration is correct and there is nothing wrong, and Cisco have confirmed the device configuration is valid and correct.

So basically we are at our wits' end. Has anyone come across anything similar and, if so, how did you resolve it?

thanks in advance.

 

NPS restriction of one type of 802.1x authentication for a specific access point


I have NPS running on a pair of 2012 servers, and it's authenticating 802.1x wireless connections for multiple user types for one SSID (switching VLANs based upon user group memberships, etc.), and I'm prepending sub-domain information as necessary based upon username patterns. But I'd like to restrict one class of user from logging into one specific access point without disabling the other types of users for that site.

Is there some way to implement a condition that's something like "access point name" != "somefriendlyname"?

NPS and NAP


Server 2012 Standard

The roles currently installed on the server are:

AD CS
AD DS
DHCP
DNS
File and Storage Services
IIS
NAP
Print Services

I am currently trying to setup 802.1x wireless.

When I go through the wizard, I select PEAP under Type. I get to Specify User Groups. I click Add. I search for the group I want to add. I then click OK. After a couple of seconds of the computer thinking, the following error appears: "Windows cannot process the object with the name "Teacher Group" because of the following error: The specified domain either does not exist or could not be contacted."

Which shouldn't happen since I am on the domain server making these changes. I have checked to confirm whether there was an issue in DNS or DHCP. I can't find any issue. If I do an NSLOOKUP the server name comes up with the correct IP address and domain. I was also able to find it using the IP address. (The server has a static IP.)

What is causing this issue?  How do I rectify this?


NPS fails with "No Domain Controller Available"


I just installed NPS for the first time on our domain and authentication fails with the message "There is no domain controller available for domain tp.dom". We have two domain controllers and both are working fine. I ran nltest with various options and all the commands completed successfully and find the domain controllers. Also, I can log in to the NPS server using TP.DOM\username. I tried a few different users and it was successful. I am not sure why NPS can't locate the domain controller.

So I tried on a different machine and get the same error. Both run Windows 2008 R2. Our DCs are 2003 R2.

Below is the message from the NPS trace.

[5424] 07-08 18:54:32:124: Failed to connect to the cached DC, try DC locator ...
[5424] 07-08 18:54:32:124: Could not open an LDAP connection to domain TP.DOM.
[5424] 07-08 18:54:32:124: NTDomain::getConnection failed: The specified domain either does not exist or could not be contacted.
[5424] 07-08 18:54:32:124: Retrying LDAP search.
[5424] 07-08 18:54:32:124: Could not open an LDAP connection to domain TP.DOM.
[5424] 07-08 18:54:32:124: NTDomain::getConnection failed: The specified domain either does not exist or could not be contacted.
[5424] 07-08 18:54:32:124: No AUTHORIZATION extensions, continuing
[5424] 07-08 18:54:32:124: Added EAP Failure packet

Any help is appreciated.  - thanks.

Getting non-domain devices (non-domain Windows 7 laptops/iPads) to request a certificate from our NPS/CA server


We have a Server 2012 R2 NPS server setup using certificate authentication.

Currently, I've got it working so domain computers auto-enrol with our CA server. Each client enrolls and gets a cert; this then shows up as an issued certificate on the CA.

I'm struggling to find a way to get iPads and non-domain Windows PCs to request a certificate from our CA. Since the CA allows domain computers to request a certificate, I can't see how a non-domain PC or a non-Windows device could work with this system.

Any suggestions would be greatly appreciated!

Thanks!

DG

802.1x Enforcement using EAP-TLS method


I am testing the 802.1x Enforcement functionality using the EAP-TLS method.

My test environment is as given below:

NPS server, Subordinate Root CA ----> Windows Server 2008
Domain Controller               ----> Windows 2003
Root CA                         ----> Windows 2003
Authenticator                   ----> 802.1x Switch
Client                          ----> Windows Vista

The problem status is that, in the EAP-TLS method, the NPS server is sending a Finish message, then an EAP response, and then an EAP-Failure. (The 802.1x switch is receiving a RADIUS-Reject message from the NPS server.)

I need help on the following:

1) Could anybody suggest a tutorial or step-by-step guide for 802.1x enforcement using the EAP-TLS method?

2) The Windows Vista client is using, at the time of registration, the certificate published by the Enterprise Root CA of Active Directory. Could anyone teach me what the importance is of the certificate (issued by the Standalone CA on the NPS server to the Vista client) in the EAP-TLS method?

3) The RADIUS-Reject message received by the 802.1x switch has the following setting in the VSA code:

length = 6  type = 54  value = 1

RFC 2548 does not contain this VSA type code setting. Could anyone teach me what the meaning of this code is? I cannot understand the reason for the failure of the certificate from this data. Kindly help me in this regard.

Thanks for reading my question.

Regards

Brijesh Shukla


Wi-Fi losing connection


Not sure which is the right forum for this, as I'm unsure where the problem is.

If I can describe the environment first. We use a lot of domain-joined laptops running various OSes (8.1/10) that connect to a hidden SSID that is protected by a RADIUS server. The laptops get the name of the SSID to connect to via a Wireless Group Policy setting. The laptops authenticate to RADIUS using their computer account. We then find it's usually connected to an open network instead and people complaining it isn't working :)

Fairly often we are finding that these laptops are no longer connecting to the Wi-Fi SSID specified, and under networks, rather than seeing its name, you now see "Unknown". The only way to get it back on is to connect to a password-protected SSID or plug in wired and then gpupdate /force.

I am looking for some ideas of what the problem might be and a potential fix. Thoughts, anyone?

Thanks

Robbie

NPS Network Policy Not Evaluating


Hi,

I'm trying to get SMS2 2-Factor working securely with NPS.

I have a Domain Controller with user accounts and a 2FA group. RADIUS and SMS2 are running on the Domain Controller.

I have added the NPS feature, and registered it in Active Directory. I then created a RADIUS client with the IP of my NetScaler. The NetScaler is configured appropriately.

The problem is that I want to lock down access to the 2FA group. However, any user in the domain can authenticate.

I have found that I can remove my Network policy (leaving the default policies untouched), and I can still authenticate. It seems that the connection request policy is the only policy being evaluated (if I disable it or the client definition, no one can authenticate).

Any ideas on what could cause this, or how to troubleshoot this further? There is nothing of interest showing in the event log.

Thank you for your help

NPS Certificate Authentication not Functioning


Hello,

I recently implemented an NPS deployment within an enterprise environment, with the ultimate goal of using certificates and an NPS server to authenticate an 802.11x wireless network. I added the NPS role to one of the domain controllers, and created a GPO with the wifi and certificate configuration. Unfortunately, client computers with the GPO deployed cannot access the wireless network. I don't see rejections on the NPS server; it's almost like they are dropped. I tested domain username/password authentication by adding my user account to the AD group, and that bounced back as approved (I'm using Meraki APs). When a computer tries to connect to the wifi, it's almost like the attempt is dropped. I've run through Technet articles for the last few weeks reviewing my configuration, but I can't find a reason why this would be happening. Could someone help provide some insight?

Below is an outline of what I did.

1. Added APs as RADIUS clients to the NPS server
2. Connection request policy
   a. Processing order 1
   b. Conditions: NAS Port Type – Wireless – Other OR Wireless – IEEE 802.11
   c. Authentication Provider: Local Computer
3. Network Policies
   a. Processing order 1, grant access
   b. Condition: Windows groups (the group contains Domain Computers and Domain Users)
   c. EAP configured
   d. Ignore User Dial-In Properties: True
   e. Access Permissions: Grant Access
   f. EAP Method: Microsoft: Protected EAP
   g. Authentication Method: EAP or MS-CHAP
   h. NAP Enforcement: Allow full network access
   i. Updated noncompliant clients: False
   j. Framed Protocol: PPP
   k. Service Type: Framed

And added a GPO with an 802.11x wifi configuration, and a trusted root certificate authority GPO for a certificate issued by the domain CA to the NPS server.


Thanks!


Running Win2012 R2 NPS for 802.11x Radius Authentication in same domain but different sites.


Hello all;

Probably a redundant question, but I have an NPS server being used for RADIUS auth (802.11x) on one of our local sites, but I also want to build one at a remote site on the other side of the country, in the same domain, servicing different IP ranges. I assume these would be stand-alone NPS servers in the same domain and not use an NPS proxy server, since I only want the server in its site handling auth requests local to that site. Is there anything special I need to do for this type of configuration other than just standing up the new NPS server in the remote site and configuring RADIUS clients (IP ranges) unique to that site on it?

Thanks.

Default Authentication for Wireless Networks


When you go into your wireless network security settings and click advanced settings, there is a spot to specify user authentication mode. I am trying to find out what the default setting is for that drop-down (if there is one). We are running Windows 7 64-bit PCs and the options are: User Authentication, Computer Authentication, Guest Authentication, or User or Computer Authentication. If anyone has any ideas on this please let me know.

Allowing failed health checks


Hi, Everyone.

I ran across this question while studying for my 411 exam. I may have an idea of how this would be set up, but I'm hoping someone can validate my thinking or maybe point me to a resource that would explain it.

The question:
You are going to implement a health check to make sure that clients have Windows Updates enabled. You want this to take place in two weeks. Those that have Windows Updates disabled should still be allowed access for the two weeks. How would you set this up?

My conclusion:
Would you set this up in the remediation groups? As in, those that pass the health check get full access normally, but those that fail would go to the remediation server group, which still has full access. Or am I completely wrong on this?


::- T.I.A. -::

Ubiquiti - NPS - MAC Address Authentication


Hello Guys,

I already have NPS doing EAP certificate-based authentication with AD computers.

That works fine.

But now, I would like to add MAC address based authentication on the same Wi-Fi, for printers or non-domain computers.

That does not work ... :)

I tried to add a user with the MAC address as login name and the same for the password. But that changed nothing.

I don't see the login attempt in the NPS event logs. That means, for me, that the Connection Request Policy does not match.

I already tried setting the "User Identity Attribute" registry key to 31. That changed nothing.

I need help. :(

Best Regards


When accessing NAS of an ASUS router in Windows Explorer I get error: 'permission to use this network resource' 'a specified logon session does not exist'


I have an ASUS RT-R66N that is sharing a flash drive in the Windows workgroup "WORKGROUP". My Linux Mint computer and my Raspberry Pi access the shared flash drive just fine using their file explorers. My Windows 10 Pro v1607 (OS Build 14393.321) will not allow access to the shared flash drive using Windows Explorer via the "network workgroup". My Windows 10 machine reports:

\\NETDISK is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permission.  A specified logon session does not exist. It may already have been terminated.

:) The network administrator, me, didn't set up permissions on the router for either the Linux machines or the Windows machine. ASUS is clueless about this permission. The Linux machines don't need permission or logon sessions. Why does Windows 10 want permission & logon sessions that don't seem to be needed?



Question about client certificate verification by NPS w/ TLS-EAP


Hi,

I'm currently converting a wifi setup with PEAP (client auth using MSCHAPv2) to TLS-EAP and I'm wondering how exactly the server verifies the client certificate.

I have a private CA, which I selected in the wireless profile pushed to clients. So the client won't accept a server certificate issued by any other CA, even if it matches.

All domain computers autoenroll for a computer certificate and the wireless profile is setup so the computer certificate is used.

The NPS server has as condition in its policy that the client is in the "Domain Computers" group to be granted access.

Now, how does the server verify the certificate sent by the client? I don't see an option to "lock" the accepted certificate to an issuing CA like the one present in the client profile. So I came up with the following possibilities:

1. The server only accepts certificates from the same CA its own certificate was issued by, and then either uses the username sent by the client, the one in the certificate, or both (if so, which does it use/check?).

2. The server trusts any certificate that is issued by any locally trusted root CA (including the commercial ones). This seems unlikely, since in the past commercial CAs would issue certificates for *.local DNS names. So in that case anyone could just procure a certificate from a commercial CA that matches one of my domain computers.

3. The domain computer's certificate is published in AD, and the NPS server matches the certificate it gets from the client to the one in AD.

Option 3 makes the most sense to me, since that way the server will only accept the one certificate that was issued to the computer/client and nothing else. However, I can't seem to find any details in the documentation, only that "if the server trusts the client certificate the client is granted access" with no elaboration on what "trusts" means exactly.

Can someone tell me which of the options is correct, or whatever other option I didn't think about?

Lastly, I'd also like to know how I can debug the entire authentication process on a low level (e.g. every step taken), so if someone knows how to do this please tell me :) Both for the server side (2012R2) and client side (Win8.1 & Win10).

Thank you in advance!

PS. I'm wondering something else, and since someone that can answer the above is likely to know this as well, I figured I'd ask it here: Currently in the NPS policy I have selected "Strongest Encryption" 128-bit MPPE on the Settings tab->Encryption. Is MPPE even used in a wireless setup such as mine? As far as I know MPPE is used for PPP connections as main encryption of data after authentication, and the wireless connection will be encrypted using AES/CCMP as setup on the access point (and not with MPPE).

However, I noticed in the latest RFC defining EAP-TLS that the Pairwise Master Key (PMK) was previously named a "MS-MPPE key", so perhaps this setting controls the entropy in the generated PMK sent to, and then used by, the access point to use for its AES/CCMP? Does this encryption setting have any bearing on a wireless authentication setting such as mine, and if so, how exactly?

If not, how does the NPS generate the PMK that the access point is to use for encryption? I know a random PMK should somehow be generated by the NPS, which is what makes WPA2-Ent so much more secure relative to WPA2-PSK (which always uses the same PMK generated from the PSK and the SSID as salt). I'd like to understand how this part works ;)


Prohibit users from viewing other users and groups in "security tab" of folders on client machines


We have some workstations connected to a 2012 R2 Essentials server that's configured as: domain/DNS/DHCP/application server. We noticed that users can get into the folder properties window and view all the users and groups through the Security tab.

Does that represent a vulnerability? How can we prevent that? We want to keep some accounts and groups unknown.


Remote VPN clients using Windows 7 or higher


We have contractors that connect to our network using their own computers. The computers are Windows 7 or higher. The computers are NOT domain members.

I recently read where NAP is deprecated in Windows Server 2012 R2 and not included in Windows 10.  Shame. 

What would be the best way to allow these contractors to connect to us and still perform a health check on their computers to ensure updated anti-virus and patches?

JamesNT


ATTENTION MODERATORS: I do indeed mark responses as answers after I have had time to test said response and verify that it works. Please do NOT assume you speak on my behalf by marking responses to my questions as answers. Mass-proposing responses as answers gets on my nerves, too. Thank you.

Unable to Authenticate with Active Directory via NPS from iPads using EAP and certificates


Hi All,

I have NPS running on Server 2008 R2 Datacenter. The only other service running on the box is IIS and File services (it is not used as a file server).

We have a Cisco WiFi network using a Cisco 2500 Wireless LAN Controller (WLC) with dozens of APs.

We have several hundred iOS devices (mostly iPhone 6, 6S and 7, and iPad and iPad Pro) connecting to the wifi using certificates issued to the users from our internal CA.

This was all working fine when we set it up a year ago.

Suddenly, several months ago, I started noticing that some iPads were not connecting to the wifi. For example, a user would have both an iPhone and an iPad; the iPhone would connect fine and the iPad, using the same user cert, would not connect.

I should mention that we use AirWatch as our MDM platform and the user certs are applied to the user profile in AirWatch.

The iPads that aren't working follow no specific pattern. They are all different iOS versions and different models. Some are even wifi and cellular data models.

I have involved Cisco tech support and the conclusion was that the WLC and its setup are fine, and the logs on the WLC show that the authentication is being rejected by the NPS.

The NPS logs show Event ID 6273; Audit Failure;

Description: Network Policy Server denied access to a user;

Reason code: 23;  

Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

I can't identify what changed except a certificate on the server. 

Any help is very much appreciated.
