Channel: Network Access Protection forum
Viewing all 1875 articles

RADIUS automatic authentication


Hello everyone,

 I'm deploying a new RADIUS infrastructure in an organization, but we are facing a problem with the authentication: when a user with a domain-joined PC connects to the network, it requests the user credentials, but we don't want this to happen. I expect Windows to use the current session credentials before asking for them.

 Is it possible to apply this configuration?

 Thank you in advance


Renewed CA cert and now a lot of users cannot connect to wireless network since old cert expired yesterday


Hello, about a month ago I renewed the certificate from my sub CA for the clients to connect to our wireless network using EAP-TLS. Yesterday the old cert expired and about half the users in the enterprise are not able to connect to the wireless network. All of the users have the new certificate installed on their computers but it is still not working. In the event viewer I am getting error code 36887 from Schannel and it says "A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 49". When I looked that up it said: Received a valid certificate, but when access control was applied, the sender did not proceed with negotiation. This message is always fatal.

The only solution I have found that works is plugging the computer into the network, performing a gpupdate and restarting the computer, but I can't do that for 1000+ computers. I have also tried removing the old expired cert from the sub CA and that did not work either. Is there something that could be changed on the NPS server to allow users to connect temporarily to download the new cert? We are using group policy to push out the wireless configuration.

Any suggestions would be much appreciated. Thank you!





What is the best practice to give a user permission to “Join to the Domain”?


I am not sure what the best practice is to give a user permission to join to the domain.

Is it just giving delegated permission (Take Ownership or WRITE_DAC) on the computer object, or some other way which is also Microsoft best practice?

Or is there any security group, other than Domain Admins, which will give this user the ability to join to the domain?

 

Radius server


Hello. Hope you're doing well.

We have RADIUS Server Microsoft Windows Server 2012 and Cisco switch as authenticator.

In the debug messages on the switch we see that the switch sends an Access-Request message, but cannot get the Access-Accept in order to authenticate the user.

On the server where we have RADIUS we also have AD2 and the Certificate Authority. We added a group from AD to the RADIUS server and configured port-based authentication.

But when entering the credentials of a user from the indicated group, the authentication fails.

Remote VPN clients using Windows 7 or higher


We have contractors that connect to our network using their own computers. The computers are Windows 7 or higher. The computers are NOT domain members.

I recently read that NAP is deprecated in Windows Server 2012 R2 and not included in Windows 10. Shame.

What would be the best way to allow these contractors to connect to us and still perform a health check on their computers to ensure updated anti-virus and patches?

JamesNT


ATTENTION MODERATORS: I do indeed mark responses as answers after I have had time to test said response and verify that it works. Please do NOT assume you speak on my behalf by marking responses to my questions as answers. Mass-proposing responses as answers gets on my nerves, too. Thank you.

NPS on Windows server 2012 can't authenticate


Hello,

I've updated (with Windows Update) a Windows Server 2012 and rebooted it.

After that, the NPS server does not work.

When I stop the NPS service, Wi-Fi clients connect to another server, but when I start it, Wi-Fi clients can't connect.

In Event Viewer, I just have event 4400: LDAP connection for domain is established.

Nothing more.

Can you help me?

The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.


I have been trying to set up a wireless network using EAP-TLS on a Server 2012 R2 machine with Win7 and Win 10 clients in a domain environment. The setup is as follows:

Cisco WAP321 AP - configured RADIUS settings and secret, and set up an SSID.

Two-tier internal PKI that auto-enrolls both computers and users with certificates via group policy. The templates they use are duplicates of the Computer and User templates with no changes. The NPS server uses the RAS and IAS Server template with no changes. I also push out the Root and Sub CA and NPS certificates using Group Policy to the trusted root. I have verified that all 3 of these certificates plus the user and computer certs are on the client and host computers.

The NPS server is on the Sub CA server. NPS settings (changes from default):
RADIUS Clients
  -Settings: Shared Secret and IP of Cisco WAP321
  -Advanced: Vendor name = Cisco
  -Advanced: Checked Access-Request messages must contain the Message-Authentication attribute

Connection Request Policies
  - Conditions: "NAS Port Type = Wireless - Other or Wireless- IEEE 802.11"

Network Policies
  - Overview: Ignore User account dial-in policies
  - Conditions: "NAS Port Type = Wireless - Other or Wireless- IEEE 802.11"
  - Conditions: "Windows Groups = Domain\Domain Users OR Domain\Domain Computers"
  - Constraints: Authentication Methods: EAP Types has "Microsoft: Smart Card or other certificate" configured with the "NPS Server" certificate. All other methods are unchecked.
  - Settings: Encryption: Strongest Encryption is the only one checked

Health Policies
  - None


Wireless settings are pushed out via Group Policy with the settings below.

I am continually getting this error:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/23/2017 9:40:44 AM
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      NPSServer2012R2.Domain.local
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: Domain\firstname.lastname
Account Name: Domain\firstname.lastname
Account Domain:Domain
Fully Qualified Account Name:Domain\firstname.lastname

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name:-
OS-Version: -
Called Station Identifier:4C-00-11-E0-10-B8:WifiSSID
Calling Station Identifier:58-11-CF-11-F8-B7

NAS:
NAS IPv4 Address:10.10.10.200
NAS IPv6 Address:-
NAS Identifier:-
NAS Port-Type:Wireless - IEEE 802.11
NAS Port: 0

RADIUS Client:
Client Friendly Name:WAP321-Cisco
Client IP Address:10.10.10.200

Authentication Details:
Connection Request Policy Name:Secure Wireless Connections
Network Policy Name:Secure Wireless Connections
Authentication Provider:Windows
Authentication Server:NPSServer2012R2.Domain.local
Authentication Type:EAP
EAP Type: -
Account Session Identifier:-
Logging Results:Accounting information was written to the local log file.
Reason Code: 22
Reason: The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{1111-1111-1111-A5BA-11111111111}" />
    <EventID>6273</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2017-01-23T15:40:44.836203300Z" />
    <EventRecordID>85335</EventRecordID>
    <Correlation />
    <Execution ProcessID="624" ThreadID="4452" />
    <Channel>Security</Channel>
    <Computer>NPSServer2012R2.Domain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-1526706777-1111111111-7648</Data>
    <Data Name="SubjectUserName">Domain\firstname.lastname</Data>
    <Data Name="SubjectDomainName">Domain</Data>
    <Data Name="FullyQualifiedSubjectUserName">Domain\firstname.lastname</Data>
    <Data Name="SubjectMachineSID">S-1-0-0</Data>
    <Data Name="SubjectMachineName">-</Data>
    <Data Name="FullyQualifiedSubjectMachineName">-</Data>
    <Data Name="MachineInventory">-</Data>
    <Data Name="CalledStationID">4C-00-11-E0-10-B8:WifiSSID</Data>
    <Data Name="CallingStationID">58-11-CF-11-F8-B7</Data>
    <Data Name="NASIPv4Address">10.10.10.200</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">-</Data>
    <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
    <Data Name="NASPort">0</Data>
    <Data Name="ClientName">WAP321-Cisco</Data>
    <Data Name="ClientIPAddress">10.10.10.200</Data>
    <Data Name="ProxyPolicyName">Secure Wireless Connections</Data>
    <Data Name="NetworkPolicyName">Secure Wireless Connections</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">NPSServer2012R2.Domain.local</Data>
    <Data Name="AuthenticationType">EAP</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">-</Data>
    <Data Name="ReasonCode">22</Data>
    <Data Name="Reason">The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.</Data>
    <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
  </EventData>
</Event>

NPS wireless policy


Hello, my wireless policy condition is NAS Port Type Wireless - IEEE 802.11 and Wireless - Other, with EAP (PEAP) constraints.

I would like to filter out anything that is not a domain device. I tried the Domain Computers group but that didn't work. I do have auto-enrollment of my CA certs if we can somehow use that.

What is the best way to go about this?





Installing User Certificates on Non Domain Equipment for NAP


Current setup:

An NPS server which implements NAP wireless 802.1X using computer certificates.

Certificates are distributed through GP to all machines.

This works fine in that domain machines all get a certificate and can therefore connect to the wireless network, which has been set up with WPA2 Enterprise.

Problem

I have frequent users who are not domain users and have laptops and smartphones.

For now, I have also implemented PEAP, where I create a generic account in AD and give them those credentials to connect to the wireless. However, due to its nature, they are always prompted for credentials and it can be a bit bothersome.

So my next alternative is finding a way to distribute a user certificate to the device, so that that certificate can be used to authorize access to the network.

1. Is this possible? (I was thinking of a form of web enrollment scenario where a user can input credentials as a certificate request or something.)

2. If possible, and not through my above suggestion, how else?

NB: Please be as detailed as possible or direct me to sites that are.

Thanks in advance.

NPS using PEAP and PAP for MAC Authorization


I have some questions dealing with MAC authorization, PAP, and PEAP. At my company our current wireless configuration is using a Win2k3 IAS server with certificate-based EAP-PEAP authentication using MSCHAPv2, but also unencrypted authentication via PAP. The individual responsible for this configuration has long since left the company and I am responsible for implementing a new wireless network using a similar config, which leads me to posting on this forum.

In this config we have two factors of authentication. The first would be MAC authorization, which requires unencrypted authentication using PAP, and the other is AD authentication using PEAP-MSCHAPv2. I can actually check the logs and see the clients authenticating with the AD user account and the AD MAC account. Here are the questions.

PAP is selected as the authentication method and PEAP as the EAP type in the same policy, to hopefully force both forms of authentication. The first question is which form of authentication is actually being implemented: PAP, PEAP-MSCHAPv2, or both? Second, if it is PAP, my concern is whether the AD authentication will be sent across in plain text as the MAC authorization is. And is the MAC authorization accompanying the AD authentication providing further security at all, or is it superfluous?

If you need me to clarify the situation further let me know.

On another note I couldn't verify my account to upload images or include any links.
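The Access-Request exchange the wireless posts above revolve around can be shown concretely. The following Python is an added example, not code from any of the posts: it builds a RADIUS Access-Request the way a NAS doing MAC authorization over PAP does (User-Name and User-Password both set to the client MAC, in the Calling-Station-Id style the posts use), obfuscates the User-Password with the RFC 2865 MD5 scheme, adds the Message-Authenticator that the earlier EAP-TLS post's RADIUS client setting ("Access-Request messages must contain the Message-Authenticator attribute") requires, and then verifies it the way the server side does. The shared secret, NAS address and identifiers are assumed values; nothing is sent on the wire.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 / RFC 2869 codes used below
ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_CALLING_STATION_ID, ATTR_NAS_PORT_TYPE, ATTR_MESSAGE_AUTHENTICATOR = 31, 61, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19


def _attr(atype, value):
    """Type(1) Length(1, includes the 2-byte header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes((atype, len(value) + 2)) + value


def encode_user_password(password, secret, request_authenticator):
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator. Obfuscation keyed by the shared secret, not TLS."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def decode_user_password(encoded, secret, request_authenticator):
    """Server-side inverse of encode_user_password."""
    out, prev = b"", request_authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, secret, username, password, nas_ip, mac, request_authenticator=None):
    """Access-Request with a PAP User-Password and a Message-Authenticator
    (RFC 2869 5.14): HMAC-MD5 keyed with the shared secret over the whole
    packet, computed while the attribute's own value is 16 zero octets."""
    ra = request_authenticator or os.urandom(16)
    attrs = (
        _attr(ATTR_USER_NAME, username.encode())
        + _attr(ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, ra))
        + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + _attr(ATTR_CALLING_STATION_ID, mac.encode())
        + _attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
        + _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    )
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs
    # Message-Authenticator is the last attribute, so its 16 value bytes are the packet tail
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def parse_attributes(packet):
    """[(type, value), ...]; rejects truncated or overlong attributes."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return attrs


def verify_message_authenticator(packet, secret):
    """What the NPS option 'Access-Request messages must contain the
    Message-Authenticator attribute' enforces: absent or wrong -> reject."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, length = packet[pos], packet[pos + 1]
        if length < 2:
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(packet[pos + 2:pos + 18], expected)
        pos += length
    return False


if __name__ == "__main__":
    secret, ra, mac = b"example-shared-secret", os.urandom(16), "58-11-CF-11-F8-B7"  # assumed values
    pkt = build_access_request(7, secret, mac, mac, "10.10.10.200", mac, ra)
    pw = dict(parse_attributes(pkt))[ATTR_USER_PASSWORD]
    print("Message-Authenticator ok:", verify_message_authenticator(pkt, secret))
    print("password with secret:   ", decode_user_password(pw, secret, ra))
    print("password without secret:", decode_user_password(pw, b"guess", ra))
```

Two things the code makes visible. The PAP User-Password is recoverable by anyone holding the shared secret and the packet (decode_user_password), so a PAP credential is only as private as that secret and the path between NAS and NPS; a PEAP inner MSCHAPv2 exchange never puts the password in this attribute at all. And the Message-Authenticator is an HMAC over the entire request, so a request whose User-Name was altered, or from which the attribute was stripped, fails before any account lookup happens.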

Cannot connect to VPN server from outside network


Hello, My name is Linh.

Could you help me the problem as below:

My VPN server is configured on Windows Server 2012 R2 Standard. I also opened port 1723 on the router, turned off all firewalls on my server, and allowed access for all domain users which I want to use for VPN connections. On the internal network I can connect from a client computer to the VPN server with a domain user, but from the outside network I cannot connect with my VPN user; it says "Windows could not connect using the user name & password you provided". Maybe I'm missing something? Could you please help me to fix it?

thank you so much.



How to prevent non-domain computers from accessing domain share folders by using domain users' credentials?


Hi.

I am using Windows Server 2008 R2 as a domain controller and another machine with Windows Server 2008 R2 as a file sharing server, and when I access domain users' shared folders with their credentials from non-domain computers, they open.

My question is: how to prevent non-domain computers from accessing domain share folders by using domain users' credentials?

NPS discards RADIUS request from Cisco switch


Hi all,

I need some assistance with configuring NPS to validate a Cisco switch. I am trying to implement NEAT technology with wired 802.1X authentication. My supplicant switch (2960) is unable to authenticate against the authenticator switch (4510), and the log on the RADIUS server, which runs on a Win 2008 R2 server, says:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:            <removed>\switch
    Account Name:            switch
    Account Domain:            <removed>
    Fully Qualified Account Name:    <removed>\switch

Client Machine:
    Security ID:            NULL SID
    Account Name:            -
    Fully Qualified Account Name:    -
    OS-Version:            -
    Called Station Identifier:        44-D3-CA-F1-23-94
    Calling Station Identifier:        1C-17-D3-AA-CF-99

NAS:
    NAS IPv4 Address:        10.1.1.254
    NAS IPv6 Address:        -
    NAS Identifier:            -
    NAS Port-Type:            Ethernet
    NAS Port:            50205

RADIUS Client:
    Client Friendly Name:        CISCO-L3
    Client IP Address:            10.1.1.254

Authentication Details:
    Connection Request Policy Name:    Secure Wired (Ethernet) Connections 2
    Network Policy Name:        Authentication supplicant switch
    Authentication Provider:        Windows
    Authentication Server:        <removed>
    Authentication Type:        EAP
    EAP Type:            -
    Account Session Identifier:        -
    Logging Results:            Accounting information was written to the local log file.
    Reason Code:            22
    Reason:                The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

I have created an EAP profile on the supplicant to authenticate itself against the authenticator switch with EAP method MD5.

On the RADIUS network policy -> policy name -> Conditions tab I have these parameters:

NAS port type: Ethernet

Windows group: "supplicant switch", where the "switch" account is added

Authentication type: EAP

On the Constraints tab I have selected "Microsoft: Protected EAP using EAP-MSCHAPv2".

Can anyone help?
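Both this post and the EAP-TLS post further up paste the same kind of record: an NPS Event ID 6273 description with Reason Code 22 and an empty EAP Type. As an added example (not code from either post), here is a small Python parser that flattens that "Section:" / "Key: Value" layout into named fields and summarises denials across many events. The two sample events are constructed from the descriptions quoted in the posts, with sections trimmed and the redacted domain replaced by a placeholder.

```python
from collections import Counter

# Constructed sample events modeled on the two Event ID 6273 descriptions
# quoted in the posts above (sections trimmed, domain name replaced).
SAMPLE_EVENTS = [
    r"""Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: Domain\firstname.lastname
Account Name: Domain\firstname.lastname
Account Domain:Domain

Client Machine:
Security ID: NULL SID
Called Station Identifier:4C-00-11-E0-10-B8:WifiSSID
Calling Station Identifier:58-11-CF-11-F8-B7

NAS:
NAS IPv4 Address:10.10.10.200
NAS Port-Type:Wireless - IEEE 802.11

Authentication Details:
Network Policy Name:Secure Wireless Connections
Authentication Type:EAP
EAP Type: -
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
""",
    r"""Network Policy Server denied access to a user.

User:
    Security ID:            EXAMPLE\switch
    Account Name:            switch

Client Machine:
    Security ID:            NULL SID
    Calling Station Identifier:        1C-17-D3-AA-CF-99

NAS:
    NAS IPv4 Address:        10.1.1.254
    NAS Port-Type:            Ethernet

Authentication Details:
    Network Policy Name:        Authentication supplicant switch
    Authentication Type:        EAP
    EAP Type:            -
    Reason Code:            22
    Reason:                The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
""",
]


def parse_nps_6273(text):
    """Flatten the 'Section:' / 'Key: Value' layout into {'Section.Key': value}.
    Splits on the first colon only, so a Called Station Identifier that
    carries an SSID after a second colon is kept intact."""
    fields, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue  # blank lines and free text such as "Contact the ... administrator"
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not value:
            section = key  # "User:", "NAS:", "Authentication Details:"
            continue
        fields[f"{section}.{key}" if section else key] = value
    return fields


def triage(fields):
    """The handful of fields an analyst reads first, with the reason code as an int."""
    get = fields.get
    code = get("Authentication Details.Reason Code", "")
    return {
        "user": get("User.Account Name", "-"),
        "mac": get("Client Machine.Calling Station Identifier", "-"),
        "nas_ip": get("NAS.NAS IPv4 Address", "-"),
        "nas_port_type": get("NAS.NAS Port-Type", "-"),
        "network_policy": get("Authentication Details.Network Policy Name", "-"),
        "eap_type": get("Authentication Details.EAP Type", "-"),
        "reason_code": int(code) if code.isdigit() else None,
    }


def denial_summary(texts):
    """Count denials by (reason code, network policy, NAS port type)."""
    return Counter((t["reason_code"], t["network_policy"], t["nas_port_type"])
                   for t in (triage(parse_nps_6273(x)) for x in texts))


def eap_mismatch_candidates(texts):
    """Denials with Reason Code 22 and no EAP Type recorded. Reason 22 is the
    'EAP Type cannot be processed by the server' text, so the first thing to
    compare is the supplicant's EAP method against the network policy's EAP types."""
    return [t for t in (triage(parse_nps_6273(x)) for x in texts)
            if t["reason_code"] == 22 and t["eap_type"] == "-"]
```

Fed a day's worth of 6273 descriptions (exported from the Security log or the NPS accounting file), denial_summary shows whether one policy or one NAS port type is taking all the failures, which is the first question after a change such as a certificate renewal or a new EAP profile on a supplicant; eap_mismatch_candidates narrows that to the reason-22 pattern both posts show.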

NAP - One site unable to connect to RADIUS Wifi


Hello,

We have a Windows RADIUS server and multiple sites that connect using VPN tunnels. At one site we are unable to connect to the RADIUS SSID. I've verified in the Windows 2012 RADIUS log that connections are getting status 11 (access challenge) then 1 (access request), but at this problem site they never get 2 (access granted).

We've attempted to restart the server. 

We also have found that if you drive to one location and connect to the RADIUS SSID there, then drive back to the problem location, you will be able to connect until you reboot (which destroys the security token?). The RADIUS server is set to authenticate using Secure Password (EAP-MSCHAP v2), then Protected EAP (PEAP), and finally Smart Card or Other Certificate.

Verified that the RADIUS client addresses at problem site have not changed.

Any help or ideas that you may have are greatly appreciated.

Thank you,

Chris B


Radius and nps


When reading about NPS, RADIUS always comes up. I do know RADIUS is something completely different, but I never found a tutorial that explains the difference.

Anyway, who knows the answer? When should I use NPS, when RADIUS, and when both?

Also, should I install NPS/RADIUS on the VPN server or on a clean member server?

Thanks in advance.


NPS Cross Forest authentication


Hi,

The customer has two AD forests with a two-way forest-wide trust and suffix routing enabled for all suffixes.

On-premises users from both forests are synced with Azure AD Connect to Azure AD. Users from these two forests with Azure MFA configured and enabled can access SaaS apps with MFA.

The customer has deployed an NPS server in Forest A (on the child1.forestA domain), and the NPS extension for Azure MFA was installed and configured.

The customer needs his users (from both forests) to be able to authenticate to Pulse-published apps while performing strong authentication using Azure MFA.


Issue description:

- Forest A users succeed in authenticating to the apps (they are prompted by the Pulse portal and pass the Azure MFA)

- Forest B users fail at this step and are re-prompted for authentication (they are not even prompted for their MFA)

Event ID 3 is recorded / Source: AuthZ /

NPS extension for Azure MFA: User not found in On Premise Active Directory. Exception retrieving UPN for User::[userXYZ@domainXYZ] Radius::[156] exception ErrorCode::username_canonicalization_error Msg:: User Login name to UPN conversion failed Enter Error_Code @ https://go.microsoft.com/fwlink/?linkid=846827 for detailed Troubleshooting steps.

Has anyone deployed NPS with the extension for Azure MFA in a multi-forest environment?

Are there any specific network flow requirements...?

Any help would be much appreciated.

Thanks.


If the provided answer is helpful, please click 'Propose as Answer' Managing Office 365, Identities and Requirements Windows Server Virtualization, Configuration

Windows 7 clients wireless authentication failure with SHA-256 Kerberos key


Is there a known issue with using SHA-256 certificates with NPS server?

We swapped our SHA-1 keys and only Win7 clients could not connect. Phones and Win10 systems had no issues.


David Jenkins

Segregate servers from workstations


I’m doing a restructuring of my domain network, and I was thinking about creating two networks, one for the servers and the other for the workstations, allowing only the communications of the necessary protocols: AD services, SMB, SMTP, SQL…

Am I just overthinking, or is it a good idea?

NPS - MAC Address Filtering for Wireless Devices not in Security Group


Hi All

I have 2 wireless networks for my company:

Guest – non-employees use this and it is secured by a WPA2 shared key. This network has no access to company resources and just has internet access.

User – for employees. This network is secured via WPA2 Enterprise with an NPS server and a network policy further filtering by Windows AD security group (users and computers). This all works nicely.

I don’t currently have anything in place to filter out non-work-provided equipment on the user network, so in theory anyone could join the user network, which has access to all company IT resources. Far from ideal.

I want to implement some form of MAC filtering at the NPS server. Company-provided laptops don’t need MAC filtering as they are trusted by default (they are in the security group). But non-work devices (laptops/iPhones etc.) would need to be MAC address filtered.

Does anyone have any suggestions on how I can achieve this? My server environment is 2012 R2 and my work-provided endpoints are Windows 10 Pro or iDevices.

Thanks!

Radius Server Certificates


Hi,

I'm trying to set up RADIUS authentication for wireless access, but somehow it would not work if the RADIUS server is in a different VM from the AD and CA. It worked when RADIUS, AD and CA were in one VM. I have a hunch that it has something to do with the certificates, because when I use a mobile phone that has an option to ignore the certificate, it is able to connect. If you have a guide on how to set up RADIUS when it is in a separate VM, it would be very helpful.

Regards, 

