Channel: Network Access Protection forum

clients on other site fail to authenticate on wifi via radius on NPS w2016


Hello all,

I have this issue with my RADIUS-based Wi-Fi authentication.

A multisite domain with 3 DCs. Sites are linked with a PtP VPN tunnel (SonicWall), with no filters.

The CA distributed its root certificate to all the domain PCs and servers.

Site A, 192.168.0.0/24:

2 W2008R2 DCs, 1 W2016 NAP server with CA onboard; auth policy on domain "unifi" computer group and domain "unifi" user group.

15 Ubiquiti access points on the same LAN, correctly set as RADIUS clients on NPS.

In this site the Wi-Fi authentication works like a charm; I decided for now to authenticate only domain computers, and everyone is connecting with no trouble with PEAP MS-CHAP v2.

Site B, 192.168.1.0/24:

1 W2008R2 DC

3 Ubiquiti access points on the same LAN, correctly set as RADIUS clients on NPS.

In this site the Wi-Fi authentication, even if set up with the same parameters, does not work.

I can see an audit failure on my NPS (ID 6273), which shows no authentication with the computer, but with the domain user.

The same computer works in site A, not in site B.

I need to authenticate with domain computers on site B; any suggestions on what to look at?

EVENT:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          05/06/2018 16:08:31
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      nps01.xxx.it
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID:XXX\first.last
Account Name:XXX\first.last
Account Domain:XXX
Fully Qualified Account Name:xxx.it/OU/first.last

Client Machine:
Security ID:NULL SID
Account Name:-
Fully Qualified Account Name:-
Called Station Identifier:AA-BB-CC-DD-EE-FF:site2-wlan
Calling Station Identifier:00-11-22-33-44-55

NAS:
NAS IPv4 Address:-
NAS IPv6 Address:-
NAS Identifier:1234567890
NAS Port-Type:Wireless - IEEE 802.11
NAS Port:0

RADIUS Client:
Client Friendly Name:unifi-ap-site2
Client IP Address:192.168.1.5

Authentication Details:
Connection Request Policy Name:Use Windows authentication for all users
Network Policy Name:Connections to other access servers
Authentication Provider:Windows
Authentication Server:nps01.XXX.it
Authentication Type:EAP
EAP Type:-
Account Session Identifier:-
Logging Results:Accounting information was written to the local log file.
Reason Code:65
Reason:The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
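As an added example (not part of the post), a small Python triage script for the 6273 event text quoted above: it splits the description into its sections and reports the points that matter here, that the Client Machine SID is NULL SID (a user, not a computer, authenticated), that the request landed in NPS's install-time default policy "Connections to other access servers" rather than an administrator-defined one, and the reason code. The embedded event text is the one from the post, cut down to the sections the code uses.

```python
"""Triage an NPS event 6273 (Audit Failure) description.

Added example, not code from the original post: splits the "Label:Value" event
text into per-section dictionaries and pulls out what a troubleshooter checks
first. EVENT_TEXT is the event quoted in the post, cut to the sections used."""

# Section headers exactly as they appear in the 6273 description.
SECTIONS = ("User", "Client Machine", "NAS", "RADIUS Client",
            "Authentication Details")

# Network policies NPS creates at install time; a request that lands in one
# of them matched none of the policies the administrator added.
DEFAULT_POLICIES = {"Connections to Microsoft Routing and Remote Access server",
                    "Connections to other access servers"}

EVENT_TEXT = r"""
Network Policy Server denied access to a user.

User:
Security ID:XXX\first.last
Account Name:XXX\first.last
Fully Qualified Account Name:xxx.it/OU/first.last

Client Machine:
Security ID:NULL SID
Called Station Identifier:AA-BB-CC-DD-EE-FF:site2-wlan

RADIUS Client:
Client IP Address:192.168.1.5

Authentication Details:
Network Policy Name:Connections to other access servers
Reason Code:65
Reason:The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user.
"""

def parse_event_6273(text: str) -> dict[str, dict[str, str]]:
    """Return {section: {label: value}}. Only the first colon separates label
    from value, so values like "AA-BB-CC-DD-EE-FF:site2-wlan" stay whole."""
    sections: dict[str, dict[str, str]] = {"Header": {}}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:
            current = line[:-1]
            sections[current] = {}
            continue
        label, sep, value = line.partition(":")
        if sep:
            sections[current][label.strip()] = value.strip()
    return sections

def triage(sections: dict[str, dict[str, str]]) -> dict[str, object]:
    """Summarise who authenticated and how the request was decided."""
    user = sections.get("User", {})
    machine = sections.get("Client Machine", {})
    auth = sections.get("Authentication Details", {})
    code = auth.get("Reason Code", "")
    return {
        "user": user.get("Account Name", "-"),
        # NULL SID means the request carried no computer identity: this was
        # a user authentication, not the machine authentication the post wants.
        "machine_authenticated":
            machine.get("Security ID", "-") not in ("", "-", "NULL SID"),
        "policy": auth.get("Network Policy Name", "-"),
        "fell_through_to_default_policy":
            auth.get("Network Policy Name") in DEFAULT_POLICIES,
        "reason_code": int(code) if code.isdigit() else None,
        "reason": auth.get("Reason", ""),
    }

if __name__ == "__main__":
    print(triage(parse_event_6273(EVENT_TEXT)))
```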



Using NPS with Cisco IP Phones

Has anyone set up NPS to act as an authentication server for Cisco IP phones? I have never done this before and I'm looking for insight. I am not sure exactly what configs need to be set and also need to make sure that the authentication success response includes the class=voip line.

GPO Logon scripts for VPN users


Hi all,

I cannot believe I am unable to find any definite information about this online!

I have a bunch of sales users that roam around and are not in the office. I need to run a logon script for them via GPO.

I use Microsoft RRAS server for VPN access. Clients are on Win7 and Win8.1. They use the Microsoft VPN client. I have the logon script in the user configuration in the GPO.

Can this logon script be applied in any way to these remote users?

Thanks,

nps maxconcurrentapi value


Hi there

According to the MS article https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-concurrent-auth it is recommended to increase concurrent authentication if NPS is not installed on a DC. However it doesn't provide more info. My NPS is in another forest, it's not a DC and it is authenticating users from my forest, as well as other trusted cross forests. Users are currently a few hundred but soon the number will become a few thousand when it goes to production. What I would like to know is if there are any recommendations on what the maxconcurrentapi value should be, instead of a generic interval of 2-5.

Thanks and Regards

connect network from windows 10 to windows 7


Hi,

I don't know why I am unable to share files from Windows 10 to Windows 7.

\\192.168.1.84 gives me an error.


fsze88

Regarding Remote Desktop licensing


Good morning..

I ran into a problem when connecting to our Remote Desktop..

And this is the message shown to me: "The remote session was disconnected because no Remote Desktop license servers are available to provide a license. Please contact the server administrator."

NPS fails with "No Domain Controller Available"


I just installed the NPS for the first time on our domain and authentication fails with the message "There is no domain controller available for domain tp.dom". We have two domain controllers and both are working fine. I ran nltest with various options and all the commands complete successfully and find the domain controllers. Also I can log in to the NPS server using TP.DOM\username. I tried a few different users and it was successful. I am not sure why NPS can't locate the domain controller.

So I tried on a different machine and am getting the same error. Both run Windows 2008 R2. Our DCs are 2003 R2.

Below is the message from the NPS trace.

[5424] 07-08 18:54:32:124: Failed to connect to the cached DC, try DC locator ...
[5424] 07-08 18:54:32:124: Could not open an LDAP connection to domain TP.DOM.
[5424] 07-08 18:54:32:124: NTDomain::getConnection failed: The specified domain either does not exist or could not be contacted.
[5424] 07-08 18:54:32:124: Retrying LDAP search.
[5424] 07-08 18:54:32:124: Could not open an LDAP connection to domain TP.DOM.
[5424] 07-08 18:54:32:124: NTDomain::getConnection failed: The specified domain either does not exist or could not be contacted.
[5424] 07-08 18:54:32:124: No AUTHORIZATION extensions, continuing
[5424] 07-08 18:54:32:124: Added EAP Failure packet

Any help is appreciated.  - thanks.

Setting NIC profile from Domain to Public


Hi,

Our freshly installed Server 2016 has 2 NICs: one connected to a private network, one directly connected to the internet. I've noticed the firewall is applying the domain profile to both NICs, exposing AD, SMB, CIFS, ... all to the public WAN. We all know what kind of security risk this is.

I've tried this in PowerShell already:

Set-NetConnectionProfile -InterfaceIndex 13 -NetworkCategory Public

Which returns an error, saying it can't be manually changed from DomainAuthenticated.

I've tried demoting and removing the entire freshly installed AD on our freshly installed Windows Server 2016 as well, yet at step 1 (removing AD Certificate Services) it returns error 0x80073701. As far as I could figure, this means corrupted system files (yes, on a completely freshly installed Windows Server. A round of applause for Windows Update).

I've tried running sfc /scannow, which tells me that it found corrupted files and repaired them (over and over again). I've tried running dism /online /cleanup-image /restorehealth, which returns Error 14: Not enough storage available every time. Yet the system has 150 GB free and 16 GB RAM (of which only 25% is in use). None of these commands worked.

I'm running out of options now. I've already configured a firewall rule that blocks all ports below 1024 with exceptions for other crucial applications, but this is obviously a terrible solution. Telling my customer once again that their entire server must be reinstalled completely (I'm not even gonna bring up what Dell has done) is not an option anymore (budget, time, ...). I've tried contacting Microsoft Server Support as well, where I get a foreigner with a strange accent, demanding money (the great MS recession of 2014 of course). Does anyone have any ideas?

Thanks in advance



Regarding number of RADIUS Clients are supported by Windows Server 2016 Standard


Dear All,

I need to know how many RADIUS clients (maximum limit) are supported by Windows Server 2016 Standard.

Thanks,

Amit Jogi

NPAS on windows server 2016


Hello,

I'm using NPAS (RADIUS) on Windows Server 2016 for wireless authentication.

I've one problem ... everything works perfectly but I need to use certificates and also users and passwords for authentication ... Now I'm using EAP - PEAP-MS-CHAP v2 and it asks clients for only user & pass.

My goal is that no one is able to connect to the wireless network with just user & pass ... I need everyone to ask the admins to connect to the network, and they'll install a certificate on the user's device.

So, on Windows Server 2012 EAP - PEAP-MS-CHAP v2 works perfectly, but 2016 is something different.

Thank you.

Is it possible for macOS Sierra 10.12.6 to connect to Wi-Fi 802.1X using NPS Microsoft PEAP authentication (Microsoft: Smart Card or other certificate)?


Is it possible for macOS Sierra 10.12.6 to connect to Wi-Fi 802.1X using NPS Microsoft PEAP authentication (Microsoft: Smart Card or other certificates)?
I have a macOS 10.12.6 machine that wants to connect to Wi-Fi 802.1X using certificate authentication (PEAP). But it cannot connect.
So I want to ask whether macOS X can connect to PEAP (Microsoft: Smart Card or other certificates)?

Can anyone help me please!

 

How to change CA cert on NPS without reinstalling the NPS


Hey all,

I'm having an issue attempting to configure WPA2 Enterprise Wireless Network infrastructure. Allow me to give a little background before moving on to details;

Recently following a cybersecurity assessment one of the findings was that my company uses weak WPA2 PSK wireless infrastructure so I had to change it. I'm essentially a one man IT Dept myself and my knowledge is up to MCSA level 1 on Win Server 2012 (I was told RADIUS is taught at level 2 or 3 which is already beyond me). Pardon me for being an idiot in this - all my knowledge on WPA2 Enterprise comes from online articles. 

To the point,

I did many trials and errors trying to get it up and running. I set up RADIUS server using Network Policy Server on Windows Server 2012 R2. I configured RADIUS client before knowing I need a Certificate Authority (CA) so I set that up too.

At first I was setting up PEAP with MSCHAPv2 and all is well. The next move is I wanted to implement EAP TLS instead since PEAP with MSCHAPv2 isn't secure enough. 

When it comes to certificates is when it started getting messy. I needed an IIS apparently, to host the CertSrv website for clients to request certificates. I added the role but the CertSrv website won't appear on the IIS default webpage despite all my efforts. So I ended up uninstalling the CA and reinstalling and reconfiguring the CA, and now the website is working properly.

However, my RADIUS server was configured using the old CA certificate and thus I cannot connect any client except those that had the old CA cert before I reinstalled my CA role. My CA server, NPS and IIS are all set up on one physical machine and I tend to get confused when it comes to certificates.

Is there a way to change the CA cert without removing and reconfiguring my NPS RADIUS server? I tried the configuration wizard for NPS but it cannot detect the new CA cert.

For my testing AP I am using a Linksys router running on DDWRT. 


RADIUS over the internet?


I would like to configure a Server 2016 NPS deployment to serve RADIUS for WiFi authentication in several offices. The NPS would be hosted in AWS, as such the only practical way for multiple offices to access it would just be over the public internet. Can NPS be configured such that this is safe to do? i.e. only allow PEAP rather than PAP, MSCHAP, etc.?

Thanks

NPS Reason code 23


Hello,

I'm trying to get a 2nd NPS server working on our trusted forests. One server works, but the 2nd one gives me errors like this (I've xxx'ed out company-specific information):

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: xxx
Account Name: xxx
Account Domain:xxx
Fully Qualified Account Name:xxx
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name:-
OS-Version: -
Called Station Identifier:000B86B7A15F
Calling Station Identifier:F02475AF11E8

NAS:
NAS IPv4 Address:10.208.0.20
NAS IPv6 Address:-
NAS Identifier:10.208.0.21
NAS Port-Type:Wireless - IEEE 802.11
NAS Port: 0

RADIUS Client:
Client Friendly Name:xxx
Client IP Address:10.208.0.2

Authentication Details:
Connection Request Policy Name:Secure Wireless Connections
Network Policy Name:Secure Wireless Connections
Authentication Provider:Windows
Authentication Server:xxx
Authentication Type:EAP
EAP Type: Microsoft: Smart Card or other certificate
Account Session Identifier:-
Logging Results:Accounting information was written to the local log file.
Reason Code: 23
Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

I have mirrored the configuration from the working server to the non-working server and re-issued all the certs for the non-working server.  I'm not finding anything particularly useful in the In* logs.  Would anyone be willing and able to shed some light on this for me please?

thank you in advance.

NPS working for old wireless access points but not new one


We have NPS running on Windows 2012 R2 Server and all of our wireless access points are configured to use it as a RADIUS server without any issues but those access points are at least a few years old. 

We just bought a new wireless access point and it will not work with our existing NPS.

More details: 

- All wireless access points are Cisco WAP.

- I have already worked with Cisco tech support and they are convinced it is an issue with NPS after looking at debug logs and Wireshark packet captures.

- I added the NPS role to a test server, configured it with the exact same settings as our production NPS, pointed the new AP to it, and that setup worked.

- I moved the test server into the same OU as the production NPS, made sure they were both fully patched, had valid certs, etc., and the test server still worked and the production server didn't with the new AP.

- The only error message I can find was in the event viewer: "An Access-Request message was received from RADIUS client valid-ip-address with a Message-Authenticator attribute that is not valid." That error makes it seem like it is an issue with the shared password, but I verified a hundred times that it is correct. I even tried a few different simplified versions.

I have no idea what else to check.


Heath


How to Remove NAP (without breaking your network)


Hi people,

I've been asked by a customer to decommission the only DC in a site, and route logons through a central DC instead. The central server is already being shared with the onsite one as a logon server, so in theory it should just take over the login authorisation completely when the onsite server is removed. However when I temporarily disabled the server, all the people onsite were moved from the production network on to the guest network, and subsequently were unable to get any of the company resources, including the central logon servers, file servers etc.

I've since realised that it was the NAP role that caused this issue. So before I can demote this server, I'm going to need to remove the NAP role. Does anyone have a good guide to removing NAP which ensures that the users are able to stay on their existing network?

Regards,

Gareth

NPS 2012 rejects windows 7 clients after upgrade from 2008 R2. Requested EAP methods not available


Hi folks

We have a very strange phenomenon and maybe some of you guys can help me.

We had a perfectly working Network Policy Server 2008 R2 environment. NPS was running on a Domain Controller (2K8R2), authenticating requests from various sources (Cisco WLAN Controller, Cisco Switches, ...).

People connected to WLAN from Windows 7 computers, MacBook Pros, iPhones, Android devices, ...

Everything was working fine until we upgraded our Domain Controllers to Server 2012 (in-place upgrade)
The upgrades went smoothly and error free. Domain Controllers are stable and our domain works fine.

There is one exception: Our Network Policy Server which was upgraded to 2012 as well.

The configuration has been migrated and seems to be exactly the same as before.

The only difference is that Windows 7 clients (notebooks which are not members of the domain) cannot authenticate anymore. On the server side I see there is an event log entry (application):

Source: EapHost
Message: Negotiation failed. Requested EAP methods not available

- Creating the WLAN profile manually doesn't help.
- Windows 7 asks for username/password (this is what we use. no computer/user certificates).
- CA certificate is installed on these computers

The strange thing is that users with Mac Books, iPhones, Android Mobiles have no problem authenticating.
Only when they try connecting to WLAN on Windows 7 it fails.

- The NPS Policies have not changed. 
- The same Windows 7 notebooks can successfully connect to other WLANs without a problem.
   So it seems not to be a client problem.

Why should the NPS server not know the EAP methods when other devices (iPhone, Android, MacBook) can successfully connect?

In the log file I see a rejection (code 3 in the fourth field). If I do the same on my Android Mobile I see code 2  which means success.

Request from Samsung Galaxy S3

"IKAWA","IAS",06/14/2013,10:00:54,1,"myuser","mydomain.local/Prod/INS/Users/Lastname, Firstname","00-08-30-00-b9-00:ins","5c-0a-5b-38-2e-60",,,"wlc","a.b.c.88",1,9,"a.b.c.88","wlc",,,19,,,2,11,"WLAN Access",0,"311 1 152.96.120.201 06/14/2013 04:13:00 4087",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,13,6,,,,"122",,,,,,,,,,,"WLAN Access",1,,,,
"IKAWA","IAS",06/14/2013,10:00:54,2,,"mydomain.local/Prod/INS/Users/Lastname, Firstname",,,,,,,,9,"a.b.c.88","wlc",,,,,,,11,"WLAN Access",0,"311 1 152.96.120.201 06/14/2013 04:13:00 4087",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,13,6,,,,"122",,,,,,,,"0x01494E534C4F43414C",,,"WLAN Access",1,,,,

Request from Windows 7 Notebook

"IKAWA","IAS",06/14/2013,10:05:17,1,"myuser","MYDOMAIN\MyUser","00-08-30-00-b9-00:ins","8c-70-5a-cd-05-e8",,,"wlc","a.b.c.88",1,9,"a.b.c.88","wlc",,,19,,,2,5,,0,"311 1 152.96.120.201 06/14/2013 04:13:00 4161",,,,"",,,,,,,,,,,,,,13,6,,,,"122",,,,,,,,,,,"WLAN Access",1,,,,
"IKAWA","IAS",06/14/2013,10:05:17,3,,"MYDOMAIN\MyUser",,,,,,,,9,"a.b.c.88","wlc",,,,,,,5,,22,"311 1 152.96.120.201 06/14/2013 04:13:00 4161",,,,"",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"WLAN Access",1,,,,

This is so strange.

If anybody could help it would be great.

Regards,
Oliver
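Added example, not the poster's code: a parser for the IAS-format lines above. Field positions follow Microsoft's IAS (ODBC-compatible) log format definition (Packet-Type is field 5, Authentication-Type 24, Policy-Name 25, Reason-Code 26, EAP-Friendly-Name 31), and with them the difference between the two pairs becomes visible in code: the Android pair is logged as PEAP with a named inner method and gets an Access-Accept, while the Windows 7 pair is logged as plain EAP with no method name and gets an Access-Reject with reason code 22 (EAP type cannot be processed by the server).

```python
"""Parse NPS/IAS-format log lines and pick out the rejects.

Added example, not code from the original post. The IAS (ODBC-compatible)
format is positional CSV: Computer-Name, Service-Name, Record-Date,
Record-Time, Packet-Type, User-Name, FQ-User-Name, Called-Station-Id,
Calling-Station-Id, ... Quoted values such as "Lastname, Firstname" contain
commas, so the lines need a real CSV parser rather than str.split(",").
SAMPLE holds the four lines quoted in the post.
"""
import csv

# 1-based positions of the IAS-format fields used below.
FIELDS = {"computer": 1, "date": 3, "time": 4, "packet_type": 5, "user": 6,
          "fq_user": 7, "called_station": 8, "calling_station": 9,
          "nas_port_type": 20, "auth_type": 24, "policy": 25, "reason": 26,
          "eap_method": 31}
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request"}
AUTH_TYPES = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAP v2", 5: "EAP",
              7: "None", 8: "Custom", 11: "PEAP"}
# NPS reason codes that occur on this page; anything else is shown by number.
REASON_CODES = {0: "Success",
                22: "EAP type cannot be processed by the server",
                23: "Error during NPS use of EAP; check the EAP log files",
                65: "Network Access Permission on the account is Deny access"}

SAMPLE = r'''
"IKAWA","IAS",06/14/2013,10:00:54,1,"myuser","mydomain.local/Prod/INS/Users/Lastname, Firstname","00-08-30-00-b9-00:ins","5c-0a-5b-38-2e-60",,,"wlc","a.b.c.88",1,9,"a.b.c.88","wlc",,,19,,,2,11,"WLAN Access",0,"311 1 152.96.120.201 06/14/2013 04:13:00 4087",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,13,6,,,,"122",,,,,,,,,,,"WLAN Access",1,,,,
"IKAWA","IAS",06/14/2013,10:00:54,2,,"mydomain.local/Prod/INS/Users/Lastname, Firstname",,,,,,,,9,"a.b.c.88","wlc",,,,,,,11,"WLAN Access",0,"311 1 152.96.120.201 06/14/2013 04:13:00 4087",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,13,6,,,,"122",,,,,,,,"0x01494E534C4F43414C",,,"WLAN Access",1,,,,
"IKAWA","IAS",06/14/2013,10:05:17,1,"myuser","MYDOMAIN\MyUser","00-08-30-00-b9-00:ins","8c-70-5a-cd-05-e8",,,"wlc","a.b.c.88",1,9,"a.b.c.88","wlc",,,19,,,2,5,,0,"311 1 152.96.120.201 06/14/2013 04:13:00 4161",,,,"",,,,,,,,,,,,,,13,6,,,,"122",,,,,,,,,,,"WLAN Access",1,,,,
"IKAWA","IAS",06/14/2013,10:05:17,3,,"MYDOMAIN\MyUser",,,,,,,,9,"a.b.c.88","wlc",,,,,,,5,,22,"311 1 152.96.120.201 06/14/2013 04:13:00 4161",,,,"",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"WLAN Access",1,,,,
'''

def parse_ias_line(line: str) -> dict:
    """Map one IAS record to named fields; numeric codes become ints."""
    row = next(csv.reader([line]))
    rec = {name: (row[pos - 1] if pos <= len(row) else "")
           for name, pos in FIELDS.items()}
    for key in ("packet_type", "nas_port_type", "auth_type", "reason"):
        rec[key] = int(rec[key]) if rec[key] else None
    rec["packet_name"] = PACKET_TYPES.get(rec["packet_type"], "unknown")
    rec["auth_name"] = AUTH_TYPES.get(rec["auth_type"], "unknown")
    rec["reason_text"] = REASON_CODES.get(rec["reason"], f"code {rec['reason']}")
    return rec

def parse_ias_log(text: str) -> list[dict]:
    return [parse_ias_line(line) for line in text.splitlines() if line.strip()]

def rejects(records: list[dict]) -> list[dict]:
    """Access-Reject records (Packet-Type 3): the ones worth investigating."""
    return [r for r in records if r["packet_type"] == 3]

def eap_requests_without_method(records: list[dict]) -> list[dict]:
    """Access-Requests logged with Authentication-Type EAP but an empty
    EAP-Friendly-Name, i.e. no inner method was agreed. In the sample the
    Windows 7 request shows this; the Android request is logged as PEAP
    with a named method and is accepted."""
    return [r for r in records if r["packet_type"] == 1
            and r["auth_name"] == "EAP" and not r["eap_method"]]

if __name__ == "__main__":
    for r in rejects(parse_ias_log(SAMPLE)):
        print(r["time"], r["fq_user"], r["reason"], r["reason_text"])
```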

NPS policy to distinguish requests from smartphones/tablets and computers


Hi all,

Do you have any solution that can be set in the NPS policy to distinguish a request coming from a smartphone or tablet?

My actual configuration is made of a single SSID (for both smartphones and computers) that sends the request to the NPS RADIUS, secured by certificate authentication issued by an internal CA.

Actually, the only way I have found to assign a different VLAN to a smartphone than to a computer is to:

  • create in AD a specific account for every smartphone, and assign that user membership of a specific AD group. In the NPS conditions, I have added the membership of that AD group. I have a rule that will assign the VLAN (DMZ) for smartphone/tablet if the condition is matched.
  • computers (which will not match the rule above) will be assigned the "client" VLAN

My question is... how can I avoid creating an AD user for every single device? I would like the NPS to automatically recognize the device (by the condition rules or any other way), and using only the user account certificate, assign the VLAN for smartphones to smartphones and the VLAN for clients to computers.

I hope this is clear.

thanks in advance for any advice.

Rudy

Phonefactor with RRAS(Windows Server 2003) - VPN client timeout after 20 seconds -- too fast!


[Note that I have previously posted this question on Experts Exchange... but have not found a solution yet].

We are a small business and would like to switch to two-factor authentication for VPN connections. We spent nearly a year helping Barracuda debug their small business VPN appliance and finally they took their boxes back and gave us back our money - they just couldn't get file sharing to work consistently with some new firmware they had to install due to a patent case.

So... now we are trying Phonefactor.

Our VPN setup is RRAS on a Windows Server 2003 domain controller.

We have installed Phonefactor, enabled it as a Radius server, and configured RRAS to point to Phonefactor for Radius authentication. We configured phonefactor to send text messages for authentication, as we figured that would be less disruptive than a phone call.

It all works except... the timeout for VPN clients is only 20 seconds! By the time we receive the text message on a cell phone, sometimes there is only 5 or 6 seconds to get the six digit code typed into a reply on the cell phone... and unless we are really nimble, that is frequently not enough time!

When the VPN client times out, it gives an Error 718 "The connection was terminated because the remote computer did not respond in a timely manner."

How can we increase the timeout on the VPN clients, so we can more reliably enter the authentication code in a reply back to phonefactor?

Things we have tried:

1) Connecting (PPTP) from different Windows clients to see if we get different timeout limits. So far we have tried several Windows 7 boxes and a Windows Server 2003 as the client, but in all cases the timeout is 20 seconds.

2) On the windows clients: Searching through the PPTP client settings to see if there is one labeled "connection timeout". So far we have found nothing.

3) On the windows 2003 server: Modifying the RRAS Radius Server time-out to be 30 seconds, 60 seconds, 300 seconds. We've tried restarting RRAS after these changes, but the client connection timeout is still 20 seconds.

4) In the phonefactor configuration: Searching through the radius server settings to see if there is one labeled "connection timeout". So far we have found nothing.

5) Using NTRadPing to connect directly to the phonefactor radius server. With NTRadPing we were able to wait more than 60 seconds without a timeout from phonefactor. So we don't *think* at this point that the issue is within phonefactor.

6) We have asked phonefactor support, but their response is "hmmm... good question, we don't know, that sounds like a problem with your vpn client". And they could well be correct.

7) Search the web for how to increase either the stock windows VPN client timeout, or the RRAS radius authentication timeout. No luck so far.

8) Try this registry hack: http://windowsitpro.com/networking/solving-ras-718-error. Didn't help.


Any ideas?

thanks!

Network Discovery on Windows 10


Hi Guys,

I am running a Gigabit network with SBS 2011 as the domain controller. There are some Windows 7 PCs and some Windows 10 PCs.

I recently reinstalled the domain controller as it was very slow.

Anyway, my issue is that a couple of PCs previously running Windows 7 but now on Windows 10 intermittently only see 2 PCs on the network and then sometimes all of them. This was happening before I reinstalled the domain controller, when these PCs were on Windows 7, and now on 10.

When these PC's can't view other PC's on the network they can be seen by others. I have checked that all the relevant services are running, checked the inbound and outbound rules on the Windows firewall for network discovery for domain and private connections, which all seem fine.

When this happens if I go to Windows Explorer and type: \\192.168.1.theip it finds some computers but not others.

The computers I want to find can be pinged successfully and can be accessed by all the other users, apart from two computers at the moment.

This is really bizarre and I was hoping that someone could suggest a fix.

Thanks in advance.
