Channel: Network Access Protection forum
Viewing all 1875 articles

RADIUS over the internet?


I would like to configure a Server 2016 NPS deployment to serve RADIUS for Wi-Fi authentication in several offices. The NPS would be hosted in AWS; as such, the only practical way for multiple offices to access it would be over the public internet. Can NPS be configured such that this is safe to do, i.e. only allow PEAP rather than PAP, MS-CHAP, etc.?

Thanks
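An added example, not from the post above and not Microsoft's code: a Python sketch of what an observer on the path sees in plain RADIUS/UDP, built from constructed packets and a constructed weak shared secret. It follows RFC 2865 (User-Password hiding, Response Authenticator) and RFC 3579 (Message-Authenticator); the user, password, secret and candidate wordlist are made up. The point it makes is that restricting the policy to PEAP closes the PAP/MS-CHAP path but does not protect the RADIUS envelope itself: User-Name and every other attribute cross the wire in cleartext, User-Password is hidden only under the shared secret, and one captured request/reply pair is enough to guess that secret offline.

```python
"""Added example (not from the post): what an on-path observer of plain
RADIUS/UDP (RFC 2865) sees, and why the shared secret is the whole defence
once a PAP Access-Request crosses the internet. All sample data is constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_REJECT = 1, 3
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    block), seeded by the Request Authenticator. The only key is the shared secret."""
    pad = (-len(password)) % 16 if password else 16  # RFC minimum is one block
    padded, out, prev = password + b"\x00" * pad, b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; trailing NULs are padding (so a password that
    itself ends in \\x00 cannot be told apart from the padding)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def find_attr(packet: bytes, attr_type: int):
    """Walk the TLVs after the 20-byte header; return (offset, value) or None."""
    pos = 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return None  # malformed length: stop rather than loop or over-read
        if t == attr_type:
            return pos, packet[pos + 2:pos + length]
        pos += length
    return None


def build_access_request(identifier, authenticator, attrs, secret):
    """Code|ID|Length|Authenticator|TLVs plus a Message-Authenticator (RFC 3579 3.2):
    HMAC-MD5 over the whole packet with the attribute's 16 value bytes zeroed.
    NPS demands it on EAP requests; without it any attribute can be rewritten in flight."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + b"\x00" * 16
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    mac = hmac.new(secret, header + authenticator + body, hashlib.md5).digest()
    return header + authenticator + body[:-16] + mac


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    found = find_attr(packet, MESSAGE_AUTHENTICATOR)
    if found is None:
        return False  # treat absence as failure, as NPS does for EAP traffic
    off, mac = found
    zeroed = packet[:off + 2] + b"\x00" * 16 + packet[off + 18:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mac)


def response_authenticator(code, identifier, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def crack_shared_secret(request: bytes, response: bytes, candidates):
    """Offline guess against one captured request/reply pair: everything but the
    secret is on the wire and each guess costs one unsalted MD5."""
    req_auth = request[4:20]
    code, identifier, length = struct.unpack("!BBH", response[:4])
    resp_auth, attrs = response[4:20], response[20:length]
    for guess in candidates:
        if response_authenticator(code, identifier, attrs, req_auth, guess) == resp_auth:
            return guess
    return None


def demo():
    """Constructed capture: a PAP Access-Request for 'alice' and its Access-Reject,
    under a weak secret. Returns (cracked secret, recovered password, request)."""
    secret, password = b"radius123", b"Wint3r2017!"
    req_auth = bytes(range(16))  # fixed for reproducibility; a real NAS randomises it
    request = build_access_request(7, req_auth, [
        (USER_NAME, b"alice"), (USER_PASSWORD, hide_password(password, secret, req_auth))], secret)
    response = struct.pack("!BBH", ACCESS_REJECT, 7, 20) + response_authenticator(
        ACCESS_REJECT, 7, b"", req_auth, secret)
    cracked = crack_shared_secret(request, response, [b"password", b"Secret1", b"radius123"])
    recovered = reveal_password(find_attr(request, USER_PASSWORD)[1], cracked, req_auth) if cracked else None
    return cracked, recovered, request
```

Running `demo()` recovers both the weak secret and the PAP password from the constructed capture. The practical consequences for an internet-facing NPS: use a long random shared secret per RADIUS client, restrict the allowed EAP types in the network policy so no PAP or MS-CHAP request is ever accepted, and carry the RADIUS traffic itself inside an IPsec or VPN tunnel between the access points and AWS, since NPS has no native RadSec (RADIUS over TLS).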


VPN


Hi Support Team!

I have updated Server 2008 R2 to 2012 R2 and configured VPN on the server. Clients can connect to the VPN but cannot access the folder share, although they can ping.

Please help to check this problem.

Thank you

BUNDITH

EAP-TLS for non-domain machines


Hello,

Maybe this question is not directly for this forum, but since many people here specialize in Microsoft products, maybe someone has an idea or a tip to help me.

I have an environment with a Samba4 AD DC and FreeRADIUS for EAP-TLS/PEAP authentication.

For computers that are in the domain, EAP-TLS authentication with a personal certificate is already working.

I would like to get an idea of how to do EAP-TLS authentication for computers that are not in our domain, i.e. private computers, where the user has an account in our domain?

Server 2012 R2 Dot1x errors


Hi there, 

I've configured NPS to authenticate workstations based on their machine certificates when plugged in to a Cisco switch. RADIUS is set up on the switch and the policies are set up on the server. It's been working in a test environment, but when implementing the solution in our production environment the workstations report an 'Explicit EAP failure' with an error code of 0x8009030c.

I've tried several combinations of policies within NPS or within the authentication tab on the workstation and can't get it to work. Any help would be much appreciated. 

Many thanks. 

Regarding number of RADIUS Clients are supported by Windows Server 2016 Standard


Dear All,

I need to know how many RADIUS clients (maximum limit) are supported by Windows Server 2016 Standard.

Thanks,

Amit Jogi

There is no Domain Controller available in Domain (NPAS)


Hi,

I had RADIUS on a Windows 2003 server which also had DNS & DHCP. Then I added another domain controller to it, a Windows 2016 server, migrated all FSMO roles from 2003 to this one and made it the primary domain controller. After that I configured DHCP and NPS with all RADIUS clients as before. Then I removed all the roles from 2003 (DNS, DHCP) and checked that I can connect through all the RADIUS clients successfully. When I unplugged the network cable of the Server 2003 (as I am planning to remove this machine) I got an error in NPAS on Server 2016 that says "There is no Domain Controller available in Domain". Now I cannot connect through the clients, but if I plug the network cable back in, everything works fine.

How can I fix this problem? Thanks in advance. 

Regards

RasKhan

How to bind MAC to user ID?


Hi,

I am using a RADIUS server to authenticate PPPoE users on the network.

Please let me know if it's possible to bind a MAC address to a user ID in the RADIUS configuration, or any other solution to bind the MAC address.

Thanks in Advance - vishal

Wifi Disconnects When RDP - 802.1x Radius/AD Authentication


Hi Team,

Currently encountering an issue: we recently deployed 802.1x with AD authentication, and it was running perfectly for a few weeks.

However, I just noticed that when I RDP to a remote device connected to the Wi-Fi, the Wi-Fi gets disconnected automatically on the device I am attempting to remote desktop to.

I'll have to log in again on the device to authenticate, but as soon as I try to connect via RDP again it disconnects instantly.

This is just weird; kindly advise if there is a setting I've missed. I checked everywhere and no forum online is helping out.

Many thanks.


Travis, A+, N+, MCTS/MCP, MCSA 2008, MCSA 2012


Does Windows Server 2016 support NAP/NPS?

Please advise: does Active Directory on Server 2016 support an NPS/RADIUS server?

NPS Server Reason Code 22 The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.




I cannot get my wireless devices to log into an SSID on Unifi access points using RADIUS with a Server 2012 NPS server. I have literally copied all settings from a friend's working environment, and even the same type of self-made SSL cert for the PEAP config, but I constantly get this error in the event logs when I try to connect.

It can tell when I am entering a username that does not exist on a test laptop when connecting. It gives me the same error as above whether I use the correct or an incorrect password.

I'm thinking this is a unique problem, as I've been searching Google all day and talking to several others and nobody can seem to figure out the issue.

Does anyone have any ideas of things I can try next?

Microsoft 2016 NPS with Azure MFA extension

hi out there

I have a small problem where I try to authenticate an AnyConnect client through an ASA against a Microsoft 2016 NPS server with the MFA extension enabled.

I hit my Network Policy etc., but whatever I try the NPS refuses to authenticate my account and simply returns:

NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. 
Request received for User John with response state AccessReject, ignoring request.

The NPS is defined as a standard RADIUS server with the MFA extension. If I permit access without authentication in the Connection Request Policy, the MFA extension nicely prompts for permission on my smartphone and the AnyConnect client connects.
There isn't that much I can configure on the Cisco ASA regarding the AAA RADIUS server, more or less just enable support for MS-CHAPv2 or not...

I am out of ideas right now. What can cause an NPS server to refuse authentication from a Cisco ASA?

br ti

[Solved] GPO help with 802.11/WPA2/Computer Certs


This was posted in the 2012 R2 GPO forum, but I was advised to move it here as more relevant.

[all the below is running on WS2012 R2 & Windows 10 clients]

Hi,

I have an internal PKI with clients autoenrolled - all working fine.
I have a RADIUS/NPS server set up for authenticating users on a wireless network - all working fine.

The NPS server has two Network Policies; one for 'Domain Computers' using EAP type "Microsoft: Smart card or other certificate". The other policy is for 'Domain Users' using EAP type "PEAP".

This works well. From a Windows 10 client, which is domain-joined, I can search for wireless networks, find the SSID I have configured (Unifi APs, WPA2, with RADIUS pointing to the above NPS server), click connect and get authenticated without being prompted for anything. 

On a non-domain joined client, I can search for the same wireless network, connect, get prompted for username/password and authenticate with any domain user credentials (I also have to accept to trust the certificate presented by the NPS/RADIUS server).

My NPS policy for domain computers uses "Microsoft: Smart card or other certificate" but my NPS policy for domain users uses "PEAP", so I'm not sure what to put in this box to cover both situations?

Or should I simply create two profiles on the previous screen?

I have tried putting in the RADIUS FQDN under "connect to these servers", tried toggling "verify the server's identity", tried toggling the ticked CAs under "Trusted root CA". Basically everything.

When trying to connect from the domain-joined client, I am getting either "Can't connect because you need a certificate to sign in" or "can't connect because the sign-in requirements for your device and the network aren't compatible".

If I change the overall network authentication to PEAP, then on the Advanced page, I see options which look like they cover both user and computer connections, but I just get the same errors as mentioned above.

Help greatly appreciated.



Network Policies Processing Order


Setup:

Unifi AP's connected to NPS running on Server 2012 R2.

Goal:

1. Laptop users should be able to connect to the production wireless network simply by having their computer accounts in an authorized group, e.g. Company/Laptops.

2. If your device is not in the said group (not an AD object, in essence), prompt for credentials from e.g. Company/Authorized Users.

What so far:

I created a Network Policy with one of its conditions being that you have to be a member of Company/Laptops to be granted access to the wireless network. This works fine, as laptops connect directly if authorized.

A second policy was created where the condition was that you have to be a member of Company/Authorized Users.

Problem:

1. After implementing the second policy, which is 2nd in the processing order, even authorized laptops are prompted for credentials.

2. Devices not in the Company/Laptops group are not granted access at all.

Howto use service-type in a NPS Network Policy?


hi out there

I have a small problem - I need to match a network policy on a 2012 or 2016 Windows server running NPS for Cisco AnyConnect.

I can see in the log file that, for example, "Service-Type" == "<some number>" would probably be a good thing to match on, if I can find the option among those offered in the policy. Can I do this, and if so, what is the name of the option?

The problem here is that we are using the same NPS to authenticate management access, through the same NAS ID, so I have to find other options to match on...

br ti

802.1x Authentication Problems - After entering the username and password, the PCs get the error "There are no logon servers available to service the logon request"


Hello everybody!

We are having some problems here in my office after a 802.1x implementation.

Here is our setup:

Cisco ISE 2.2 version

Windows Server 2012

End user machines with Win 10, 8 and 7.

So, the problem starts when some end-user machines start to give us this error when we try to log in to Windows:

"There are no logon servers available to service the logon request"

We are using EAP-PEAP with the Cisco ISE. This is a strange kind of problem, because sometimes the same machine works well, but after a user logs off and another user wants to use the same machine, the problem starts to appear. Sometimes, after some minutes, the PC starts to answer the EAP requests from the switch and starts the communication with the Cisco ISE.

The problem occurs with windows 10, 8 and 7 OS's.

We already tried opening a TAC case with Cisco and they told us that it seems to be a problem with the operating system.

Below, some logs from one of our end users' PCs.

After some attempts, the end-user PC starts to answer the switch to start the communication with the Cisco ISE:

3             2017-06-20 14:56:14.238130       CiscoInc_89:9b:85            HewlettP_0c:3f:02           EAP        60               Request, Identity
10           2017-06-20 14:56:24.515473       CiscoInc_89:9b:85            HewlettP_0c:3f:02           EAP        60               Request, Identity
17           2017-06-20 14:56:34.806629       CiscoInc_89:9b:85            HewlettP_0c:3f:02           EAP        60               Request, Identity
22           2017-06-20 14:57:21.134357       HewlettP_0c:3f:02           Nearest EAPOL   19           Start
24           2017-06-20 14:57:21.143090       CiscoInc_89:9b:85            HewlettP_0c:3f:02           EAP        60               Request, Identity
114        2017-06-20 14:57:31.427023       CiscoInc_89:9b:85            HewlettP_0c:3f:02           EAP        60               Request, Identity
137        2017-06-20 14:57:41.713613       CiscoInc_89:9b:85            HewlettP_0c:3f:02           EAP        60               Request, Identity
166        2017-06-20 14:57:52.009953       CiscoInc_89:9b:85            HewlettP_0c:3f:02           EAP        60               Failure
168        2017-06-20 14:57:52.221115       CiscoInc_89:9b:85            Nearest EAP        60           Request, Identity
174        2017-06-20 14:58:02.507756       CiscoInc_89:9b:85            HewlettP_0c:3f:02           EAP        60               Request, Identity
176        2017-06-20 14:58:12.794231       CiscoInc_89:9b:85            HewlettP_0c:3f:02           EAP        60               Request, Identity
180        2017-06-20 14:58:25.553836       HewlettP_0c:3f:02           Nearest EAP        34           Response, Identity
181        2017-06-20 14:58:25.571353       CiscoInc_89:9b:85            HewlettP_0c:3f:02           EAP        60               Request, Identity
182        2017-06-20 14:58:25.571773       HewlettP_0c:3f:02           Nearest EAP        34           Response, Identity
183        2017-06-20 14:58:25.592516       CiscoInc_89:9b:85            HewlettP_0c:3f:02           EAP        60               Request, Protected EAP (EAP-PEAP)
184        2017-06-20 14:58:25.637677       HewlettP_0c:3f:02           Nearest TLSv1.2 202        Client Hello

Any solutions or some direction to resolve this issue?

Thanks all for the help


Regarding the permission to access, copy or delete folders/files in Windows Server 2016 & 2008


Dear Sir,

As we are using Windows Server 2016 & Server 2008, how can I give RDP & local users the authority to access, copy/paste or delete folders/files on that Windows server?

Kindly help me with this as soon as possible.

Awaiting your urgent assistance.

Google or Microsoft Authenticator + Windows NPS to get two-factor authentication


I am wondering whether it is possible to use Windows Server with Network Policy Server + Google Authenticator (https://en.wikipedia.org/wiki/Google_Authenticator) or Microsoft Authenticator (https://www.microsoft.com/en-us/store/apps/authenticator/9wzdncrfj3rj) to get two-factor authentication. I found a description of how to configure it for a Linux-based RADIUS: http://www.supertechguy.com/help/security/freeradius-google-auth

There are also some guides on how to configure Windows Server with NPS + a licensed appliance that supports two-factor authentication:

http://www.techworld.com/tutorial/security/how-to-implement-two-factor-authentication-with-windows-server-2008-nps-3223170/

but this requires user licenses.

We plan to get rid of RSA hardware tokens used for Citrix external access and Cisco VPN two-factor authentication

Filter VSA in NPS as condition


Sometimes you want to add a condition in NPS to check a Vendor-Specific attribute. For example, when authenticating connection requests from a Ruckus ZD controller, it is very useful to be able to check the value of the Ruckus-Location attribute, but NPS allows you to add such a condition in its MMC console.

So I made a dump between Wireshark and MS RADIUS and found the VSA.


Then I added the condition to NPS via export/import of the XML RADIUS config.

<msNPConstraint xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">MATCH("Vendor-Specific=01000061DD0506LCHS")</msNPConstraint>                                                                                                                                                                                              

I ran "netsh nps sh np" in the console to check.

But it does not work.

I tried adding the ".*" pattern to check NPS validation. It works.

<msNPConstraint xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">MATCH("Vendor-Specific=.*")</msNPConstraint>


How to set the condition for the NPS to check the VSA?
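An added example, not from the post above: a Python decoder/encoder for the RADIUS Vendor-Specific attribute payload (RFC 2865 section 5.26), using a constructed Ruckus-Location VSA. The bytes in the post's dump, 61DD followed by 05 06, agree with Ruckus' IANA enterprise number 25053 (0x000061DD) and with Ruckus-Location being vendor type 5 with a 6-byte sub-attribute carrying the 4-byte value "LCHS". Two things here are assumptions rather than facts the post establishes: that NPS compares the condition against an all-hex, upper-case rendering of the payload, and that the MATCH pattern is treated as a regular expression over that string.

```python
"""Added example (not part of the forum post): decode a RADIUS Vendor-Specific
attribute (RFC 2865 section 5.26) and render it as a flat hex string of the kind an NPS
Vendor-Specific condition compares against. Sample bytes are constructed."""
import re
import struct

RUCKUS_VENDOR_ID = 25053  # IANA enterprise number for Ruckus, 0x000061DD on the wire
RUCKUS_LOCATION = 5       # vendor type of Ruckus-Location in the Ruckus dictionary


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Id (4) + vendor type (1) + vendor length (1, counts type+len+value) + value.
    This is the payload of attribute 26; the outer type/length bytes are not included."""
    if len(value) > 253 - 6:
        raise ValueError("value does not fit in one attribute")
    return struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value


def decode_vsa(payload: bytes):
    """Return (vendor_id, [(vendor_type, value), ...]); a vendor may pack several sub-TLVs."""
    if len(payload) < 6:
        raise ValueError("too short for a Vendor-Specific payload")
    vendor_id = struct.unpack("!I", payload[:4])[0]
    subs, pos = [], 4
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = payload[pos], payload[pos + 1]
        if vlen < 2 or pos + vlen > len(payload):
            raise ValueError("bad vendor length")  # never trust the length byte
        subs.append((vtype, payload[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def nps_hex(payload: bytes) -> str:
    """Assumption: NPS matches the condition against the upper-case hex of the raw payload."""
    return payload.hex().upper()


def condition_matches(pattern: str, payload: bytes) -> bool:
    """Mimic MATCH("Vendor-Specific=<pattern>") as a regular expression over that hex
    string (regex semantics assumed; the post shows that '.*' is accepted as a pattern)."""
    return re.fullmatch(pattern, nps_hex(payload)) is not None


def demo():
    """Ruckus-Location = "LCHS", the value visible in the post's capture."""
    payload = encode_vsa(RUCKUS_VENDOR_ID, RUCKUS_LOCATION, b"LCHS")
    return (
        nps_hex(payload),
        decode_vsa(payload),
        condition_matches("000061DD0506LCHS", payload),      # ASCII tail, as typed in the post
        condition_matches("000061DD0506.*", payload),        # wildcard, as in the post
        condition_matches("000061DD05064C434853", payload),  # value written in hex
    )
```

Against this rendering the pattern from the post cannot match, because its last four characters are the ASCII letters of the value rather than their hex bytes (4C434853), while the wildcard and the all-hex literal both do, which is consistent with what the post reports. Whether NPS anchors the pattern or normalises case is not something the post establishes, so treat the matcher here as an approximation to be checked against `netsh nps show np` output.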






Using NPS with Cisco IP Phones

Has anyone set up NPS to act as an authentication server for Cisco IP phones? I have never done this before and I'm looking for insight. I am not sure exactly what configs need to be set, and I also need to make sure that the authentication success response includes the class=voip line.

Radius Accounting for IPV6


Dears,

Does RADIUS accounting log IPv6 traffic?

Best Regards,
