Channel: Network Access Protection forum

Certificate issues with RADIUS connection on W10 clients


Windows 10 clients have suddenly started having connection issues with my Server 2012 R2 RADIUS WLAN, in that they will not connect automatically to it. Logging on to a laptop/Surface Pro (that previously connected OK) gives a couple of errors:

This popup appears on login:

Then this appears in the list of wireless networks shown when I try and connect:

I've spent a lot of time troubleshooting, following this thread, but nothing seems to fix it. I've uninstalled AD Certificate Services so that I could upgrade from SHA1 to SHA256 etc., and checked and rechecked my GPOs, but nothing seems to help. I'm guessing it's a certificate error but can't figure out where.

When I click on Connect, the W10 device does connect, but it's very inconvenient for my users. Anyone got any ideas how to proceed, please?



DOT1X TLS1.2 issues


Good morning everyone. I am hoping that by sharing this here some of your brilliant minds can help me solve an issue we are facing. I am configuring 802.1x/DOT1X on Server 2016 using Network Policy Server (NPS). I have the NPS constraints and settings configured properly. Frames should originate from a wired connection and users should be members of the "Domain Users" group.

On the Authentication Client I am using a Cisco 2960 with the latest commands...

! Global: send 802.1X authentications to the RADIUS server group defined below
aaa authentication dot1x default group NPS-group

! Server group containing the NPS server
aaa group server radius NPS-group
 server name NPS

! The NPS server: IPv4 address, UDP 1812 (auth) / 1813 (acct), shared secret
! (must match the RADIUS client entry configured in NPS)
radius server NPS
 address ipv4 192.168.1.1 auth-port 1812 acct-port 1813
 key cisco

I have also enabled authentication open, port-control auto, and pae authenticator on the appropriate ports. The server is on a virtual machine using an external switch. When I use a protocol analyzer I can see the "Radius-Request" and "Radius-Challenge" on the server side. On the host I see the EAP connection, client hello and TLS 1.2 handshake; then it drops and requests identity again. I have tested fixes such as creating a DWORD reg value Tlssetting that forced TLS 1.0, then 1.1, and 1.2, still no luck. Also, the DC and NPS are on different virtual machines. I even tried creating the reg value which disables client-side cert validation. Anyone have a similar issue?

In a lab environment using a physical server where AD DS and NPS reside together, it works with no issues.
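
As an added example (not from the post above), here is a PowerShell snippet for the NPS side of that registry experiment: it reads the TlsVersion DWORD under HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 (the EAP-TLS/PEAP provider, EAP type 13), decodes which TLS versions the mask allows, and can set it to a chosen set of versions. The bit values (0xC0 = TLS 1.0, 0x300 = TLS 1.1, 0xC00 = TLS 1.2) are the ones Microsoft documents for this key; the function names are mine. Run it elevated on the NPS server.

```powershell
# Added example, not code from the original post.
# Decodes/sets the TLS version mask the EAP-TLS/PEAP provider (EAP type 13) reads
# from the registry on an NPS server. Bit values per Microsoft's documentation:
#   0x0C0 = TLS 1.0, 0x300 = TLS 1.1, 0xC00 = TLS 1.2 (values may be OR-ed together)
# When the value is absent the OS default applies. The NPS service (service name
# IAS) must be restarted for a change to take effect.

$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'
$TlsBits = [ordered]@{ 'TLS 1.0' = 0x0C0; 'TLS 1.1' = 0x300; 'TLS 1.2' = 0xC00 }

function Get-EapTlsVersions {
    # Returns the TLS versions enabled by the mask, or $null when TlsVersion is not set.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.TlsVersion) { return $null }
    $mask = [int]$props.TlsVersion
    $TlsBits.GetEnumerator() |
        Where-Object { ($mask -band $_.Value) -eq $_.Value } |
        ForEach-Object { $_.Key }
}

function Set-EapTlsVersions {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('TLS 1.0', 'TLS 1.1', 'TLS 1.2')]
        [string[]]$Versions
    )
    $mask = 0
    foreach ($v in $Versions) { $mask = $mask -bor $TlsBits[$v] }
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name TlsVersion -PropertyType DWord -Value $mask -Force | Out-Null
    Restart-Service -Name IAS          # NPS service; brief outage for authentications
    Get-EapTlsVersions
}

$current = Get-EapTlsVersions
if ($null -eq $current) {
    'TlsVersion not set: the OS default for EAP-TLS/PEAP applies'
} else {
    "TlsVersion allows: $($current -join ', ')"
}

# To restrict the NPS server to TLS 1.2 only for EAP-TLS/PEAP:
# Set-EapTlsVersions -Versions 'TLS 1.2'
```

Comparing the decoded value with what the client offers in its ClientHello (visible in the capture the post describes) tells you whether the two ends actually share a TLS version before you look at certificates.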

Win10 802.1x Profile User OR Computer Authentication


It was recommended I post this here instead of the Win10 Forum.

https://social.technet.microsoft.com/Forums/en-US/f7d4c0f7-f5cb-4682-ad62-8f594ade76ee/8021x-machine-user-logon?forum=win10itpronetworking

We have been using NAP with Win7, and our 802.1x profile is configured for User OR Computer Authentication. With the NAP client this resulted in BOTH the User and Computer account being accessible for NAP to validate.

Now with Win10, when a user logs into the machine, the machine account is no longer authenticated along with the user, so you cannot verify the User & Machine account in your NAP policy.

If this is "by design" then what would be the proper/best practices method of resolving it?

  1. Update the 802.1x profile to use Computer/Machine authentication only?
  2. Continue using Machine OR User but modify my NAP Policies?

I assume that this isn't just a bug in Win10 but that it's how Microsoft wanted the 802.1x client to function, despite the reduced functionality.


Using mobile Android/Iphone cannot connect to VPN PPTP Windows Server 2016


Hi, I'm trying to connect from an Android phone to a VPN configured on Windows Server 2016 using RRAS. The Windows computers are working correctly, but when using a mobile it gives the following error:

An account failed to log on.

Subject:
 Security ID:  SYSTEM
 Account Name:  VPNSERVER$
 Account Domain:  DOMAIN
 Logon ID:  0x3E7

Logon Type:   3

Account For Which Logon Failed:
 Security ID:  NULL SID
 Account Name:  USER
 Account Domain:  DOMAIN

Failure Information:
 Failure Reason:  An Error occured during Logon.
 Status:   0xC00002A1
 Sub Status:  0x0

Process Information:
 Caller Process ID: 0x4ac
 Caller Process Name: C:\Windows\System32\svchost.exe

Network Information:
 Workstation Name: -
 Source Network Address: -
 Source Port:  -

Detailed Authentication Information:
 Logon Process:  IAS
 Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Transited Services: -
 Package Name (NTLM only): -
 Key Length:  0

The events on Remote Access are the following:

CoId={NA}: The following error occurred in the Point to Point Protocol module on port: VPN4-127, UserName: Domain\USER. The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

I'm not using RADIUS; is it needed to make this work with mobiles?

Thanks.

NPS on Domain Controller but it says There is no domain controller available for domain


Hello,

I tried to find a solution for my problem, but I have used all the solutions I knew or could find on the web.

I am running two DCs, a main one and a secondary one in a second office.

The DC on each site also acts as DHCP, DNS and NPS.

On the main site I started having a problem with accessing AD. In my log files I continuously find errors:

Error 4401

Domain controller contoso.com for domain contoso is not responsive. NPS switches to other DCs.

4400

It switches to DC2, but then again the domain controller is not responsive...

At that moment I get these errors each time:

6274

The Network Policy Server was unable to connect to a domain controller in the domain where the account is located. Because of this, authentication and authorization for the RADIUS request could not be performed.

On the second DC, DC2, everything works well. I checked and the server is not registered in AD (added to the security group RAS and IAS Servers), but even when I added the domain controller to that group it didn't change anything.

Any idea?

Or should I back up NPS, uninstall it, install it again and import the settings?

thanks for any advice

Andrew

Allow only corporate SSID on corporate windows 10 computers


Hi All,

One of my customers has deployed a RADIUS server and, for security reasons, they want to make sure that no employee can access any open SSID intended for guests.

I'm not a GPO expert and I'm looking for the best practice in this situation.

Is there anything else I need to consider (Configuration or Operation wise) ?

Many thanks for your help,

Aka


Using NPS with Cisco IP Phones

Has anyone set up NPS to act as an authentication server for Cisco IP phones? I have never done this before and I'm looking for insight. I am not sure exactly what configs need to be set, and I also need to make sure that the authentication success response includes the class=voip line.

NPS+VLAN configuration for 2 SSIDs (Internal\Guest): users need to authenticate and get an IP according to the SSID network


Hi,

I am trying to configure a Windows 2012 R2 NPS RADIUS server. I have installed NPS+DHCP+ADCS on one server. I configured the NPS policies without VLANs and it's working fine: when I connect to WiFi it prompts for domain credentials, and when I enter them it allows me to connect; at DHCP Server --> Address Leases I can find the IP distributed to the PC under the host name I connected with.

Likewise, I created 2 SSIDs at the UniFi access point and configured NPS ---> Network Policies with additional settings: Settings --> Standard Options --> Tunnel-Medium-Type, Tunnel-PVT-Group-Id, Tunnel-Type, as per the attached screenshot.


When I try to connect to both SSIDs one after the other, it prompts for credentials and connects, but the network adapter at the client PC shows Unidentified Network; when I check Address Leases at the DHCP server I do not find any IP distributed to the client from the VLAN 110 & VLAN 120 scopes.

I am using an HP 1920-24G managed switch; I configured VLANs, VLAN interfaces, DHCP relay, AAA and RADIUS all properly as depicted in the picture (all at HP Switch-3).

I have a firewall ---> an uplink cable from the firewall to HP Switch-1 (at port 1); from Switch-1 port 24 another uplink cable runs to HP Switch-2 port 24; from Switch-2 an uplink at port 9 runs to HP Switch-3 port 1, and at port 23 the UniFi AP is connected.

Below are the port numbers at the switch side where I changed the link type to "Trunk Mode":
Firewall - Connected a patch cable from the firewall LAN interface to Switch-1 at port 1 (whose Link Type at the HP switch is left at the default Access Mode)
Switch(1) - Port 24 changed the Link Type to Trunk
Switch(2) - Port 23 and Port 9 changed the Link Type to Trunk
Switch(3) - Port 1 changed the Link Type to Trunk; selected Port 23, entered the VLAN IDs 110,120 and selected the port type as Tagged; when I check the port details it now shows Hybrid.

I don't understand why the DHCP IPs are not getting distributed to clients; also, though I have 3 DHCP scopes, only the 1st scope distributes IPs, while the IP ranges of the other 2 scopes are fully available. At DHCP Server --> IPv4 Properties --> Network Access Protection --> NAP Settings, I selected Enable on all scopes.

Any help please, since I'm struggling to find the right option to set this up successfully.


Thanks in advance and sorry for such long post!!!!


Mohammed...
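
An added example, not part of Mohammed's post: run on the Windows DHCP server, this PowerShell snippet lists every IPv4 scope with its NAP enforcement flag and lease counters, and looks up which scope (if any) issued a lease to a given client MAC, so a VLAN scope that never hands out a lease stands out next to the scope that does. The MAC address is a constructed placeholder; the scope IDs come from whatever the server has. It needs the DhcpServer module (installed with the DHCP role or RSAT).

```powershell
# Added example, not code from the original post. Run on the Windows DHCP server.
Import-Module DhcpServer

function Get-ScopeReport {
    # One row per IPv4 scope: state, NAP enforcement setting and address usage.
    Get-DhcpServerv4Scope | ForEach-Object {
        $stats = Get-DhcpServerv4ScopeStatistics -ScopeId $_.ScopeId
        [pscustomobject]@{
            ScopeId    = $_.ScopeId
            Name       = $_.Name
            State      = $_.State
            NapEnable  = $_.NapEnable      # NAP enforcement on this scope
            NapProfile = $_.NapProfile
            InUse      = $stats.AddressesInUse
            Free       = $stats.AddressesFree
        }
    }
}

function Find-ClientLease {
    # Searches every scope for a lease belonging to one client (MAC, hyphen-separated).
    param([Parameter(Mandatory)][string]$ClientId)
    Get-DhcpServerv4Scope | ForEach-Object {
        Get-DhcpServerv4Lease -ScopeId $_.ScopeId -ErrorAction SilentlyContinue |
            Where-Object { $_.ClientId -eq $ClientId }
    }
}

Get-ScopeReport | Format-Table -AutoSize

# Constructed MAC for illustration; use the wireless adapter's address from the client.
Find-ClientLease -ClientId 'aa-bb-cc-dd-ee-ff' |
    Format-Table IPAddress, ScopeId, HostName, AddressState -AutoSize
```

If the scopes for the tagged VLANs show zero addresses in use while the untagged scope keeps growing, the relayed Discover for those subnets is not reaching the DHCP server at all, which points at the relay or trunk tagging path rather than at the NPS policy; if a lease is recorded but the client still reports Unidentified Network, the Offer is not making it back down the VLAN.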




EAP failing for most users after NPS granting access


Hi,

I am using NPS on Windows Server 2016 as the RADIUS authentication server; it is a member server of our domain.

Access points throughout our various sites are all in the 10.112.0.0/14 scope. We have therefore created a single radius client entry in NPS for 10.112.0.0/14.

Our connection request policies and network policies are quite straightforward, allowing access to users who are members of machine groups or Windows groups via PEAP.

Quite frequently users and/or computers won't be able to connect to the defined 802.1x SSID being broadcast by our access points. This occurs across multiple operating systems and device types, using either certificate or user credentials for authentication. If the access point is rebooted the problem is gone for a few hours, then it resurfaces. Other access points work fine, and the issue is not consistently isolated to a single access point.

In the image below, the gray records are unsuccessful attempts to connect to the SSID; blue are successful. The side-by-side image below shows the detailed information of a blue record on the left compared to a gray record on the right. Notice the connection result unknown.

The image below shows the Event Viewer record for a failed attempt, in which you can see the user is granted access.

After mirroring the access point's NIC on the switch we can see the RADIUS exchange.

While also capturing raw 802.11 frames we can see the authentication, association, EAP and deauth stages take place. I'm not sure why the EAP failure is being sent when NPS granted access.

I do notice that in the raw 802.11 capture the BSSID has changed completely, yet the WAP hostname still reports correctly. This can be seen in the access point controller logs. This may be nothing, however, as the library access point which we successfully connected to is the same.

Does anyone have any thoughts or suggestions on what could be going wrong?

Thanks in advance

User Authentication on NPS server with non domain joined device


I have tested that when I connect a non-domain-joined PC to an 802.1x wired network and input my domain credentials, it authenticates.

Then I had a colleague test this with another non-domain-joined device, inputting domain credentials, and authentication fails.

What should the setup be on the client computer side and on the NPS side for authentication to be successful?

Does user authentication only require a certificate? A root certificate?

NPS Server OS: Windows Server 2016

Client Computer: Windows 10

Thanks!

NPS and Azure MFA server


I am trying to set up VPN MFA with my Meraki firewall to Windows using NPS and Azure MFA server.

I cannot find many documents on this and keep getting stuck; it seems that no matter what configuration I try, I keep receiving an error. Does anyone have steps for this? I would greatly appreciate it.




EAP-TLS Logging when: Check EAP log files for EAP errors.


On my NPS server, we started having some connection failures this morning. We have them resolved, but the Security log stated the reason at the bottom of the event:

"An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP).  Check EAP log files for EAP errors."

Where are these "EAP log files" located? 

 


JB
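
As an added example (not from JB's post): NPS keeps no standing EAP log; the RAS/EAP components write trace files only while RAS tracing is enabled, into %windir%\tracing (rastls.log is the EAP-TLS/PEAP one). This PowerShell snippet, written for this page, turns tracing on, leaves a window to reproduce one failing attempt, turns it off, and pulls the error-looking lines out of every trace file written during that window. The two-minute wait and the keyword list are assumptions; run it elevated on the NPS server.

```powershell
# Added example, not code from the original post. Run elevated on the NPS server.
$TraceDir = Join-Path $env:windir 'tracing'

function Start-EapTrace {
    # Enables tracing for all RAS/EAP components; files land in %windir%\tracing.
    netsh ras set tracing * enabled | Out-Null
    Get-Date                         # returned so the caller can filter files by time
}

function Stop-EapTrace {
    netsh ras set tracing * disabled | Out-Null
}

function Get-EapTraceErrors {
    # Greps the trace files touched since $Since for lines that look like failures.
    param(
        [Parameter(Mandatory)][datetime]$Since,
        [string[]]$Keywords = @('error', 'fail', 'invalid', 'cert', 'reject', 'alert')  # assumed
    )
    $pattern = ($Keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-ChildItem -Path $TraceDir -Filter *.log -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            $file = $_.Name
            Select-String -Path $_.FullName -Pattern $pattern |      # case-insensitive by default
                ForEach-Object {
                    [pscustomobject]@{ File = $file; Line = $_.LineNumber; Text = $_.Line.Trim() }
                }
        }
}

$started = Start-EapTrace
Write-Host 'Tracing enabled: reproduce one failing 802.1X/VPN attempt now...'
Start-Sleep -Seconds 120           # assumed reproduction window
Stop-EapTrace
# If no *.log was updated, restart the NPS service (service name IAS) with tracing on and retry.
Get-EapTraceErrors -Since $started | Format-Table -AutoSize -Wrap
```

Leave tracing off outside the reproduction window: the files grow quickly and contain identities and certificate details from every authentication.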

Help with NPS for RADIUS authentication between Meraki and DC - Reason 22


Hoping someone can help me.  I have 2 Meraki wireless networks in two different offices for the same customer.  Both sites have a Windows 2008 R2 domain controller with NPS installed.  Both DCs have new GeoTrust certificates installed to the Personal Certificate store, and the CA Root Certificate installed to the Intermediate CA store.  Both NPS environments have identical Connection Request and Network Policies.

RADIUS is working perfectly at Site A, but not Site B.  The access points at Site B are able to authenticate against NPS at Site A over the VPN tunnel, but the APs at either site are unable to authenticate against NPS at Site B.  Event Viewer returns Reason 22 as the error, and I'm stumped as to why.  

  • I’ve confirmed I’m using the correct RADIUS secret on my APs and in NPS.
  • I’ve tried removing EAP-MSCHAP v2 and re-ordering them, without any change
  • I’ve confirmed I have the correct certificate applied to PEAP in the Network Policy
  • I tried removing and re-importing my certificate and the CA Root certificate
  • I’ve restarted NPS multiple times

What could I be missing?

Radius authentication fail ....


Hello, can anyone please help me with RADIUS?

Well, I have "deployed" a RADIUS server on Server 2016. I want to use 802.1x for port authentication; the company wants one user per port and nobody else accessing that port, just the configured user.

The purpose of this task is that when someone connects a device to that port, a message pops up asking for user and password (wired connection). I have configured:

- Registered the server in Active Directory
- Started the NPS service
- On NPS (Local) -> Standard Configuration -> RADIUS server for 802.1x wireless or wired connections
- On the NPS server console, RADIUS Client:
  - friendly name
  - IP address of the device
  - shared secret
- Created a user account and a group in Active Directory
- Configured an NPS Connection Request Policy:
  - NAS Port Type as Ethernet
- Configured an NPS Network Policy:
  - added the Windows group
  - NAS Port Type as Ethernet
  - Authentication Methods page: PAP, SPAP

On clients:

- Configured the local LAN connection for 802.1X authentication
- Protected EAP (PEAP)

The test from Switch works perfect

this is the fail:

The devices connect normally; RADIUS lets them access without asking for credentials. What am I doing wrong? How can I configure the pop-up window for authentication?

Thank you.
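
An added example, not from either this post or the earlier "Win10 802.1x Profile User OR Computer Authentication" post: on a Windows 10 client, this PowerShell snippet makes sure the Wired AutoConfig service (dot3svc) that drives 802.1X on Ethernet is running (when it is stopped the adapter has no Authentication tab and the switch port never sees EAPOL from the client), then exports the wired profile of a NIC with netsh lan and reports whether 802.1X is enabled, the OneX authMode (machine, user, machineOrUser or guest) and the EAP method type (25 = PEAP, 13 = EAP-TLS). The interface name and export folder are assumptions.

```powershell
# Added example, not code from the original posts. Run elevated on the Windows 10 client.
$Interface = 'Ethernet'                               # assumed NIC name
$ExportDir = Join-Path $env:TEMP 'lanprofiles'

function Start-WiredAutoConfig {
    # 802.1X on Ethernet depends on the Wired AutoConfig service (dot3svc).
    $svc = Get-Service -Name dot3svc
    if ($svc.StartType -ne 'Automatic') { Set-Service -Name dot3svc -StartupType Automatic }
    if ($svc.Status -ne 'Running')      { Start-Service -Name dot3svc }
    Get-Service -Name dot3svc | Select-Object Name, Status, StartType
}

function Get-WiredOneXSettings {
    param([Parameter(Mandatory)][string]$InterfaceName)
    New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
    # Writes one XML file per wired profile on the interface (needs dot3svc running).
    netsh lan export profile folder="$ExportDir" interface="$InterfaceName" | Out-Null
    foreach ($file in Get-ChildItem -Path $ExportDir -Filter *.xml) {
        $xml = [xml](Get-Content -Path $file.FullName -Raw)
        # local-name() XPath avoids hard-coding the LAN profile / OneX / EapHostConfig namespaces.
        $enabled  = $xml.SelectSingleNode("//*[local-name()='OneXEnabled']")
        $authMode = $xml.SelectSingleNode("//*[local-name()='authMode']")
        $eapType  = $xml.SelectSingleNode("//*[local-name()='EapMethod']/*[local-name()='Type']")
        [pscustomobject]@{
            Profile     = $file.Name
            OneXEnabled = $(if ($enabled)  { $enabled.InnerText }  else { '(not present)' })
            AuthMode    = $(if ($authMode) { $authMode.InnerText } else { '(not present)' })
            EapType     = $(if ($eapType)  { $eapType.InnerText }  else { '(not present)' })  # 25 = PEAP, 13 = EAP-TLS
        }
    }
}

Start-WiredAutoConfig
Get-WiredOneXSettings -InterfaceName $Interface | Format-List
```

A port that lets the device on without any prompt while the client profile shows OneXEnabled true is worth checking from the switch side next (whether 802.1X is actually enforced on that port), because the client can only answer an EAP Request/Identity it receives.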

Blocking all wireless ssids except ours while in office


I'm wondering if anyone knows of a way to block all SSIDs except SSID x while in the office, and otherwise not block any SSID.

I started looking at creating a WMI filter for a GPO and found MSNdis_80211_ServiceSetIdentifier. However, that option is not available any longer.

I'm running Windows 10 and Server 2016 AD. The domain functional level is currently 2008.

If anyone has any ideas I'm open to anything at this point.

Thanks for taking the time!

IE
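
As an added example covering both this post and the earlier "Allow only corporate SSID on corporate windows 10 computers" post (it is not code from either poster): Windows keeps a per-machine wireless allow/deny list in netsh wlan filters. This PowerShell snippet always allows the corporate SSID and denies ad-hoc networks, and toggles the infrastructure deny-all filter on or off depending on whether the machine currently has a network profile that NLA marked DomainAuthenticated, i.e. a DC was reachable, which is used here as the "in the office" test. The corporate SSID name is an assumption; run it elevated, for example from a scheduled task triggered on network change.

```powershell
# Added example, not code from the original posts. Run elevated on the Windows 10 client.
$CorpSsid = 'CORP-WLAN'        # assumed corporate SSID

function Test-OnCorporateNetwork {
    # NLA marks a connection DomainAuthenticated when a domain controller was reachable on it.
    $profiles = Get-NetConnectionProfile -ErrorAction SilentlyContinue
    [bool]($profiles | Where-Object { $_.NetworkCategory -eq 'DomainAuthenticated' })
}

function Set-SsidAllowList {
    param(
        [Parameter(Mandatory)][string]$AllowedSsid,
        [Parameter(Mandatory)][bool]$Restrict
    )
    # The allow entry is harmless while deny-all is off, so it is kept in place permanently.
    netsh wlan add filter permission=allow ssid="$AllowedSsid" networktype=infrastructure | Out-Null
    # Ad-hoc networks have no place on a managed device, in or out of the office.
    netsh wlan add filter permission=denyall networktype=adhoc | Out-Null
    if ($Restrict) {
        # Hide and block every infrastructure SSID that is not explicitly allowed.
        netsh wlan add filter permission=denyall networktype=infrastructure | Out-Null
    } else {
        # Off-site: lift the block so home/travel networks are usable again.
        netsh wlan delete filter permission=denyall networktype=infrastructure | Out-Null
    }
    netsh wlan show filters
}

$onCorp = Test-OnCorporateNetwork
"Corporate network detected: $onCorp"
Set-SsidAllowList -AllowedSsid $CorpSsid -Restrict $onCorp
```

Two caveats for this approach: a local administrator can remove netsh filters, so the central equivalent is the Network Permissions tab of a Wireless Network (IEEE 802.11) policy in Group Policy, which carries the same allow/deny lists and can restrict clients to Group Policy profiles; and a DomainAuthenticated profile also appears over a VPN, so the location test above is a heuristic, not proof of being on the office LAN.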


IPSec Connection AES256_SHA256_DH24 on Windows Server 2016


I need some help understanding the basics of IPSec. I don't seem to be setting things up correctly. We are trying to set up an IPSec connection from our Windows 2016 Server to an offsite Non-Windows device. Their IPSec configuration is looking for a handshake with Encryption Algorithm AES_CBC 256, Integrity SHA-256, and DH Group 24. 

No matter how I set up a connection security rule within Windows Firewall and change the IPsec tab of the Advanced Firewall settings, those settings are not respected when an IP Security Policy is also enabled in the Local Group Policy; it always transmits the IKE traffic with 3DES, SHA1, DH 2.

However, whenever we disable the IP Security Policy, thinking the Windows Firewall advanced settings and connection security rule would apply, the outbound traffic goes out unencrypted as ICMP and not IKE.

Is there a way to use the IP Security Policy in Windows Server 2016 to send out IKE traffic, but add to the list of options security algorithms stronger than 3DES in the Integrity and Encryption security method of the Filter Action? The choices are limited. Or if not, how can the Windows Firewall connection security rule be leveraged to allow outbound ping and other traffic to transmit over IKE?

Using subst with paradox-based application


Hi,

We have an application which uses a Paradox database.

The application is installed on server A in C:\application. This location is mapped with the subst command to a shared drive I:\.

On server B, we installed the client and mapped drive I:\ to access the Paradox database. However, the application regularly has errors like .NET / .LCK locks or "Operating system unknown".

We suppose there's something messy with the subst command, because if instead of using it we create a physical partition of C:\, we never encounter these errors again.

Do you know what in the subst operation can cause this behaviour?

NPS server with NPS extension for MFA


Hi,

I've set up an NPS server with the NPS extension for MFA, to be used for 2-factor authentication of clients' VPN requests.

Most of the clients connect fine, but some of them get authentication failures several times, until after several reboots they eventually connect successfully.

What I can see in the Security logs on the NPS server are usually two different audit failure events in different cases:

1) Event ID: 6273; Reason code: 21; Reason: An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.

2)  Event ID: 6274; Reason code: 9; Reason: The request was discarded by a third-party extension DLL file.

What could be the reason for these events and how can I prevent them? As I said, users can eventually establish the VPN connection, but before that they may be presented with several authentication failures or perform several reboots to see if that fixes things.

Kind regards,

Zoran


Zoran Zasovski
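
An added example, not code from Zoran's post or from the earlier "NPS on Domain Controller ... no domain controller available", "EAP failing for most users" and "Reason 22" posts it also applies to: this PowerShell snippet, run on the NPS server, summarises the NPS audit failures from the Security log (6273 = access denied, 6274 = request discarded) by reason code and RADIUS client, and lists the DC-connectivity events from the System log (4401 = DC not responsive, 4400 = NPS now using a DC, both logged under source NPS), so a pattern such as one NAS, one reason code and one time band shows up without opening events one at a time. The field names are the ones in the events' own EventData; the 24-hour lookback is an assumption.

```powershell
# Added example, not code from the original posts. Run elevated on the NPS server.
param([int]$Hours = 24)          # assumed lookback window
$Since = (Get-Date).AddHours(-$Hours)

function Get-NpsFailure {
    # Flattens 6273/6274 EventData into one object per failed/discarded request.
    param([Parameter(Mandatory)][datetime]$Start)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273, 6274; StartTime = $Start } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                EventId    = $_.Id
                User       = $d['FullyQualifiedSubjectUserName']
                Machine    = $d['FullyQualifiedSubjectMachineName']
                Client     = $d['ClientName']           # RADIUS client friendly name
                NasIp      = $d['NASIPv4Address']
                CallingId  = $d['CallingStationID']     # usually the supplicant's MAC
                Policy     = $d['NetworkPolicyName']
                EapType    = $d['EAPType']
                ReasonCode = [int]$d['ReasonCode']
                Reason     = $d['Reason']
            }
        }
}

function Get-NpsDcEvents {
    # 4401: DC not responsive, NPS switching DCs; 4400: NPS now using a DC (System log, source NPS).
    param([Parameter(Mandatory)][datetime]$Start)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NPS'; Id = 4400, 4401; StartTime = $Start } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$failures = Get-NpsFailure -Start $Since
"NPS failures since $Since : $(@($failures).Count)"

# Top combinations of event, reason code and RADIUS client, with the event's own reason text.
$failures | Group-Object EventId, ReasonCode, Client |
    Sort-Object Count -Descending |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Count = $_.Count; EventId = $first.EventId; ReasonCode = $first.ReasonCode
            Client = $first.Client; Reason = $first.Reason
        }
    } | Format-Table -AutoSize -Wrap

Get-NpsDcEvents -Start $Since | Format-Table -AutoSize -Wrap
```

Lining the 4401/4400 timestamps up against the 6274 bursts shows whether the discards happen only while NPS has lost its DC, and grouping by Client separates a single misbehaving NAS from a server-wide problem; for the extension-DLL reasons (21 and 9) the same time correlation against the MFA extension's own logs is the next step.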

Windows 2012 NPS DHCP IP adopting issue at client Network Adapter


Hi,

I have set up a RADIUS server with an ADCS self-signed certificate (for NPS client authentication) in my lab session. It's working fine, but the issue is that when a client connects to the WiFi network it authenticates/authorizes, but the IP at the client's network adapter is not getting adopted, though the DHCP server distributes the IP to that client.

To work around this, when I stop the NPS service for a while, e.g. a minute or two, the distributed IP gets assigned to that client's network adapter; after that I restart the service again.

I have to repeat the same for every client that connects to my WiFi network.

Does anyone have an idea what this issue might be? Can anyone please help me solve this?

Thanks in advance


Mohammed...

Public Certificate for NPS/NAP?


OK, I am trying to get NPS set up to be used for guests to access the Internet while still requiring a login on our network using PEAP. I got a trial certificate from GeoTrust/RapidSSL/FreeSSL and it only offers "Digital Signature, Key Encipherment (a0)", but NPS requires a certificate with "Data Encipherment". I have not found ANY public CA that issues this type of certificate, so if Microsoft requires this for PEAP, where am I to get a valid certificate?

I have checked Verisign and GoDaddy, and all of them only offer "Key Encipherment".
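
As an added example (not from this post, and equally applicable to the "Certificate issues with RADIUS connection on W10 clients" and "Reason 22" posts above): before arguing with a CA about key usage, inventory what the certificates NPS could present for PEAP/EAP-TLS actually carry. This PowerShell snippet lists the LocalMachine\My certificates that have a private key and reports, for each, the properties that matter for EAP: Subject (must not be empty), whether the Server Authentication EKU 1.3.6.1.5.5.7.3.1 is present, the Key Usage bits present and specifically whether Data Encipherment is among them, the signature algorithm (sha1RSA vs sha256RSA, relevant to the SHA1-to-SHA256 migration in the first post), expiry, and whether the chain builds on this host. The report format and function name are mine; compare the output against the requirements you are working to.

```powershell
# Added example, not code from the original post. Run on the NPS server.
function Get-EapServerCertReport {
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert  = $_
        $kuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $ekus  = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
        $dataEnc = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DataEncipherment
        [pscustomobject]@{
            Subject          = $cert.Subject
            SubjectEmpty     = [string]::IsNullOrEmpty($cert.Subject)
            Thumbprint       = $cert.Thumbprint
            NotAfter         = $cert.NotAfter
            SignatureAlg     = $cert.SignatureAlgorithm.FriendlyName      # e.g. sha256RSA vs sha1RSA
            ServerAuthEKU    = [bool]($ekus -contains '1.3.6.1.5.5.7.3.1')
            KeyUsage         = $(if ($kuExt) { $kuExt.KeyUsages.ToString() } else { '(no Key Usage extension)' })
            DataEncipherment = [bool]($kuExt -and (($kuExt.KeyUsages -band $dataEnc) -eq $dataEnc))
            ChainValid       = $cert.Verify()      # builds/validates the chain against this machine's trust store
        }
    }
}

Get-EapServerCertReport | Sort-Object NotAfter | Format-List
```

Whatever the server side shows, PEAP still fails on the client if the issuing root is not in the client's Trusted Root store (or is not selected in its PEAP profile), which is the usual gap when a certificate is swapped from a private CA to a public one or re-issued under a new SHA-256 root.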

