Channel: Network Access Protection forum

RADIUS Authentication with a PIN from Active Directory


I'm currently setting up an NPS link between Azure MFA in Office 365 and my Citrix NetScaler.

The intention is to control MFA from the Cloud to allow for MFA with Office 365 and also MFA with standard logins to Citrix through the Storefront (hosted on the NetScaler).

(So control all from 1 location instead of having Azure MFA and also On-premise MFA Server).

This involves an integrator, NPS and also RADIUS configurations on a dedicated machine.

My question with this is as follows:

Is there a way to get the RADIUS configuration (or any of the others) to query a specific field in Active Directory when doing the authentication?

Since Azure MFA doesn't have an option for 'Static PIN' when authenticating, I thought maybe I could get around this by getting the Authentication process to look at a field in Active Directory for a PIN entry instead.

(This will only apply for on-premise NetScaler authentication, as I'm not fussed about O365 auth. with this method).

Thanks in advance.


NPS fails with "No Domain Controller Available"


I just installed NPS for the first time on our domain and authentication fails with the message "There is no domain controller available for domain tp.dom". We have two domain controllers and both are working fine. I ran nltest with various options and all the commands complete successfully and find the domain controllers. Also I can log in to the NPS server using TP.DOM\username. I tried a few different users and it's successful. I am not sure why NPS can't locate the domain controller.

So I tried on a different machine and I am getting the same error. Both run Windows 2008 R2. Our DCs are 2003 R2.

Below is the message from the NPS trace.

[5424] 07-08 18:54:32:124: Failed to connect to the cached DC, try DC locator ...
[5424] 07-08 18:54:32:124: Could not open an LDAP connection to domain TP.DOM.
[5424] 07-08 18:54:32:124: NTDomain::getConnection failed: The specified domain either does not exist or could not be contacted.
[5424] 07-08 18:54:32:124: Retrying LDAP search.
[5424] 07-08 18:54:32:124: Could not open an LDAP connection to domain TP.DOM.
[5424] 07-08 18:54:32:124: NTDomain::getConnection failed: The specified domain either does not exist or could not be contacted.
[5424] 07-08 18:54:32:124: No AUTHORIZATION extensions, continuing
[5424] 07-08 18:54:32:124: Added EAP Failure packet

Any help is appreciated.  - thanks.

NPS network policy not working with NAS identifier added


Hi,

I had 1 network policy in place and now I added another one.

They are used for authenticating different devices.

However, the newly added one is not working once I add the NAS identifier as a condition, but if I remove the NAS identifier, it works fine.

Anyone have an idea why?

Thank you so much.

Gina

RADIUS packets seeming to be ignored on Server 2016 with Network Policy Server installed and configured for Radius


Just what's on the tin: RADIUS packets seem to be ignored on Server 2016 with Network Policy Server installed and configured for RADIUS. I have an AP set up to use RADIUS to authenticate clients and a Server 2016 set up as a DC with Network Policy Server configured with a policy for RADIUS wireless clients. In Wireshark the initial Access-Request packet is sent several times with a delay between each, and the server does not respond. In the Security event log there is nothing involving Network Policy Server, and it appears to be a firewall issue; however, the firewall has the allow rules for RADIUS in it.

Feel no hesitation to ask me to send specific screenshots for more info. I thank you for your answer in advance.


Windows 7 NPS Global Certificate installation help


Hi,

I have set up NPS RADIUS in my test environment with a self-signed certificate using the ADCS MS Certificate Authority. I tested with Windows 10/7 domain-joined and non-domain-joined PCs and both are working fine with no issues.
For a Windows 10 domain-joined PC, when I click on the WiFi SSID it prompts for authentication, warns about the trust of the automatically installed certificate (since it is a self-signed certificate) and gets connected. But for Windows 7 PCs, both domain-joined and non-domain-joined, I have to import the NPS certificate and the Root CA certificate (for the workgroup PC), install the certificate, manually add the WiFi SSID and link the SSL; by doing this it gets connected.

Is there any option like Windows 10 for Windows 7 PCs, so that instead of adding the certificate and creating the WiFi SSID manually for both Win-7 domain and workgroup PCs, it prompts for the certificate and connects automatically???

I read in an article that for a workgroup PC connecting using a custom-signed certificate you need to install the domain Root CA along with the NPS certificate since it is local. When I go for a global certificate, e.g. a GoDaddy certificate, do I still need to install the domain controller Root CA??

Though I have a global wildcard certificate like *.contoso.com, I have set up my DC with the subdomain name DC.contoso.com and I didn't create a global subdomain certificate for DC.contoso.com. In this case, even if I create a global NPS certificate, do I still need to install the local Root CA of DC.contoso.com (since it is an internal DC not publicly exposed)???

Any help please!


Mohammed...

NPS Radius Accounting: Acct-Input-Gigawords & Acct-Output-Gigawords


Hi

We are using NPS with RADIUS accounting to monitor the usage time and download/upload bandwidth on our network. RADIUS Acct-Input/Output-Octets roll over at 4.2GB and so gigawords are required as a counter (as per this link: https://www.ietf.org/rfc/rfc2869.txt).

The APs are sending the necessary data but according to Microsoft's documentation, the logs do not expect this field. This means we are not seeing the true bandwidth usage in the event the number rolls over.

Is there anything that can be done to resolve this? I'm hoping NPS can get updated at some point to log the Gigawords as well.

Thanks

Matthew
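To make the rollover concrete, here is an added example (not code from the post) that reconstructs per-session byte counts from the RFC 2869 Octets and Gigawords counters and shows how much an Octets-only log under-reports; the Stop records are constructed sample data.

```python
# Added example, not from the original post: combine the 32-bit RADIUS
# Acct-*-Octets counters with the Acct-*-Gigawords wrap counters (RFC 2869)
# into a true byte count, and measure what a log that drops Gigawords misses.
GIGAWORD = 2 ** 32          # the Octets counter wraps at this value (about 4.29 GB)
OCTET_MAX = GIGAWORD - 1

def true_octets(octets, gigawords=0):
    """Full byte count for one direction: Gigawords * 2^32 + Octets."""
    if not (0 <= octets <= OCTET_MAX) or gigawords < 0:
        raise ValueError("octets must fit in 32 bits and gigawords must be non-negative")
    return gigawords * GIGAWORD + octets

def session_usage(record):
    """Summarise one Accounting-Request Stop record given as a dict of RADIUS
    attribute names to integers (a missing Gigawords attribute counts as 0)."""
    rx = true_octets(record["Acct-Input-Octets"], record.get("Acct-Input-Gigawords", 0))
    tx = true_octets(record["Acct-Output-Octets"], record.get("Acct-Output-Gigawords", 0))
    octets_only = record["Acct-Input-Octets"] + record["Acct-Output-Octets"]
    return {
        "session": record["Acct-Session-Id"],
        "input_bytes": rx,
        "output_bytes": tx,
        "total_bytes": rx + tx,
        # bytes that vanish if the log keeps only the Octets attributes
        "missed_if_gigawords_dropped": rx + tx - octets_only,
        "wrapped": rx >= GIGAWORD or tx >= GIGAWORD,
    }

# Constructed sample Stop records, shaped like what an AP would send.
SAMPLE_STOP_RECORDS = [
    {"Acct-Session-Id": "s1", "Acct-Input-Octets": 120_000_000,
     "Acct-Output-Octets": 900_000_000},
    {"Acct-Session-Id": "s2", "Acct-Input-Octets": 1_000_000, "Acct-Input-Gigawords": 2,
     "Acct-Output-Octets": 3_500_000_000, "Acct-Output-Gigawords": 1},
]

def usage_report(records=SAMPLE_STOP_RECORDS):
    """Per-session usage rows for a batch of Stop records."""
    return [session_usage(r) for r in records]

if __name__ == "__main__":
    for row in usage_report():
        print(row)
```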

Vulnerability CVE-2000-0649


Affected Port: 443 / tcp / www; 80 / tcp / www
Vulnerability Name: Web Server HTTP Header Internal IP Disclosure
CVE ID/EDB ID: CVE-2000-0649
Observation/Impact: This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) firewall or proxy server. There is a known issue with Microsoft IIS 4.0 doing this in its default configuration. This may also affect other web servers, web applications, web proxies, load balancers and through a variety of misconfigurations related to redirection.
Recommendation: Apply configuration suggested by vendor.
Severity Level: LOW

migrating Shared secret templates from 2008R2 to 2016 NPS

I'm migrating an NPS 2008 R2 server to NPS 2016. I can export and import all the client and network policy settings through the GUI and command shell.
However, I cannot export/import the shared secret templates. Does anyone know how to do that?

The command used was

netsh nps export filename="\\share\IT\NPS\file.xml" exportPSK=YES

KB4025335 kills certificate based computer authentication


Hi,

This morning I became aware of the fact that one of our two NAPs (Windows Server 2012 R2) refused to authenticate client machines through our switches -> 802.1X, computer certificate based authentication.

From the logs: Microsoft Windows security auditing | Event ID: 6273 | Code 16

The machine in question installed the update KB4025335 tonight and seems to have had this problem since then. The other machine has not installed this update so far and is still working properly. Given the fact that there are a couple of NPS-related things mentioned in the description of the update, I guess Microsoft screwed something up.

Is anybody else facing this problem since the update?

Best,

dialsc


The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.


After days of troubleshooting, I need some assistance. We are using a wifi SSID to pass RADIUS credentials to our AD server (Windows 2008 R2) via EAP. We are trying to access this SSID mostly via iPhone devices. Our NPS network policy has the proper network policy at the top of the list. Under "Authentication Methods" this policy has "Microsoft: Protected EAP (PEAP)" selected under EAP Types. We are not using certs on these devices as they are not on the domain. Can we please have some assistance with the below error?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
 Security ID:   NULL SID
 Account Name:   user.name
 Account Domain:   CORP
 Fully Qualified Account Name: CORP\user.name

Client Machine:
 Security ID:   NULL SID
 Account Name:   -
 Fully Qualified Account Name: -
 OS-Version:   -
 Called Station Identifier:  00-0F-7D-BA-68-61:LatP4
 Calling Station Identifier:  08-70-45-D1-45-BB

NAS:
 NAS IPv4 Address:  10.1.1.13
 NAS IPv6 Address:  -
 NAS Identifier:   -
 NAS Port-Type:   Wireless - IEEE 802.11
 NAS Port:   497

RADIUS Client:
 Client Friendly Name:  10.1.1.13
 Client IP Address:   10.1.1.13

Authentication Details:
 Connection Request Policy Name: Secure Wireless Connections
 Network Policy Name:  -
 Authentication Provider:  Windows
 Authentication Server:  servername.corp.company.com
 Authentication Type:  EAP
 EAP Type:   -
 Account Session Identifier:  -
 Logging Results:   Accounting information was written to the local log file.
 Reason Code:   22
 Reason:    The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

NPS Called-Station-ID Regex Pattern


I am trying to set up separate auth policies per WLAN. The attribute "Called-Station-ID" contains the MAC address and SSID of the WLAN a client is connecting from, so this seemed an obvious choice. When I specify any kind of regex pattern in the "Called-Station-ID" condition, authentication fails with error 69 stating the Called-Station-ID does not match any policy. I know the policy is fine except for the Called-Station-ID attribute because if I enter the exact Called-Station-ID value, as pulled from the logs, which includes the MAC address and SSID, it works fine. I searched Google first and none of the suggestions I found worked. I would appreciate some help.


Working Called-Station-ID: 00-17-df-34-82-80:RSC-Secure-Wireless

List of attempts:

.*:RSC-Secure-Wireless

.0-17-df-34-82-80:RSC-Secure-Wireless

^00-17-df-34-82-80:RSC-Secure-Wireless$

/00-17-df-34-82-80:RSC-Secure-Wireless/

/^00-17-df-34-82-80:RSC-Secure-Wireless$/

 

While my first attempt may have been incorrect, at least one of my test patterns should have worked. From what I can gather it's not processing the value as a pattern at all.

NPS Proxy - proxy Machine Auth requests?


We have separate wireless SSIDs pointing to NPS servers on separate domains. They presently handle both user auth (BYOD) and machine auth (official Windows laptops) requests. We would like to bring this into one SSID for wireless efficiency.

In a test environment, I have added an NPS proxy, and I'm successful in forwarding the user authentication without issue.

Connection Request Policy #1 condition: Condition = User Name, value = ^domain1\\, matches "domain1\samaccountname"
Connection Request Policy #2 condition: Condition = User Name, value = ^domain2\\, matches "domain2\samaccountname"
 - or value = ^domain1\\|@domain1\.org$, matches "domain1\samaccountname" or "samaccountname@domain1.org"

I need Policies #3 and #4 to detect any machine auth request and forward it to the appropriate domain NPS.

Question: Can you proxy machine auth?
 - Microsoft Docs - Connection Request Policies states: "The Machine Identity attribute group contains the Machine Identity attribute. With this attribute, you can specify the method with which clients are identified in the policy." This might suggest you can?

 - However, there isn't a CRP condition for machine name, just user name, which might suggest you can't.

It looks like the request passes the identity of "host/hostname.domain1.org"; I see this in the log entries. I've tried to make a pattern match for the user name condition for this string without success. Microsoft Docs "Using Pattern-Matching Syntax in NPS" is confusing, in ways contradictory, and the examples I'm using have some syntax that doesn't appear to be in the document (like | ).
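Evaluating the patterns from both posts above (the Called-Station-ID attempts and the proxy User-Name rules) as plain regular expressions, as an added example that is not code from either post. It assumes an NPS condition is evaluated as an ordinary regex search over the attribute value, uses Python's re module as a stand-in for the NPS engine, and the host/ rules for machine identities are hypothetical.

```python
import re

# Added example, not from either post. Assumption: an NPS condition pattern is
# evaluated as a regular-expression search over the attribute value; Python's
# re module stands in for the NPS engine here.

# Constructed from the values quoted in the Called-Station-ID post.
WORKING_CALLED_STATION_ID = "00-17-df-34-82-80:RSC-Secure-Wireless"

CALLED_STATION_ATTEMPTS = [
    r".*:RSC-Secure-Wireless",                     # any prefix, SSID suffix, end not anchored
    r".0-17-df-34-82-80:RSC-Secure-Wireless",      # '.' matches the leading '0'
    r"^00-17-df-34-82-80:RSC-Secure-Wireless$",    # exact value, anchored both ends
    r"/00-17-df-34-82-80:RSC-Secure-Wireless/",    # slashes are literal characters, not delimiters
    r"/^00-17-df-34-82-80:RSC-Secure-Wireless$/",  # same: no '/' exists in the value
]

def condition_matches(pattern, value):
    """True if the regex pattern matches anywhere in the attribute value."""
    return re.search(pattern, value) is not None

def evaluate_attempts(value, attempts):
    """Map each candidate pattern to whether it matches the given value."""
    return {pattern: condition_matches(pattern, value) for pattern in attempts}

# Connection request policy User-Name rules in processing order. The user rules
# are the ones from the proxy post; the host/ rules are hypothetical and assume
# the machine identity arrives as "host/<fqdn>", as that post saw in its logs.
REALM_RULES = [
    ("forward-to-domain1", r"^domain1\\|@domain1\.org$"),
    ("forward-to-domain2", r"^domain2\\|@domain2\.org$"),
    ("forward-machine-to-domain1", r"^host/[^/@]+\.domain1\.org$"),
    ("forward-machine-to-domain2", r"^host/[^/@]+\.domain2\.org$"),
]

def forward_target(user_name, rules=REALM_RULES):
    """Name of the first rule whose pattern matches, or None when no rule
    matches (the request would fall through to the default policy)."""
    for name, pattern in rules:
        if condition_matches(pattern, user_name):
            return name
    return None

if __name__ == "__main__":
    for pattern, ok in evaluate_attempts(WORKING_CALLED_STATION_ID, CALLED_STATION_ATTEMPTS).items():
        print("match   " if ok else "no match", pattern)
    for identity in (r"domain1\samaccountname", "samaccountname@domain1.org",
                     "host/hostname.domain1.org", "guest@example.com"):
        print(identity, "->", forward_target(identity))
```

Under plain regex semantics the first three Called-Station-ID attempts match and the slash-delimited ones cannot, because the slashes are literal characters. The unanchored first pattern would also accept an SSID such as RSC-Secure-Wireless-Guest, so anchor with $ when the SSID is the policy boundary.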

EventID:6273 Audit Failure On Computer Account


I have recently installed a RADIUS server with NPS on a DC in order to provide RADIUS authentication for my corporate wireless. It works fine so far, but sometimes I get an event 6273 like "Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.". The point is, these events are always related to a computer account like domain\pc-name$ and always followed by a 6272 Success for the domain user account of the same computer. What is wrong with this computer? First of all, why should the computer try to authenticate to the network? It is about the users.

My NPS settings are configured to ignore user account dial-in properties anyway. And in any case, both the user and the computer account have dial-in properties set to control access through NPS policy.

Can anyone explain these 6273 failures?

kind regards,

Dieter

802.1X SSID - Lightspeed radius accounting wired issue


Experts,

We use an 802.1X SSID so users log in to the wifi with RADIUS, and accounting is pointed to Lightspeed so at the same time the user is authenticated with the content filter with the proper policy. That seemed to work with Classic and the 230, since we did not have any reports about that issue. Now with the new setup end users report an "internet issue" when they start moving. When a user logs in to wifi, Lightspeed also recognizes that user and places them in the proper rule set policy. When I start walking and going through the walkway I see a lot of RADIUS logins/logouts and finally there is no login back to RADIUS and the user is not recognised; when this happens Lightspeed places the user into a very limited policy where a lot of sites do not work, like GUEST. The workaround is to turn off wifi and turn it back on; then the user is properly recognised by Lightspeed. Like I said, when we used Classic with the 230 we did not have that issue. Lightspeed blames RADIUS and/or Aerohive. I don't want to judge any parties at this time. One tech said something about NPS timing settings, but for god's sake I don't see anything like that in NPS. The other said too many logins/logouts.

The roaming looks OK. I mean there is a ping timeout when I walk in the hallway, so I understand that when the laptop disconnects and connects to another 650 there must be a timeout, so I see a logout and then a login back to RADIUS, and according to Lightspeed there should not be so many logins and logouts. Any idea?


ME

NPS Accounting Logging - how to disable it?


I have a question re. NPS and accounting. I enabled logging for accounting (to a log file) by mistake. I'd now like to disable this accounting again. But I don't see (and can't find with Google) any option to disable this. I can always just run that wizard, but I don't see an option to deactivate it. Also I am a bit confused since I do not really see what settings I am using in the actual state.
I am not even sure if this accounting is enabled at any time and logs stuff to C:\Windows\System32\LogFiles by default; however, I am a bit confused, as I followed a post on how to enable accounting and did not check beforehand what the default settings were. I'd simply like to disable accounting logging again.

kind regards,

Dieter


NPS reason code 293 - EAP-TLS problem with Cisco IP-Phone


Hi,

I am currently trying to set up EAP-TLS for Cisco 7841 IP phones. I have a RootCA that signed a SubordinateCA certificate for the IP phone server. The phones have certificates signed by this server.

The NPS server throws an event (6273) with reason code 293 (The certificate is not valid for the requested usage). Currently I have no idea what to do with this information and I don't know anything else I could troubleshoot. The configuration on switch/NPS should be OK, since it works for Windows clients wired/wireless.

Glad for help/ideas!

Thanks in advance

non-domain computer certificate authentication in NPS


Hi all!

I need to secure my wifi network, and was tasked with wpa2-eap aes security level.

I'm using NPS on W2008 and everything is fine with domain members: the computer authenticates with a computer certificate before user logon and the network is accessible through wifi; after logon the user reauthenticates with the user's certificate.

On a non-domain computer it's OK with a user certificate, BUT it can't authenticate with a computer certificate.

Event logged in security audit:

"Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:

Security ID: MYDOMAIN\WIFIPC1$
Account Name: wifipc1$
Account Domain:MYDOMAIN
Fully Qualified Account Name:MYDOMAIN\wifipc1$
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name:-
OS-Version: -
Called Station Identifier:54-E6-FC-DD-07-81:nur_eap
Calling Station Identifier:00-1C-BF-A0-1C-98
NAS:
NAS IPv4 Address:172.27.143.253
NAS IPv6 Address:-
NAS Identifier:-
NAS Port-Type:Wireless - IEEE 802.11
NAS Port: 0
RADIUS Client:
Client Friendly Name:ap2
Client IP Address:172.27.143.253
Authentication Details:
Connection Request Policy Name:Secure Wireless Connections
Network Policy Name:Secure Wireless Connections
Authentication Provider:Windows
Authentication Server:nps01.mydomain.com
Authentication Type:PEAP
EAP Type: Microsoft: Smart Card or other certificate
Account Session Identifier:-
Logging Results:Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect."

I have the following configuration:

1) on the connection request policy

conditions - wireless-other or wireless-ieee 802.11

setting - attribute manipulation cutting the realm "host/" and replacing ".mydomain.com" with $. Otherwise non-domain members (computers without cutting the realm and replacing the suffix with $, and users without cutting the realm) get the error "The specified user account does not exist.".

2) on network policies

overview - by default, grant access, ignore dial-in properties.

conditions - wireless-other or wireless-ieee 802.11

constraints - authentication method PEAP only with EAP type Smart Card or other certificate. That's the only allowed method for me, as one of the most secure; please don't offer me other methods.

I use an enterprise CA on W2003 with AD 2008 level and enroll certificates manually for non-domain computers using cloned computer or workstation templates where I can provide names in the request; I've also created a computer account with a name similar to the one provided in the certificate, with an additional domain suffix. Clients are configured to use computer or user authentication; computer-only was tried also. I've also tried to use certificate mapping on the computer account without success.

802.1x new domain users are unable to authenticate to the domain server


I'm deploying 802.1X on my wired network and I'm facing a problem on computers that do not have a cached profile created.

The service works fine when I have cached profiles, but when it comes to creating a new profile on a Windows machine, it doesn't work because I can't reach my domain server.

So I went on the internet and saw that certificate authentication is what I need. I'm trying to set that up but I have a lot of doubts, like:

1) How do I set up the NPS policy to do that?

2) How do I create a computer certificate for my domain computers, so they can authenticate?

3) Do I need to do something on the switch besides setting the authentication mode?

What I need is that everyone who plugs a computer into my wired network falls into a guest network, except our managed computers, which will access our company VLANs. Thanks in advance for your help.


NPS to restrict simultaneous login using same credentials at multiple devices


Hi,

Is there a way to restrict NPS concurrent logins using the same credentials???
We have some users who misuse their credentials by sharing them with other users and also connect multiple devices.
Is there a way to restrict simultaneous logins based on numbers???

Thanks in advance


Mohammed...

Windows 2012 NPS DHCP IP adopting issue at client Network Adapter


Hi,

I have set up a RADIUS server with an ADCS self-signed certificate (for NPS client authentication) in my lab session. It's working fine, but the issue is that when a client gets connected to the WiFi network it authenticates/authorizes but the IP at the client's network adapter is not getting adopted, though the DHCP server distributes the IP to that client.

To overcome this, when I stop the NPS service for a while, e.g. a minute or two, then the distributed IP gets assigned to that client's network adapter; after that I restart the service again.

I have to repeat the same for all the clients who connect to my WiFi network.

Does anyone have an idea what this issue might be?? Can anyone please help me to solve this!!

Thanks in advance


Mohammed...
