Our NPS server is not authenticating domain users to the wireless network. It was previously working but the certificate expired. Since then we've had issues with the server.
Currently the error is:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID:
NULL SID
Account Name:
myid
Account Domain:domain
Fully Qualified Account Name:domain\myid
Client Machine:
Security ID:
NULL SID
Account Name:
-
Fully Qualified Account Name:-
OS-Version:
-
Called Station Identifier:-
Calling Station Identifier:-
NAS:
NAS IPv4 Address:xx
NAS IPv6 Address:-
NAS Identifier:xx
NAS Port-Type:Wireless - IEEE 802.11
NAS Port:
-
RADIUS Client:
Client Friendly Name:Ruckus
Client IP Address:192.168.xxxx
Authentication Details:
Connection Request Policy Name:xxxxx
Network Policy Name:-
Authentication Provider:Windows
Authentication Server:xxxxxx
Authentication Type:MD5-CHAP
EAP Type:
-
Account Session Identifier:-
Logging Results:Accounting information was written to the local log file.
Reason Code:
19
Reason:
The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account. To ensure that reversibly encrypted passwords are enabled, check either the domain password policy
or the password settings on the user account.
We do not have CHAP as an allowed authentication protocol in the Network Policies' Authentication Methods.
Our primary authentication method is PEAP-MSCHAP-V2. We also have MS-CHAP-V2 and MS-CHAP checked.
http://i.imgur.com/tv4sx6O.jpg
The server hosting NPS is part of the domain, the server also hosts our ADCS service.
We've issued a new, valid 'Server Authentication and Client Authentication' certificate to the computer's personal certificate store.
Why is CHAP being used for when we don't have it selected as an allowed authentication method? How can I get it to use the more secure authentication methods that are set to be used?