Hi All,
I have configured an NPS server on a Windows Server 2012 R2 OS; the RADIUS client is a Cisco hardware VPN device.
There is a custom NPS extension registered for some extra authentication (two-step authentication).
There are two types of authentication method:
1. The user submits two passwords using the "active directory password" + "some extra password" format, like
"password1_password2". The NPS extension splits and checks both passwords, and NPS itself authorizes the user
using the network policy. Both work fine. There are two security events logged into the Windows event log:
the first event (ID 6272) shows Network Policy Server granted access to a user.
the second event (ID 6278) shows Network Policy Server granted full access to a user because the host met the defined health policy.
In both events, I can see the Authentication Details show the Proxy Policy Name and Network Policy Name.
2. The user submits the first "active directory password" to NPS; the NPS extension checks the password and returns a RADIUS challenge message to the RADIUS client. Then the user submits the second "some extra password" to NPS, and the NPS extension
checks the second password again.
The problem is: when the authentication process completes, NPS bypasses the authorization (network policy) process and directly grants access to the network.
There is only one security event logged into the Windows event log:
event (ID 6272) shows Network Policy Server granted access to a user.
This event only shows the Proxy Policy Name. Network Policy Name is "-".
Because the NPS extension is only registered for authentication and it works fine, I think this is not a development-related question.
I am not very familiar with NPS; maybe I made some wrong configuration.
Thanks for your help.
=======================================
Below are the policies; values that I did not mention all use the defaults:
Create a new connection request policy:
add a condition -- NAS Port Type = Virtual (VPN);
Create a new network policy:
add a condition -- Windows Group = contoso\vpn_access_group;
Authentication Method -- only check Unencrypted authentication (PAP, SPAP)
Ignore user account dial-in properties
=======================================
We found a problem:
when the authentication extension returns an Access-Challenge message AND a ratState attribute to the RADIUS client, NPS does not run the network policies and directly lets the user log in.
when the authentication extension returns ONLY an Access-Challenge message to the RADIUS client, NPS can use the network policies to authorize the user.
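As an added example (not part of the original post, and not code from the NPS extension described in it), the PowerShell script below audits the NPS Security log for exactly the symptom the post describes: an Event ID 6272 ("access granted") whose Network Policy Name is "-", meaning NPS granted access without authorizing the session against any network policy. The EventData element names ProxyPolicyName, NetworkPolicyName, FullyQualifiedSubjectUserName and ClientIPAddress are assumed to match what NPS writes into the rendered event XML; the sample event embedded in the script is constructed so the parser can be tried offline, and Get-NpsBypassedGrants reads the live log when run in an elevated session on the NPS server.

```powershell
# Added example (not from the original post): flag NPS 6272 "access granted" events
# whose Network Policy Name is "-", i.e. access granted without network-policy authorization.
# Assumption: the EventData element names below match those rendered by NPS in the
# Security log; adjust the names if your events differ.

function ConvertFrom-NpsAccessEvent {
    param([Parameter(Mandatory)][xml]$EventXml)

    $ns = New-Object System.Xml.XmlNamespaceManager($EventXml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    # Look up one <Data Name="..."> value from the EventData section (null if absent)
    $field = { param($name)
        $node = $EventXml.SelectSingleNode("/e:Event/e:EventData/e:Data[@Name='$name']", $ns)
        if ($node) { $node.InnerText } else { $null }
    }

    $networkPolicy = & $field 'NetworkPolicyName'
    [pscustomobject]@{
        EventId           = [int]$EventXml.SelectSingleNode('/e:Event/e:System/e:EventID', $ns).InnerText
        TimeCreated       = $EventXml.SelectSingleNode('/e:Event/e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
        User              = & $field 'FullyQualifiedSubjectUserName'
        ClientIPAddress   = & $field 'ClientIPAddress'
        ProxyPolicyName   = & $field 'ProxyPolicyName'
        NetworkPolicyName = $networkPolicy
        # "-" (or no value at all) means NPS granted access without matching any network policy
        BypassedNetworkPolicy = ([string]::IsNullOrEmpty($networkPolicy) -or $networkPolicy -eq '-')
    }
}

function Get-NpsBypassedGrants {
    param([int]$MaxEvents = 500)
    # Read the most recent 6272 events from the live Security log and keep only the suspicious ones
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object { ConvertFrom-NpsAccessEvent -EventXml ([xml]$_.ToXml()) } |
        Where-Object { $_.BypassedNetworkPolicy }
}

# Constructed sample event (not a real log entry) so the parser can be exercised offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>6272</EventID>
    <TimeCreated SystemTime="2015-01-01T00:00:00.000Z"/>
  </System>
  <EventData>
    <Data Name="FullyQualifiedSubjectUserName">contoso\user1</Data>
    <Data Name="ClientIPAddress">192.0.2.10</Data>
    <Data Name="ProxyPolicyName">VPN Connection Request Policy</Data>
    <Data Name="NetworkPolicyName">-</Data>
  </EventData>
</Event>
'@

$parsed = ConvertFrom-NpsAccessEvent -EventXml ([xml]$sample)
$parsed | Format-List
if ($parsed.BypassedNetworkPolicy) {
    Write-Warning "Event $($parsed.EventId): access granted to $($parsed.User) via '$($parsed.ProxyPolicyName)' with no network policy"
}

# On the NPS server itself (elevated session), audit the live Security log:
# Get-NpsBypassedGrants | Format-Table TimeCreated, User, ClientIPAddress, ProxyPolicyName
```

Running the live query while reproducing the two flows from the post gives a quick before/after check: the split-password flow should produce 6272 events with a real Network Policy Name (and a paired 6278), while the Access-Challenge flow that skips authorization shows up in the filtered output with Network Policy Name "-". The same filter can be turned into a scheduled check or a SIEM rule, since a VPN grant with no network policy is exactly the condition a group-membership condition like Windows Group = contoso\vpn_access_group is meant to prevent.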