

NPS - Prevent asking for a username?

Question

Wednesday, March 9, 2016 3:14 PM

I have been playing with NPS now for a few days and I get the basics, but it's not going as planned.

What I wanted to achieve is that this NPS server is used as a RADIUS authentication server in our Aerohive (wired & wireless) solution. I want to prevent access to our network for all unauthorized devices. Therefore we whipped up a basic VLAN category.

VLAN 1: Servers

Every server is wired on a fixed location. These switchports would be defined on VLAN 1.

VLAN 2: Trusted Devices

Devices that need network access like the printers, access control devices, MFC's, etc. Verified by MAC address

VLAN 5: Domain Computers

The computer account has to be a member of Domain Computers. These would be verified by their computer object name.

VLAN 6: Trusted Alien Computers

Other computer devices that are not a member of our domain but that need access to our network. Verified by MAC address.

VLAN 10: IP Phones

Hardware phones that need to access the PABX. Could be by MAC or by switchport. If possible, I'd prefer MAC because then people could use the patch port at the back of the phone to get a wired connection.

VLAN 20: Guest

Every other request should be placed in VLAN 20. Kind of like a fall back. These have access to 'the internet'.

So every device that requests access to our network, whether it's wired or wireless, should pass by the NPS server. It's this server that should return its VLAN.

The list of trusted devices could get long. We currently have roughly 100 network printers & MFC's and about 30 - 50 people working with a non domain laptop. This should be manageable.

In my Aerohive router / access point I have the option for MAC Authentication and if it should first authenticate by MAC or SSID. Currently I have MAC first.

I've tested a lot of different set-ups but I have no idea if what I would like is even possible in NPS. When trying to allow an alien computer by its MAC address, it still asks me for a username and password?!

First I see this in the NPS Log:

Network Policy Server granted access to a user.

User:
Security ID: WGIT\B8-86-87-E3-55-58
Account Name: b88687e35558
Account Domain: WGIT
Fully Qualified Account Name: WGIT\B8-86-87-E3-55-58

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 08-EA-44-0B-13-4C:Willemen Groep
Calling Station Identifier: B8-86-87-E3-55-58

NAS:
NAS IPv4 Address: 172.18.120.1
NAS IPv6 Address: -
NAS Identifier: HOME-TDC-1
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0

RADIUS Client:
Client Friendly Name: Aerohive Branch Routing
Client IP Address: 172.18.120.1

Authentication Details:
Connection Request Policy Name: Trusted Devices
Network Policy Name: Trusted Devices
Authentication Provider: Windows
Authentication Server: dc-sccm.WGIT.local
Authentication Type: MS-CHAPv2
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.

Quarantine Information:
Result: Full Access
Session Identifier: -

If I have entered 'ok' as username I would get this:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: WGIT\B8-86-87-E3-55-58
Account Name: ok
Account Domain: WGIT
Fully Qualified Account Name: WGIT.local/BE/Vlaanderen/Willemen Groep/Resources/B8-86-87-E3-55-58

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 08-EA-44-0B-13-4C:Willemen Groep
Calling Station Identifier: B8-86-87-E3-55-58

NAS:
NAS IPv4 Address: 172.18.120.1
NAS IPv6 Address: -
NAS Identifier: HOME-TDC-1
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0

RADIUS Client:
Client Friendly Name: Aerohive Branch Routing
Client IP Address: 172.18.120.1

Authentication Details:
Connection Request Policy Name: Accept All
Network Policy Name: Guest
Authentication Provider: Windows
Authentication Server: dc-sccm.WGIT.local
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

WHY?!

Why is it asking for a username while it already gained access?
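The two NPS event texts above, run through a small parser that turns the "Key: Value" layout into section-qualified fields and reports whether the account name is simply the calling station's MAC. This is an added example in Python, not code from the original post or from NPS; the event texts are the poster's own, trimmed to the lines the parser uses, and the function names are the example's own.

```python
import re
from typing import Dict, Optional

# Event texts quoted in the question above (the poster's own values), trimmed
# to the lines this example uses. Raw strings keep the backslash in WGIT\B8-...
GRANTED_EVENT = r"""Network Policy Server granted access to a user.

User:
Security ID: WGIT\B8-86-87-E3-55-58
Account Name: b88687e35558
Account Domain: WGIT

Client Machine:
Security ID: NULL SID
Account Name: -
Called Station Identifier: 08-EA-44-0B-13-4C:Willemen Groep
Calling Station Identifier: B8-86-87-E3-55-58

Authentication Details:
Connection Request Policy Name: Trusted Devices
Network Policy Name: Trusted Devices
Authentication Type: MS-CHAPv2
"""

DENIED_EVENT = r"""Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: WGIT\B8-86-87-E3-55-58
Account Name: ok
Account Domain: WGIT

Client Machine:
Security ID: NULL SID
Called Station Identifier: 08-EA-44-0B-13-4C:Willemen Groep
Calling Station Identifier: B8-86-87-E3-55-58

Authentication Details:
Connection Request Policy Name: Accept All
Network Policy Name: Guest
Authentication Type: EAP
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
"""

# "Key: Value" lines. The key is letters, digits, spaces and hyphens up to the
# first colon, so "Called Station Identifier: 08-...:Willemen Groep" keeps the
# second colon inside the value.
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 \-]+?):\s*(.*)$")


def parse_nps_event(text: str) -> Dict[str, str]:
    """Turn one NPS event body into a flat dict of 'Section.Key' -> value.

    The first line gives the outcome; a line like 'User:' opens a section, so
    the 'Security ID' under User and the one under Client Machine stay apart.
    """
    lines = text.strip().splitlines()
    fields = {"Outcome": "granted" if "granted access" in lines[0] else "denied"}
    section: Optional[str] = None
    for line in lines[1:]:
        m = FIELD_RE.match(line)
        if not m:
            continue  # blank lines and free-text sentences carry no field
        key, value = m.group(1).strip(), m.group(2).strip()
        if value == "":
            section = key  # a section header such as "Authentication Details:"
            continue
        fields[f"{section}.{key}" if section else key] = value
    return fields


def normalize_mac(mac: str) -> str:
    """Lower-case hex digits only, so 'B8-86-87-E3-55-58' == 'b88687e35558'."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def summarize(text: str) -> Dict[str, object]:
    """Pull out the fields a reviewer of this thread cares about."""
    f = parse_nps_event(text)
    mac = f.get("Client Machine.Calling Station Identifier", "")
    account = f.get("User.Account Name", "")
    reason = f.get("Authentication Details.Reason Code")
    return {
        "outcome": f["Outcome"],
        "mac": mac,
        "account": account,
        "crp": f.get("Authentication Details.Connection Request Policy Name"),
        "network_policy": f.get("Authentication Details.Network Policy Name"),
        "auth_type": f.get("Authentication Details.Authentication Type"),
        "reason_code": int(reason) if reason else None,
        # True when the "user" is really the device's MAC: the account then
        # identifies the device only as well as the calling-station MAC can be trusted.
        "mac_as_username": bool(mac) and normalize_mac(account) == normalize_mac(mac),
    }


if __name__ == "__main__":
    for event in (GRANTED_EVENT, DENIED_EVENT):
        print(summarize(event))
```

On the granted event the summary shows the MS-CHAPv2 "user" is the MAC b88687e35558 and no reason code; on the denied event it shows the Accept All / Guest pair with reason code 66, which is the combination the question is asking about.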

All replies (3)

Monday, March 14, 2016 7:16 AM ✅ Answered

Hi Tiele,

>When I put this as the second connection request, an unknown device will still fail to connect because no network policy was able to validate his credentials.

I tested it in my lab, and got a similar result to yours. I created two connection request policies: policy1 forwards the request to another NPS which can't pass authentication, policy2 authenticates locally, which can pass authentication.

When I put policy1 in first order, every request failed authentication, since the request will not be authenticated locally using policy2. So the issue in your lab is normal: once the request is matched with connection policy1, it will not use policy2 any more.

The way I could think of to work around this issue is setting up another NPS server; since the NPS role can simply be added to any Windows server, you may set up another NPS server for those "unauthenticated devices".

Best Regards,

Anne

Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected].
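The ordering behaviour described in this answer, as an added model in Python (not NPS code and not from the original thread): a connection request policy list is evaluated first-match, so the first policy whose conditions match owns the request, and a failed authentication is not retried against the next policy. The policy names, the constructed MAC-address account and the request values are the example's own assumptions; a second evaluator shows the fall-through behaviour the question was expecting, for contrast.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Sequence, Tuple

# Constructed inputs: one MAC-address account (username and password both the
# MAC with separators removed, as the granted event in the question shows) and
# a device that has no account at all.
LOCAL_ACCOUNTS: Dict[str, str] = {"b88687e35558": "b88687e35558"}


@dataclass(frozen=True)
class Request:
    calling_station: str            # device MAC, as in Calling Station Identifier
    user: Optional[str] = None      # username offered, None when none was sent
    password: Optional[str] = None


@dataclass(frozen=True)
class ConnectionRequestPolicy:
    name: str
    matches: Callable[[Request], bool]       # the policy's conditions
    authenticate: Callable[[Request], bool]  # local, forwarded, or non-validating


Verdict = Tuple[Optional[str], bool]  # (policy that handled the request, accepted?)


def evaluate_first_match(policies: Sequence[ConnectionRequestPolicy], req: Request) -> Verdict:
    """NPS semantics as the answer describes them: the first policy whose
    conditions match owns the request, and its authentication result is final."""
    for policy in policies:
        if policy.matches(req):
            return policy.name, policy.authenticate(req)
    return None, False  # nothing matched: reject


def evaluate_first_success(policies: Sequence[ConnectionRequestPolicy], req: Request) -> Verdict:
    """What the question expected (and NPS does not do): keep trying later
    policies after a failed authentication."""
    for policy in policies:
        if policy.matches(req) and policy.authenticate(req):
            return policy.name, True
    return None, False


def local_auth(req: Request) -> bool:
    return req.user is not None and LOCAL_ACCOUNTS.get(req.user) == req.password


def forwarded_auth(req: Request) -> bool:
    return False  # Anne's policy1: a remote NPS that never passes the request


def accept_without_validating(req: Request) -> bool:
    return True  # "Accept users without validating credentials"


def always(req: Request) -> bool:
    return True  # a policy with no restricting conditions


FORWARDED = ConnectionRequestPolicy("policy1 (forward to remote NPS)", always, forwarded_auth)
LOCAL = ConnectionRequestPolicy("policy2 (authenticate locally)", always, local_auth)
TRUSTED = ConnectionRequestPolicy("Trusted Devices", always, local_auth)
ACCEPT_ALL = ConnectionRequestPolicy("Accept All", always, accept_without_validating)

KNOWN_DEVICE = Request("B8-86-87-E3-55-58", "b88687e35558", "b88687e35558")
UNKNOWN_DEVICE = Request("00-11-22-33-44-55")


def run_lab() -> Dict[str, Verdict]:
    """Replay both orderings from the answer and both from the question."""
    return {
        "answer: policy1 first, known device": evaluate_first_match([FORWARDED, LOCAL], KNOWN_DEVICE),
        "answer: policy2 first, known device": evaluate_first_match([LOCAL, FORWARDED], KNOWN_DEVICE),
        "question: Accept All first, unknown device": evaluate_first_match([ACCEPT_ALL, TRUSTED], UNKNOWN_DEVICE),
        "question: Accept All second, unknown device": evaluate_first_match([TRUSTED, ACCEPT_ALL], UNKNOWN_DEVICE),
        "question: Accept All second, known device": evaluate_first_match([TRUSTED, ACCEPT_ALL], KNOWN_DEVICE),
        "expected fall-through (not NPS behaviour)": evaluate_first_success([TRUSTED, ACCEPT_ALL], UNKNOWN_DEVICE),
    }


if __name__ == "__main__":
    for case, (policy, accepted) in run_lab().items():
        print(f"{case:48} -> {policy!r}, {'ACCEPT' if accepted else 'REJECT'}")
```

The replay shows why a catch-all policy placed second never acts as a fallback: with unrestricted conditions, the first policy matches every request, so an unknown device is rejected there and the "Accept All" policy is never consulted. Only the contrasting first-success evaluator reaches it, and that is not how NPS orders connection request policies.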


Thursday, March 10, 2016 6:32 AM

Hi Tiele Declercq,

According to your description, you are deploying NPS for authentication.

The key point of deploying NPS is configuring "Connection Policies" and "Network Policies".

In "Network Policies" > "Conditions" we may select different conditions based on our requirements. In "Constraints", we may configure the authentication method and other things.

>Why is it asking for a username while it already gained access?

You may check what is the condition in the policy for those clients, check if you have selected "User Group" in that policy.

Here is the detailed information about NPS policy conditions:

Network Policy Conditions Properties:

https://technet.microsoft.com/en-us/library/cc731220%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

Configure NAP Conditions in Network Policy:

https://technet.microsoft.com/en-us/library/cc731560(v=ws.10).aspx

If you still have something unclear, feel free to ask. And it will be better if you can post your detailed configuration of your NPS server.

Best Regards,

Anne

Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected].


Thursday, March 10, 2016 10:54 AM

Thanks for your reply. However, what I seem to be missing is how to create a fallback for unauthenticated devices.

If no other network policies match, I want this device in VLAN 20 (= Guest).

I have created a second Connection Request with 'Accept users without validating credentials' and I have put my VLAN info in the RADIUS Attributes. 

When I put this as the first connection request, everything & everyone is put into VLAN 20 (duh)

When I put this as the second connection request, an unknown device will still fail to connect because no network policy was able to validate his credentials.