Question
Friday, March 2, 2018 5:01 AM
Hi guys,
I have a Network Policy Server that acts as a RADIUS server for wireless network users. Currently users (when they try to connect to the wireless network) are authenticated by the Pre-2000 Windows logon name DOMAIN\logon_name.
Since the organization underwent re-branding, a new UPN suffix was added and now I need users to be able to authenticate against the RADIUS server using the UPN name logon_name@_new_domain_name.com
Could you please explain how to configure Network Policy Server to meet the new requirement?
Regards
All replies (10)
Monday, March 5, 2018 5:50 AM
Guys,
Please help me to write a user name expression that would match the UPN suffix [email protected].
Monday, March 5, 2018 9:01 AM
Hi Nightwolf,
Thanks for your question.
Please try to type "^\w+\\w+@fabrikam\com$" in this "User Name" dialog box.
Here is a link to Use Regular Expressions in NPS; it may be helpful.
/en-us/windows-server/networking/technologies/nps/nps-crp-reg-expressions
Highly appreciate your effort and time. If you have any questions and concerns, please feel free to let me know.
Wish you a nice day!
Best regards,
Michael
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]
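A way to check candidate User Name patterns before they go into a Connection Request Policy, as an added example that is not part of the original replies. It uses Python's re module and assumes that `^`, `$`, `\w`, `+`, `\.` and substring matching behave the same way in NPS; the sample names and every candidate except the one quoted from the reply above are constructed.

```python
import re

# Constructed sample identities: the pre-2000 form, the UPN form,
# and two near-misses that a loose pattern would also accept.
SAMPLES = [
    r"CONTOSO\testj",
    "testj@fabrikam.com",
    "testj@fabrikamXcom",
    "testj@fabrikam.com.example",
]

CANDIDATES = {
    "as posted":        r"^\w+\\w+@fabrikam\com$",  # quoted from the reply above
    "suffix, escaped":  r"@fabrikam\.com$",         # constructed
    "suffix, bare dot": r"@fabrikam.com$",          # constructed: '.' is a wildcard
    "unanchored":       r"@fabrikam\.com",          # constructed: no trailing '$'
}

def evaluate(pattern, names=SAMPLES):
    """Return the names the pattern matches, or None if it does not compile."""
    try:
        rx = re.compile(pattern)
    except re.error:
        return None
    return [n for n in names if rx.search(n)]

if __name__ == "__main__":
    for label, pattern in CANDIDATES.items():
        print(f"{label:17} {pattern:28} -> {evaluate(pattern)}")
```

Only the escaped and anchored suffix limits the match to the intended UPN suffix; the bare dot and the missing `$` each let a different realm through.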
Monday, March 5, 2018 11:08 AM
Hi Michael,
Thank you for your reply.
Just a couple of questions.
1) The syntax you advised, is it applicable for 2008 Server?
2) Once I create a new Connection Request Policy, the new policy will be used first (because a policy by default has processing order 999999). If for some reason the new rule cannot process a user's logon name, will the rule by default be used for processing?
Thank you.
Tuesday, March 6, 2018 2:28 AM
Hi Nightwolf,
Thanks for your update.
1) For your first question, yes! The syntax is also applicable for Windows Server 2008 and later versions.
2) >> If for some reason the new rule cannot process a user's logon name, will the rule by default be used for processing?
Based on my understanding, would you like to process the user's logon name with the rule first by default? You can right-click the newly created policy and move it down as in the following figure, and it will obey the policies from top to bottom.
Highly appreciate your effort and time. If you have any questions and concerns, please feel free to let me know.
Wish you a nice day!
Best regards,
Michael
Wednesday, March 7, 2018 2:19 AM
Hi,
Now authentication works for laptops but not for mobile devices.
Here is the log entry below that shows successful authentication from a laptop.
Network Policy Server granted full access to a user because the host met the defined health policy.
User:
Security ID: CONTOSO\testj
Account Name: [email protected]
Account Domain: CONTOSO
Fully Qualified Account Name: CONTOSO\testj
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 6cfa.8990.2500
Calling Station Identifier: 6067.206e.7b30
NAS:
NAS IPv4 Address: 192.168.10.101
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 49579
RADIUS Client:
Client Friendly Name: ap1.cisco.CONTOSO
Client IP Address: 192.168.10.101
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Wireless
Authentication Provider: Windows
Authentication Server: NPSARC1.CONTOSO.local
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: -
Quarantine Information:
Result: Full Access
Extended-Result: -
Session Identifier: -
Help URL: -
System Health Validator Result(s): -
Here is the log entry that shows a failed attempt to authenticate from an iOS/Android mobile device.
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: CONTOSO\testj
Account Name: [email protected]
Account Domain: CONTOSO
Fully Qualified Account Name: CONTOSO\testj
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 6cfa.8990.2500
Calling Station Identifier: 2400.bac0.02cb
NAS:
NAS IPv4 Address: 192.168.10.101
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 49711
RADIUS Client:
Client Friendly Name: ap1.cisco.CONTOSO
Client IP Address: 192.168.10.101
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Wireless
Authentication Provider: Windows
Authentication Server: NPSARC1.CONTOSO.local
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 300
Reason: No credentials are available in the security package
How can I figure out whether the issue lies between the mobile device and the NPS server or between the access point (Cisco Aironet 2600) and the NPS server?
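The two entries above can be compared field by field; this is an added example, not part of the original post, with both samples abridged from those entries. It assumes the event text keeps the flattened "Field: value" layout shown on this page.

```python
# Added example: field-by-field comparison of two NPS event texts.
# GRANTED and DENIED are abridged from the two log entries in the post above.
GRANTED = """Client Machine:
Calling Station Identifier: 6067.206e.7b30
NAS:
NAS IPv4 Address: 192.168.10.101
NAS Port: 49579
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Wireless
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
"""
DENIED = """Client Machine:
Calling Station Identifier: 2400.bac0.02cb
NAS:
NAS IPv4 Address: 192.168.10.101
NAS Port: 49711
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Wireless
EAP Type: -
Reason Code: 300
Reason: No credentials are available in the security package
"""

def parse_event(text):
    """Map (section, field) -> value for flattened 'Field: value' event text."""
    fields, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":"):          # 'User:', 'NAS:' and so on open a section
            section = line[:-1]
        elif ": " in line:              # split on the first ': ' only, values may contain it
            key, value = line.split(": ", 1)
            fields[(section, key)] = value
    return fields

def diff_events(a, b):
    """Fields whose values differ, or that exist in only one of the events."""
    keys = sorted(set(a) | set(b), key=str)
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}

if __name__ == "__main__":
    delta = diff_events(parse_event(GRANTED), parse_event(DENIED))
    for (section, key), (ok, bad) in delta.items():
        print(f"{section} / {key}: granted={ok!r} denied={bad!r}")
```

On these two entries the NAS address and both policy names are identical; the fields that differ are the calling station, the NAS port, the EAP Type and the reason code.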
Wednesday, March 7, 2018 3:22 AM
This happens only on some mobile devices. Not all of them.
Wednesday, March 7, 2018 8:52 AM
Hi Nightwolf,
NPS authentication for mobiles is related to third-party devices. There are many potential causes of the issue. It looks like it is out of scope. Nevertheless, delighting our customers is our top priority. I will try my best to assist you.
Here's a link to NPS reason code 300 on TN; it may be helpful to you.
It was finally solved by reinstalling the NPS role, although I recommend that you not do so. You may ask the vendor for support concurrently.
Highly appreciate your effort and patience. If you have any questions and concerns, please don't hesitate to let me know.
Best regards,
Michael
Friday, March 9, 2018 11:52 AM
Hi Nightwolf,
How are things going? Was your issue resolved?
Please let us know if you would like further assistance.
Wish you a nice weekend!
Best regards,
Michael
Tuesday, March 13, 2018 7:43 AM
Hi Michael,
Thank you for following up on the issue. At the moment it has been put on hold, so no updates can be provided.
Once it resumes I will let you know.
Regards
P.S. I would definitely like to avoid NPS reinstalling.
Wednesday, March 14, 2018 10:07 AM
Hi Nightwolf,
Thanks for your message. I will keep standing by with you. If there is anything else we can do for you, please feel free to post in the forum.
Highly appreciate your effort and time. Thanks for your understanding and support.
Wish you a nice day!
Best regards,
Michael