2008R2 - Network Policy Server Bug

    Question

  • I'm setting up a Network Policy Server on Server 2008R2 for an SSL VPN on a FortiGate firewall. I just installed the role, added the RADIUS client and added a new network policy called "VPN Users" as the 1st policy. At this point, I'm unable to connect unless I disable the two policies that are created by default. I don't understand why I have to do this when the VPN Users policy is #1 on the list. It appears that the NPS checks all policies and is not just going down the list until one is matched (as it states in Microsoft's documentation). Is this a bug? I'd like it if someone can explain how this works for me.

    Tuesday, September 10, 2013 5:38 PM

All replies

  • Hi,

    That’s not a bug but by design.

    A default connection request policy is created when you install NPS. The default connection request policy uses NPS as a RADIUS server and processes all authentication requests locally. If you do not want the NPS server to act as a RADIUS server and process connection requests locally, you can delete the default connection request policy. However, at least one connection request policy must be running on your NPS server for it to authenticate and authorize connection requests from RADIUS clients.

    Quote from:

    NPS: Network Policy Server (NPS) should have at least one connection request policy enabled

    http://technet.microsoft.com/en-us/library/ee922629(v=ws.10).aspx

    More information:

    Verify NPS Configuration

    http://technet.microsoft.com/en-us/library/cc772246.aspx

    Hope this helps.


    Alex Lv

    Wednesday, September 11, 2013 9:56 AM
    Moderator
  • I have the default connection request policy in place.  It hasn't been changed.  My issue is not with the connection request policy but the Network Policy.  Please see the pictures above.  The Network Policy doesn't seem to be processing correctly.  It doesn't start on policy 1 and then move its way up, looking for a policy that matches.  It seems to be working in a way that it needs to match all policies.
    Monday, September 16, 2013 3:29 PM
  • Hi,

    Please note the "Access Type". If the client's network action accords with the two default policies and the two default policies are enabled, it will perform the action "Deny Access".


    Alex Lv

    Tuesday, September 17, 2013 7:15 AM
    Moderator

  • Hi,

    I would like to check if you need further assistance.

    Thanks.


    Alex Lv

    Monday, September 23, 2013 7:53 AM
    Moderator