WPA2-Enterprise Radius Authentication Windows Server 2008 R2

    Question

  • Hello,

    I have tried a few online tutorials for providing secure wireless access.  I currently have a server running Server 2008 R2 that has RRAS, NAP, and AD CS installed on it.  My goal is to create a wireless SSID that utilizes WPA2-Enterprise for users to connect.  Their AD credentials would need to belong to my "Wireless Users" group.  I have seen tutorials that involved certificates, and some tutorials that simply added the RADIUS clients along with the network/connection policies, and then added the settings to the router.  When I've tried both ways, the wireless network never connects to the network.  If I un-check the "Use Windows login credentials" a username/password field pops up.  I enter the credentials (tried both username and domain\username) of an account that is part of "Wireless Users".  When I hit OK it sits for a few moments, and then pops back up again.  When I do check "Use Windows login credentials" it says it can't connect.

    I have tried different firmware on the router, and I know the router is not the issue.  This server is joined to my domain controller.  It feels like the NAP server is not reaching the domain to authenticate credentials.  Am I doing anything wrong that I should be made aware of?  In NAP if I right click the server, the "register in active directory" is greyed out, which I assume is because it's already joined to the domain.

    I appreciate any help you can provide.

    -Ken


    • Edited by Coopercentral Tuesday, August 20, 2013 1:40 AM change title
    Tuesday, August 20, 2013 1:39 AM

All replies

  • Hi,

    According to your description, you have a problem with authentication.

    But I wonder which authentication method you are using?

    Otherwise, you can follow the checklist below to see if it helps:

    Checklist: Configure NPS for Secure Wireless Access

    http://technet.microsoft.com/en-us/library/cc771696.aspx

    Thank you.

    Wednesday, August 21, 2013 11:12 AM
    Moderator
  • Hi,

    I followed this tutorial:

    http://medicblog.net/?p=792

    I set this up using PEAP.  On the NPS server, I opened MMC -> Certificates -> Computer.  Under Personal -> Certificates I requested a new one.  I checked "computer" then enroll.

    Then back in NPS, I configured Wireless 802.1X wireless connection.  My Cisco AP has IP of 172.16.4.2...so I named it Cisco AP and provided the IP.  I added the security group "Wireless Users" that I add to all users that are able to connect.  In the authentication, I chose PEAP, and then go to Edit, and make sure the certificate is the one that I just created.  Finally, I set it up on the access point.  I did WPA2-Enterprise AES, input the secret key, and inputted the NPS server IP.  Saved, and rebooted AP.

    On the Windows 7 client, added the network manually, set it to WPA2-Enterprise.  I made sure PEAP was selected, I unchecked validate server certificate, and unchecked "Use Windows Credentials".  Under authentication method, I checked the box and chose "User Authentication".  When I tried to connect, it asked for username password.  I put in domain\username then password.  It would try to connect for a few seconds, and then re-prompt for credentials.

    Can anyone tell me what the problem is?

    Saturday, August 24, 2013 3:16 PM
  • I've searched in "Event Viewer" on the NPS server, and came across an interesting error.  I have Google'd the error, and there are only a select few articles about it.  If I try to connect, often times I will get two information events:

    Event ID 4400 "A LDAP connection with domain controller DC-VPN-IIS-01.dc.cooper.org for domain COOPER is established."

    And now...the issue

    Event ID 6273

    Network Policy Server denied access to a user.
    
    Contact the Network Policy Server administrator for more information.
    
    User:
        Security ID:            COOPER\LAPTOP3-W7$
        Account Name:            host/laptop3-w7.dc.cooper.org
        Account Domain:            COOPER
        Fully Qualified Account Name:    COOPER\LAPTOP3-W7$
    
    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        c0c1c074bfb6
        Calling Station Identifier:        00216a902b70
    
    NAS:
        NAS IPv4 Address:        172.16.4.2
        NAS IPv6 Address:        -
        NAS Identifier:            c0c1c074bfb6
        NAS Port-Type:            Wireless - IEEE 802.11
        NAS Port:            11
    
    RADIUS Client:
        Client Friendly Name:        CiscoAP
        Client IP Address:            172.16.4.2
    
    Authentication Details:
        Connection Request Policy Name:    Use Windows authentication for all users
        Network Policy Name:        Connections to other access servers
        Authentication Provider:        Windows
        Authentication Server:        dc-vpn-iis-01.dc.cooper.org
        Authentication Type:        EAP
        EAP Type:            -
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            65
        Reason:                The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.


    Clearly, when I try to connect, it's completely bypassing the network policy I created, but going to the "Connections to other access servers", which by default denies access.  I've tried everything....removed and re-added the security policy...added 2 network policies for wireless.  Does anyone know why the network policy I create for wireless is not being recognized?


    • Edited by Coopercentral Sunday, August 25, 2013 11:51 AM Added code
    Sunday, August 25, 2013 11:48 AM
  • Just to add a little more information.  I've tried it a few more times, and each time when I try to connect to my wireless SSID, for some reason it completely skips over the "Secure Wireless Connection" under network policy, and defaults to "Connections to other access servers".  I've read online how someone suggested you disable that policy.  I did that, and then when I tried to connect, it said something like no policies were found.

    I even tried checking "validate server" in the client settings when setting up wireless network, added the full server name, and checked the certificate, and still nothing.  I've troubleshooted this as much as I know how.  I have no idea why the NPS server is completely skipping over "Secure Wireless Connection" policy.  In the conditions I've removed the NAS Port as wireless, and just had the Windows group.  I've removed that and changed it to User group, but still no good.

    I've looked at every online article, but nothing has helped yet.

    Tuesday, August 27, 2013 5:25 PM
  • I seem to be having the exact same issue.  Did you ever find a resolution to this?
    Friday, November 22, 2013 1:15 AM
  • The reason why NPS does not take your policy is because all the conditions in your network policy are not met. The NPS server will take the next policy in the list.

    Check the conditions in your network policy, maybe you've specified multiple groups and the user is not a member of one of them. Try to remove all groups and add only your wireless users group (in your network policy on NPS).


    Johan Loos

    Monday, November 25, 2013 12:17 PM
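
Added example, not part of any post in this thread: a small Python triage of the Event ID 6273 text posted above, showing which identity NPS evaluated and which network policy it fell through to. The function names and the "Section.Field" key format are assumptions of this example; the sample is an excerpt of the posted event.

```python
import re

# Excerpt of the Event ID 6273 body posted in the thread (values verbatim).
SAMPLE_6273 = """\
User:
    Security ID:            COOPER\\LAPTOP3-W7$
    Account Name:            host/laptop3-w7.dc.cooper.org
NAS:
    NAS Port-Type:            Wireless - IEEE 802.11
RADIUS Client:
    Client Friendly Name:        CiscoAP
Authentication Details:
    Connection Request Policy Name:    Use Windows authentication for all users
    Network Policy Name:        Connections to other access servers
    Authentication Type:        EAP
    Reason Code:            65
"""

def parse_nps_event(text):
    """Return {'Section.Field': value}; sections keep the two 'Security ID' fields apart."""
    fields, section = {}, ""
    for line in text.splitlines():
        if line and not line[0].isspace():      # unindented line = section header
            section = line.rstrip().rstrip(":")
            continue
        m = re.match(r"\s+([^:]+):\s+(.*\S)", line)
        if m:
            fields[f"{section}.{m.group(1).strip()}"] = m.group(2)
    return fields

def triage(fields, expected_policy):
    """List the facts that explain why expected_policy was not applied."""
    findings = []
    matched = fields.get("Authentication Details.Network Policy Name")
    if matched != expected_policy:
        findings.append(f"matched '{matched}', not '{expected_policy}'")
    sid = fields.get("User.Security ID", "")
    if sid.endswith("$"):
        # A trailing '$' marks a computer account: the request carried the
        # machine's identity, so a group condition matches only if that
        # computer account is itself a member of the group.
        findings.append(f"identity {sid} is a computer account")
    findings.append("reason code " + fields.get("Authentication Details.Reason Code", "?"))
    return findings

if __name__ == "__main__":
    for finding in triage(parse_nps_event(SAMPLE_6273), "Secure Wireless Connection"):
        print(finding)
```

The same parser accepts the full event text copied from Event Viewer, since field names are qualified by their section.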