Thin clients cannot connect to switch after Domain Controller upgrade.

  • General discussion

  • Last Saturday we migrated our 2008 R2 Domain Controllers to 2012 R2 Domain Controllers.
    Apart from a couple of easy to fix issues, we did run into a big one.

    We have HP thin clients in a separate VLAN (not domain joined), which connect to a switch which has an NPS IP address and shared secret in its config. Every thin client has a user in the domain, where the username/password is their MAC address.
    The NPS servers are 2008 R2 and would, based on the Network Policy using CHAP, allow the thin client to receive an IP address from the DHCP servers.

    For some reason, the NPS server cannot verify the thin client in the domain. Not exactly sure it's called that, but something like that. Event IDs are 6273, Reason Code 16, Reason: "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect."
    Oddly enough, when forcing the NPS servers to only connect to the 2008 R2 Domain Controller (reinstated) using Windows Firewall rules, it does work.

    As a test, we used a 2012 R2 server and added the NPS role and did an import of the configuration, added the shared secret so the switch could communicate with the NPS server again, but that didn't help either.
    Event logs show NPS setting up a connection with the 2012 R2 Domain Controller, and the network admin can connect to the switch using his domain credentials.

    Now, I know using CHAP is "less secure" according to NPS 2012 R2, and that makes sense, but right now we need to get it working again. If possible.
    Re-configuring for using EAP and certificates isn't something I can do right now. It would take too much time.

    Obviously we've searched our butts off these last two days, and though I can find a few articles/posts on using MAC authentication using NPS, there are no real how to/setup documents.

    So, is there anyone here that is using NPS that connects to 2012 (R2) Domain Controllers, and uses thin clients (and other non-domain joined devices like printers, access points, etc.) with MAC authentication?
    And how did you set it up?

    Wednesday, June 7, 2017 1:07 PM
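For anyone building the setup the post describes from scratch, the following is an added PowerShell example; it is not code from the original poster and it does not claim to diagnose the failure above. It provisions the kind of device account the post uses (sAMAccountName and password both set to the MAC address), makes sure the account is flagged for reversibly encrypted password storage, which CHAP in NPS requires, verifies that flag, and pulls recent NPS Event ID 6273 / Reason Code 16 entries from the Security log. The OU, group name, MAC list and the "lower-case, no separators" naming format are assumptions (the account name must match exactly what the switch sends in the RADIUS User-Name attribute), and the script assumes the RSAT ActiveDirectory module and rights to create users in that OU.

```powershell
# Added example (not from the original post): provision and check device accounts
# for NPS MAC-address authentication with CHAP. $DeviceOU, $DeviceGroup and $Macs
# are hypothetical placeholders; adjust to your environment.
Import-Module ActiveDirectory

$DeviceOU    = 'OU=NetworkDevices,DC=corp,DC=example'   # assumed OU for device accounts
$DeviceGroup = 'MAC-Auth-Devices'                       # assumed group the NPS network policy matches on
$Macs        = @('00-11-22-33-44-55', '001122334456')   # constructed sample MAC addresses

function ConvertTo-DeviceName {
    # NPS compares the RADIUS User-Name from the switch with sAMAccountName, so the
    # account name must use exactly the format the switch sends. Lower-case with no
    # separators is an assumption here; check the switch's RADIUS configuration.
    param([Parameter(Mandatory)][string]$Mac)
    $clean = ($Mac -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($clean.Length -ne 12) { throw "Not a MAC address: $Mac" }
    return $clean
}

function New-MacAuthAccount {
    param([Parameter(Mandatory)][string]$Mac)
    $name   = ConvertTo-DeviceName $Mac
    $secret = ConvertTo-SecureString $name -AsPlainText -Force

    if (-not (Get-ADUser -Filter "sAMAccountName -eq '$name'")) {
        # The domain password policy (length/complexity) usually rejects a MAC address
        # as a password; device accounts typically need a fine-grained password policy.
        New-ADUser -Name $name -SamAccountName $name -Path $DeviceOU `
            -AccountPassword $secret -Enabled $true `
            -PasswordNeverExpires $true -CannotChangePassword $true `
            -Description 'MAC-auth device account' -ErrorAction Stop
    }

    # CHAP needs the password stored with reversible encryption. The flag only applies
    # to passwords written after it is set, so reset the password once the flag is on.
    Set-ADUser -Identity $name -AllowReversiblePasswordEncryption $true
    Set-ADAccountPassword -Identity $name -Reset -NewPassword $secret

    Add-ADGroupMember -Identity $DeviceGroup -Members $name -ErrorAction SilentlyContinue
    return $name
}

function Test-MacAuthAccount {
    # $true when the account is enabled and carries ENCRYPTED_TEXT_PWD_ALLOWED (0x80)
    # in userAccountControl, i.e. the password is stored reversibly for CHAP.
    param([Parameter(Mandatory)][string]$Name)
    $u = Get-ADUser -Identity $Name -Properties userAccountControl, AllowReversiblePasswordEncryption
    return ($u.Enabled -and $u.AllowReversiblePasswordEncryption -and
            (($u.userAccountControl -band 0x80) -ne 0))
}

function Get-RecentMacAuthFailures {
    # NPS logs denied requests as Event ID 6273 in the Security log; keep the ones
    # with Reason Code 16 (credentials mismatch), the code quoted in the post.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Last = 200)
    Get-WinEvent -ComputerName $ComputerName `
                 -FilterHashtable @{ LogName = 'Security'; Id = 6273 } `
                 -MaxEvents $Last -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Reason Code:\s+16\b' } |
        ForEach-Object {
            $acct = if ($_.Message -match 'Account Name:\s+(\S+)') { $Matches[1] } else { '?' }
            [pscustomobject]@{ Time = $_.TimeCreated; Account = $acct }
        }
}

foreach ($mac in $Macs) {
    $name = New-MacAuthAccount -Mac $mac
    '{0}: reversible-encryption ok = {1}' -f $name, (Test-MacAuthAccount -Name $name)
}
Get-RecentMacAuthFailures | Format-Table -AutoSize
```

Run it on a machine with the AD module against a test OU first. Test-MacAuthAccount returning $false for an account that the switch keeps failing on is the first thing to look at on the directory side; Get-RecentMacAuthFailures tells you which account names the switch is actually presenting, which is how a format mismatch between the RADIUS User-Name and sAMAccountName shows up.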