Windows 7 clients are non-NAP-capable or RADIUS authentication doesn't work

  • Question

  • We have a Connection Request Policy with the condition Day and time restrictions set to any time of day and week. In the authentication method settings, the option Override network policy authentication method is not checked.

    We have a Network Policy with the conditions: 1) Machine Group. 2) NAP-Capable - Computer is NAP-capable.

    The RADIUS authentication on network devices works fine, but Windows 7 computers are evaluated as non-NAP-capable.

    If I check Override network policy authentication method and set EAP authentication, the Windows 7 computers are evaluated as NAP-capable but RADIUS authentication doesn't work (access denied and nothing in the Network Policy and Access Services logs). How do I troubleshoot the problem and make RADIUS and the Windows clients work?


    • Edited by egoncharov Friday, August 17, 2012 2:22 PM
    Friday, August 17, 2012 2:10 PM

All replies

  • Hi,

    You must have the checkbox enabled to override network policy authentication settings, or clients will always be evaluated as non NAP-capable, as you have seen. This is expected.

    With the checkbox enabled we need to understand why clients are denied and why there are no events. Are you saying there are no events at all under Event Viewer\Custom Views\Server Roles\Network Policy and Access Services? See this topic to troubleshoot no events being displayed: http://social.technet.microsoft.com/Forums/en/winserverNAP/thread/064f3e68-42fa-4669-aede-838e7cc7df92.

    If there are events displayed here, they should tell you which policy is matched. It is possible that clients are matching one of the default network policies instead of one of your policies with health conditions.

    Can you also provide the output from a client computer of the command: netsh nap client show state

    -Greg

    • Marked as answer by egoncharov Monday, August 20, 2012 7:52 AM
    Saturday, August 18, 2012 6:31 PM
  • Thanks for the answer!

    If the checkbox is enabled, the Windows 7 computer works fine. But a user cannot authenticate on a network device. The event logs are below:

    From Windows 7:

    Network Policy Server granted access to a user.
    User:
    Security ID: Domain\computer$
    Account Name: host/computer.domain.com
    Account Domain: DOMAIN
    Fully Qualified Account Name: DOMAIN\COMPUTER$
    Client Machine:
    Security ID: NULL SID
    Account Name: computer.domain.com
    Fully Qualified Account Name: DOMAIN\COMPUTER$
    OS-Version: 6.1.7601 1.0 x64 Workstation
    Called Station Identifier: e4-11-5b-6f-b3-00
    Calling Station Identifier: f0-de-f1-b6-06-c6
    NAS:
    NAS IPv4 Address: 10.0.200.11
    NAS IPv6 Address: -
    NAS Identifier: hv-as-1-48-PoE
    NAS Port-Type: Ethernet
    NAS Port: 33
    RADIUS Client:
    Client Friendly Name: hv-as-1-48-poe
    Client IP Address: 10.0.200.11
    Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: Department_of_information_technologies_vlan120 Compliant
    Authentication Provider: Windows
    Authentication Server: nps-02.domain.com
    Authentication Type: PEAP
    EAP Type: Microsoft: (EAP-MSCHAP v2)
    Account Session Identifier: -
    Logging Results: .
    Quarantine Information:
    Result: Full Access
    Session Identifier: {BF0F304A-0D7F-47E7-B741-B049EC8D477F} - 2012-08-17 14:20:07.520Z

    From network device:

    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
    Security ID: Domain\user
    Account Name: user
    Account Domain: DOMAIN
    Fully Qualified Account Name: domain.com/DOMAIN/Department of information technologies/Users/User
    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: -
    Calling Station Identifier: ip:source-ip=10.0.200.254
    NAS:
    NAS IPv4 Address: 10.0.200.61
    NAS IPv6 Address: -
    NAS Identifier: -
    NAS Port-Type: Virtual
    NAS Port: 60
    RADIUS Client:
    Client Friendly Name: hv-fw-1
    Client IP Address: 10.0.200.61
    Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: HP Access Switch Login
    Authentication Provider: Windows
    Authentication Server: nps-02.donetsk.com
    Authentication Type: PAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results:
    Reason Code: 66
    Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

    If I uncheck Override network policy authentication method, the Windows 7 client becomes non-NAP-capable but RADIUS authentication works fine. The logs are below:

    From Windows 7:

    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
    Security ID: DOMAIN\COMPUTER$
    Account Name: host/computer.domain.com
    Account Domain: DOMAIN
    Fully Qualified Account Name: domain.com/domain/Department of crop/Computers/COMPUTER
    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: e4-11-5b-6f-b3-00
    Calling Station Identifier: f0-de-f1-b6-06-c6
    NAS:
    NAS IPv4 Address: 10.0.200.11
    NAS IPv6 Address: -
    NAS Identifier: hv-as-1-48-PoE
    NAS Port-Type: Ethernet
    NAS Port: 33
    RADIUS Client:
    Client Friendly Name: hv-as-1-48-poe
    Client IP Address: 10.0.200.11
    Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: Connections to other access servers
    Authentication Provider: Windows
    Authentication Server: nps-02.domain.com
    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results:
    Reason Code: 65
    Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.

    And from network device:

    Network Policy Server granted access to a user.
    User:
    Security ID: DOMAIN\User
    Account Name: user
    Account Domain: DOMAIN
    Fully Qualified Account Name: domain.com/domain/Department of information technologies/Users/User
    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: -
    Calling Station Identifier: ip:source-ip=10.0.200.254
    NAS:
    NAS IPv4 Address: 10.0.200.61
    NAS IPv6 Address: -
    NAS Identifier: -
    NAS Port-Type: Virtual
    NAS Port: 51
    RADIUS Client:
    Client Friendly Name: hv-fw-1
    Client IP Address: 10.0.200.61
    Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: HP Access Switch Login
    Authentication Provider: Windows
    Authentication Server: nps-02.domain.com
    Authentication Type: PAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results:
    Quarantine Information:
    Result: Full Access
    Session Identifier: -



    • Edited by egoncharov Sunday, August 19, 2012 6:43 AM
    Sunday, August 19, 2012 6:15 AM
  • Hi,

    When you say "network device" what are you referring to?

    Have you used the wizard to create NAP policies? This is the simplest method to configure the settings that are needed. It looks like you are using the default policies and perhaps changing some of the settings. This can work but it's difficult.

    If possible, please start over and create brand new policies using the wizard. Either delete or disable the current policies, or move them to the bottom of the processing order.

    -Greg

    Sunday, August 19, 2012 11:40 AM
  • "Network device" means our Cisco or HP switches and routers. They use EAP authorization, but after checking Override network policy authentication it doesn't work.

    We created CRP and network policies with the wizard.

    Sunday, August 19, 2012 2:07 PM
  • Hi,

    Normally a switch or router does not authenticate to the network. It does something called a pass through.

    With 802.1X authentication, the switch (or router) receives client computer credentials and using the RADIUS configuration (also known as AAA commands) it forwards these credentials to the RADIUS server (NPS in this case). The RADIUS server checks Active Directory and then replies to the switch with an accept, deny, or reject message. The switch will then either let the client computer on the network or not. The switch itself is connected to the RADIUS server on an interface that does not have 802.1X enabled. If you have it enabled here, you should turn this off.

    The policies "Use Windows authentication for all users" and "Connections to other access servers" are default policies. It looks like one of these is being matched above and really should not be used for 802.1X authentication.

    For the Windows 7 computer with the "override network policy authentication settings" checkbox enabled, you are matching these policies:

    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: Department_of_information_technologies_vlan120 Compliant

    The result is that the computer is granted full access. This actually looks like it is working right now, but it would be better to use the connection request policy that you configured using the wizard. Is that connection request policy higher or lower in processing order?

    -Greg

    Sunday, August 19, 2012 4:33 PM
  • Thanks for the answers Greg. They are very helpful.

    We have single CRP and multiple network policies.

    We deployed NPS to authenticate on network devices with AD credentials. It works without checking "override network policy authentication settings", and I cannot understand why it doesn't work with the option checked. Maybe I need to create another CRP for authentication on network devices with AD credentials, but I don't know what condition to set.

    Sunday, August 19, 2012 6:33 PM
  • Hi,

    You can try using NAS Port Type as a condition and create one for clients and one for devices. It looks like clients always have a NAS port type of Ethernet and devices have a NAS port type of Virtual.

    In the CRP with NAS Port Type condition = Virtual you can un-check the Override network policy authentication settings checkbox.

    Let me know if this works.

    -Greg


    Sunday, August 19, 2012 7:13 PM
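    The four events posted earlier in the thread contain everything needed to see why one CRP cannot serve both 802.1X clients and device logins: the 802.1X requests arrive with NAS Port-Type Ethernet and use EAP/PEAP, the switch and firewall admin logins arrive with NAS Port-Type Virtual and use PAP, and all four matched the default CRP "Use Windows authentication for all users". The script below is an added example for this thread (not Microsoft's tooling and not code from any poster): it parses NPS event bodies in the form pasted above, flags the fields that explain each outcome, and tabulates authentication methods per NAS Port-Type, which is the evidence for splitting the CRP on that condition as suggested in the answer. The sample events are constructed from the thread's four events, trimmed to the fields the triage uses; the reason-code explanations are assumptions based on the reason text quoted in those events.

```python
"""Triage NPS audit events to find which CRP/network policy matched and why.
Added example for this forum thread; the events below are constructed from
the thread's four posted events (trimmed), not captured from a live server."""
import textwrap
from collections import defaultdict

DEFAULT_CRP = "Use Windows authentication for all users"
DEFAULT_NETWORK_POLICIES = {
    "Connections to Microsoft Routing and Remote Access server",
    "Connections to other access servers",
}
# Assumed summaries of the reason text quoted in the thread's events.
REASONS = {
    "65": "dial-in permission Deny (here: a default deny network policy matched)",
    "66": "authentication method not enabled on the matched network policy",
}

SAMPLE_EVENTS = textwrap.dedent(r"""
    Network Policy Server granted access to a user.
    Account Name: host/computer.domain.com
    NAS Port-Type: Ethernet
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: Department_of_information_technologies_vlan120 Compliant
    Authentication Type: PEAP
    EAP Type: Microsoft: (EAP-MSCHAP v2)
    Result: Full Access

    Network Policy Server denied access to a user.
    Account Name: user
    Calling Station Identifier: ip:source-ip=10.0.200.254
    NAS Port-Type: Virtual
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: HP Access Switch Login
    Authentication Type: PAP
    EAP Type: -
    Reason Code: 66

    Network Policy Server denied access to a user.
    Account Name: host/computer.domain.com
    NAS Port-Type: Ethernet
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: Connections to other access servers
    Authentication Type: EAP
    EAP Type: -
    Reason Code: 65

    Network Policy Server granted access to a user.
    Account Name: user
    NAS Port-Type: Virtual
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: HP Access Switch Login
    Authentication Type: PAP
    EAP Type: -
    Result: Full Access
""").strip()


def parse_event(text):
    """One event body -> dict. The first line carries the outcome; later lines
    split on the FIRST colon so 'ip:source-ip=...' and 'Microsoft: (EAP-MSCHAP v2)'
    survive intact. Repeated keys (Security ID appears under both User and
    Client Machine in full events) keep their first value."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    ev = {"outcome": "granted" if "granted access" in lines[0] else "denied"}
    for line in lines[1:]:
        key, sep, val = line.partition(":")
        if sep:
            ev.setdefault(key.strip(), val.strip())
    return ev


def parse_events(blob):
    """Events are separated by a blank line, as when pasted from Event Viewer."""
    return [parse_event(chunk) for chunk in blob.split("\n\n") if chunk.strip()]


def triage(ev):
    """Explain one request from its fields alone."""
    notes = []
    port, auth = ev.get("NAS Port-Type"), ev.get("Authentication Type")
    eap, reason = ev.get("EAP Type", "-"), ev.get("Reason Code")
    if ev.get("Connection Request Policy Name") == DEFAULT_CRP:
        notes.append("matched the default CRP, not a wizard-created one")
    if ev.get("Network Policy Name") in DEFAULT_NETWORK_POLICIES:
        notes.append("fell through to a default network policy")
    if port == "Ethernet" and auth == "EAP" and eap == "-":
        notes.append("802.1X request with no EAP type negotiated; the NAP-capable "
                     "condition cannot match (CRP override off?)")
    if port == "Virtual" and auth == "PAP" and reason == "66":
        notes.append("device login uses PAP but the CRP forces EAP; give "
                     "NAS Port-Type=Virtual its own CRP without override")
    if reason in REASONS:
        notes.append(f"reason {reason}: {REASONS[reason]}")
    return notes


def auth_methods_by_port_type(events):
    """Authentication methods seen per NAS Port-Type: one CRP per key is the split."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev.get("NAS Port-Type", "?")].add(ev.get("Authentication Type", "?"))
    return {k: sorted(v) for k, v in seen.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for ev in evs:
        print(ev["outcome"], ev.get("NAS Port-Type"), "->", ev.get("Network Policy Name"))
        for note in triage(ev):
            print("   -", note)
    print(auth_methods_by_port_type(evs))
```

    To use it on a real server, paste the bodies of events 6272 (granted) and 6273 (denied) from Event Viewer\Custom Views\Server Roles\Network Policy and Access Services into SAMPLE_EVENTS, one blank line between events. The per-port-type table should come out with Ethernet carrying only EAP/PEAP and Virtual carrying only PAP (or whatever the devices send); if a single port type carries both, the split needs a second condition such as Client Friendly Name.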
  • Hi Greg!

    Thank you very much for excellent answers! The NAS Port Type is the solution. All works fine! Thanks again!

    Monday, August 20, 2012 7:51 AM