Problem authenticating through NPS RADIUS

  • Question

  • I am setting up a small scale test to see if a Windows 7 device can authenticate logins through RADIUS with pGina w/ RADIUS plugin (replaces Windows logon system with a 3rd party one that allows for RADIUS authentication).


    My set-up includes 3 computers:

    1. Windows 7 computer running pGina
    2. Windows Server 2008 computer running the NPS RADIUS Server
    3. Windows Server 2008 computer running as Domain Controller and Active Directory

    All computers are connected on an isolated wired switch. Only these 3 devices are connected together, nothing else on the switch.


    I've configured all 3 boxes to be on the same domain. I am able to authenticate logins through computers 1 and 3 directly with Active Directory; credentials and permissions are accessed fine, everything is dandy.

    I run into problems when I throw the RADIUS server into the mix. I have pGina configured to hit the RADIUS server, which in turn is set up to authenticate against Active Directory on the domain controller. When I try to log in through pGina, the RADIUS authentication request is seen on the RADIUS server (logged events show a RADIUS request was received), but I keep getting an error indicating that the credentials I've supplied are incorrect. I've triple checked the account information on Active Directory, and I'm certain I'm using the appropriate credentials.

    Under the connection policy, if I click: "Accept users without validating credentials" I am able to login fine, but obviously this isn't what I want to do.


    The exact error message I see is:

    NPS Event 6273, Reason Code 16
    Reason:    Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

     


    Has anyone set up RADIUS authentication in this manner and have any idea what might be going on?


    Thanks in advance

    Friday, November 4, 2011 8:14 PM

Answers

  • First, I would like to point out this is a duplicate thread to the following link. Maybe we can get the two merged so we don't double our efforts to help:
    http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/dbed7557-1822-4cf4-99e7-4aca210953da

    I haven't used pGina, but I assume it's configured as a RADIUS client to your NPS server.

    Based on the following link, I believe it's an issue with the network policy not allowing the connection attempt, possibly a specific method authenticator attribute, from the pGina solution.

    Event ID 6273 — NPS Authentication Status
    http://technet.microsoft.com/en-us/library/dd316172(WS.10).aspx

    How do you have it configured? Does the pGina documentation say anything about a condition in the policy that you must add to make it work?

     

    Also, it could be based on how the username is being entered. Are you providing the username without a domain name, or in the form of domain\user, or user@domain.local? One solution is (quoted out of the KB article, link below it):

    "To convert a user name to a UPN name, for example, to change user to user@domain.com, type $ in the Find box, and then type @domain.com in the Replace box."

    HOW TO: Configure a Primary Internet Authentication Service Server on a Domain Controller
    http://support.microsoft.com/kb/317588

    Otherwise, I would believe the pGina docs or their support can assist in diagnosing it. For example, when I configured a Cisco AP as a RADIUS client with certificate authentication, they assisted me to get it configured as part of the support contract.

     


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Saturday, November 5, 2011 10:09 PM
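
Added example, not part of the original thread and not NPS or pGina code: it models the Find/Replace rule quoted from the KB article against the three user name forms the answer asks about, and shows that the unconditional `$` rule also rewrites names that already carry a domain. Python's `re` module stands in for NPS's own pattern matcher, and the guarded rule, the helper names and the sample names are assumptions made for the illustration.

```python
import re

# Ordered (find, replace) rules, modelled on the Find/Replace pair in the
# quoted KB text. Python's re module is a stand-in for NPS's own matcher.
KB_RULE = [(r"$", "@domain.com")]            # rule quoted on the page
# Hypothetical guarded rule: rewrite only names that carry no domain part.
GUARDED_RULE = [(r"^([^@\\]+)$", r"\1@domain.com")]


def classify(user_name):
    """Return the form of a RADIUS User-Name: 'downlevel', 'upn' or 'bare'."""
    if "\\" in user_name:
        return "downlevel"      # DOMAIN\user
    if "@" in user_name:
        return "upn"            # user@domain
    return "bare"               # user


def apply_rules(user_name, rules):
    """Apply each find/replace rule once, in list order."""
    for find, replace in rules:
        user_name = re.sub(find, replace, user_name, count=1)
    return user_name


def is_well_formed(user_name):
    """True if the name carries at most one domain marker ('@' or '\\')."""
    return user_name.count("@") + user_name.count("\\") <= 1


def report(names, rules):
    """Return (input, form, rewritten, well_formed) for each name."""
    rows = []
    for name in names:
        out = apply_rules(name, rules)
        rows.append((name, classify(name), out, is_well_formed(out)))
    return rows


# Constructed sample inputs covering the three forms named in the answer.
SAMPLES = ["alice", "DOMAIN\\alice", "alice@domain.local"]

if __name__ == "__main__":
    for label, rules in (("KB rule", KB_RULE), ("guarded rule", GUARDED_RULE)):
        print(label)
        for row in report(SAMPLES, rules):
            print("  %-20s %-10s -> %-32s ok=%s" % row)
```

With the KB rule only the bare name comes out usable; the guarded rule leaves already-qualified names untouched, so the same policy can serve clients that send any of the three forms.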

All replies

  • I am setting up a small scale test to see if a Windows 7 device can authenticate logins through RADIUS with pGina w/ RADIUS plugin (replaces Windows logon system with a 3rd party one that allows for RADIUS authentication).


    My set-up includes 3 computers:

    1. Windows 7 computer running pGina
    2. Windows Server 2008 computer running the NPS RADIUS Server
    3. Windows Server 2008 computer running as Domain Controller and Active Directory

    All computers are connected on an isolated wired switch. Only these 3 devices are connected together, nothing else on the switch.


    I've configured all 3 boxes to be on the same domain. I am able to authenticate logins through computers 1 and 3 directly with Active Directory; credentials and permissions are accessed fine, everything is dandy.

    I run into problems when I throw the RADIUS server into the mix. I have pGina configured to hit the RADIUS server, which in turn is set up to authenticate against Active Directory on the domain controller. When I try to log in through pGina, the RADIUS authentication request is seen on the RADIUS server (logged events show a RADIUS request was received), but I keep getting an error indicating that the credentials I've supplied are incorrect. I've triple checked the account information on Active Directory, and I'm certain I'm using the appropriate credentials.

    Under the connection policy, if I click: "Accept users without validating credentials" I am able to login fine, but obviously this isn't what I want to do.


    The exact error message I see is:

    NPS Event 6273, Reason Code 16
    Reason:    Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

     


    Has anyone set up RADIUS authentication in this manner and have any idea what might be going on?


    Thanks in advance

    Friday, November 4, 2011 7:56 PM
  • Hello,

    it will be better to ask them here: http://social.technet.microsoft.com/Forums/en-US/winserverNIS/threads

     


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Friday, November 4, 2011 8:08 PM
  • Thanks very much, I will re-post over there.

    Friday, November 4, 2011 8:14 PM
  • The link to the new thread: http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/0f8ff771-8f2e-467c-a9a9-619dc27bccdb/#0f8ff771-8f2e-467c-a9a9-619dc27bccdb

     


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Friday, November 4, 2011 8:27 PM