WAP 561 - NPS role - Problem getting a domain profile

  • Question

  • Hi everyone,

    Today, I have a problem with the authentication of a Cisco WAP 561 and the Network Policy Server role.

    My Cisco WAP 561 is connected to the RADIUS Network Policy Server role with EAP MD5.

    When a domain user wants to connect to the captive portal, the authentication succeeds.

    But when I check the profile of my connection, it shows a Private Network, and I want to have a domain network profile.

    When I deactivate the NPS, I get a domain network profile.

    Do you have any idea?

    Thank you.

    Sunday, September 3, 2017 8:17 AM

All replies

  • Hi jostir,

    Thanks for your posting here.

    It looks like the query is more related to a Cisco product; you may ask this in the Cisco forum to get more efficient support.

    It is also appreciated that the other members in our forum can share their experience with us about this scenario.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 4, 2017 6:19 AM
  • Hi,

    I think it is a problem with the NPS role because when I deactivate it, I get the domain profile through my WAP 561.

    So, I have posted my message to this section.

    Do you have any ideas?

    Thank you.

    Monday, September 4, 2017 7:07 AM
  • Hi jostir,

    Please check the event log to see if there is something useful for us to troubleshoot.

    Best Regards,

    Candy



    Monday, September 4, 2017 7:38 AM
  • Two information log entries appear for a user connection, but I think my configuration isn't right:

    First message → 6272 - Network Policy Server granted access to a user.

    User:
    Security ID: DOMAIN\surname.name
    Account Name: surname.name
    Account Domain: DOMAIN
    Fully Qualified Account Name: DOMAIN.com/Utilisateurs/Surname NAME

    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: -
    Calling Station Identifier: -

    NAS:
    NAS IPv4 Address: 192.168.2.181
    NAS IPv6 Address: -
    NAS Identifier: -
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: -

    RADIUS Client:
    Client Friendly Name: Cisco WAP 561 - WAP01
    Client IP Address: 192.168.2.181

    Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: DOMAIN-Interne_Basé sur AD
    Authentication Provider: Windows
    Authentication Server: SRV-NPS.DOMAIN.com
    Authentication Type: EAP
    EAP Type: MD5-Challenge
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.

    Quarantine Information:
    Result: Full Access
    Session Identifier: -


    -----------


    Second message → 6278 - Network Policy Server granted full access to a user because the host met the defined health policy.

    User:
    Security ID: DOMAIN\surname.name
    Account Name: surname.name
    Account Domain: DOMAIN
    Fully Qualified Account Name: DOMAIN.com/Utilisateurs/Surname NAME

    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: -
    Calling Station Identifier: -

    NAS:
    NAS IPv4 Address: 192.168.2.181
    NAS IPv6 Address: -
    NAS Identifier: -
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: -

    RADIUS Client:
    Client Friendly Name: Cisco WAP 561 - WAP01
    Client IP Address: 192.168.2.181

    Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: DOMAIN-Interne_Basé sur AD
    Authentication Provider: Windows
    Authentication Server: SRV-NPS.DOMAIN.com
    Authentication Type: EAP
    EAP Type: MD5-Challenge
    Account Session Identifier: -

    Quarantine Information:
    Result: Full Access
    Extended-Result: -
    Session Identifier: -
    Help URL: -
    System Health Validator Result(s): -

    Monday, September 4, 2017 7:49 AM
  • Hi,

    The following hotfix might apply

    https://support.microsoft.com/en-us/help/2524478/the-network-location-profile-changes-from-domain-to-public-in-windows

    But it's also possible that you are losing connection to your domain controller. When a computer is able to connect to a domain controller on port 389, it will have a domain profile. If that connection is not available, the network profile will change.

    Thanks,

    -Greg

    Thursday, September 7, 2017 5:44 AM
  • Hi jostir,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Candy



    Tuesday, September 19, 2017 8:41 AM
  • Hi Candy,

    The hotfix hasn't resolved my problem.

    Tuesday, September 19, 2017 8:44 AM
  • Please verify that you have a connection to your domain controller.

    Losing the connection to a DC is usually why the connection type changes.

    Tuesday, September 19, 2017 5:02 PM
  • Hi Greg,

    I can ping my domain controller.

    How can I rearm the connectivity with the domain controller when I'm connected with NPS?

    Thank you

    Tuesday, September 19, 2017 5:05 PM
  • This depends on what is blocking. It could be a firewall or it might be a routing problem.

    You said that you can ping the domain controller. Is this possible when the connection shows as Private Network, or is it only possible when the connection is Domain?

    What operating system are you running? I need to know this so that I can determine if you have the Windows PowerShell commands that will help to troubleshoot.

    Thanks,

    -Greg

    Tuesday, September 19, 2017 5:18 PM
  • I can ping the domain controller when I'm in a private network and in a domain network.

    I use Windows 10.

    Tuesday, September 19, 2017 5:21 PM
  • Please open a Windows PowerShell prompt and try the commands below. 

    The first command will tell you the name of your domain controller.

    cmd /c echo %logonserver%

    In the next command, replace "dc.contoso.com" with the name of your domain controller. Do not use the IP address. We also need to verify that you can resolve the name properly.

    Test-NetConnection -ComputerName dc.contoso.com -Port 389 -InformationLevel Detailed

    You should see something like the following:

    ComputerName            : DC
    RemoteAddress           : 2001:4898:2001:4:2e76:8aff:fe54:d634
    RemotePort              : 389
    NameResolutionResults   : 2001:4898:2001:4:2e76:8aff:fe54:d634
                              10.222.110.47
    MatchingIPsecRules      :
    NetworkIsolationContext : Internet
    InterfaceAlias          : Ethernet 
    SourceAddress           : 2001:4898:d8:404:45b:e3c9:3ae:3de5
    NetRoute (NextHop)      : fe80::8a75:56ff:fe3c:c200
    TcpTestSucceeded        : True


    Tuesday, September 19, 2017 5:42 PM
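
The checks discussed in the replies above (resolve the domain controller by name, test TCP port 389, then look at the resulting network profile) can be combined into one helper. This is an added example, not part of any poster's reply; `Test-DcReachability` is a hypothetical function name, and the default target is built from the `LOGONSERVER` and `USERDNSDOMAIN` environment variables.

```powershell
# Added example. Test-DcReachability is a hypothetical helper name, not a built-in cmdlet.
function Test-DcReachability {
    param([string]$DomainController)

    if (-not $DomainController) {
        # LOGONSERVER looks like \\DC01; when signed in with a local account it is the
        # local machine, so pass -DomainController explicitly in that case.
        if (-not $env:LOGONSERVER -or -not $env:USERDNSDOMAIN) {
            throw 'LOGONSERVER/USERDNSDOMAIN not set; pass -DomainController explicitly.'
        }
        $DomainController = '{0}.{1}' -f $env:LOGONSERVER.TrimStart('\'), $env:USERDNSDOMAIN
    }

    # Step 1: name resolution. The test uses the name, not the IP address,
    # so a DNS problem behind the access point shows up here.
    $addresses = @()
    try {
        $addresses = @(Resolve-DnsName -Name $DomainController -ErrorAction Stop |
            Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
    } catch {
        Write-Warning "DNS resolution failed for ${DomainController}: $($_.Exception.Message)"
    }

    # Step 2: LDAP reachability on TCP 389. A successful ping does not prove this port is open.
    $ldap = $false
    if ($addresses.Count -gt 0) {
        $ldap = (Test-NetConnection -ComputerName $DomainController -Port 389 `
                 -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    # Step 3: profile Windows assigned to each connected network.
    # NetworkCategory is Public, Private or DomainAuthenticated.
    $profiles = Get-NetConnectionProfile |
        Select-Object InterfaceAlias, Name, NetworkCategory

    [pscustomobject]@{
        DomainController  = $DomainController
        ResolvedAddresses = $addresses -join ', '
        Ldap389Reachable  = $ldap
        Profiles          = $profiles
    }
}

$result = Test-DcReachability
$result | Format-List DomainController, ResolvedAddresses, Ldap389Reachable
$result.Profiles | Format-Table -AutoSize
```

Run it once while connected through the access point with NPS enabled and once with NPS disabled, then compare `Ldap389Reachable` and `NetworkCategory` between the two runs.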
  • Thank you for your advice.

    I will test this command as soon as possible.

    Tuesday, September 19, 2017 5:48 PM
  • Hi jostir,

    Did you have any updates?

    Best Regards,

    Candy



    Friday, September 22, 2017 2:03 AM