difference between the way NPS and IAS operate

  • Question

  • I am running IAS radius servers on windows 2003

    I have migrated the setting to NPS on 2008.

    When I try to authenticate against NPS, the authentication fails.

    It appears to match the right policy, but the 2008 event log says the username or password is incorrect.

    I am using an 802.1x client to supply the username/password - I am not typing them in, so it isn't that.

    Does NPS evaluate policies differently to IAS?

    Is there a way to turn on NPS radius debugging?

    (i.e. like freeradiusd -X -x -x)

    Thanks for any reply.

    Monday, November 22, 2010 11:43 AM

Answers

  • Tiger Li/

     

    Some progress.

    In the last example, I was trying to match a username of n**a@ncl.ac.uk (stripping the @ncl.ac.uk realm in NPS).

    When I change to matching n**a (without the realm), it works...

    As the event log shows the correct username and AD domain in both cases, I guess there is a difference with realm handling and/or realm stripping within NPS that wasn't present in IAS.

    Event log shows:

    Network Policy Server granted full access to a user because the host met the defined health policy.

    User:
        Security ID:            CAMPUS\n**a
        Account Name:            n**a
        Account Domain:            CAMPUS
        Fully Qualified Account Name:    CAMPUS\n**a

    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        00-0f-24-7f-87-c0:radtest
        Calling Station Identifier:        00-24-2c-5a-fa-33

    NAS:
        NAS IPv4 Address:        10.0.2.10
        NAS IPv6 Address:        -
        NAS Identifier:            w**t-A
        NAS Port-Type:            Wireless - IEEE 802.11
        NAS Port:            29

    RADIUS Client:
        Client Friendly Name:        ***.ncl.ac.uk
        Client IP Address:            10..x.y.z

    Authentication Details:
        Connection Request Policy Name:    eduroam test version2
        Network Policy Name:        Newcastle 802.1X
        Authentication Provider:        Windows
        Authentication Server:        vvvvv.campus.ncl.ac.uk
        Authentication Type:        PEAP
        EAP Type:            Microsoft: Secured password (EAP-MSCHAP v2)
        Account Session Identifier:        -

    Quarantine Information:
        Result:                Full Access
        Extended-Result:            -
        Session Identifier:            -
        Help URL:            -
        System Health Validator Result(s):    -

    Wednesday, November 24, 2010 4:25 PM

All replies

  • Hi,

    Thanks for posting here.

    Could you discuss how you performed the migration and also post the full error message that you encountered when this issue occurred, like event ID and description?

    You may refer to the article below to start debugging and troubleshooting this issue:

    Authentication Problem on a 802.1x Wireless Network

    http://blogs.technet.com/b/yuridiogenes/archive/2008/04/18/authentication-problem-on-a-802-1x-wireless-network.aspx

    Thanks.

    Tiger Li


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, November 23, 2010 4:47 AM
  • Hi Tiger Li

    Many thanks for your reply.

    I migrated from IAS on 2008 to NPS on 2008 using the migration tool.

    The full error is:

    error 16 - Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

    This is not because the username or password is incorrect. If I change my wireless 802.1x client to point to IAS, but leave the username/password untouched on the 802.1x client, I can authenticate.

    I am trying to authenticate as n**a@ncl.ac.uk.

    Our Active Directory domain is CAMPUS.

    From the event log, I can see my username is mapped to CAMPUS\n**a (which is correct).

    The network and connection policy are being picked up correctly.

    The event log for this auth request is below.

     


    Network Policy Server denied access to a user.


    Contact the Network Policy Server administrator for more information.

    User:
        Security ID:            CAMPUS\n**a
        Account Name:            campus\n**a
        Account Domain:            CAMPUS
        Fully Qualified Account Name:    CAMPUS\n**a

    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        00-25-84-35-f2-a0:radtest
        Calling Station Identifier:        00-24-2c-5a-fa-33

    NAS:
        NAS IPv4 Address:        10.x.y.z
        NAS IPv6 Address:        -
        NAS Identifier:            xxx
        NAS Port-Type:            Wireless - IEEE 802.11
        NAS Port:            29

    RADIUS Client:
        Client Friendly Name:        xxx.ncl.ac.uk
        Client IP Address:            10.x.y.z

    Authentication Details:
        Connection Request Policy Name:    eduroam test version2
        Network Policy Name:        Newcastle 802.1X
        Authentication Provider:        Windows
        Authentication Server:        vvvvv.campus.ncl.ac.uk
        Authentication Type:        PEAP
        EAP Type:            Microsoft: Secured password (EAP-MSCHAP v2)
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            16
        Reason:                Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

    Tuesday, November 23, 2010 5:04 PM
  • Hi,

    Thanks for the update.

    Never be awarded this, but could be a possible reason, because it worked in your environment! Thanks for sharing.

    Meanwhile, could you also try “ncl.ac.uk\n**a”? Will it also work?

    Thanks.

    Tiger Li
    Thursday, November 25, 2010 2:46 AM
  • Hi Tiger Li

    While my experiments allow a successful authentication, I really need to accept usernames of the form n**a@ncl.ac.uk.

    From the event logs above, the username n**a@ncl.ac.uk is mapped into campus\n**a correctly, but it is almost as if the actual password lookup in the Active Directory is still using the username n**a@ncl.ac.uk.

    (This may seem strange, but I did discover a bug in Windows 2003 IAS logging which did exactly this - event logging did log the correct username, but the IAS log recorded a null string.)

    I shall check with our Active Directory people what username is being passed to AD for processing.

    Many thanks for your help.

     

    Ian

    Thursday, November 25, 2010 11:51 AM
  • I have turned on NPS logging.

    It looks like the problem is with realm stripping on the inner EAP-PEAP-MSCHAPv2 processing.

    My rule to strip the realm works on the outer identity.

    (So username@ncl.ac.uk is stripped to username.)

    But logging shows the inner identity is not stripped.

    I can see username@ncl.ac.uk is being used in an Active Directory lookup. This is not matching, and causing the error 16.

    IAS does not suffer from the problem.

    So, can anyone tell me how to perform EAP-PEAP inner identity realm stripping?

    Tuesday, December 14, 2010 9:28 AM
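As an added example for this thread (not code from any of the posters, and not Microsoft's own), the PowerShell below covers the two practical points raised: switching NPS component tracing on, which is the nearest thing NPS has to running freeradiusd in debug mode, and pulling the denied-access audit events so the account name NPS resolved can be lined up with the reason code. The Event ID 6273 for "Network Policy Server denied access to a user" and the EventData field names (`SubjectUserName`, `ReasonCode` and the others used below) are from the NPS event schema as I recall it, not from the thread; confirm them against one raw event on your own server before relying on the script. The IASSAM.LOG file name and the `$env:SystemRoot\tracing` location are likewise from memory.

```powershell
# Added example for this thread, not code from any poster or from Microsoft.
# Assumes Windows Server 2008 NPS whose audit events land in the Security log.
# Event ID 6273 ("Network Policy Server denied access to a user") and the
# EventData field names below are as I recall the NPS event schema; confirm
# them with (Get-WinEvent -LogName Security -MaxEvents 1).ToXml() on your box.

# --- 1. Component tracing, the nearest NPS equivalent of "freeradiusd -X" ---
# Writes IASSAM.LOG, IASNAP.LOG and others under $env:SystemRoot\tracing.
# Enable, reproduce one failing 802.1X logon, then disable: the files grow fast.
function Enable-NpsTrace  { netsh ras set tracing * enabled  }
function Disable-NpsTrace { netsh ras set tracing * disabled }
# Select-String -Path "$env:SystemRoot\tracing\IASSAM.LOG" -Pattern 'ncl\.ac\.uk'
# shows the exact user name handed to the SAM/AD lookup, which is where the
# thread found the inner identity still carrying its realm.

# --- 2. Recent denials with the name NPS resolved and the reason code ---
function Get-NpsDenial {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        New-Object PSObject -Property @{
            Time        = $e.TimeCreated
            AccountName = $d['SubjectUserName']          # "Account Name" in the event text
            Domain      = $d['SubjectDomainName']
            FqName      = $d['FullyQualifiedSubjectUserName']
            AuthType    = $d['AuthenticationType']
            EapType     = $d['EAPType']
            ReasonCode  = $d['ReasonCode']
        }
    }
}

# Reason 16 = credentials mismatch. In the thread the event already showed the
# stripped name (CAMPUS\n**a) while the trace showed the inner identity still
# carrying @ncl.ac.uk, so a clean-looking 6273 does not prove the AD lookup
# used that name; pair this output with the trace from step 1.
Get-NpsDenial -Hours 6 |
    Where-Object { $_.ReasonCode -eq '16' } |
    Format-Table Time, AccountName, FqName, AuthType, EapType -AutoSize

# --- 3. Dry-run a User-Name manipulation rule before entering it in a policy ---
# NPS attribute manipulation rules take a Find pattern and a Replace string
# with $1-style back-references (as I understand the NPS documentation), which
# is the same syntax PowerShell's -replace uses, so the pair can be tried here.
$find    = '(.*)@ncl\.ac\.uk$'   # realm from the thread
$replace = '$1'
'n**a@ncl.ac.uk' -replace $find, $replace   # realm form: realm removed
'n**a'           -replace $find, $replace   # bare form: left unchanged
'ncl.ac.uk\n**a' -replace $find, $replace   # prefix form: left unchanged
```

Run it as an administrator on the NPS server itself; the Security log is not readable by ordinary users, and `netsh ras set tracing` needs elevation. Step 3 only checks what the regular expression does to a string; whether NPS applies the rule to the inner PEAP identity as well as the outer one is exactly the question this thread leaves open, so the trace from step 1 is the evidence to look at.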
  • Hi, I have the same problem!!

    Did you find a solution for this problem?

    I think it's a big bug in NPS.

    Friday, May 13, 2011 2:45 PM