Am new to NAP and I have been asked to improve security on the wireless network

  • Question

  • I have 41 Orinoco AP-4000 access points that are running WPA-Personal security, and I need to move them over to 802.11i Station using RADIUS to authenticate, so I set up 1 access point to be a RADIUS client using its IP address.

    I set the Security Profile of my AP to 802.11i Station; this uses authentication mode 802.1x and a cipher of AES.

    I then set up NPS using the Configure 802.1x Wizard. This gives me 1 connection request policy and 1 network policy. The NAP server has a certificate.

    1 connection policy

    Overview

    Type of network access server = Unspecified

    Conditions set to nas port Type Wireless –other OR wireless – IEEE802.11

    Settings all left at default values

    1 network policy

    Overview

    Grant access

    Ignore user account dial-in properties ticked

    Type of network access server – Unspecified

    Conditions

    NAS Port Type Wireless- other OR wireless – IEEE802.11

    Windows Groups Domain\Global Security Group

    Constraints

    Authentications Method Microsoft Protected EAP(PEAP) with default less secure authentication methods set to default

    Settings

    Standard Framed-Protocol PPP and Service-Type Framed

    All the rest set to default

    We are unable to connect and get the following error in event viewer

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:

                   Security ID:                                         NET\ITTECHSLAP01$

                   Account Name:                                   host/ITTechsLap01

                   Account Domain:                               NET

                   Fully Qualified Account Name:          NET\ITTECHSLAP01$

    Client Machine:

                   Security ID:                                         NULL SID

                   Account Name:                                   -

                   Fully Qualified Account Name:          -

                   Called Station Identifier:                    00-00-00-00-00-00:unif1

                   Calling Station Identifier:                   00-00-00-00-00-6b

    NAS:

                   NAS IPv4 Address:                              192.168.255.25

                   NAS IPv6 Address:                              -

                   NAS Identifier:                                    AP-41

                   NAS Port-Type:                                   Wireless - IEEE 802.11

                   NAS Port:                                            9

    RADIUS Client:

                   Client Friendly Name:                         AP41

                   Client IP Address:                               192.168.255.25

    Authentication Details:

                   Connection Request Policy Name:    SWC1

                   Network Policy Name:                       -

                   Authentication Provider:                    Windows

                   Authentication Server:                       Server name

                   Authentication Type:                         EAP

                   EAP Type:                                            -

                   Account Session Identifier:                -

                   Logging Results:                                 Accounting information was written to the local log file.

                   Reason Code:                                      48

                   Reason:                                               The connection request did not match any configured network policy.

    As far as I can see, the AP and the NPS match and the user is in the security group.

    Please remember this is my first time using NPS, so I did use the wizard.

    Friday, March 24, 2017 2:39 PM

All replies

  • Hi Donjo,

    Have you configured a certificate for users?

    Have you checked whether any related information exists?

    >>Authentications Method Microsoft Protected EAP(PEAP) with default less secure authentication methods

    Please try to configure EAP to be MS-CHAP authentication and check again.

    Best Regards

    John



    Monday, March 27, 2017 10:26 AM
  • Remove the security group condition in Network Policy and see if it works.

    Friday, April 7, 2017 5:14 PM
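
An added example, not part of the thread or any poster's code: a small Python triage of the NPS denial event quoted in the question, reading the fields that explain a reason code 48. The sample text is constructed from the fields shown in that event, and the names `parse_event` and `triage` are hypothetical.

```python
# Constructed sample: a subset of the fields from the event quoted in the question.
SAMPLE_EVENT = """\
User:
    Security ID:                    NET\\ITTECHSLAP01$
    Account Name:                   host/ITTechsLap01
NAS:
    NAS Port-Type:                  Wireless - IEEE 802.11
Authentication Details:
    Connection Request Policy Name: SWC1
    Network Policy Name:            -
    Authentication Type:            EAP
    Reason Code:                    48
"""

def parse_event(text):
    """Return {section: {field: value}}; sections are unindented 'Name:' lines."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not line[0].isspace() and not value.strip():
            current = sections.setdefault(key, {})   # new section header
        elif current is not None:
            current[key.strip()] = value.strip()     # field inside current section
    return sections

def triage(event):
    """List what the event fields say about why the request was denied."""
    user = event.get("User", {})
    auth = event.get("Authentication Details", {})
    findings = []
    if auth.get("Reason Code") == "48":
        findings.append("reason 48: request matched no network policy")
    if auth.get("Network Policy Name") == "-" and auth.get("Connection Request Policy Name", "-") != "-":
        findings.append("connection request policy matched; every network policy condition set failed")
    # A trailing '$' on the SID name or a 'host/' account name is a computer account.
    if user.get("Account Name", "").lower().startswith("host/") or user.get("Security ID", "").endswith("$"):
        findings.append("identity is a computer account: check that the Windows Groups "
                        "condition's group contains the computer, not only the user")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(parse_event(SAMPLE_EVENT))))
```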