WS2012R2 NPS - reason code 66

  • Question

  • Dear Microsoft!

    I am trying to get NPS working in a test environment, but I couldn't get it working and I need some help!

    The environment: 1 Hyper-V host with 4 guests on a private Hyper-V switch: 2 Win8.1 clients, a WS2012R2 domain controller and a WS2012R2 DHCP and NPS server. All of them are part of the domain called dkaro.

    I set up the DHCP server and it works fine without NAP. If I enable it, I keep getting error reason code 66, which means the authentication methods don't match.

    Here are the configurations of the clients (sorry, the guest OS is Hungarian):

    And here is the configuration of the server:

    I set the authentication method in the Connection Request Policy, but I also tried it within the Network Policy section. None of them worked. I tried the other 2 methods (smart card or other certificate / EAP-MSCHAP v2) but none of them worked. I installed both the root CA (dkaro-dkaro-dc-ca) and the NPS server's CA (dkaro-dhcp.dkaro.local) on the client.

    If I turn off the authentication it is working, but of course the computers are non-NAP-capable at that time. I have never done this before but I need it now. Please help! Thanks! Daniel


    Monday, September 14, 2015 9:26 AM

All replies

  • Sorry, just managed to post the pictures.
    Monday, September 14, 2015 5:34 PM
  • Hi daniel karoczkai,

    According to reason code 66, we may check the network policy access permission at the beginning; verify that it is configured as "grant access".

    I tested it in my lab using the EAP method to authenticate the connection, and it could work. My configurations are as follows:

    NAP server: enroll a certificate from the CA server and store it in Local Computer\Personal. The certificate is duplicated from the Web Server template; configure the subject name of the certificate with the FQDN of the NPS server. A root certificate of the domain is stored in Local Computer\Trusted Root Certification Authorities. In the network policy, EAP edit > certificate issued: the certificate mentioned above in Personal.

    On the client: in the connection security properties select "Use Extensible Authentication Protocol"; in EAP properties, select "Connect to these servers"; under Trusted Root Certification Authorities, select the domain root certificate. The following configurations are the same as yours. I didn't enroll any certificates in Local Computer\Personal on the client.

    You may check the configurations as I described above and see if it will work.

    Besides, did you add the "NAP-capable" condition in the network policy? If so, you have to enable the NAP client. On the client, run napclcfg.msc, Enforcement Clients > enable EAP Quarantine Enforcement Client.

    Best regards,

    Anne he




    Wednesday, September 16, 2015 9:52 AM
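    The certificate prerequisites described in the reply above (NPS certificate in Local Computer\Personal with the server FQDN as subject, root CA in the machine Trusted Root store) can be verified from PowerShell. The following is an added example, not code from the thread or from Microsoft; it reuses the NPS FQDN and root CA name Daniel posted, which you would replace with your own, and it assumes a PowerShell 3.0 or later certificate provider (which adds the EnhancedKeyUsageList and DnsNameList properties used here).

```powershell
# Added example: check the certificate prerequisites for PEAP / EAP-TLS on NPS.
# Values below come from the thread; replace them with your own environment's.
$NpsFqdn       = 'dkaro-dhcp.dkaro.local'
$RootCaName    = 'dkaro-dkaro-dc-ca'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

function Test-NpsServerCertificate {
    # Run on the NPS server. The certificate NPS presents to EAP clients must be in
    # LocalMachine\My, have a private key, carry the Server Authentication EKU,
    # name the server's FQDN in its subject or SAN, and chain to a trusted root.
    param([string]$Fqdn = $NpsFqdn)

    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $hasEku = [bool]($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $ServerAuthOid)
        $nameOk = ($_.DnsNameList.Unicode -contains $Fqdn) -or
                  ($_.Subject -match "CN=$([regex]::Escape($Fqdn))(,|$)")
        $chainOk = $_.Verify()           # builds the chain against the machine stores
        [pscustomobject]@{
            Thumbprint    = $_.Thumbprint
            Subject       = $_.Subject
            HasPrivateKey = $_.HasPrivateKey
            ServerAuthEku = $hasEku
            NameMatches   = $nameOk
            ChainTrusted  = $chainOk
            Usable        = $_.HasPrivateKey -and $hasEku -and $nameOk -and $chainOk
        }
    }
}

function Test-ClientTrustsRoot {
    # Run on the client. The CA that issued the NPS certificate must be in the
    # machine Trusted Root store; it is the one to tick under
    # "Trusted Root Certification Authorities" in the PEAP properties.
    param([string]$RootSubjectPattern = $RootCaName)

    $root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like "*$RootSubjectPattern*"
    [pscustomobject]@{
        RootPresent = [bool]$root
        Thumbprints = @($root | ForEach-Object Thumbprint)
    }
}

# On the NPS server: at least one row should show Usable = True.
Test-NpsServerCertificate | Format-Table Subject, HasPrivateKey, ServerAuthEku, NameMatches, ChainTrusted, Usable -AutoSize

# On the client: RootPresent should be True.
Test-ClientTrustsRoot | Format-List
```

    If no certificate comes back with Usable = True on the server, NPS has nothing valid to offer in the EAP properties, and the client-side "Connect to these servers" / root CA validation will fail before any network policy is evaluated.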
  • Hello Anne he!

    Thank you for the answer.

    It looks like it is not just the authentication that is not OK. I have now configured the authentication in the Network Policy and I only enabled one, where the condition is that the computer is NAP-capable. And I got reason code 48, which means none of the network policies match the computer.

    The EAP quarantine enforcement is enabled on the client. What else do I have to set up to get a NAP-capable computer?

    Thanks!

    Daniel

    Wednesday, September 16, 2015 12:36 PM
  • Debugging, debugging...

    I managed to get the computer NAP-capable. It looks like it is not enough to enable the EAP quarantine enforcement client; you have to enable the DHCP quarantine enforcement client too.

    But unfortunately the authentication is still not working. The reason code is still 66.

    Here is the config with AD authentication:
    Server

    Client:

    And here are the configurations for certification:

    Server


    Client:

    None of them worked. Please help, what do i do wrong?

    Thanks Daniel!


    Thursday, September 17, 2015 6:24 PM
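    The client-side step that made the machine NAP-capable in the post above (enabling both the EAP and the DHCP quarantine enforcement clients, plus a running NAP Agent service) can be scripted instead of clicked through napclcfg.msc. This is an added example, not code from the thread; it assumes the enforcement client IDs 79617 (DHCP Quarantine Enforcement Client) and 79623 (EAP Quarantine Enforcement Client), which are the IDs the `netsh nap client show config` output lists on Windows 8.1, so confirm them against that output on your build before relying on them.

```powershell
# Added example: enable the NAP enforcement clients on a Windows 8.1 client and
# make sure the NAP Agent service is running. Run in an elevated PowerShell.
# Enforcement client IDs assumed from "netsh nap client show config" output:
$enforcementClients = [ordered]@{
    79617 = 'DHCP Quarantine Enforcement Client'
    79623 = 'EAP Quarantine Enforcement Client'
}

function Enable-NapEnforcementClients {
    foreach ($id in $enforcementClients.Keys) {
        Write-Host "Enabling $($enforcementClients[$id]) (ID $id)"
        # netsh is the supported CLI for the NAP client configuration store
        netsh nap client set enforcement ID = $id ADMIN = "ENABLE" | Out-Null
    }
}

function Start-NapAgent {
    # napagent is the service name of "Network Access Protection Agent";
    # without it the client never sends a Statement of Health and is not NAP-capable.
    Set-Service -Name napagent -StartupType Automatic
    Start-Service -Name napagent
    Get-Service -Name napagent
}

Enable-NapEnforcementClients
Start-NapAgent

# Show the resulting client state: each enforcement client should now read
# "Enabled", and the overall client state tells you whether it is restricted.
netsh nap client show state
```

    Note that the "NAP-capable" condition in the network policy is evaluated from the Statement of Health the client sends; a client with the enforcement clients enabled but the napagent service stopped still matches as non-NAP-capable, which is what reason code 48 (no matching network policy) looked like in the thread.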
  • Hi,

    As I understand it, you are testing DHCP enforcement.  You don't need any of the 802.1X settings you are using or the EAP enforcement client to test DHCP enforcement.

    I'm not quite sure what you are doing here -- why are you using 802.1X?

    To test DHCP enforcement, all you need to do is enable the DHCP enforcement client on client computers, enable NAP on the DHCP scope, and configure NAP DHCP policies on the NPS/DHCP server.  Remove all the 802.1X settings and policies.

    -Greg

    Sunday, October 4, 2015 5:02 PM
  • Hi Greg!

    I want to do both of them. The DHCP enforcement is working, but I also want to authenticate all of the clients with an AD account or with a certificate.

    I want to put devices into different VLANs.

    Monday, October 12, 2015 8:55 AM
  • You can do both. Did you use the wizard to create policies on NPS?


    Make sure you check which policies are being matched. - both connection request policy and network policy.
    Monday, October 12, 2015 2:07 PM
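    The check suggested above (which connection request policy and which network policy an attempt actually matched) is easiest to do from the NPS server's Security log, where each attempt is recorded as event 6272 (granted) or 6273 (denied) with the policy names and the reason code in the message. The following is an added example, not code from the thread; it parses the labelled lines of those event messages with a regular expression, and the sample message embedded in it is constructed to look like a reason-code-66 denial rather than copied from a real log, so the exact label text should be confirmed against an event on your own server.

```powershell
# Added example: pull the matched policies and reason code out of NPS events.

function ConvertFrom-NpsEventMessage {
    # Extract the labelled fields NPS writes into the 6272/6273 message body.
    param([Parameter(Mandatory)][string]$Message)

    $labels = 'Account Name', 'Connection Request Policy Name', 'Network Policy Name',
              'Authentication Type', 'EAP Type', 'Reason Code', 'Reason'
    $fields = [ordered]@{}
    foreach ($label in $labels) {
        # one "Label:   value" line per field; anchored so "Reason:" does not match "Reason Code:"
        $pattern = "(?m)^[ \t]*$([regex]::Escape($label)):[ \t]*([^\r\n]*?)[ \t]*$"
        if ($Message -match $pattern) { $fields[$label] = $Matches[1] }
    }
    [pscustomobject]$fields
}

function Get-NpsAccessEvents {
    # Run on the NPS server: the last $MaxEvents granted/denied attempts, parsed.
    param([int]$MaxEvents = 20)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents $MaxEvents |
        ForEach-Object {
            ConvertFrom-NpsEventMessage -Message $_.Message |
                Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru |
                Add-Member -NotePropertyName Granted     -NotePropertyValue ($_.Id -eq 6272) -PassThru
        }
}

# Constructed sample (not a real log entry) so the parser can be tried offline.
$sampleDenied = @'
Network Policy Server denied access to a user.

User:
    Security ID:            DKARO\WIN8-1$
    Account Name:           host/win8-1.dkaro.local
Authentication Details:
    Connection Request Policy Name: Secure Wired (Ethernet) Connections
    Network Policy Name:    -
    Authentication Type:    PEAP
    EAP Type:               -
    Reason Code:            66
    Reason:                 The user attempted to use an authentication method that is not enabled on the matching network policy.
'@

ConvertFrom-NpsEventMessage -Message $sampleDenied | Format-List

# Live use on the NPS server:
# Get-NpsAccessEvents | Format-Table TimeCreated, Granted, 'Connection Request Policy Name', 'Network Policy Name', 'Reason Code' -AutoSize
```

    Reading the two policy names side by side is what resolves the confusion in this thread: a "Network Policy Name" of "-" with reason code 48 means no network policy's conditions matched (for example the NAP-capable condition), while a named network policy with reason code 66 means the policy matched but the EAP type the client offered is not enabled in that policy's constraints.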
  • That's the problem: I thought I used the correct configuration, but it is not working. I inserted some screenshots above. Do you see anything that is not configured well?
    Monday, October 12, 2015 2:21 PM
  • Hi,

    I had to go back and read your first post again. I forgot you are trying to do this with Hyper-V.

    Hyper-V will work fine for DHCP enforcement, but in order for 802.1X to work the switch must support 802.1X client authentication.  The Hyper-V virtual switch does not support this.  To test 802.1X you will need to have a switch that supports 802.1X.

    I used a Cisco 2950 for testing NAP with 802.1X.

    -Greg


    Monday, October 12, 2015 7:53 PM
  • Hi Greg!

    But does that mean the NPS server can't be a virtualized server?

    Tuesday, October 13, 2015 7:27 AM
  • Hi,

    NPS can be virtualized. The 802.1X supplicant (i.e. the client) cannot.

    Let's discuss some 802.1X terms

    • Supplicant = Windows client
    • Authenticator = switch
    • Authentication server = NPS

    The supplicant must be connected directly to the authenticator. In contrast, the authenticator can forward 802.1X packets over a long distance if necessary to an authentication server. This means that NPS can be virtualized if necessary because all it has to do is communicate over TCP/IP with the switch. However, the client machine (the supplicant) must be connected directly to a port on the switch that has 802.1X authentication configured.

    -Greg

    [Client<-->Switch] <-----network---->NPS
    Tuesday, October 13, 2015 7:48 AM
  • Hi Greg!

    Thank you very much, I think I got it. I will make a test environment and try it.

    Or is there a way to "emulate" a switch so I can use virtual clients to test?

    Tuesday, October 13, 2015 8:09 AM
  • The Hyper-V switch already emulates a real switch in some ways, but just has not yet added 802.1X emulation. You might be able to purchase virtual switch software with 802.1X support, but I'm not familiar with any offhand.

    There is also a possibility that you could add multiple NICs to the Hyper-V host and dedicate each NIC to a VM but I'm not sure this would work.

    -Greg

    Tuesday, October 13, 2015 2:22 PM