2 almost identical Connection Request Policies, 1 works, 1 doesn't

  • I have 2 Connection Request Policies in NPS, 1 works and 1 doesn't. What I don't understand is that the settings are the same (except the one that works has an extra condition including the NAS IPv4 Address). Both were created using the wizards; the 802.1X wired connection policy works, the 802.1X wireless NAP connection policy doesn't. When the wireless policy is enabled, Windows keeps saying the user name/password match is incorrect.

    Settings Tab:
    Both have the Override Network policy authentication settings box ticked.

    Both have Microsoft: Protected EAP (PEAP)

    Both have no ticked boxes under Less secure authentication methods.

    If you click on Edit to configure PEAP properties, they both use the same certificate, have enable fast reconnect and enforce NAP ticked.

    So why do 2 policies with the same authentication settings behave differently? Could be I'm just blind ;)

    The log file shows:

    Authentication Details:
        Connection Request Policy Name:    NAP 802.1X (Wireless) - not working
        Network Policy Name:        -
        Authentication Provider:        Windows
        Authentication Server:        DC1.taz.com
        Authentication Type:        PEAP
        EAP Type:            -
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            16
        Reason:                Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

    Excerpt from the NPS configuration XML file. Note the EAP Configuration numbers are different. Don't know if that's supposed to be or not. Top entry works.

    <Secure_Wireless_Connections_from_WLC name="Secure Wireless Connections from WLC">
      <Properties>
        <IP_Filter_Template_Guid xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">{00000000-0000-0000-0000-000000000000}</IP_Filter_Template_Guid>
        <Opaque_Data xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string" />
        <Template_Guid xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">{00000000-0000-0000-0000-000000000000}</Template_Guid>
        <msAuthProviderType xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="int">1</msAuthProviderType>
        <msEAPConfiguration xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="bin.hex">1900000000000000000000000000000038000000020000003800000003000000140000006488f086a8d4d0b54f72ac5b178b9d98f6cc44a70100000001000000100000001a00000000000000</msEAPConfiguration>
        <msNPAllowedEapType xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="bin.hex">19000000000000000000000000000000</msNPAllowedEapType>
        <msNPAuthenticationType2 xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="int">5</msNPAuthenticationType2>
        <msOverrideRAPAuth xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="boolean">1</msOverrideRAPAuth>
      </Properties>
    </Secure_Wireless_Connections_from_WLC>
    <NAP_802_1X__Wireless____not_working name="NAP 802.1X (Wireless) - not working">
      <Properties>
        <IP_Filter_Template_Guid xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">{00000000-0000-0000-0000-000000000000}</IP_Filter_Template_Guid>
        <Opaque_Data xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string" />
        <Template_Guid xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">{00000000-0000-0000-0000-000000000000}</Template_Guid>
        <msAuthProviderType xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="int">1</msAuthProviderType>
        <msEAPConfiguration xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="bin.hex">190000000000000000000000000000003800000002000000380000000300000014000000faf3322146291aa8710dc8f8389359012c4f06620100000001000000100000001a00000000000000</msEAPConfiguration>
        <msNPAllowedEapType xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="bin.hex">19000000000000000000000000000000</msNPAllowedEapType>
        <msNPAuthenticationType2 xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="int">5</msNPAuthenticationType2>
        <msOverrideRAPAuth xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="boolean">1</msOverrideRAPAuth>
      </Properties>
    </NAP_802_1X__Wireless____not_working>

    Sunday, May 8, 2011 5:43 AM

Answers

  • Ok, uninstalled the NPS role service and re-installed. Problem fixed. Both policies now work.... :)

    • Marked as answer by oztasdevil Tuesday, May 17, 2011 1:46 AM
    Tuesday, May 17, 2011 1:46 AM

All replies

  • If I copy the msEAPConfiguration value in bold from the working to the NAP 802.1X wireless (not working), then they both work.....

    So I guess, is someone able to decipher the msEAPConfiguration for the NAP 802.1X (Wireless) - not working to see what's going on? Why does it not work? What funny option have I ticked somewhere that isn't visible?

    thanks!

    Sunday, May 8, 2011 9:53 AM
  • Hi,

    Thanks for the post.

    I think the NAS IPv4 Address should be the root cause of this issue. If you specify a NAS IPv4 address and NPS receives a connection request from a NAS with a different IPv4 address, the conditions of the policy are not met.

    Thanks,

    Miles


    Tuesday, May 10, 2011 9:37 AM
  • Hi Miles,

    The connection request with the NAS IPv4 address is actually the one that is working....

    Friday, May 13, 2011 6:44 AM
  • Hi,

    Thanks for the update.

    I think you may get me wrong.

    My point is that the lack of a NAS IPv4 Address causes this connection request policy to not work.

    Thanks,

    Miles
    Friday, May 13, 2011 6:47 AM
  • Hi. No good still.

    I tried 2 things which would indicate the NAS IPv4 address is not necessary (although I agree I think it should be there):

    1) Added the NAS IPv4 Address to the non-working policy to be the same as the policy that works. This makes the 2 policies identical from what Windows displays in the dialog boxes. Still couldn't get it though.

    2) Removed the NAS IPv4 Address from the working policy. It still worked.

    Any other ideas why? I'm sure it's something to do with the msEAPConfiguration tag values being different.

    Maybe there is a troubleshooting/debug guide for authentication? Then I can compare the two and see where it fails.


    Cisco debug when it doesn't work:

    *radiusTransportThread: May 16 09:51:05.601: ****Enter processRadiusResponse: response code=3
    *radiusTransportThread: May 16 09:51:05.601: 00:25:9c:dc:a3:45 Access-Reject received from RADIUS server 192.168.19.1 for mobile 00:25:9c:dc:a3:45 receiveId = 12

    Monday, May 16, 2011 9:42 AM
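The two posts above ask what is inside the msEAPConfiguration values and why they differ. As an added example, not code from the thread or from Microsoft, the Python script below splits the two quoted values into DWORD fields and reports which field differs. The field layout is inferred from the values themselves and is an assumption: a 16-byte EAP method type header (the leading 0x19 = 25 is PEAP's IANA type number), a DWORD giving the length of the method data (0x38 = 56, which matches the remaining size), a 16-byte method header whose last DWORD (0x14 = 20) is the length of the next field, a 20-byte field the size of a SHA-1 certificate thumbprint, and trailing DWORDs among which 0x1a = 26 is EAP-MSCHAPv2's type number. Reading the 20-byte field as the PEAP server certificate thumbprint, and the `flags` name, are assumptions the thread does not confirm.

```python
"""Added example (not code from the thread or from Microsoft): split two NPS
msEAPConfiguration bin.hex values into DWORD fields and report where they differ.
The field layout below is inferred from the values themselves and is an assumption."""
import struct

# IANA-assigned EAP method type numbers (standard values, not thread-specific).
EAP_TYPE_NAMES = {13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# The two values quoted in the thread, split into DWORD groups for readability.
WORKING = (
    "19000000" "00000000" "00000000" "00000000"   # EAP method type header: 0x19 = 25 = PEAP
    "38000000"                                    # 0x38 = 56 bytes of method data follow
    "02000000" "38000000" "03000000" "14000000"   # method header; 0x14 = 20 = length of next field
    "6488f086a8d4d0b54f72ac5b178b9d98f6cc44a7"    # 20-byte field (SHA-1 thumbprint sized; assumption)
    "01000000" "01000000" "10000000" "1a000000" "00000000"  # trailing DWORDs; 0x1a = 26 = EAP-MSCHAPv2
)
NOT_WORKING = (
    "19000000" "00000000" "00000000" "00000000"
    "38000000"
    "02000000" "38000000" "03000000" "14000000"
    "faf3322146291aa8710dc8f8389359012c4f0662"
    "01000000" "01000000" "10000000" "1a000000" "00000000"
)


def parse_eap_config(hex_blob):
    """Decode one msEAPConfiguration value into named fields (layout is an assumption)."""
    raw = bytes.fromhex(hex_blob)
    if len(raw) < 20:
        raise ValueError("blob too short for an EAP method type header plus length")
    eap_type, vendor_id, vendor_type, author_id = struct.unpack_from("<4I", raw, 0)
    (data_len,) = struct.unpack_from("<I", raw, 16)
    data = raw[20:]
    if len(data) != data_len:
        raise ValueError(f"declared method data length {data_len} != actual {len(data)}")
    version, size, flags, hash_len = struct.unpack_from("<4I", data, 0)
    if 16 + hash_len > len(data):
        raise ValueError("declared hash length runs past the end of the method data")
    thumbprint = data[16:16 + hash_len]
    tail = data[16 + hash_len:]
    n = len(tail) // 4
    trailing = list(struct.unpack_from(f"<{n}I", tail, 0)) if n else []
    return {
        "eap_type": eap_type,
        "method_name": EAP_TYPE_NAMES.get(eap_type, f"type {eap_type}"),
        "vendor_id": vendor_id,
        "vendor_type": vendor_type,
        "author_id": author_id,
        "data_len": data_len,
        "version": version,
        "size": size,
        "flags": flags,             # meaning unknown; the name is a placeholder
        "hash_len": hash_len,
        "thumbprint": thumbprint.hex(),
        "trailing_dwords": trailing,
        # trailing DWORDs that match a known EAP type number; heuristic guess at the inner method
        "inner_eap_types": [d for d in trailing if d in EAP_TYPE_NAMES],
    }


def diff_blobs(a_hex, b_hex):
    """Return every byte offset at which the two blobs differ (extra length counts too)."""
    a, b = bytes.fromhex(a_hex), bytes.fromhex(b_hex)
    offsets = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    offsets.extend(range(min(len(a), len(b)), max(len(a), len(b))))
    return offsets


def field_map(hex_blob):
    """Byte ranges [start, end) of each inferred field in the blob."""
    p = parse_eap_config(hex_blob)
    thumb_end = 36 + p["hash_len"]
    return [
        ("eap_method_type", 0, 16),
        ("data_len", 16, 20),
        ("method_header", 20, 36),
        ("thumbprint", 36, thumb_end),
        ("trailing", thumb_end, 20 + p["data_len"]),
    ]


def differing_fields(a_hex, b_hex):
    """Names of the inferred fields that contain at least one differing byte."""
    offsets = diff_blobs(a_hex, b_hex)
    return [name for name, start, end in field_map(a_hex)
            if any(start <= o < end for o in offsets)]


if __name__ == "__main__":
    for label, blob in (("working", WORKING), ("not working", NOT_WORKING)):
        p = parse_eap_config(blob)
        print(f"{label}: outer {p['method_name']}, cert field {p['thumbprint']}, "
              f"inner {[EAP_TYPE_NAMES[t] for t in p['inner_eap_types']]}")
    print("differing bytes:", diff_blobs(WORKING, NOT_WORKING))
    print("differing fields:", differing_fields(WORKING, NOT_WORKING))
```

Run stand-alone, the script reports that the two blobs agree on every field except the 20-byte one, whose value is different in all 20 bytes. Under the assumption that this field is the certificate hash, the two policies reference different server certificates even though the PEAP dialog shows the same certificate for both; comparing the hex against the thumbprints of the certificates in the server's store would confirm or refute that reading.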
  • Got some more info (from the NPS logs):

    When access denied (relevant details):

    Authentication Details:
        Connection Request Policy Name:    Secure Wireless Connections from WLC
        Network Policy Name:        NAP 802.1X (Wireless) Compliant
        Authentication Provider:        Windows
        Authentication Server:        DC1.taz.com
        Authentication Type:        PEAP
        EAP Type:            -

    EAP Type with the working connection policy:            Microsoft: Secured password (EAP-MSCHAP v2)

    So I went to the non-working policy (which like the working one has the override network policy authentication box ticked), removed all EAP types, then clicked Add and selected Microsoft: Protected EAP (PEAP). Clicked on Edit and confirmed Secured password (EAP-MSCHAP v2). Clicked OK. None of the less secure methods are ticked.

    Now when I try to connect, I get:

    Network Policy Server discarded the request for a user.
    Authentication Details:
        Connection Request Policy Name:    NAP 802.1X (Wireless) - not working
        Network Policy Name:        -
        Authentication Provider:        Windows
        Authentication Server:        DC1.taz.com
        Authentication Type:        -
        EAP Type:            -
        Account Session Identifier:        -
        Reason Code:            22
        Reason:                The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

    So now it doesn't even think it has an authentication type! weird.....

    Any ideas?

    Monday, May 16, 2011 10:19 AM