The connection attempt did not match any network policy

  • Question

  • I get this error "The connection attempt did not match any network policy" when a client tries to authenticate via RADIUS.

    There's one custom network policy which defines authentication type (PEAP) in Network Policies.
    There's only default policy in Connection Request Policies.

    When I change the default policy or add a new policy in Connection Request Policies which enables PEAP, I get an internal error in Event Viewer.
    Monday, September 14, 2009 1:00 PM

Answers

  • Hi,

    To clarify what "did not match any network policy" means: When a client computer attempts to connect to the network, it will send identity information. If you are doing NAP, it also sends health information. The identity information is used to authenticate the client (validate who they are) and authorize the client (grant a certain level of access).

    Authentication is typically done using settings in connection request policies.
    Authorization is typically done with settings in network policies.

    To match a policy, the client's access request must match policy conditions and constraints. These can be things like the type of authentication method used by the client, the time of day of the access request, security groups the client belongs to, the type of access method used (802.1X, DHCP, etc), the RADIUS client that the client computer connected to, and so on.

    If a client doesn't match the connection request policy, you will never get "didn't match network policy" because you must match a connection request policy before you attempt matching a network policy. If the client doesn't match a network policy, then examine the conditions and constraints in your network policies. It is often helpful to use the wizards to create policies if you aren't sure what settings to use. To access the wizard, click NPS in the NPS console tree, and then under Standard Configuration choose Network Access Protection (NAP), or choose RADIUS server for Dial-Up or VPN Connections, or choose RADIUS server for 802.1X Wireless or Wired Connections. Click Configure and answer the wizard questions.

    If you already have configured these policies using the wizard, or you have custom policies and don't want to use the wizard, you can try configuring a policy that has a very simple condition such as time of day. Make sure the client matches this, and then begin adding conditions to the policy as needed.

    I hope this helps,
    -Greg
    • Marked as answer by Miles Zhang Thursday, September 24, 2009 1:24 AM
    Tuesday, September 22, 2009 7:59 PM
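
Added example, not part of the answer above and not NPS code: a simplified Python model of the matching order the answer describes (connection request policy first, then network policies), which reports for each policy the checks that rejected the request. Policy names, attribute keys and the sample requests are constructed, and conditions and constraints are treated alike as checks.

```python
# Simplified model of the two-stage matching described above (added example,
# not NPS code). Policy names and attribute keys are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    order: int                                  # processing order, lowest first
    checks: dict = field(default_factory=dict)  # attribute -> allowed values

def failing_checks(policy, request):
    """Return the attributes of `request` that this policy rejects."""
    return [attr for attr, allowed in policy.checks.items()
            if request.get(attr) not in allowed]

def first_match(policies, request):
    """Return (matching policy or None, {policy name: failing attributes})."""
    misses = {}
    for p in sorted(policies, key=lambda p: p.order):
        bad = failing_checks(p, request)
        if not bad:
            return p, misses
        misses[p.name] = bad
    return None, misses

def evaluate(crps, nps, request):
    """Stage 1: connection request policies. Stage 2: network policies."""
    crp, crp_misses = first_match(crps, request)
    if crp is None:
        # Network policies are never consulted in this case.
        return "no connection request policy matched", crp_misses
    np_, np_misses = first_match(nps, request)
    if np_ is None:
        return "did not match any network policy", np_misses
    return f"matched network policy '{np_.name}'", np_misses

# Constructed sample configuration and requests.
CRPS = [Policy("Default CRP", 1, {})]   # no checks: matches every request
NPS = [Policy("Wireless PEAP", 1, {
    "auth_method": {"PEAP"},
    "nas_port_type": {"Wireless - IEEE 802.11"},
    "group": {"WLAN-Users"},
})]
GOOD = {"auth_method": "PEAP", "nas_port_type": "Wireless - IEEE 802.11",
        "group": "WLAN-Users"}
BAD = dict(GOOD, nas_port_type="Ethernet", group="Domain Guests")

if __name__ == "__main__":
    for req in (GOOD, BAD):
        print(evaluate(CRPS, NPS, req))
```

The per-policy list of failing attributes is the same information the answer suggests recovering by starting from a policy with one simple condition and adding conditions back one at a time.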

All replies

  • Hi,

    Please check the following things.

    1. Check the "Type of Network Access Server" under the Overview tab of the network policy you created. It should correctly mention the type of the RADIUS client you are using.
    2. Are there any other conditions in the network policy?
    3. Is your client using PEAP authentication type?

    Thanks,
    Srinivasulu.
    Monday, September 14, 2009 5:08 PM
  • "Type of Network Access Server" is set to "Unspecified".

    I've got Cisco Aironet.
    Wednesday, September 16, 2009 9:57 AM
  • Okay, I know this sounds completely nuts, but I've had similar issues with this exact error message (I think this error message pops up a lot). I spent a long time trying to track it down without luck; eventually I just rebooted the NPS server, which resolved it. Maybe I got lucky, but this has happened to me multiple times, and each time I reboot it, it starts working again. I doubt it'll fix you, but I figured I'd share my results.
    Wednesday, September 16, 2009 6:56 PM
  • OK, we eliminated "The connection attempt did not match any network policy", but a new error occurred: "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."
    There's no value for the EAP type in the error message.
    In the policy as well as on the client we use "Secured password (EAP-MSCHAP v2)".
    Client runs Windows XP Professional SP3.

    Tuesday, October 6, 2009 11:13 AM