NPS - Network Policy Conditions

  • Question

  • I'm using NPS on Server 2008 R2.

    Setting up network policies for wireless connection using peap-mschapv2.

    I want to authenticate via Machine for wireless connections but if that fails I'd like it to authenticate via User.

    If I use a separate network policy with its own conditions for each (Machine policy ordered first), then if the machine password expires authentication will not succeed, according to this article: http://support.microsoft.com/kb/904943/en-us

    If I have another policy for User authentication it should work around that... but it seems not to be doing that. It looks as though the first policy matches first and doesn't try the second policy (user auth).

    My question, I guess, is: can I combine both policies but include in the conditions Windows Groups\Domain Computers (for machine authentication) and Windows Groups\Wireless Users (for user auth)? If I do that, does that mean both conditions have to be met rather than an OR condition?

    Or what would be the best way to tackle the workaround in the article besides using EAP-TLS?

    Wednesday, April 23, 2014 4:02 PM

All replies

  • Hi,

    I didn't find the related information about your question; in general, NPS authentication can use password-based authentication and certificate authentication.

    The related KB:

    NPS Authentication Methods

    http://technet.microsoft.com/en-us/library/cc731694(v=ws.10).aspx

    Hope this helps.


    Monday, April 28, 2014 9:30 AM
  • Hi,

    Yes, if you combine conditions it means the authentication request has to meet both of them. This will never happen because the computer authentication and the user authentication are sent separately. The computer authentication is sent when the computer boots up and the network connection becomes active. Re-authentication might also occur periodically based on settings in Group Policy or on the network access device.

    When a user signs in, their credentials are sent and this will trigger another authentication attempt. Even if the first (computer) authentication fails, the second (user) authentication can grant network access if it succeeds. By default, 802.1X will perform exactly what you want.

    I recommend running the wizard on NPS to create the appropriate secure wireless policies.

    -Greg

    • Marked as answer by Alex Lv Thursday, May 8, 2014 9:44 AM
    Thursday, May 1, 2014 10:30 PM
  • Hi,

    Thanks for the reply.

    I do have 2 wireless network policies: one for computer authentication and the second for user authentication. The idea is so that the user can log on and authenticate via wireless with or without cached credentials. However, what I am finding is that when the machine password expires (after 30 days) a user cannot authenticate via the second policy as the first policy failed.

    I assumed that according to your comment it should authenticate and grant access via the second policy if the first one fails.

    My understanding was that if a policy is matched in NPS it won't go to the next policy, but you are saying that is not the case.

    Any idea what I may be configuring wrong?

    Thanks

    Friday, May 2, 2014 5:09 PM
  • Hi,

    You are correct that it only matches one connection request policy and one network policy. However, 802.1X always issues two separate authentication attempts: one when the computer starts and one when a user logs in. You can change this to be two computer logins or two user logins, but it will still be two separate attempts.

    Perhaps there is a problem with the user based policy.

    Look at the events on NPS in Event Viewer under Custom Views\Server Roles\Network Policy and Access Services and check when a computer starts and when a user logs in. Do you see two separate authentication attempts?

    Thanks,

    -Greg

    • Marked as answer by Alex Lv Thursday, May 8, 2014 9:44 AM
    Friday, May 2, 2014 5:19 PM
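The check Greg suggests (looking at the NPS events to see whether a client really produces a computer attempt at boot and a separate user attempt at logon) can be scripted. The PowerShell below is an added example and is not code from the thread or from Microsoft: it reads the NPS audit events from the Security log (6272 = access granted, 6273 = access denied), tags each attempt as Computer or User, and lists stations whose last computer attempt was denied with no user grant afterwards, which is the situation the original poster describes. It assumes the EventData field names used (`SubjectUserName`, `FullyQualifiedSubjectUserName`, `NetworkPolicyName`, `EAPType`, `CallingStationID`, `ReasonCode`, `Reason`) match the event XML on your server, and that machine accounts show up as `host/<fqdn>` or `DOMAIN\NAME$`; verify both against one event's XML before relying on the output.

```powershell
# Added example, not part of the forum thread: pull the most recent NPS
# access-granted (6272) and access-denied (6273) audit events from the
# Security log and tag each as a Computer or User attempt, so you can see
# whether a station produces the two separate attempts (boot-time computer
# auth, then user auth at logon) and which network policy each one hit.
#
# NPS auditing must be enabled for these events to exist:
#   auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
#
# Assumption: the EventData field names below match the XML of the events on
# your server. Check one event with:
#   (Get-WinEvent -FilterHashtable @{LogName='Security';Id=6273} -MaxEvents 1).ToXml()

function Get-EventDataField {
    param([xml]$EventXml, [string]$Name)
    $node = $EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { return [string]$node.'#text' }
    return $null
}

function Get-NpsAuthAttempt {
    param([int]$MaxEvents = 200, [string]$ComputerName = 'localhost')

    $filter = @{ LogName = 'Security'; Id = 6272, 6273 }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $account = Get-EventDataField $xml 'FullyQualifiedSubjectUserName'
            if (-not $account) { $account = Get-EventDataField $xml 'SubjectUserName' }

            # Assumed heuristic: machine accounts authenticate as host/<fqdn>
            # or DOMAIN\NAME$; anything else is treated as a user attempt.
            if (($account -like 'host/*') -or ($account -like '*$')) { $kind = 'Computer' } else { $kind = 'User' }
            if ($_.Id -eq 6272) { $result = 'Granted' } else { $result = 'Denied' }

            New-Object PSObject -Property @{
                Time       = $_.TimeCreated
                Station    = Get-EventDataField $xml 'CallingStationID'   # client MAC as sent by the AP
                AuthKind   = $kind
                Result     = $result
                Account    = $account
                Policy     = Get-EventDataField $xml 'NetworkPolicyName'
                EapType    = Get-EventDataField $xml 'EAPType'
                ReasonCode = Get-EventDataField $xml 'ReasonCode'
                Reason     = Get-EventDataField $xml 'Reason'
            }
        }
}

# Stations where the latest computer attempt was denied and no user attempt
# was granted afterwards: the clients stuck in the situation the thread
# describes (expired machine password, user policy never matching).
function Find-StationWithoutUserGrant {
    param([object[]]$Attempts)
    $Attempts | Group-Object Station | ForEach-Object {
        $seq = $_.Group | Sort-Object Time
        $lastComputer = $seq | Where-Object { $_.AuthKind -eq 'Computer' } | Select-Object -Last 1
        if ($lastComputer -and $lastComputer.Result -eq 'Denied') {
            $userGrant = $seq | Where-Object {
                $_.AuthKind -eq 'User' -and $_.Result -eq 'Granted' -and $_.Time -gt $lastComputer.Time
            }
            if (-not $userGrant) {
                New-Object PSObject -Property @{
                    Station        = $_.Name
                    ComputerDenied = $lastComputer.Time
                    Account        = $lastComputer.Account
                    ReasonCode     = $lastComputer.ReasonCode
                    Reason         = $lastComputer.Reason
                }
            }
        }
    }
}

# Usage: per-station timeline, oldest first, then the problem stations.
$attempts = Get-NpsAuthAttempt -MaxEvents 500
$attempts | Sort-Object Station, Time |
    Format-Table Time, Station, AuthKind, Result, Account, Policy, ReasonCode -AutoSize
Find-StationWithoutUserGrant -Attempts $attempts | Format-Table -AutoSize
```

In the per-station table you expect, for a healthy client, a Computer row followed by a User row with the user row matched against the user policy; a client that only ever shows the Computer row, or shows a User row that was denied, points at the supplicant configuration or the user policy's conditions rather than at NPS policy ordering. Run it on the NPS server itself, or pass -ComputerName with an account that can read its Security log.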