NPS grants access, but users are connecting and disconnecting then connecting intermittently

  • Question

  • Hi,

    I'm after some help with an NPS server I manage.

    I've set up an NPS server (without NAP active) on a 2008 R2 server.

    I'm seeing events 6278 and 6272 pairs for users as they connect.

    I have machine or user authentication running.

    What is happening is the connection drops every now and then, sometimes after a few seconds, sometimes longer. But it will always happen within 2 minutes.

    If I just used WPA2, I didn't have the issue.

    I've created a separate certificate for machine authentication and one for user authentication.

    Output from netsh nps show config follows.

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32>netsh nps show config

    Client configuration:
    ---------------------------------------------------------
    Name                = wx3010
    Address             = 10.0.8.2
    State               = Enabled
    Shared secret       = AdelaidePremiers1997-1998 (not really password)
    Require auth attrib = No
    NAP capable         = No
    Vendor              = RADIUS Standard

    Connection request policy configuration:
    ---------------------------------------------------------
    Name             = Use Windows authentication for all users
    State            = Enabled
    Processing order = 1000001
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Auth-Provider-Type                      0x1025      "0x1"

    Connection request policy configuration:
    ---------------------------------------------------------
    Name             = Curric Secure Wireless Machine Connections
    State            = Enabled
    Processing order = 1
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x3d        "^18$|^19$"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Auth-Provider-Type                      0x1025      "0x1"

    Connection request policy configuration:
    ---------------------------------------------------------
    Name             = Guest Network Secure Wireless Connections
    State            = Disabled
    Processing order = 2
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x3d        "^18$|^19$"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Auth-Provider-Type                      0x1025      "0x1"

    Event log configuration:
    ---------------------------------------------------------
    Accepted authentication requests = Enabled
    Rejected authentication requests = Enabled

    File log configuration:
    ---------------------------------------------------------
    Accounting                     = Enabled
    Authentication                 = Enabled
    Periodic accounting status     = Enabled
    Periodic authentication status = Enabled
    Directory                      = C:\Windows\system32\LogFiles
    Format                         = ODBC formatting
    Delete old logs                = Enabled
    Frequency                      = Monthly logs
    Max size                       = 10 MB

    Ports configuration:
    ---------------------------------------------------------
    Accounting ports     = 1813,1646
    Authentication ports = 1812,1645

    Network policy configuration:
    ---------------------------------------------------------
    Name             = Connections to other access servers
    State            = Enabled
    Processing order = 1000001
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "FALSE"
    NP-Authentication-Type                  0x1009      "0x3" "0x4" "0x9" "0xa"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = Connections to Microsoft Routing and Remote Access server
    State            = Enabled
    Processing order = 1000000
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1033      "^311$"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "FALSE"
    NP-Allowed-EAP-Type                     0x100a      "1A00000000000000000000000000000" "0D000000000000000000000000000000"
    NP-Authentication-Type                  0x1009      "0x5" "0x4" "0xa" "0x3" "0x9"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    MS-Filter                               0x102f

            ===============================================================
            IPFILTER_IPV4INFILTER   Action: DENY
            ---------------------------------------------------------------
            Address . . . . . : 0.0.0.0
            Mask. . . . . . . : 0.0.0.0
            Protocol. . . . . : 0
            Source Port . . . : 0
            Destination Port. : 0
            ---------------------------------------------------------------

    MS-MPPE-Encryption-Policy               0xffffffa7  "0x2"
    MS-MPPE-Encryption-Types                0xffffffa6  "0xe"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = Curric Secure Wireless Machine Connections
    State            = Enabled
    Processing order = 1
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x3d        "^18$|^19$"
    Condition1                              0x1023      "S-1-5-21-3373441940-3891712694-2128681551-3133;S-1-5-21-3373441940-3891712694-2128681551-1632"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    EAP-Configuration                       0x1fa2      "190000000000000000000000000
    000004C030000020000004C0300000100000014000000D80BFA95CB1FBCC8027A7233C1DD0C3162A
    D61870100000001000000240300001A0000000000000003000000040000000200000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    000000000000000000000"
    MS-Extended-Quarantine-State            0x1fd9      "0x0"
    Ignore-User-Dialin-Properties           0x1005      "TRUE"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Allowed-EAP-Type                     0x100a      "19000000000000000000000000000000"
    NP-Authentication-Type                  0x1009      "0x5" "0x3" "0x9" "0x4" "0xa"
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "FALSE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    MS-Link-Utilization-Threshold           0xffffffaa  "0x32"
    MS-Link-Drop-Time-Limit                 0xffffffa9  "0x78"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = Guest Network Secure Wireless Connections
    State            = Disabled
    Processing order = 1
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x3d        "^18$|^19$"
    Condition1                              0x1023      "S-1-5-21-3373441940-3891712694-2128681551-1632"
    Condition2                              0x100c      "10.0.16.3"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Ignore-User-Dialin-Properties           0x1005      "TRUE"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Allowed-EAP-Type                     0x100a      "19000000000000000000000000000000"
    NP-Authentication-Type                  0x1009      "0x5" "0x3" "0x9" "0x4" "0xa"
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"

    Server registration:
    ---------------------------------------------------------
    Status = Registered

    SHV configuration:
    ---------------------------------------------------------
    Id                             = 79744
    Name                           = Windows Security Health Validator
    Vendor                         = Microsoft Corporation

    Description                    = The Windows Security Health Validator defines the policy that client computers must be compliant with.

    Version                        = 1.0


    Policy server unreachable      = Noncompliant
    Remediation server unreachable = Noncompliant
    System Health Agent failure    = Noncompliant
    NAP server failure             = Noncompliant
    Other errors                   = Noncompliant

    SQL log configuration:
    ---------------------------------------------------------
    Connection                     =
    Description                    =
    Accounting                     = Enabled
    Authentication                 = Enabled
    Periodic accounting status     = Enabled
    Periodic authentication status = Enabled
    Max sessions                   = 20

    Ok.


    C:\Windows\system32>

    Tuesday, October 30, 2012 11:39 PM

Answers

  • After much searching it turned out to be a setting in the H3C wx3002 controller config.

    Specifically, the controller was performing dot1x handshake authentication.

    Removing it from the controller config made things normal.

    • Marked as answer by Aiden_Cao Thursday, December 6, 2012 1:10 AM
    Wednesday, December 5, 2012 11:49 PM

All replies

  • Hi,

    You need to analyze the detailed NPS event logs under Event Viewer\Custom Views\Server Roles\Network Policy and Access Services to determine why user authentication failed.

    Event ID 6278 — NAP Client Health Status

    http://technet.microsoft.com/en-us/library/cc735338(v=ws.10).aspx

    Event ID 6272 — NPS Authentication Status

    http://technet.microsoft.com/en-us/library/cc735388(v=ws.10).aspx

    Best Regards,

    Aiden


    Aiden Cao

    TechNet Community Support

    Thursday, November 1, 2012 6:22 AM
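One way to do the log review Aiden describes, as an added example that is not from this thread: a PowerShell script run on the NPS server that reads 6272/6278 from the Security log through their XML fields and flags any wireless client granted access again within 120 seconds, the connect-drop-connect pattern in the question. The field names SubjectUserName, CallingStationID, EAPType and ProxyPolicyName are assumed from the 6272 event schema (verify on your server), and the script assumes PowerShell 3.0 or later in an elevated session.

```powershell
# Added example, not from the thread. Finds clients that NPS grants access to
# repeatedly within a short window, i.e. the intermittent re-authentication
# described in the question. Run elevated on the NPS server.
param(
    [int]$Hours = 2,              # how far back to look
    [int]$ThresholdSeconds = 120  # symptom in the question: drops within 2 minutes
)

$since = (Get-Date).AddHours(-$Hours)
# 6272 = NPS granted access; 6278 = NPS granted full access (health policy met).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6278
    StartTime = $since
} -ErrorAction Stop

# Read named EventData fields from the event XML instead of the localized message.
# Field names are assumed from the 6272 schema; adjust if your server differs.
function Get-NpsField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# One row per access grant (6272); 6278 only confirms the health check for it.
$grants = foreach ($e in $events) {
    if ($e.Id -ne 6272) { continue }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = Get-NpsField $e 'SubjectUserName'   # host/... for machine auth
        Client  = Get-NpsField $e 'CallingStationID'  # wireless client MAC
        EapType = Get-NpsField $e 'EAPType'
        Policy  = Get-NpsField $e 'ProxyPolicyName'
    }
}

# Per client, sort grants by time and report any gap shorter than the threshold.
$grants | Group-Object Client | ForEach-Object {
    $rows = $_.Group | Sort-Object Time
    for ($i = 1; $i -lt $rows.Count; $i++) {
        $gap = ($rows[$i].Time - $rows[$i - 1].Time).TotalSeconds
        if ($gap -lt $ThresholdSeconds) {
            [pscustomobject]@{
                Client  = $_.Name
                User    = $rows[$i].User
                EapType = $rows[$i].EapType
                GapSec  = [int]$gap
                At      = $rows[$i].Time
            }
        }
    }
} | Sort-Object Client, At | Format-Table -AutoSize
```

A client that shows up with many short gaps and alternating machine and user accounts points at the re-authentication loop rather than at a policy rejection, which would appear as 6273 instead.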
  • I think I have a certificate conflict arising.

    I have a dev network on which I replicated the process, and that came good after sorting out a few issues with the controller.

    However, the main network still won't behave.

    Consequently, I'd have to say it's my fault.

    Over the holidays I'll pull back the certificates and reapply them without all the learning experiences that I suspect have confounded how NPS is supposed to work.

    Saturday, November 17, 2012 5:33 AM