NPS and ISA2006 VPN authentication w/Radius RRS feed

  • Question

  • We have an ISA 2006 server not on the domain that authenticates users that VPN to it via RADIUS to our Win2k3 server using IAS. No problems there. When I point the ISA Radius to our new 2008 DC (and GC) using NPS, the users get error 691. I checked the RADIUS logs on the 2008 server and I can see the Radius part working, but if I turn on logging for NetLogon, I don't see any type of authentication happening. I've been over the Policies with a fine-toothed comb, but this is a no-go on our 2008 server. Any ideas? It appears that the NAP isn't taking the username/password combination being handed to it and properly checking it against the AD domain. Any clues? Thanks.

    Wednesday, October 7, 2009 7:20 PM

Answers

  • Does your authentication request contain the MS-Network-Access-Server-Type attribute? The value of this attribute corresponds to the "Type of network access server" setting on the "Overview" tab of the CRP policy's properties. If not, try changing this setting to "Unspecified" in the CRP policy's properties. "Unspecified" is the only setting which will match if the MS-Network-Access-Server-Type attribute is not present in the authentication request. If this attribute is present in the request, make sure it has the value 2 for "Remote Access Service (RAS) server (VPN or dial-in)". For more information on the MS-Network-Access-Server-Type attribute: http://msdn.microsoft.com/en-us/library/cc243442(PROT.10).aspx
    • Edited by Matt McKenzie [MSFT] Monday, October 12, 2009 7:13 PM Technical accuracy
    • Marked as answer by scomeau Monday, October 12, 2009 9:39 PM
    Monday, October 12, 2009 7:03 PM

All replies

  • Have you checked the Event Viewer? What do the NPS events say for the authentication attempts under "Event Viewer -> Custom Views -> Server Roles -> Network Policy and Access Services"?

    Are there any Access-Accept or Access-Reject events present? They should contain a reason why if NPS is rejecting the authentication attempt.
    Wednesday, October 7, 2009 11:59 PM
  • Thanks Matt - nada, nothing, and that is what baffles me.  I see the Radius attempts in the logfiles, but there's nothing in any of the Event Viewers for anything - it's as though once the RADIUS gives over the credentials, the Policies don't exist or don't work.  I've uninstalled and reinstalled NPS, but no go.  I've run the wizard for the RADIUS several times, and still no go. I've turned on netlogon debugging, and I don't see any attempt at logging in.  It's as though RADIUS is working, but things drop off after that.  I can play with the RADIUS settings (mismatch "secret") and see errors (both on the client end and server logs), but if all is good, it's as though the Policies aren't working....
    Thursday, October 8, 2009 11:10 AM
  • Can you run the following command to verify that the success and failure auditing is enabled for NPS?

    auditpol /get /subcategory:"Network Policy Server"

    See if Network Policy Server is set to just "Success" or to "Success and Failure".

    If it is just "Success", run:

    auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable


    Also, check the NPS settings in nps.msc. Right click on the root "NPS (Local)" node and select "Properties". Verify that NPS is configured to log both "Successful authentication requests" as well as "Rejected authentication requests".

    Let's make sure that is all configured properly and go from there.
    Thursday, October 8, 2009 6:23 PM
  • Ah, good. Are you now able to see rejected authentication events in the Event Viewer when you make your authentication attempt?

    You can post the contents of the event and we can help to diagnose the problem if it is not clear to you.

    Friday, October 9, 2009 9:13 PM
  • Thanks Matt.  All looks good.  The Policy was only set to success, now it is set to both Success and Failure.  The Configuration of NPS was already set to both Successful and Rejected.

    I just checked the log, and now it's telling me this:

     Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          10/9/2009 5:15:11 PM
    Event ID:      6273
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      "domain server"
    Description:
    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
     Security ID:   NULL SID
     Account Name:   "username"
     Account Domain:   -
     Fully Qualified Account Name: -

    Client Machine:
     Security ID:   NULL SID
     Account Name:   -
     Fully Qualified Account Name: -
     OS-Version:   -
     Called Station Identifier:  -
     Calling Station Identifier:  172.31.63.249

    NAS:
     NAS IPv4 Address:  192.168.0.1
     NAS IPv6 Address:  -
     NAS Identifier:   -
     NAS Port-Type:   Virtual
     NAS Port:   29

    RADIUS Client:
     Client Friendly Name:  "isaserver"
     Client IP Address:   192.168.0.1

    Authentication Details:
     Proxy Policy Name:  -
     Network Policy Name:  -
     Authentication Provider:  -
     Authentication Server:  "server name"
     Authentication Type:  -
     EAP Type:   -
     Account Session Identifier:  -
     Reason Code:   49
     Reason:    The connection attempt did not match any connection request policy.

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
        <EventID>6273</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12552</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2009-10-09T21:15:11.370Z" />
        <EventRecordID>4529849</EventRecordID>
        <Correlation />
        <Execution ProcessID="608" ThreadID="2708" />
        <Channel>Security</Channel>
        <Computer>RAC-FS1.sk.rutgers.edu</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">"username"</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="FullyQualifiedSubjectUserName">-</Data>
        <Data Name="SubjectMachineSID">S-1-0-0</Data>
        <Data Name="SubjectMachineName">-</Data>
        <Data Name="FullyQualifiedSubjectMachineName">-</Data>
        <Data Name="MachineInventory">-</Data>
        <Data Name="CalledStationID">-</Data>
        <Data Name="CallingStationID">172.31.63.249</Data>
        <Data Name="NASIPv4Address">192.168.0.1</Data>
        <Data Name="NASIPv6Address">-</Data>
        <Data Name="NASIdentifier">-</Data>
        <Data Name="NASPortType">Virtual </Data>
        <Data Name="NASPort">29</Data>
        <Data Name="ClientName">"isaserver"</Data>
        <Data Name="ClientIPAddress">192.168.0.1</Data>
        <Data Name="ProxyPolicyName">-</Data>
        <Data Name="NetworkPolicyName">-</Data>
        <Data Name="AuthenticationProvider">-</Data>
        <Data Name="AuthenticationServer">"domain server"</Data>
        <Data Name="AuthenticationType">-</Data>
        <Data Name="EAPType">-</Data>
        <Data Name="AccountSessionIdentifier">-</Data>
        <Data Name="ReasonCode">49</Data>
        <Data Name="Reason">The connection attempt did not match any connection request policy. </Data>
      </EventData>
    </Event>

    Friday, October 9, 2009 9:26 PM
  • Here is why the authentication request was denied:

    Reason Code:   49
     Reason:    The connection attempt did not match any connection request policy.


    The RADIUS request that came in did not match any of the CRP policies you have configured in NPS. A match is made by meeting all of the Conditions configured in the policy with the data from the request. Every incoming RADIUS request must match 1 CRP policy and 1 NP policy to perform authentication and authorization.

    What sort of policy configuration do you have for NPS?

    Friday, October 9, 2009 9:41 PM
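To triage events like the one pasted above, here is an added example (not code from the thread or from Microsoft) that parses an exported NPS 6273 event and maps its ReasonCode to the policy stage that rejected the request. The sample event, the hostnames, the IPs and the partial reason-code table are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Partial map of NPS reason codes to the stage that rejected the request.
# 49 is the code from this thread; the rest are other well-known NPS codes.
# Assumption: this table is illustrative, not an exhaustive copy of the NPS list.
REASON_STAGE = {
    16: ("credential_check", "password or account mismatch; credentials reached the domain"),
    48: ("network_policy", "no NP matched: compare NP conditions with the NAS attributes in the event"),
    49: ("connection_request_policy", "no CRP matched: compare CRP conditions, including the "
         "'Type of network access server' setting, with the attributes the NAS actually sent"),
    65: ("authorization", "dial-in permission denied on the AD account"),
}

def parse_nps_event(xml_text):
    """Return EventID plus the EventData Name/value pairs of an exported NPS event."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "").strip()
              for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    return fields

def triage(fields):
    """Map a 6273 event to the policy stage that failed, or note that it is not a rejection."""
    if fields["EventID"] != 6273:
        return {"stage": "not_a_rejection", "hint": "event %d is not NPS 6273" % fields["EventID"]}
    code = int(fields.get("ReasonCode") or 0)
    stage, hint = REASON_STAGE.get(code, ("unknown", "see the NPS reason-code table"))
    return {"stage": stage, "reason_code": code, "hint": hint,
            "nas": fields.get("NASIPv4Address"), "port_type": fields.get("NASPortType"),
            "crp": fields.get("ProxyPolicyName"), "np": fields.get("NetworkPolicyName")}

# Constructed sample modelled on the event in the thread (hostname, user and IPs made up).
SAMPLE_6273 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6273</EventID><Computer>nps1.example.test</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="NASIPv4Address">192.0.2.1</Data>
    <Data Name="NASPortType">Virtual </Data>
    <Data Name="ClientName">isaserver</Data>
    <Data Name="ProxyPolicyName">-</Data>
    <Data Name="NetworkPolicyName">-</Data>
    <Data Name="ReasonCode">49</Data>
    <Data Name="Reason">The connection attempt did not match any connection request policy. </Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    print(triage(parse_nps_event(SAMPLE_6273)))
```

A "-" in ProxyPolicyName together with code 49 means the request never got past CRP matching, so the NP conditions and the domain credentials were never evaluated, which is why nothing shows up in the netlogon log.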
  • I saw the reason code, which is what I expected since there was nothing in the netlogon logs.  I used the wizard to configure the RADIUS policies.

    The CRP has a VPN Connection Policy with a RAS/VPN DialUp service, with a Condition NAS Port Type of a Virtual (VPN), and the Settings Tab of: Authentication Method-no override of NPAS, only Authentication = Authenticate Requests on this server (no other settings done on CRP).

    For the NP, Overview shows Policy Enabled, Grant Access, Ignore Dial In Properties, Type is RAS(VPN Dial Up).  For Conditions, I have 2: NAS Port Type of Virtual VPN and Windows Groups must be Domain\Domain Users.  Under Constraints, I only have 1 which is the Authentication method of MS-CHAP-V2 checked off (and they can change password after it has expired).  Finally, under the Settings tab, I have Radius Attributes of Standard: Framed Protocol=PPP, Service Type=Framed; NAP with NAP Enforcement of Allow Full Network Access and Auto Remediation Checked; Under R&RA, Multi-link and BAP has Server settings determine Multilink Usage, Encryption of 40, 56, and 128 bit, and IP Settings of Server Settings Determine IP Address.

    I know this has got to be some simple checkmark somewhere, but I'm at a loss as to which one.....

    I really appreciate all your help!  This is basically my last hurdle in fully migrating our servers over to 2008 (I've been impressed with the integration I've seen so far with my Windows 7 machine and Server 2008 and can't wait to deploy Win7 the coming year)!  Thanks again!

    Saturday, October 10, 2009 2:10 PM
  • Does your authentication request contain the MS-Network-Access-Server-Type attribute? The value of this attribute corresponds to the "Type of network access server" setting on the "Overview" tab of the CRP policy's properties. If not, try changing this setting to "Unspecified" in the CRP policy's properties. "Unspecified" is the only setting which will match if the MS-Network-Access-Server-Type attribute is not present in the authentication request. If this attribute is present in the request, make sure it has the value 2 for "Remote Access Service (RAS) server (VPN or dial-in)". For more information on the MS-Network-Access-Server-Type attribute: http://msdn.microsoft.com/en-us/library/cc243442(PROT.10).aspx
    • Edited by Matt McKenzie [MSFT] Monday, October 12, 2009 7:13 PM Technical accuracy
    • Marked as answer by scomeau Monday, October 12, 2009 9:39 PM
    Monday, October 12, 2009 7:03 PM
  • Excellent Matt!  I had to do that for both the CRP and NP and all is working excellent.  Go figure, I thought for sure Microsoft's ISA would need the MS NAS Type of Microsoft but I guess not.  You're the best!  Now, I'm down to about 160G of 1 department's data to migrate off of 2003 and then I'm 2008 for all my DCs!

    Thanks again!  I'll pass this on to my friends at the ISA Freelist group.
    Monday, October 12, 2009 9:39 PM