Configuring NPS to work with Windows 7 client

  • Question

  • Hi All,

    I have been trying to set up my Windows 2008 R2 server with NPS with a Linksys E3000 router that is running TomatoUSB firmware. I can get clients such as WinXP, iPhone, Android and Mac to connect to the Linksys E3000 router without issue, but I am having difficulty getting a Windows 7 SP1 client to connect.

    This is my RADIUS client setting:

    Friendly Name: Radius Server
    Address: 10.25.1.229
    Shared Secret: Select an existing Shared Secrets template: None
    Shared Secret: Manual
    Vendor Name: RADIUS Standard

    Connection Request Policies: Overview
    Policy Name: Use Windows authentication for all users
    Policy State: Policy Enabled
    Network Connection method: Type of network access server: Unspecified

    Connection Request Policies: Conditions
    Day and time restrictions: 24x7 Permitted

    Connection Request Policies: Settings
    Authentication Provider: Local Computer
    Override Authentication: Disabled

    Network Policy: Overview
    Policy Name: Radius Access Policy
    Policy State: Policy Enabled
    Access Permission
    - Grant Access.
    - Ignore user account dial-in properties
    Network connection method
    Type of network access server: Unspecified

    Network Policy: Conditions
    - Windows Groups
    - NAS Port Type: Wireless - IEEE 802.11

    Network Policy: Constraints
    Authentication Methods
    - EAP Types: Microsoft Protected EAP (PEAP)
    -- Less secure authentication methods:
    ---- Microsoft Encrypted Authentication version 2 (MS-CHAP-v2), User can change password after it has expired
    ---- Microsoft Encrypted Authentication (MS-CHAP), User can change password after it has expired
    NAS Port Type
    - Wireless - IEEE 802.11

    Network Policy: Settings
    - RADIUS Attributes: Standard
    --- Service-Type: Framed
    - Network Access Protection: NAP Enforcement
    --- Allow full network access
    --- Enable auto-remediation of client computers
    - Routing and Remote Access: Multilink and Bandwidth Allocation Protocol (BAP)
    --- Server settings determine multilink usage
    --- Percentage of capacity: 50
    --- Period of time: 2 min
    - Routing and Remote Access: Encryption
    --- Strongest encryption (MPPE 128 bit)
    - Routing and Remote Access: IP Settings
    --- Server settings determine IP address assignment

    On my Windows 7 machine I configured a network profile as follows:

    Security Type: WPA2-Enterprise
    Encryption type: AES
    Choose a network authentication method: Microsoft Protected EAP (PEAP)
    -- Do not validate server certificate
    -- Select Authentication Method: Secured password (EAP-MSCHAP v2)
    -- Enable Fast Reconnect


    I have allowed UDP ports 1812, 1813, 1645 and 1646 on my Windows 2008 server and have disabled the firewall on my Windows 7 machine.

    I opened Event Viewer and looked at the operational log at "Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig"; these are the events logged:

    Wireless security started.
    Network Adapter: Intel(R) WiFi Link 1000 BGN
    Interface GUID: {604bd8bd-8a9e-4175-ac7d-13bb8eacae3e}
    Local MAC Address: 74:E5:0B:0D:99:48
    Network SSID: Tomato24
    BSS Type: Infrastructure
    Peer MAC Address: C0:C1:C0:4F:23:6E
    Authentication: WPA2-Enterprise
    Encryption: AES
    FIPS Mode: Disabled
    802.1x Enabled: Yes

    ------------------------------------------------

    Wireless 802.1x authentication was restarted.
    Network Adapter: Intel(R) WiFi Link 1000 BGN
    Interface GUID: {604bd8bd-8a9e-4175-ac7d-13bb8eacae3e}
    Local MAC Address: 74:E5:0B:0D:99:48
    Network SSID: Tomato24
    BSS Type: Infrastructure
    Peer MAC Address: C0:C1:C0:4F:23:6E
    Eap Information: Type 25, Vendor ID 0, Vendor Type 0, Author ID 0
    Restart Reason: Onex Auth Timeout

    ------------------------------------------------

    Wireless 802.1x authentication failed.

    Network Adapter: Intel(R) WiFi Link 1000 BGN
    Interface GUID: {604bd8bd-8a9e-4175-ac7d-13bb8eacae3e}
    Local MAC Address: 74:E5:0B:0D:99:48
    Network SSID: Tomato24
    BSS Type: Infrastructure
    Peer MAC Address: C0:C1:C0:4F:23:6E
    Identity: host/SGOOL042.ong-ong.internal
    User:
    Domain:
    Reason: There was no response to the EAP Response Identity packet.
    Error: 0x0
    EAP Reason: 0x0
    EAP Root cause String:
    EAP Error: 0x0

    ------------------------------------------------

    WLAN AutoConfig service failed to connect to a wireless network.
    Network Adapter: Intel(R) WiFi Link 1000 BGN
    Interface GUID: {604bd8bd-8a9e-4175-ac7d-13bb8eacae3e}
    Connection Mode: Manual connection with a profile
    Profile Name: Tomato24
    SSID: Tomato24
    BSS Type: Infrastructure
    Failure Reason: The specific network is not available.
    ------------------------------------------------

    The interface setting on my Linksys E3000 router:

    Wireless Mode: Access Point
    Wireless Network mode: B/G mixed
    SSID: Tomato24
    Channel: 6 - 2.437GHz
    Broadcast enabled
    Channel width: 20 MHz
    Security: WPA2 Enterprise
    Encryption: AES
    Group Key Renewal: 3600 seconds
    Radius Server 10.25.1.127:1812

    Can someone tell me if I have missed something? Why is it that the Windows 7 client cannot connect to my Linksys router?

    Thanks & Regards.


    Wednesday, February 27, 2013 12:28 PM
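One thing in the question above that a security engineer would not let stand, independent of the connectivity problem: the Windows 7 profile has "Validate server certificate" turned off. With validation off, PEAP builds its TLS tunnel to whatever access point advertises the SSID, and the inner EAP-MSCHAPv2 exchange (the user's challenge/response, derived from the NT hash) is handed to whoever runs it. The script below is an added example written for this edit, not code from the thread or from Microsoft. It exports the profile with netsh on the Windows 7 machine, reads the PEAP settings back out of the profile XML and flags that setting. It assumes the profile carries the SSID's name (Tomato24) and uses a scratch folder under %TEMP%; the element names it looks up are the ones netsh writes into the profile XML, matched by local name because the file mixes several namespaces.

```powershell
# Added example (not from the thread): audit a Windows 7 WLAN profile's PEAP settings.
# Assumptions: the profile is named after the SSID; export folder under %TEMP%.
param([string]$ProfileName = 'Tomato24')

$dir = Join-Path $env:TEMP 'wlan-audit'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
# netsh writes "<interface name>-<profile name>.xml" into the folder
netsh wlan export profile name="$ProfileName" folder="$dir" | Out-Null
$file = Get-ChildItem $dir -Filter '*.xml' |
        Where-Object { $_.Name -like "*-$ProfileName.xml" } |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $file) { throw "netsh did not export a profile called '$ProfileName'" }
$xml = [xml](Get-Content $file.FullName)

# The profile mixes several XML namespaces, so match elements by local name only.
function Get-Texts([xml]$Doc, [string]$Name) {
    @($Doc.SelectNodes("//*[local-name()='$Name']") | ForEach-Object { $_.InnerText.Trim() })
}
function Get-Text([xml]$Doc, [string]$Name) {
    $v = @(Get-Texts $Doc $Name); if ($v.Count) { $v[0] } else { '' }
}

$auth     = Get-Text    $xml 'authentication'           # expect WPA2
$enc      = Get-Text    $xml 'encryption'               # expect AES
$eapTypes = @(Get-Texts $xml 'Type')                    # 25 = PEAP (outer), 26 = EAP-MSCHAPv2 (inner)
$validate = Get-Text    $xml 'PerformServerValidation'  # the "Validate server certificate" checkbox
$names    = Get-Text    $xml 'ServerNames'              # "Connect to these servers"
$roots    = @(Get-Texts $xml 'TrustedRootCA')           # ticked root CAs (thumbprints)
$crypto   = Get-Text    $xml 'RequireCryptoBinding'
$fast     = Get-Text    $xml 'FastReconnect'

"Profile: $ProfileName ($($file.Name))"
"Authentication / encryption: $auth / $enc"
"EAP types in profile: $($eapTypes -join ', ')"
"Server certificate validation: '$validate'; server names: '$names'; trusted roots pinned: $($roots.Count)"
"Crypto binding required: '$crypto'; fast reconnect: '$fast'"

$findings = @()
if ($auth -ne 'WPA2' -or $enc -ne 'AES') { $findings += "Expected WPA2/AES, profile says $auth/$enc" }
if ($eapTypes -notcontains '25')          { $findings += 'Outer EAP method is not PEAP (type 25)' }
if ($validate -ne 'true') {
    $findings += 'Server certificate validation is not enabled: the PEAP tunnel will be built to any AP ' +
                 'broadcasting this SSID and the inner MS-CHAPv2 exchange handed to it. Turn it on.'
} else {
    if ($roots.Count -eq 0) { $findings += 'Validation is on but no root CA is pinned' }
    if (-not $names)        { $findings += 'No server name constraint: any certificate from a trusted root is accepted' }
}
if ($crypto -ne 'true') { $findings += 'Crypto binding not required (no effect on connectivity; weaker against tunnel relay)' }
if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it in PowerShell on the Windows 7 client (PowerShell 2.0 syntax only, so it works on the stock install). Turning validation back on is the right fix for the finding; it does not change the failure in the question, because the supplicant never gets as far as a server certificate (its own log says no one answered the EAP Identity response).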

Answers

  • Hi,

    You can't use the default policies to authenticate 802.1X supplicants unless you edit them manually. I recommend you use the wizard and walk through each step to create a new set of policies.

    It looks like this: (choose RADIUS server for 802.1X Wireless or Wired Connections from the drop-down list, then click Configure 802.1X)

    Also be sure you configure the identical shared secret on both sides (on the switch for the RADIUS server settings, and on NPS for the RADIUS client settings). You might not quite understand the purpose of the RADIUS client setting on NPS because you have given it a friendly name of RADIUS server when actually this is your switch. A friendly name of E3000 makes more sense. The friendly name can be anything, and doesn't affect whether or not clients connect, but I want to be sure you understand that the RADIUS client is actually the E3000 switch.

    -Greg

    • Marked as answer by Aiden_Cao Wednesday, March 6, 2013 2:24 AM
    Wednesday, February 27, 2013 9:30 PM
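Greg's two points (the shared secret must be identical on both ends, and the RADIUS client in NPS is the E3000) are exactly the two things NPS never reports back to the supplicant: a request from an address that is not a registered RADIUS client, or one whose Message-Authenticator does not verify under the secret, is dropped silently, which the Windows 7 log then shows as "no response to the EAP Response Identity packet". The following script is an added example for this edit, not code from the thread. It sends one Access-Request carrying EAP-Response/Identity, the same first leg the access point sends for PEAP, straight to NPS on UDP/1812 and checks whether the reply verifies under the secret. The server address, secret, identity and NAS address at the top are assumptions to be replaced; NPS identifies RADIUS clients by source IP, so it has to be run from the E3000's address or from a host temporarily added as a RADIUS client. The MD5 and HMAC-MD5 in it are what RADIUS itself specifies (RFC 2865, RFC 3579), not a choice made here.

```powershell
# Added example (not from the thread): one RADIUS Access-Request with EAP-Response/Identity,
# sent to NPS and checked for a reply that verifies under the shared secret.
# Assumptions: the server, secret, identity and NAS address defaults below.
function Test-NpsRadius {
    param(
        [string]$Server    = '10.25.1.229',
        [string]$Secret    = 'ChangeMe-SameOnBothSides',
        [string]$Identity  = 'host/SGOOL042.ong-ong.internal',
        [string]$NasIp     = '10.25.1.127',   # the address this probe is sent from
        [int]   $TimeoutMs = 3000
    )
    $key = [Text.Encoding]::ASCII.GetBytes($Secret)

    function New-RadiusAttr([byte]$Type, [byte[]]$Value) {
        # Type(1) Length(1) Value; Length counts the two header bytes
        [byte[]](@($Type, [byte](2 + $Value.Length)) + $Value)
    }
    function New-EapIdentity([string]$Id) {
        # EAP Code 2 = Response, Identifier 1, Length(2), Type 1 = Identity, identity string
        $data = [Text.Encoding]::ASCII.GetBytes($Id); $len = 5 + $data.Length
        [byte[]](@(2, 1, [byte](($len -band 0xFF00) / 256), [byte]($len -band 0xFF), 1) + $data)
    }
    function Test-SameBytes([byte[]]$A, [byte[]]$B) { [BitConverter]::ToString($A) -eq [BitConverter]::ToString($B) }

    # --- build the request the way the access point would ---
    $reqAuth = New-Object byte[] 16
    (New-Object Security.Cryptography.RNGCryptoServiceProvider).GetBytes($reqAuth)
    $attrs = @()
    $attrs += New-RadiusAttr 1  ([Text.Encoding]::ASCII.GetBytes($Identity))        # User-Name
    $attrs += New-RadiusAttr 4  ([Net.IPAddress]::Parse($NasIp).GetAddressBytes())   # NAS-IP-Address
    $attrs += New-RadiusAttr 61 ([byte[]](0, 0, 0, 19))                              # NAS-Port-Type 19 = Wireless-802.11 (what the policy matches)
    $attrs += New-RadiusAttr 79 (New-EapIdentity $Identity)                          # EAP-Message
    $attrs += New-RadiusAttr 80 (New-Object byte[] 16)                               # Message-Authenticator, filled in below
    $len = 20 + $attrs.Length
    $pkt = [byte[]](@(1, 1, [byte](($len -band 0xFF00) / 256), [byte]($len -band 0xFF)) + $reqAuth + $attrs)  # Code 1 = Access-Request, ID 1
    $hmac = New-Object Security.Cryptography.HMACMD5 (,$key)
    [Array]::Copy($hmac.ComputeHash($pkt), 0, $pkt, $pkt.Length - 16, 16)  # RFC 3579: HMAC-MD5 over the packet with that field zeroed

    # --- send and wait ---
    $udp = New-Object Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    [void]$udp.Send($pkt, $pkt.Length, $Server, 1812)
    $from = New-Object Net.IPEndPoint ([Net.IPAddress]::Any, 0)
    try { $reply = $udp.Receive([ref]$from) } catch { $reply = $null }
    $udp.Close()
    if (-not $reply) {
        return "No reply from $Server within $TimeoutMs ms. NPS drops silently when the source is not a registered RADIUS client, when the shared secret (hence the Message-Authenticator) is wrong, or when UDP/1812 is filtered."
    }

    # --- verify the reply: Response Authenticator (RFC 2865), then Message-Authenticator (RFC 3579) ---
    $code = $reply[0]
    $rlen = [int]$reply[2] * 256 + [int]$reply[3]
    if ($rlen -lt 20 -or $rlen -gt $reply.Length) { return "Malformed reply (length field $rlen)" }
    $rattrs = if ($rlen -gt 20) { [byte[]]$reply[20..($rlen - 1)] } else { [byte[]]@() }
    $md5 = [Security.Cryptography.MD5]::Create()
    $expect = $md5.ComputeHash([byte[]]($reply[0..3] + $reqAuth + $rattrs + $key))   # MD5(Code+ID+Length + ReqAuth + Attrs + Secret)
    if (-not (Test-SameBytes $expect ([byte[]]$reply[4..19]))) { return "Reply code $code does not verify under this secret (wrong secret, or not from NPS)" }
    $zeroed = [byte[]]($reply[0..3] + $reqAuth + $rattrs)   # header with the *request* authenticator, MAC field zeroed below
    $pos = 0; $mac = $null
    while ($pos + 2 -le $rattrs.Length) {
        $t = $rattrs[$pos]; $l = $rattrs[$pos + 1]
        if ($l -lt 2) { break }
        if ($t -eq 80 -and $l -eq 18) { $mac = [byte[]]$rattrs[($pos + 2)..($pos + 17)]; [Array]::Clear($zeroed, 20 + $pos + 2, 16); break }
        $pos += $l
    }
    if (-not $mac) { return "Reply code $code verified but carries no Message-Authenticator, which RFC 3579 requires on EAP replies" }
    if (-not (Test-SameBytes ($hmac.ComputeHash($zeroed)) $mac)) { return "Reply code $code: Message-Authenticator does not verify" }
    switch ($code) {
        11 { 'Access-Challenge: NPS accepted the client and the secret and started EAP; look between the Windows 7 supplicant and the E3000' }
        3  { 'Access-Reject: the request reached NPS and a policy refused it; see event 6273 on the server' }
        2  { 'Access-Accept' }
        default { "Unexpected RADIUS code $code" }
    }
}

Test-NpsRadius
```

An Access-Challenge is the answer you want here: it means the E3000's address and the secret are right on the NPS side and PEAP has started, so the remaining suspects are the path between the access point and the Windows 7 supplicant. Silence with the probe run from the E3000's address means the RADIUS client entry or the secret is wrong, exactly what Greg is asking to be double-checked.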

All replies

  • Can you provide more information about the group membership:

    Network Policy: Conditions

    - Windows Groups

    Is your computer or user account a member of this group?


    Johan Loos

    Wednesday, February 27, 2013 2:12 PM
  • Hi Johan,

    The Windows Groups are my security group in my domain which contain the users (eg. domain\IT_Dept).

    Hi Greg,

    I disabled my original manually configured setup and used your recommendation, but I still cannot connect from a Windows 7 client. I have also applied hotfixes KB2494172 and KB980295, and still it doesn't resolve my issue.

    Btw, how do I get my account verified as I cannot paste pictures?

    Regards.

    Thursday, February 28, 2013 3:32 AM
  • Hi,

    See http://social.technet.microsoft.com/wiki/contents/articles/15960.how-to-verify-your-msdntechnet-forums-account-so-that-you-can-post-images-and-links.aspx (I had to look this up myself as I didn't know either).

    Please have a look at Event Viewer on NPS and post the error that NPS is displaying when the Windows 7 client tries to connect. Look at Custom Views\Server Roles\Network Policy and Access Services. Look for events numbered 6272 - 6278. There will be lots of information in the event about the client that tried to connect, the router that relayed the connection request (your E3000), and the reason why it was denied. Post this information if you can.

    -Greg

    Sunday, March 3, 2013 5:09 PM
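To produce what Greg asks for without opening events one at a time, here is an added PowerShell script for this edit (not code from the thread). Run elevated on the Windows Server 2008 R2 NPS box, it pulls the NPS audit events from the Security log (6272 access granted, 6273 access denied, 6274 request discarded, 6278 full access granted) for a given supplicant and lists user, calling station, the NAS that relayed the request, the matched policy, the EAP type and the reason code and text. The default MAC is the Windows 7 adapter's address from the posted WLAN-AutoConfig events; the field names it reads are those of the event XML (CallingStationID, ClientIPAddress, ClientName, NetworkPolicyName, EAPType, ReasonCode, Reason), read by name so a field missing from one event just shows blank.

```powershell
# Added example (not from the thread): summarise NPS audit events 6272/6273/6274/6278
# for one supplicant.  Assumptions: the default MAC and the 24-hour window.
param([string]$ClientMac = '74:E5:0B:0D:99:48', [int]$Hours = 24)

function Get-HexOnly([string]$s) { ($s -replace '[^0-9A-Fa-f]', '').ToUpper() }   # NAS-dependent MAC formats become comparable

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id = 6272, 6273, 6274, 6278; StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # every field of an NPS audit event is a <Data Name="..."> element; collect them by name
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.GetAttribute('Name')] = [string]$n.'#text' }
    if ($ClientMac -and (Get-HexOnly $d['CallingStationID']) -ne (Get-HexOnly $ClientMac)) { continue }
    New-Object PSObject -Property @{
        Time   = $e.TimeCreated
        Id     = $e.Id
        User   = $d['FullyQualifiedSubjectUserName']
        Client = $d['CallingStationID']
        NAS    = $d['ClientIPAddress'] + ' (' + $d['ClientName'] + ')'   # the RADIUS client, i.e. the E3000
        Policy = $d['NetworkPolicyName']
        EAP    = $d['EAPType']
        Reason = $d['ReasonCode'] + ' ' + $d['Reason']
    }
}

if (-not $rows) {
    "No NPS audit events for $ClientMac in the last $Hours h: the request never reached policy evaluation. " +
    "Check the System log on this server for NPS's own events about an invalid RADIUS client IP address " +
    "or an invalid Message-Authenticator, and the UDP/1812 path from the E3000."
    return
}
$rows | Sort-Object Time | Format-Table Time, Id, User, Client, NAS, Policy, EAP, Reason -AutoSize -Wrap
'Summary by event and reason:'
$rows | Group-Object Id, Reason | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

If the table is empty for every client, including the XP and phone clients that do connect, NPS auditing itself is off; `auditpol /get /subcategory:"Network Policy Server"` shows the state and `auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable` turns it on. The reason code in a 6273 is the line to post back: it names which condition or constraint of "Radius Access Policy" the Windows 7 attempt failed.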