Configuring NPS to work with Windows 7 client

Question
-
Hi All,
I have been trying to set up my Windows 2008 R2 server with NPS with a Linksys E3000 router that is running TomatoUSB firmware, and I can get clients such as WinXP, iPhone, Android and MAC to connect to the Linksys E3000 router without issue, but I am having difficulty getting a Windows 7 SP1 client to connect.
This is my RADIUS client setting:
Friendly Name: Radius Server
Address: 10.25.1.229
Shared Secret : Select an existing Shared Secrets template: None
Shared Secret: Manual
Vendor Name: RADIUS Standard
Connection Request Policies: Overview
Policy Name: Use Windows authentication for all users
Policy State: Policy Enabled
Network Connection method: Type of network access server: Unspecified
Connection Request Policies: Conditions
Day and time restrictions: 24x7 Permitted
Connection Request Policies: Settings
Authentication Provider: Local Computer
Override Authentication: Disabled
Network Policy: Overview
Policy Name: Radius Access Policy
Policy State: Policy Enabled
Access Permission
- Grant Access.
- Ignore user account dial-in properties
Network connection method
Type of network access server: Unspecified
Network Policy: Conditions
- Windows Groups
- NAS Port Type: Wireless - IEEE 802.11
Network Policy: Constraints
Authentication Methods
- EAP Types: Microsoft Protected EAP (PEAP)
-- Less secure authentication methods:
----Microsoft Encrypted Authentication version 2 (MS-CHAP-v2), User can change password after it has expired
----Microsoft Encrypted Authentication (MS-CHAP), User can change password after it has expired
NAS Port Type
- Wireless - IEEE 802.11
Network Policy: Settings
- RADIUS Attributes: Standard
--- Service-Type: Framed
- Network Access Protection: NAP Enforcement
--- Allow full network access
--- Enable auto-remediation of client computers
- Routing and Remote Access: Multilink and Bandwidth Allocation Protocol (BAP)
--- Server settings determine multilink usage
--- Percentage of capacity: 50
--- Period of time: 2 min
- Routing and Remote Access: Encryption
--- Strongest encryption (MPPE 128 bit)
- Routing and Remote Access: IP Settings
--- Server settings determine IP address assignment
On my windows 7 machine I configured a network profile as follows:
Security Type: WPA2-Enterprise
Encryption type: AES
Choose a network authentication method: Microsoft Protected EAP (PEAP)
-- No validate server certificate
-- Select Authentication Method: Secured password (EAP-MSCHAP v2)
-- Enable Fast Reconnect
I have allowed UDP ports 1812, 1813, 1645 and 1646 on my Windows 2008 server and have disabled the firewall on my Windows 7 machine.
I opened my Event Viewer and looked at the operational log at "Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig", and these are the events logged:
Wireless security started.
Network Adapter: Intel(R) WiFi Link 1000 BGN
Interface GUID: {604bd8bd-8a9e-4175-ac7d-13bb8eacae3e}
Local MAC Address: 74:E5:0B:0D:99:48
Network SSID: Tomato24
BSS Type: Infrastructure
Peer MAC Address: C0:C1:C0:4F:23:6E
Authentication: WPA2-Enterprise
Encryption: AES
FIPS Mode: Disabled
802.1x Enabled: Yes
------------------------------------------------
Wireless 802.1x authentication was restarted.
Network Adapter: Intel(R) WiFi Link 1000 BGN
Interface GUID: {604bd8bd-8a9e-4175-ac7d-13bb8eacae3e}
Local MAC Address: 74:E5:0B:0D:99:48
Network SSID: Tomato24
BSS Type: Infrastructure
Peer MAC Address: C0:C1:C0:4F:23:6E
Eap Information: Type 25, Vendor ID 0, Vendor Type 0, Author ID 0
Restart Reason: Onex Auth Timeout
------------------------------------------------
Wireless 802.1x authentication failed.
Network Adapter: Intel(R) WiFi Link 1000 BGN
Interface GUID: {604bd8bd-8a9e-4175-ac7d-13bb8eacae3e}
Local MAC Address: 74:E5:0B:0D:99:48
Network SSID: Tomato24
BSS Type: Infrastructure
Peer MAC Address: C0:C1:C0:4F:23:6E
Identity: host/SGOOL042.ong-ong.internal
User:
Domain:
Reason: There was no response to the EAP Response Identity packet.
Error: 0x0
EAP Reason: 0x0
EAP Root cause String:
EAP Error: 0x0
------------------------------------------------
WLAN AutoConfig service failed to connect to a wireless network.
Network Adapter: Intel(R) WiFi Link 1000 BGN
Interface GUID: {604bd8bd-8a9e-4175-ac7d-13bb8eacae3e}
Connection Mode: Manual connection with a profile
Profile Name: Tomato24
SSID: Tomato24
BSS Type: Infrastructure
Failure Reason:The specific network is not available.
------------------------------------------------
The interface setting on my Linksys E3000 router:
Wireless Mode: Access Point
Wireless Network mode: B/G mixed
SSID: Tomato24
Channel: 6 - 2.437GHz
Broadcast enabled
Channel width: 20 MHz
Security: WPA2 Enterprise
Encryption: AES
Group Key Renewal: 3600 seconds
Radius Server 10.25.1.127:1812
Can someone tell me if I have missed something? Why is it that the Windows 7 client cannot connect to my Linksys router?
Thanks & Regards.
Wednesday, February 27, 2013 12:28 PM
Answers
-
Hi,
You can't use the default policies to authenticate 802.1X supplicants unless you edit them manually. I recommend you use the wizard and walk through each step to create a new set of policies.
It looks like this: (choose RADIUS server for 802.1X Wireless or Wired Connections from the drop-down list, then click Configure 802.1X)
Also be sure you configure the identical shared secret on both sides (on the switch for the RADIUS server settings, and on NPS for the RADIUS client settings). You might not quite understand the purpose of the RADIUS client setting on NPS because you have given it a friendly name of RADIUS server when actually this is your switch. A friendly name of E3000 makes more sense. The friendly name can be anything, and doesn't affect whether or not clients connect, but I want to be sure you understand that the RADIUS client is actually the E3000 switch.
-Greg
- Marked as answer by Aiden_Cao Wednesday, March 6, 2013 2:24 AM
Wednesday, February 27, 2013 9:30 PM
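The shared-secret point in the answer above, shown at the protocol level as an added example (not code from the thread or from NPS): per RFC 3579, a RADIUS server must silently discard an Access-Request carrying EAP whose Message-Authenticator does not verify under its own copy of the shared secret, so the access point gets no reply at all. The secrets, the identity and the function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80  # RADIUS attribute types


def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identity, ident=1):
    """Access-Request (code 1) as an access point sends it when relaying EAP-Response/Identity."""
    # EAP packet: code 2 (Response), identifier, length, type 1 (Identity), data
    eap = struct.pack("!BBHB", 2, ident, 5 + len(identity), 1) + identity
    attrs = (attr(USER_NAME, identity) + attr(EAP_MESSAGE, eap)
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16)
    packet = header + attrs
    # HMAC-MD5 over the whole packet, computed while the attribute value is 16 zero bytes
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute here


def verify_message_authenticator(secret, packet):
    """Server-side check: True only if the HMAC matches under this side's secret."""
    length = int.from_bytes(packet[2:4], "big")
    if not 20 <= length <= len(packet):
        return False  # truncated or inconsistent length field
    pos = 20
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return False  # malformed attribute
        if a_type == MESSAGE_AUTHENTICATOR and a_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(packet[pos + 2:pos + 18], expected)
        pos += a_len
    return False  # EAP without a Message-Authenticator is also discarded


if __name__ == "__main__":
    req = build_access_request(b"constructed-secret", b"host/client.example.internal")
    for nps_secret in (b"constructed-secret", b"constructed-secert"):  # second has a typo
        ok = verify_message_authenticator(nps_secret, req)
        print(nps_secret.decode(), "->", "process" if ok else "silently discard")
```

A discarded request produces no Access-Challenge, so the only symptom on the wireless client is an 802.1X timeout.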
All replies
-
Can you provide more information about the group membership:
Network Policy: Conditions
- Windows Groups
Is your computer or user account a member of this group?
Johan Loos
Wednesday, February 27, 2013 2:12 PM -
Hi Johan,
The Windows Groups are my security groups in my domain which contain the users (e.g. domain\IT_Dept).
Hi Greg,
I disabled my original manually configured setup and used your recommendation, but I still cannot connect from a Windows 7 client. I have also applied the hotfixes KB2494172 and KB980295 and it still doesn't resolve my issue.
Btw, how do I get my account verified as I cannot paste pictures?
Regards.
Thursday, February 28, 2013 3:32 AM -
Hi,
See http://social.technet.microsoft.com/wiki/contents/articles/15960.how-to-verify-your-msdntechnet-forums-account-so-that-you-can-post-images-and-links.aspx (I had to look this up myself as I didn't know either).
Please have a look at Event Viewer on NPS and post the error that NPS is displaying when the Windows 7 client tries to connect. Look at Custom Views\Server Roles\Network Policy and Access Services. Look for events numbered 6272 - 6278. There will be lots of information in the event about the client that tried to connect, the router that relayed the connection request (your E3000), and the reason why it was denied. Post this information if you can.
-Greg
Sunday, March 3, 2013 5:09 PM