clients on other site fail to authenticate on wifi via radius on NPS w2016

    Question

  • hello all,

    I have this issue with my RADIUS-based wifi authentication.

    A multi-site domain with 3 DCs. The sites are linked with a PtP VPN tunnel (SonicWall), with no filters.

    The CA distributed its root certificate to all the domain PCs and servers.

    Site A, 192.168.0.0/24:

    2 W2008R2 DCs, 1 W2016 NAP server with CA onboard; auth policy on domain "unifi" computer group and domain "unifi" user group.

    15 Ubiquiti access points on the same LAN, correctly set as RADIUS clients on NPS.

    In this site the wifi authentication works like a charm; I decided for now to authenticate only domain computers, and everyone is connecting without trouble with PEAP MS-CHAP-v2.

    Site B, 192.168.1.0/24:

    1 W2008R2 DC

    3 Ubiquiti access points on the same LAN, correctly set as RADIUS clients on NPS.

    In this site the wifi authentication, even though set up with the same parameters, does not work.

    I can see an audit failure on my NPS (ID 6273), which shows no authentication with the computer, but with the domain user.

    The same computer works in site A, not in site B.

    I need to authenticate with domain computers on site B; any suggestion on what to look at?

    EVENT:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          05/06/2018 16:08:31
    Event ID:      6273
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      nps01.xxx.it
    Description:
    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
    Security ID: XXX\first.last
    Account Name: XXX\first.last
    Account Domain: XXX
    Fully Qualified Account Name: xxx.it/OU/first.last

    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    Called Station Identifier: AA-BB-CC-DD-EE-FF:site2-wlan
    Calling Station Identifier: 00-11-22-33-44-55

    NAS:
    NAS IPv4 Address: -
    NAS IPv6 Address: -
    NAS Identifier: 1234567890
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 0

    RADIUS Client:
    Client Friendly Name: unifi-ap-site2
    Client IP Address: 192.168.1.5

    Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: Connections to other access servers
    Authentication Provider: Windows
    Authentication Server: nps01.XXX.it
    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 65
    Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.


    • Edited by dobricchi Tuesday, June 5, 2018 16:02
    Tuesday, June 5, 2018 15:55

All replies

  • Hi,

    Have a nice day! Thanks for your question.

    This error event 6273 might be caused by one of the following conditions:

    The user does not have valid credentials;

    The connection method is not allowed by the network policy;

    NPS does not have access to the user account database on the domain controller.

    Reason code 65 means that the network policy did not grant access to the authentication requests, especially during the initial setup of a new SSID or policy: the connection attempt failed because network access permission for the user account was denied.

    Please check this “Connections to other access servers” policy; is this the policy you are using to authenticate?

    Please also check the NPS logs under the system path Windows\System32\LogFiles to see if there is any further clue about the issue.

    Here is an article about NPS accounting and logs for your reference.

    https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-accounting-configure

    Hope this helps. If you have any question or concern, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Wednesday, June 6, 2018 7:18
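One way to compare what NPS is actually recording for the two sites, as an added example that is not part of this thread: a PowerShell snippet run on the NPS server that reads the 6273 audit failures from the Security log and groups them by RADIUS client address, identity type (user vs. computer) and reason code. The event data field names used below (ClientIPAddress, ClientName, SubjectMachineName, ReasonCode and so on) are assumed to match the event's XML payload; check them against the output of `.ToXml()` on one event before relying on the table.

```powershell
# Added example (not from the thread): summarise NPS event 6273 so that requests
# from the site A access points (192.168.0.x) and the site B access points
# (192.168.1.x) can be compared side by side.
# Assumption: the EventData field names below match the 6273 XML payload; verify with
#   (Get-WinEvent -FilterHashtable @{LogName='Security';Id=6273} -MaxEvents 1).ToXml()
param(
    [int]$Hours = 24
)

$filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) }

$rows = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $data = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

    # A '-' machine name (NULL SID) means the supplicant sent a user identity,
    # not a computer identity, which is exactly what the site B event in the thread shows.
    $isComputer = $data['SubjectMachineName'] -and $data['SubjectMachineName'] -ne '-'

    [pscustomobject]@{
        Time       = $_.TimeCreated
        ClientIP   = $data['ClientIPAddress']   # access point address, identifies the site
        ClientName = $data['ClientName']
        Identity   = if ($isComputer) { 'computer' } else { 'user' }
        Account    = $data['SubjectUserName']
        Policy     = $data['NetworkPolicyName']
        EapType    = $data['EAPType']
        ReasonCode = $data['ReasonCode']
    }
}

# One line per access point / identity type / reason code. An AP that only ever
# produces user-identity rejects with reason 65 never received a computer
# authentication at all, which points at the supplicant side rather than the policy.
$rows |
    Group-Object ClientIP, Identity, ReasonCode |
    ForEach-Object {
        [pscustomobject]@{
            ClientIP   = $_.Group[0].ClientIP
            ClientName = $_.Group[0].ClientName
            Identity   = $_.Group[0].Identity
            ReasonCode = $_.Group[0].ReasonCode
            Policy     = $_.Group[0].Policy
            Count      = $_.Count
            LastSeen   = ($_.Group | Sort-Object Time -Descending)[0].Time
        }
    } |
    Sort-Object ClientIP, Count -Descending |
    Format-Table -AutoSize
```

Run it in an elevated session on the NPS server; a site whose rows are all `user` / `65` while the other site shows `computer` rows for the same AP model is the pattern described in the question.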
  • hello,

    thanks for your reply.

    I do understand that I have issues with the user account because the user is not granted access. The only objects that are allowed to be authenticated for now are computer objects.

    When this computer tries to authenticate in site-A, it goes smoothly: the computer authenticates and works fine.

    When the same computer is moved to site-B, it doesn't authenticate; I can't see any computer authentication attempt in the Event Viewer log, I can only see that it is the user that is trying to connect, which correctly fails because only computers are allowed to do it.

    The only policy I configured in NPS is the one that works smoothly in site-A but not in site-B:

    - condition: computer groups

    - authentication: PEAP with certificate present in each DC and computer in each site

    - no restrictions

    The domain in both sites is the same; each site has its own replicated DC. RADIUS clients (access points) are configured in the same way in both sites.

    In other words, the RADIUS client (access point) in site-A is configured to use the RADIUS server in site-A, and the RADIUS client (access point) in site-B is configured to use the RADIUS server in site-A (the NPS).

    The RADIUS server (NPS) asks the domain controllers in site-A for authentication.

    AD network topology says that clients in site-A authenticate on the DC in site-A, and clients in site-B authenticate in site-B.

    Maybe something regarding this network topology?

    Maybe something confusing in a client on site-B that would authenticate to the DC in site-B, while the RADIUS server tries to do it in site-A?

    Maybe some restrictions about network segments specified in Active Directory Sites and Services?

    Wednesday, June 6, 2018 8:22
  • No other ideas?
    Thursday, June 21, 2018 9:22