NPS Wireless - login failure

  • Question

  • I have been struggling with our NPS implementation. I would greatly appreciate any assistance or suggestions anyone might have!

    Goal: set up AD-authenticated security for our wireless network. 

    Plan: Configure NPS (dedicated Windows Server 2016) to use RADIUS to authenticate users in a specific AD security group. Use a wildcard cert from a 3rd party cert authority. 

    Status: Non-Windows devices can connect, so I know that NPS and the Cisco wireless controller are "talking" to each other (no problems with the preshared key). However, Windows wireless devices always kick back the same error: "Can't connect to this network."

    Steps I have taken:

    1. I have confirmed that the cert is installed on the client, and I have confirmed the subject lines match. 

    2. Tried different types of authentication (PEAP, MS-CHAPv2, etc.), no effect.

    3. Tried using broader groups (domain users), no effect.

    4. Checked the error log. I get an Event ID of 16, user name doesn't match or PW is incorrect. Here is the full error log, with identifying information about my organization replaced/removed: 

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
    Security ID: NULL SID
    Account Name: DOMAIN\user
    Account Domain: DOMAIN
    Fully Qualified Account Name: DOMAIN\user

    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    Called Station Identifier: 20-bb-xx-xx-xx-80:CASD_802.1x
    Calling Station Identifier: f8-xx-xx-xx-cc-46

    NAS:
    NAS IPv4 Address: 198.x.x.x
    NAS IPv6 Address: -
    NAS Identifier: wirelesscontroller#1
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 13

    RADIUS Client:
    Client Friendly Name: wirelesscontroller#1
    Client IP Address: 198.X.X.X

    Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: -
    Authentication Provider: Windows
    Authentication Server: server.example.com
    Authentication Type: PEAP
    EAP Type: -
    Account Session Identifier: 35643233383131382F66383A3539xxxxxxxxxx3A63633A34362F3135363038323031
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 16
    Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.


    Monday 08 July 2019 18:20

Answers

All replies

  • Hi,

    I did not see the network policy name in the log.

    How did you configure the NPS policy? what conditions did you use? 

    Have you tried using a different account? Please check the domain name and the password.

    Is server.example.com your DC?

    Best regards,

    Travis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday 09 July 2019 07:33
    Moderator
  • Travis - thanks for the response!

    I think I used a default template and started manually configuring it, so it had the default name. I went ahead and renamed it but that won't be reflected in the log of course. 

    Would it be worth creating a new policy with the Wizard? I haven't tried that yet. In part because I worked with another tech, going through setting by setting, at another location with a similar configuration.

    The server names and IP ranges - I changed/covered up just for a bit of extra peace of mind as I was posting the info publicly.

    Tuesday 09 July 2019 17:11
  • Hi,

    Yes, you can create a new policy and choose the conditions you want.

    Have you tried using another user account?

    Meanwhile, do you use user authentication? Please check the user certificate. 

    Best regards,

    Travis



    Wednesday 10 July 2019 08:48
    Moderator
  • I tried rebuilding another set of policies (Connection Request and Network) to no avail. 

    I have tried using several accounts. I also changed the group from a specific NPS security group I had created to "domain users." 

    The interesting thing is that it kicks back the same error 16 - "user credential mismatch" even when I don't use a real account. Most services will say "bad PW" for an existing account and "account not found" if you're not using an existing account. NPS doesn't seem to know the difference, like it's not even looking at any domain accounts.

    I did confirm that when I restart the NPS service, there is an event in the log for successful connection to my DC via LDAP. And, when I set up the policies it sees the domain groups as I add them.

    Wednesday 10 July 2019 17:18
  • Hi,

    Please check the event view for verification process on the client. 

    I think the issue is related to the certificate.

    Event Viewer > Applications and Services Logs > Microsoft > Windows > WLAN-AutoConfig

    Best regards,

    Travis



    Thursday 11 July 2019 08:40
    Moderator
  • Looks like you are correct:

    Reason: Explicit Eap failure received
    Error: 0x80420406
    EAP Reason: 0x80420406
    EAP Root cause String: The authentication failed because the certificate on the server computer does not have a server name specified

    I was reading about this error. We are using a wildcard cert - *.domain.com - perhaps this is the problem? Should I obtain a server-named cert?

    Thanks again for your assistance...

    Thursday 11 July 2019 22:26
  • Hi,

    Please check the certificate template on NPS. 

    For your reference:

    Configure Certificate Templates for PEAP and EAP Requirements 

    https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-cert-requirements 

    Best regards,

    Travis



    Friday 12 July 2019 02:46
    Moderator
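The client-side error quoted above (0x80420406, "the certificate on the server computer does not have a server name specified") and the linked PEAP certificate requirements can be checked directly on the NPS server. The script below is an added example, not code from this thread or from Microsoft; it assumes it runs elevated on the NPS server, uses only standard .NET X509Certificate2 members, and `nps.domain.com` is a placeholder host name.

```powershell
# Added example: audit the NPS server's computer certificates against the
# PEAP server-certificate requirements discussed in this thread.
# Assumes an elevated session on the NPS server (Cert:\LocalMachine\My).

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID

function Test-NpsPeapCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()

    # 1. Must carry the Server Authentication EKU (PEAP runs TLS to the NPS server).
    $ekus = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    if ($ekus -notcontains $ServerAuthEku) { $problems += 'missing Server Authentication EKU' }

    # 2. NPS needs the private key to complete the TLS handshake.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }

    # 3. The subject must name the server. A wildcard CN (*.domain.com) is what
    #    this thread traced to EAP error 0x80420406 on Windows clients.
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ([string]::IsNullOrWhiteSpace($cn)) {
        $problems += 'empty subject name'
    } elseif ($cn.StartsWith('*')) {
        $problems += "wildcard subject '$cn' (use a host-specific name such as nps.domain.com)"
    }

    # 4. Still valid, and chains to a root this server trusts.
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { $problems += 'outside validity period' }
    if (-not $Cert.Verify()) { $problems += 'chain does not validate on this server' }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Suitable   = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Evaluate every certificate in the computer's Personal store; the one selected
# in the NPS network policy's PEAP settings must come back Suitable = True.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-NpsPeapCertificate -Cert $_ } |
    Format-Table Subject, Suitable, Problems -AutoSize
```

Clients also have to trust the issuing root; a public CA avoids that on unmanaged devices, but it does not relax the host-specific subject name requirement that the wildcard certificate failed here.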
  • Travis,

    I am a bit confused. This doc appears to apply only to situations in which NPS is using a certificate issued by an AD CA within the network. In our case we are using a wildcard cert from a 3rd party CA. I was under the impression that a 3rd party cert would work better in an environment with many devices of varying platforms (we have a lot of macs) as you won't get "trust" warnings and such.

    Friday 12 July 2019 17:50
  • Hi,

    Sorry, I don't have much experience with CA. 

    In my opinion, the name of cert should be nps.domain.com 

    Here are some threads for your reference:

    https://social.technet.microsoft.com/Forums/lync/en-US/33a32bbd-c8a4-4063-ba25-db7da2e8272b/nps-radius-peap-using-3rd-party-certificate?forum=winserverNIS 

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/2065da39-289a-4ba1-bfd9-e0a556363a3d/public-certificate-for-npsnap?forum=winserverNAP  

    Best regards,

    Travis



    • Marked as answer by M. S. Paul Wednesday 17 July 2019 16:11
    Monday 15 July 2019 07:58
    Moderator
  • Thanks for your help Travis. I am going to get a named cert and go from there.
    • Marked as answer by M. S. Paul Wednesday 17 July 2019 16:11
    • Unmarked as answer by M. S. Paul Wednesday 17 July 2019 16:11
    Wednesday 17 July 2019 16:11