I'm currently installing Windows Server 2008, and having issues with the NPS server.
Setup is as follows: our server runs Win 2008 R2, and for testing purposes we have our wireless AP (Netgear WG102) connected directly to one of the Ethernet interfaces.
We are working at a school that has its AD domain set up with accounts for all students. What we would like to do is to have NPS running on the server as well and identify students with wireless devices by linking them to their account in the domain. This should obviously work without having to register their personal computers, phones etc. on the server, using only account name and password for verification.
We followed this guide: http://techblog.mirabito.net.au/?p=87 and tried setting it up with EAP/PEAP. Correct me if I'm wrong, but this seemed like it needed certificates on the clients, which isn't something that we want; we only want to use account name and password. That didn't work anyhow, and we thought that if we only want user and pass verification we should use MS-CHAPv2. So we tried that as well, but still can't get it to work. Below is the error report we get.
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:                    TEAM-SPACE\per.stormats
    Account Name:                   per.stormats
    Account Domain:                 TEAM-SPACE
    Fully Qualified Account Name:   TEAM-SPACE\per.stormats

Client Machine:
    Security ID:                    NULL SID
    Account Name:                   -
    Fully Qualified Account Name:   -
    OS-Version:                     -
    Called Station Identifier:      00184DC0ED6C:AP-1
    Calling Station Identifier:     1C4BD66F185C

NAS:
    NAS IPv4 Address:               192.168.40.2
    NAS IPv6 Address:               -
    NAS Identifier:                 netgearc0ed6c
    NAS Port-Type:                  Wireless - IEEE 802.11
    NAS Port:                       1

RADIUS Client:
    Client Friendly Name:           AP-1
    Client IP Address:              192.168.40.2

Authentication Details:
    Connection Request Policy Name: Secure Wireless Connections
    Network Policy Name:            Secure Wireless Connections
    Authentication Provider:        Windows
    Authentication Server:          Sonett.team-space.se
    Authentication Type:            EAP
    EAP Type:                       -
    Account Session Identifier:     -
    Logging Results:                Accounting information was written to the local log file.
    Reason Code:                    22
    Reason:                         The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
Thanks in advance for any help you may provide.
Thanks for the post.
I suggest you first check the following three articles. They could help you better understand secure wireless network deployment.
IEEE 802.11 Wireless LAN Security with Microsoft Windows
Checklist: Configure NPS for Secure Wireless Access
Step-by-Step Guide: Demonstrate NAP 802.1X Enforcement in a Test Lab
Hope this helps.
Thanks for the links; unfortunately they didn't get us any wiser. Well, they did teach us some about the Windows Server environment, so thx for that.
Since the connection seems to reach the NPS server, it seems it has to be some error with either our access point not being RADIUS compliant or some setting we have entered incorrectly.
I read another post about a guy having similar issues who hadn't set up authentication for EAP. In our access point we only have options between "WPA with Radius" or "WPA2 with Radius", among some others, the others being the standard open network etc. We never reached our NPS when using anything but the options "with Radius".
But since our requests are getting through to the NPS, can we then assume that our AP is compliant and should get to work?
Appreciate the replies. Glenn & Per
Hi there --
Your AP setting WPA with Radius will allow those to connect who don't have devices that are capable of using WPA2. The RADIUS protocol is used between the AP and the NPS server, with the AP as the RADIUS client and the NPS server as the RADIUS server. Access clients don't use RADIUS.
You're correct that if you use EAP or PEAP, you need to deploy certificates.
The following entry from your file, and the fact that the NPS server rejected the connection attempt because of an unsupported authentication method, raises questions:
Authentication Type: EAP
If you're trying to deploy plain vanilla MS-CHAP v2 or MS-CHAP v1, you should not have EAP configured anywhere. Check your connection request policies and your network policies to ensure that they do not specify EAP. Also review your access point settings to make sure you don't have EAP enabled. (That probably wouldn't hurt, but since you aren't using it, no reason to complicate things.)
Also, in network policies, you can allow both MS-CHAP v1 and v2. v2 is preferable, but enabling v1 will allow clients that don't support v2 (if there are any) to connect. The NPS server and client, during the authentication process, will negotiate and select the strongest form of authentication that they both support. Just for security reasons I wouldn't enable any of the other less secure password-based authentication methods like PAP or SPAP.
Just a suggestion, hope it is helpful.
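As an added example (not from this thread or from Microsoft), a small Python parser for the NPS "denied access" event text quoted in the question that keeps each section's fields apart and applies the checks from the reply above; the sample event is constructed to match the shape of the one posted, with its values copied from that post.

```python
# Constructed sample, shaped like the NPS audit event quoted in the question
# (names and addresses taken from that post; not a live capture).
SAMPLE_EVENT = """Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
    Security ID:        TEAM-SPACE\\per.stormats
    Account Name:       per.stormats
Client Machine:
    Security ID:        NULL SID
    Calling Station Identifier: 1C4BD66F185C
NAS:
    NAS IPv4 Address:   192.168.40.2
    NAS Identifier:     netgearc0ed6c
    NAS Port-Type:      Wireless - IEEE 802.11
Authentication Details:
    Network Policy Name:    Secure Wireless Connections
    Authentication Type:    EAP
    EAP Type:               -
    Reason Code:            22
    Reason:                 The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
"""


def parse_nps_event(text):
    """Turn the event body into {section: {field: value}}. Field names repeat
    across sections (Security ID under both User and Client Machine), so a
    'Name:' line with no value opens a new section and keeps them apart."""
    fields, section = {}, "General"
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")  # split on the first colon only
        if not sep:
            continue  # introductory prose, no key/value pair
        if value.strip() == "":
            section = key.strip()
            continue
        fields.setdefault(section, {})[key.strip()] = value.strip()
    return fields


def triage(event):
    """Apply the checks from this reply to one parsed denial event."""
    auth = event.get("Authentication Details", {})
    findings = []
    if auth.get("Reason Code") == "22":
        findings.append("reason 22: the EAP type the policy requires cannot be processed")
        if auth.get("Authentication Type") == "EAP" and auth.get("EAP Type") == "-":
            findings.append("no EAP type negotiated: remove EAP from the connection request "
                            "and network policies (and the AP) for plain MS-CHAP v2, or give "
                            "the NPS server a certificate if PEAP is intended")
    if event.get("Client Machine", {}).get("Security ID") == "NULL SID":
        findings.append("only the user was identified; no domain machine identity presented")
    return findings
```

Feed it the message text of Security log event 6273 entries to triage many denials at once; the parser treats any "Name:" line with an empty value as a section header.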
Does anyone have a solution yet?
I have a Cisco router set up to forward EAP authentication requests to the NPS on a Windows 2008 R2 server, but it keeps failing with the above message.
However, it is working fine on a test SBS 2008 SP2 server. The Network Access Server settings are pretty much the same between both servers. The consoles are almost identical also.
There is something different about 2008 R2 it appears.
After some research I figured out the error was due to not having a certificate in the personal store of the NPS server. So I installed the CA server services, which issued certificates, and installed them into the personal store. The error messages have gone away BUT...
now the NPS server does not respond to the Cisco router anymore. There are now no error messages in the event logs. Running a debug on the Cisco router I can see it retransmitting.
- Proposed as answer by Estens Friday, March 23, 2012 6:11 PM