Network Location Awareness & RADIUS RRS feed

  • Question

  • Installed Server 2019 for testing a few days ago, set up as PDC. Up to this point, I've already done two reinstalls from scratch but two issues still persist. It started with the inability to get Wireless access via RADIUS. It's all set up correctly in NPS via the setup wizard. Now if I turn off the firewall, everything connects, no issues. I've checked, and ports 1812 & 1813 are open for the domain. So I figure it has something to do with AD-AS access through the firewall for the wireless user's credentials.

    One thing that brought this to light was checking that ports 1812 & 1813 were enabled for the domain only. I noted in Network & Sharing that the network type was set to Private, when it should be Domain. Try as I might to change it, I could change it between Public & Private, but not to Domain. After the 2nd reinstall I discovered quite by accident that if I stop/restart the NLA service, it immediately switches to Domain, which is what it should show. I've even set the service to Automatic (Delayed Start) and that doesn't help. I have to manually restart the service after a reboot to switch the network type from Private to Domain.

    So two issues:

    - Network type shows private and will not show Domain until NLA is restarted manually.

    - Unable to connect wireless user via default RADIUS setup unless the Domain firewall is disabled on the server.

    Tuesday, January 22, 2019 5:11 PM

Answers

All replies

  • I think it's a known issue. You could also mention here and vote this one up. In the interim, create a rule for 1812 UDP.

    https://windowsserver.uservoice.com/forums/295059-networking/suggestions/35724043-fix-default-nps-firewall-rules-for-server-2019

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    Tuesday, January 22, 2019 7:05 PM
    Owner
  • Thanks Dave. I threw my two cents into the referenced thread and mentioned this thread for the combined NLA/RADIUS issue. For me, while creating a rule of my own to allow UDP Ports 1812-13 works, and with that rule set up to allow domain traffic only, it won't work after a reboot until I manually restart NLA to change the domain profile from Private to Domain.

    Wednesday, January 23, 2019 12:08 AM
  • Ok, well then that sounds like a separate unrelated problem. 

    When NLA starts to detect the network location, the machine will contact the domain controller via port 389. If this detection is successful, it will get the domain firewall profile (allowing for correct ports) and we cannot change the network location profile.
    If the domain was not found or the process failed, NLA will let you determine which firewall profile will be used, private or public.

    The Network Location Awareness (NLA) service expects to be able to enumerate the domain’s forest name to choose the right network profile for the connection. The service does this by calling DsGetDcName on the forest root name and issuing an LDAP query on UDP port 389 to a root Domain Controller. The service expects to be able to connect to the PDC in the forest domain to populate the following registry subkey:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\IntranetForests

    If something hinders the DNS name resolution or the connection attempt to the DC, NLA is not able to set the appropriate network profile on the connection.

    So I'd check that the domain controller and problem client have the static address of the DC listed for DNS and no others, such as a router or public DNS.

    Also, if there is a single domain controller, it may be that the Network Location Awareness service starts too early at boot. Try restarting the service to check if the profile changes to Domain. If so, you might be able to change it to Automatic (Delayed Start) or create a delayed start-up task with enough delay time to bounce the service shortly after boot.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Wednesday, January 23, 2019 12:18 AM
    Owner
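    The reply above lists the things NLA needs (DNS pointing at the DC, a working DC locator, LDAP on 389 reachable, the IntranetForests cache key populated). The following script is an added diagnostic, not something posted in this thread; it runs in an elevated PowerShell on the Server 2019 DC being discussed and reports each of those conditions plus the inbound firewall rules covering UDP 1812/1813. It assumes only built-in modules (NetTCPIP, NetSecurity, DnsClient) and the .NET ActiveDirectory classes; no RSAT module is required.

```powershell
# Added diagnostic script (not from the thread). Run elevated on the DC.
# Checks the conditions named in the reply: DNS client settings, DC locator,
# LDAP reachability, the NLA IntranetForests cache key and the RADIUS rules.

$nlaCacheKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\IntranetForests'

# 1. What NLA decided for each interface. On a DC this should be DomainAuthenticated.
"== Network profiles =="
Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory

# 2. NLA service state and start type (Automatic vs. Automatic (Delayed Start)).
"== NlaSvc =="
Get-Service -Name NlaSvc | Select-Object Status, StartType

# 3. DNS client configuration. A single DC should list only its own static
#    address, not a router or a public resolver.
"== DNS servers per interface =="
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 4. DC locator: forest root name and the PDC emulator, plus the SRV record
#    DsGetDcName relies on.
$forestName = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name
$pdc        = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
"== DC locator =="
"Forest root : $forestName"
"PDC emulator: $pdc"
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$forestName" -Type SRV |
    Select-Object Name, NameTarget, Port

# 5. LDAP reachability to the PDC. Test-NetConnection probes TCP; the reply
#    mentions UDP 389, but a DC that does not answer on TCP 389 is not up yet.
"== LDAP (TCP 389) to PDC =="
Test-NetConnection -ComputerName $pdc -Port 389 -WarningAction SilentlyContinue |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded

# 6. The cache key NLA populates once it has found the forest. If it is absent,
#    domain detection never completed on this boot.
"== NLA IntranetForests cache =="
if (Test-Path -Path $nlaCacheKey) {
    $item = Get-Item -Path $nlaCacheKey
    "Subkeys: $($item.GetSubKeyNames() -join ', ')"
    "Values : $($item.GetValueNames() -join ', ')"
} else {
    "Cache key not present"
}

# 7. Inbound firewall rules covering the RADIUS ports and the profiles they
#    apply to. A rule scoped to Domain only does nothing while the interface
#    is still categorised as Private.
"== Inbound rules for UDP 1812/1813 =="
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'UDP' -and ($_.LocalPort -match '^181[23]$') } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Enabled, Profile, Action
```

    If section 1 shows Private while sections 4 and 5 succeed, the problem is timing rather than connectivity, which is what the rest of the thread concludes; if section 7 shows the 1812/1813 rules scoped to Domain only, that explains why the wireless clients fail until the profile flips.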
  • Your mention of port 389 got me to thinking "firewall issue here too?" But I don't see how that's possible. But to put it to rest, I turned off the firewall for all profiles and rebooted. No change. Still comes up as Private Network profile. Even tried the Automatic (Delayed Start) with the firewalls off, and no change.

    So I set up a task in Task Scheduler to run net start nlasvc /y on startup with a 3 minute delay. 1 minute delay was apparently not long enough, and my only delay choice beyond that was 30 minutes. So I edited the task directly and gave it a 3 minute delay. This "seems" to have done the trick. The task runs hidden with highest privileges whether or not a user is logged on.

    Wednesday, January 23, 2019 3:15 AM
  • Glad to hear it helps. The issue is not with the firewall. It is simply that the NLA service starts and does its checks before active directory has had a chance to start up and provide the correct answer.

    If and when you stand up the second DC this will no longer be an issue.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Wednesday, January 23, 2019 3:18 AM
    Owner
  • I've checked dependencies on NLASVC and note that ADDS is not one of them. Would making the NLASVC service dependent on ADDS do the trick? If so, then how do I add the dependency with PowerShell? I figure if it has a chance, it's worth a shot.

    Also, when this server goes live, it will be the only DC on the domain. Right now, I'm basically using this particular piece of hardware as a learning tool.

    Wednesday, January 23, 2019 3:49 AM
  • You can do it with sc config

    https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/sc-config

    but if the task is working I'd probably leave it for simplicity's sake. You could also use PowerShell in your task to simply restart the service.

    https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/restart-service?view=powershell-6

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Wednesday, January 23, 2019 4:03 AM
    Owner
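    The thread settles on a delayed start-up task that bounces NlaSvc, and the reply above suggests Restart-Service inside that task. The following is an added example, not code from anyone in the thread: it registers the same kind of hidden, SYSTEM, highest-privilege task, but instead of guessing a fixed delay the task's script waits until the NTDS service is running and LDAP answers on 389 before restarting NlaSvc, and logs the resulting profile. The directory `C:\Scripts`, the script name and the task name are placeholders chosen here.

```powershell
# Added example (not from the thread). Run once, elevated, on the single DC.
# Registers a start-up task whose script waits for AD DS before restarting NLA.

$scriptDir  = 'C:\Scripts'                      # assumed location
$scriptPath = Join-Path $scriptDir 'Restart-NlaAfterAD.ps1'
$taskName   = 'Restart NLA after AD DS'         # assumed task name

New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null

# Script the task executes. Single-quoted here-string: nothing expands now.
$script = @'
$log = Join-Path $PSScriptRoot 'Restart-NlaAfterAD.log'
function Write-Log($msg) { "$(Get-Date -Format s) $msg" | Add-Content -Path $log }

# Wait up to 10 minutes (40 x 15 s) for AD DS to run and LDAP to answer locally.
$ready = $false
foreach ($i in 1..40) {
    $ntds = Get-Service -Name NTDS -ErrorAction SilentlyContinue
    $ldap = Test-NetConnection -ComputerName $env:COMPUTERNAME -Port 389 `
                -InformationLevel Quiet -WarningAction SilentlyContinue
    if ($ntds -and $ntds.Status -eq 'Running' -and $ldap) { $ready = $true; break }
    Start-Sleep -Seconds 15
}
if (-not $ready) {
    Write-Log 'AD DS not ready after 10 minutes; leaving NlaSvc alone'
    exit 1
}

# Same effect as "net start nlasvc /y" after a stop: re-run domain detection.
Restart-Service -Name NlaSvc -Force
Start-Sleep -Seconds 10
$profiles = Get-NetConnectionProfile |
    ForEach-Object { "$($_.InterfaceAlias)=$($_.NetworkCategory)" }
Write-Log "Restarted NlaSvc; profiles: $($profiles -join ', ')"
'@
Set-Content -Path $scriptPath -Value $script -Encoding ASCII

# Start-up trigger with a short initial delay (ISO 8601 duration), SYSTEM
# principal, hidden, highest privileges, 15-minute run limit.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
$trigger = New-ScheduledTaskTrigger -AtStartup
$trigger.Delay = 'PT1M'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -Hidden -ExecutionTimeLimit (New-TimeSpan -Minutes 15)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

"Registered task '$taskName' running $scriptPath"
```

    Waiting on NTDS and LDAP rather than a fixed 3 minutes means the task keeps working if a later boot is slower than the one it was tuned on. On the `sc config` alternative asked about earlier: `depend=` replaces the whole dependency list, so any existing dependencies of NlaSvc must be repeated in the new value or the service will lose them, which is one reason the simpler task approach is preferable here.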
  • Hi,

    Thanks for your sharing.

    Best Regards,

    Eric


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, January 24, 2019 8:01 AM
    Moderator