NPS Called-Station-ID Regex Pattern

  • Question

  • I am trying to set up separate auth policies per WLAN. The attribute "Called-Station-ID" contains the MAC address and SSID of the WLAN a client is connecting from, so this seemed an obvious choice. When I specify any kind of regex pattern in the "Called-Station-ID" authentication fails with error 69 stating the Called-Station-ID does not match any policy. I know the policy is fine except for the Called-Station-ID attribute because if I enter the exact Called-Station-ID value, as pulled from the logs, which includes the MAC address and SSID, it works fine. I searched Google first and none of the suggestions I found worked. I would appreciate some help.


    Working Called-Station-ID: 00-17-df-34-82-80:RSC-Secure-Wireless

    List of attempts:

    .*:RSC-Secure-Wireless

    .0-17-df-34-82-80:RSC-Secure-Wireless

    ^00-17-df-34-82-80:RSC-Secure-Wireless$

    /00-17-df-34-82-80:RSC-Secure-Wireless/

    /^00-17-df-34-82-80:RSC-Secure-Wireless$/

     

    While my first attempt may have been incorrect, at least one of my test patterns should have worked. From what I can gather it's not processing the value as a pattern at all.

     

    Tuesday, March 22, 2011 2:36 PM

All replies

  • Hi JCotton1123,

    Yes, you can use the regex pattern for the Called-Station-ID. You can find the info from the nap blog: http://blogs.technet.com/b/nap/archive/2006/09/08/454705.aspx.

    And, you can find how to use the Regex in NPS here: http://technet.microsoft.com/en-us/library/cc755272(WS.10).aspx.

    To your specific question, the first attempt should work. The last one should work as well if you delete the first "/" and last "/".

     


    Clarification: Microsoft doesn't own any liability & responsibility for any of my posting.
    Tuesday, March 22, 2011 6:37 PM

  • Thank you for the response however the first attempt does not work. Below is the xml config for the pattern and log:

     

    <msNPCalledStationID xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">.*:RSC-Secure-Wireless</msNPCalledStationID>

     

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          3/24/2011 11:12:12 AM
    Event ID:      6273
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      Auth01##########
    Description:
    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
        Security ID:            AC\#######
        Account Name:            #######
        Account Domain:            AC
        Fully Qualified Account Name:    AC\#######

    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        00-3a-98-f1-ec-60:RSC-Secure-Wireless
        Calling Station Identifier:        00-15-af-95-12-72

    NAS:
        NAS IPv4 Address:        ##########
        NAS IPv6 Address:        -
        NAS Identifier:            Stockton-Wireless-Controller2
        NAS Port-Type:            Wireless - IEEE 802.11
        NAS Port:            13

    RADIUS Client:
        Client Friendly Name:        Wireless Controllers
        Client IP Address:            ##########

    Authentication Details:
        Connection Request Policy Name:    Wireless Controllers
        Network Policy Name:        RSC-Secure-Wireless
        Authentication Provider:        Windows
        Authentication Server:        Auth01##########
        Authentication Type:        EAP
        EAP Type:            -
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            69
        Reason:                The telephone number of the network access server does not match the value of the Called-Station-ID attribute that is configured in the constraints of the matching network policy. NPS denied the Access-Request.

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>6273</EventID>
        <Version>1</Version>
        <Level>0</Level>
        <Task>12552</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2011-03-24T15:12:12.087546200Z" />
        <EventRecordID>1427504</EventRecordID>
        <Correlation />
        <Execution ProcessID="476" ThreadID="328" />
        <Channel>Security</Channel>
        <Computer>Auth01##########</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-21-3143963120-878878136-4141151189-7564</Data>
        <Data Name="SubjectUserName">#######</Data>
        <Data Name="SubjectDomainName">AC</Data>
        <Data Name="FullyQualifiedSubjectUserName">AC\#########</Data>
        <Data Name="SubjectMachineSID">S-1-0-0</Data>
        <Data Name="SubjectMachineName">-</Data>
        <Data Name="FullyQualifiedSubjectMachineName">-</Data>
        <Data Name="MachineInventory">-</Data>
        <Data Name="CalledStationID">00-3a-98-f1-ec-60:RSC-Secure-Wireless</Data>
        <Data Name="CallingStationID">00-15-af-95-12-72</Data>
        <Data Name="NASIPv4Address">#############</Data>
        <Data Name="NASIPv6Address">-</Data>
        <Data Name="NASIdentifier">Stockton-Wireless-Controller2</Data>
        <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
        <Data Name="NASPort">13</Data>
        <Data Name="ClientName">Wireless Controllers</Data>
        <Data Name="ClientIPAddress">#############</Data>
        <Data Name="ProxyPolicyName">Wireless Controllers</Data>
        <Data Name="NetworkPolicyName">RSC-Secure-Wireless</Data>
        <Data Name="AuthenticationProvider">Windows</Data>
        <Data Name="AuthenticationServer">Auth01########</Data>
        <Data Name="AuthenticationType">EAP</Data>
        <Data Name="EAPType">-</Data>
        <Data Name="AccountSessionIdentifier">-</Data>
        <Data Name="ReasonCode">69</Data>
        <Data Name="Reason">The telephone number of the network access server does not match the value of the Called-Station-ID attribute that is configured in the constraints of the matching network policy. NPS denied the Access-Request.</Data>
        <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
      </EventData>
    </Event>

    Thursday, March 24, 2011 3:23 PM
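    To see the reason-code-69 pattern at scale rather than one event at a time, the following is an added example, not code from the thread or from Microsoft: it parses Event 6273 records shaped like the Event Xml above (same namespace and Data Name attributes; the sample records, host name, account, MACs and SSIDs are constructed) and counts reason-code-69 denials per SSID and network policy. A burst of such denials immediately after a policy edit is the quickest confirmation that the Called-Station-ID pattern is not matching.

```python
"""Parse NPS Event 6273 XML and count reason-code-69 denials per SSID.

Added example, not code from the thread. The namespace and the Data Name
values (CalledStationID, NetworkPolicyName, NASIdentifier, ReasonCode) are
taken from the Event Xml in the post; the sample records below are constructed.
"""
import xml.etree.ElementTree as ET
from collections import Counter

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event_xml(event_id, called_station_id, reason_code, policy="Corp-Secure"):
    """Build a constructed Event XML record with the same shape as the posted one."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>{event_id}</EventID>
    <Channel>Security</Channel>
    <Computer>nps01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="CalledStationID">{called_station_id}</Data>
    <Data Name="CallingStationID">90-21-55-cc-00-01</Data>
    <Data Name="NASIdentifier">WLC1</Data>
    <Data Name="NetworkPolicyName">{policy}</Data>
    <Data Name="ReasonCode">{reason_code}</Data>
  </EventData>
</Event>"""


# Constructed sample: two pattern-mismatch denials on one SSID, one on another,
# one denial for an unrelated reason code, and one grant (6272 = access granted).
SAMPLE_EVENTS = [
    _event_xml(6273, "00-26-3e-a5-21-82:Corp-Secure", 69),
    _event_xml(6273, "00-26-3e-a5-21-82:Corp-Secure", 69),
    _event_xml(6273, "00-26-3e-a5-21-82:Corp-Guest", 69, policy="Corp-Guest"),
    _event_xml(6273, "00-26-3e-a5-21-82:Corp-Secure", 16),
    _event_xml(6272, "00-26-3e-a5-21-82:Corp-Secure", 0),
]


def parse_nps_event(xml_text):
    """Extract the fields relevant to Called-Station-ID troubleshooting."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", EVENT_NS)}
    return {
        "event_id": root.findtext("e:System/e:EventID", default="", namespaces=EVENT_NS),
        "called_station_id": data.get("CalledStationID", ""),
        "network_policy": data.get("NetworkPolicyName", ""),
        "nas": data.get("NASIdentifier", ""),
        "reason_code": data.get("ReasonCode", ""),
    }


def ssid_of(called_station_id):
    """SSID part of 'aa-bb-cc-dd-ee-ff:SSID' (text after the first colon)."""
    _, sep, ssid = called_station_id.partition(":")
    return ssid if sep else ""


def reason69_denials_by_ssid(xml_records):
    """Count 6273/reason-69 denials keyed by (SSID, network policy name).

    Keying on both shows which policy the request landed in: an SSID turning up
    under a policy meant for a different SSID means the pattern is too wide.
    """
    counts = Counter()
    for rec in xml_records:
        ev = parse_nps_event(rec)
        if ev["event_id"] == "6273" and ev["reason_code"] == "69":
            counts[(ssid_of(ev["called_station_id"]), ev["network_policy"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in reason69_denials_by_ssid(SAMPLE_EVENTS).items():
        print(f"SSID {key[0]!r} under policy {key[1]!r}: {n} reason-69 denial(s)")
```

    Fed real records exported from the Security log (one `<Event>` element per record), the same function groups the denials the way the thread's posters were checking by hand.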
  • I have the exact same symptom here; my Procurve MSM controller sends a similar pattern, i.e. macaddress:ssid


    Did you resolve this? I'm planning on using this as a mechanism to prevent machines from different domains connecting to the wrong SSIDs.

     

    Cheers,

    Tuesday, May 3, 2011 1:11 AM
  • Did anyone resolve this issue?

    An EXACT match works fine (no wildcards/regex), or not enabling the pattern match works fine, so I know NPS/Radius is working fine from that point. But when I enable the pattern matching, nothing with REGEX wildcards works at all. I can't even get the examples to work in the NPS REGEX article, or even just .* !!!


    Monday, June 27, 2011 10:30 PM
  • Hi,

     

    Exactly the same issue :-( Did anybody find the solution?

     

    Cheers.

    DV

    • Proposed as answer by Dvi Tuesday, July 5, 2011 10:42 AM
    • Unproposed as answer by Dvi Tuesday, July 5, 2011 10:42 AM
    Tuesday, July 5, 2011 9:05 AM
  • We opened a case and wasted a bunch of time with MS to have them finally determine it's a bug.

    The only thing that works, is an EXACT match... no regex expressions work at all. They've said it will be fixed eventually.

    • Proposed as answer by HCCC NetAdmin Wednesday, August 10, 2011 10:01 PM
    • Unproposed as answer by HCCC NetAdmin Wednesday, August 10, 2011 10:02 PM
    Wednesday, July 20, 2011 6:33 PM
  • Try the following

    RSC-Secure-Wireless$

    -or-

    .*:RSC-Secure-Wireless$

    After pulling my hair out and using the following website as a sanity check I finally tried the SSID with the $ after it and was pleasantly surprised. According to the .NET regex your examples should have worked but... thanks again M$ for countless hours of wasted time. Regardless, very happy it is working now.

    http://regexlib.com/RETester.aspx?AspxAutoDetectCookieSupport=1

    No rhyme or reason...

    ...And as I'm posting this I went back to the original without the $ and it is magically working. So frustrating ...but again, working.


    • Proposed as answer by craymond Wednesday, August 17, 2011 8:59 PM
    Wednesday, August 10, 2011 10:09 PM
  • Thanks a lot HCCC for finding this - I spent hours myself trying to figure out why this didn't work per the MS instructions!

    Wednesday, August 17, 2011 8:58 PM
  • I'm at the same problem.

     

    I've tried using .*:WIRELESS_SSID$ with and without the $ but it's not working for us.

    In the log file I see this:

     

    "SERVERNAME","IAS",09/21/2011,11:33:39,3,,"DOMAIN\username",,,,,,,,0,"10.0.97.XXX","COMPANY-WX01",,,,,,,5,"COMPANY WLAN",69,"311 1 fe80::39b0:35bd:7c6b:3bba 08/29/2011 11:56:47 564",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
    "SERVERNAME","IAS",09/21/2011,11:34:43,1,"username","DOMAIN\username","00-26-3E-A5-21-82:COMPANYO","90-21-55-CC-XX-XX",,,"Trapeze","10.0.97.XXX",2984,0,"10.0.97.XXX","COMPANY-WX01",,,19,,,2,5,"COMPANY WLAN",0,"311 1 fe80::39b0:35bd:7c6b:3bba 08/29/2011 11:56:47 565",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
    "SERVERNAME","IAS",09/21/2011,11:34:43,3,,"DOMAIN\username",,,,,,,,0,"10.0.97.XXX","COMPANY-WX01",,,,,,,5,"COMPANY WLAN",69,"311 1 fe80::39b0:35bd:7c6b:3bba 08/29/2011 11:56:47 565",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
    "SERVERNAME","IAS",09/21/2011,11:55:59,1,"username","DOMAIN\username","00-26-3E-A5-21-82:COMPANYO","90-21-55-CC-XX-XX",,,"Trapeze","10.0.97.XXX",2992,0,"10.0.97.XXX","COMPANY-WX01",,,19,,,2,5,"COMPANY WLAN",0,"311 1 fe80::39b0:35bd:7c6b:3bba 09/21/2011 09:55:58 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
    


     

    If I enter the full MAC + SSID it works instantly:

     

    Network Policy Server granted full access to a user because the host met the defined health policy.
    
    User:
        Security ID:            DOMAIN\username
        Account Name:            username
        Account Domain:            domain
        Fully Qualified Account Name:    DOMAIN\username

    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        XXXXX:SSID
        Calling Station Identifier:        XXXXXX

    NAS:
        NAS IPv4 Address:        10.0.97.2XX
        NAS IPv6 Address:        -
        NAS Identifier:            Trapeze
        NAS Port-Type:            -
        NAS Port:            2996

    RADIUS Client:
        Client Friendly Name:        XXXXXX
        Client IP Address:            10.0.97.2XX

    Authentication Details:
        Proxy Policy Name:        Use Windows authentication for all users
        Network Policy Name:        WLAN
        Authentication Provider:        -
        Authentication Server:        SERVER.DOMAIN.info
        Authentication Type:        PEAP
        EAP Type:            Microsoft: Secured password (EAP-MSCHAP v2)
        Account Session Identifier:        -

    Quarantine Information:
        Result:                -
        Extended-Result:        -
        Session Identifier:        -
        Help URL:            -
        System Health Validator Result(s):    -

     

    Is it really a bug that regex is not working for the Called-Station-ID field, or has anyone got it to work?

     

    Constantin


    Wednesday, September 21, 2011 10:32 AM
  • I changed the method slightly and added "Called-Station-ID" under the "Conditions" tab rather than in "Constraints." It does not look like the "Constraints" tab settings allow for regex, but it works perfectly (so far) under "Conditions." I am still testing this so it may not be 100% correct, but I added SSID$ and am not sure if it is restricting access based on this.

     

    Please try it and let me know your experience. 

    Hope this helps...

    • Proposed as answer by Emil Roshan Monday, June 17, 2013 2:10 AM
    Friday, September 23, 2011 11:44 PM
  • I changed the method slightly and added "Called-Station-ID" under the "Conditions" tab rather than in "Constraints." It does not look like the "Constraints" tab settings allow for regex, but it works perfectly (so far) under "Conditions." I am still testing this so it may not be 100% correct, but I added SSID$ and am not sure if it is restricting access based on this.

    Please try it and let me know your experience. 

    Hope this helps...


    This is true - regex works in Conditions. Called Station ID Constraint does not accept regex, only exact match. Tested extensively.
    • Proposed as answer by szozz Tuesday, August 21, 2012 7:04 PM
    Tuesday, August 21, 2012 7:04 PM
  • I changed the method slightly and added "Called-Station-ID" under the "Conditions" tab rather than in "Constraints." It does not look like the "Constraints" tab settings allow for regex, but it works perfectly (so far) under "Conditions." I am still testing this so it may not be 100% correct, but I added SSID$ and am not sure if it is restricting access based on this.

    Please try it and let me know your experience. 

    Hope this helps...


    Thank you.  

    Having spent almost a day pulling my hair with pattern matching syntax, your post saved me from going insane.

    The same expression that didn't work on the Constraints tab works like a charm in the Conditions tab.
    Monday, June 17, 2013 2:15 AM
  • I ran into a similar issue where I have two SSIDs that need to be distinguished based on NPS policy. The regex that I used for the called station ID was:

    ..-..-..-..-..-..:ssid

    This resolves all authentications that meet the remaining conditions successfully. Hope this helps!

    • Proposed as answer by LesterClayton Tuesday, August 7, 2018 11:16 AM
    Tuesday, September 12, 2017 3:25 PM
  • Thank you.

    This solution is working (for me).

    Friday, December 8, 2017 1:14 PM
  • This is true - regex works in Conditions. Called Station ID Constraint does not accept regex, only exact match. Tested extensively.

    Is that still the case?

    Seb

    Tuesday, February 19, 2019 6:51 PM
  • (:ssid)$ works fine too :)
    Monday, March 4, 2019 11:16 AM
  • Hi,

    It didn't work for me either, whether I used it in Conditions or in Constraints:

    APNAME-*:SSID_Test

    Could you help, please?


    • Edited by shai_lukov Tuesday, May 7, 2019 12:10 PM
    Tuesday, May 7, 2019 11:45 AM
  • Found how to solve it.

    The string should start with ^ and end with |.

    For example: ^APNAME:SSID$|

    Wednesday, May 8, 2019 6:44 AM
  • I used regexr to figure it out. It is nice that the site lets you paste your own string and test your regex against it. This pattern worked consistently for me with a Cisco WLC appending the SSID on the end of the Called-Station-ID. It is working for me with multiple policies for multiple SSIDs.

    ^.*:YourSSIDName$

    Tuesday, August 27, 2019 2:48 PM
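    The IAS-format lines in the 2011-09-21 post and the patterns traded across the later posts can both be checked offline. The following is an added example, not code from the thread or from Microsoft: it parses lines shaped like those posted (field positions follow the NPS IAS log format; the sample lines, hosts, MACs and SSIDs are constructed), joins each Accept/Reject to its Access-Request via the Class attribute so the Called-Station-ID and reason code line up, and then runs the thread's patterns against both MAC:SSID and AP-name:SSID values. Python's re.search stands in for NPS pattern evaluation, which is an assumption, and the example also covers a case the thread does not raise: an SSID that shares a prefix with the one the policy is meant for.

```python
"""Correlate IAS-format NPS log lines and test Called-Station-ID patterns.

Added example, not code from the thread. Field positions (0-based) are those
of the NPS "IAS format": 4 packet type, 7 Called-Station-ID, 24 network policy
name, 25 reason code, 26 Class. Python's re.search stands in for NPS pattern
evaluation; that NPS treats an unanchored pattern as a substring search is
inferred from the thread (RSC-Secure-Wireless$ matched a full MAC:SSID value),
not verified against NPS itself.
"""
import csv
import io
import re

F_PACKET_TYPE, F_CALLED_STATION_ID, F_POLICY, F_REASON, F_CLASS = 4, 7, 24, 25, 26
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request"}

# Constructed lines modelled on the posted ones: a request rejected with reason
# 69, and a request for a prefix-sharing SSID that the same policy accepted.
SAMPLE_IAS_LOG = r'''"NPS01","IAS",09/21/2011,11:34:43,1,"jdoe","EXAMPLE\jdoe","00-26-3e-a5-21-82:Corp-Secure","90-21-55-cc-00-01",,,"WLC1","10.0.97.5",2984,0,"10.0.97.5","Wireless Controllers",,,19,,,2,5,"Corp-Secure",0,"311 1 fe80::1 09/21/2011 09:55:58 565",
"NPS01","IAS",09/21/2011,11:34:43,3,,"EXAMPLE\jdoe",,,,,,,,0,"10.0.97.5","Wireless Controllers",,,,,,,5,"Corp-Secure",69,"311 1 fe80::1 09/21/2011 09:55:58 565",
"NPS01","IAS",09/21/2011,11:35:10,1,"asmith","EXAMPLE\asmith","00-26-3e-a5-21-82:Corp-Secure-Guest","90-21-55-cc-00-02",,,"WLC1","10.0.97.5",2985,0,"10.0.97.5","Wireless Controllers",,,19,,,2,5,"Corp-Secure",0,"311 1 fe80::1 09/21/2011 09:55:58 566",
"NPS01","IAS",09/21/2011,11:35:10,2,,"EXAMPLE\asmith",,,,,,,,0,"10.0.97.5","Wireless Controllers",,,,,,,5,"Corp-Secure",0,"311 1 fe80::1 09/21/2011 09:55:58 566",
'''


def parse_ias_lines(text):
    """Return one dict per IAS-format line, skipping blank or truncated lines."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if len(fields) <= F_CLASS:
            continue
        rows.append({
            "packet_type": PACKET_TYPES.get(fields[F_PACKET_TYPE], fields[F_PACKET_TYPE]),
            "called_station_id": fields[F_CALLED_STATION_ID],
            "policy": fields[F_POLICY],
            "reason_code": fields[F_REASON],
            "class": fields[F_CLASS],
        })
    return rows


def ssid_of(called_station_id):
    """SSID part of 'aa-bb-cc-dd-ee-ff:SSID' (text after the first colon)."""
    _, sep, ssid = called_station_id.partition(":")
    return ssid if sep else ""


def correlate_responses(rows):
    """Join each Accept/Reject to the Access-Request sharing its Class value,
    since only the request line carries the Called-Station-ID."""
    requests = {r["class"]: r for r in rows if r["packet_type"] == "Access-Request"}
    out = []
    for r in rows:
        if r["packet_type"] not in ("Access-Accept", "Access-Reject"):
            continue
        csid = requests.get(r["class"], {}).get("called_station_id", "")
        out.append({"result": r["packet_type"], "called_station_id": csid,
                    "ssid": ssid_of(csid), "policy": r["policy"],
                    "reason_code": r["reason_code"]})
    return out


def matches(pattern, called_station_id):
    """Unanchored regex search (see the module docstring for why)."""
    return re.search(pattern, called_station_id) is not None


def pattern_matrix(patterns, called_station_ids):
    """{pattern: {called_station_id: bool}} for every combination."""
    return {p: {c: matches(p, c) for c in called_station_ids} for p in patterns}


# Patterns quoted in the thread, with the constructed SSID substituted.
THREAD_PATTERNS = [
    ".*:Corp-Secure",                 # original first attempt, unanchored
    "^.*:Corp-Secure$",               # anchored form from the last post
    "..-..-..-..-..-..:Corp-Secure",  # six-octet form from the 2017 post
    "(:Corp-Secure)$",                # group anchored at the end, 2019 post
    "APNAME-*:Corp-Secure",           # the 2019 pattern that failed: '-*' is zero or more hyphens
]
SAMPLE_CSIDS = [
    "00-26-3e-a5-21-82:Corp-Secure",
    "00-26-3e-a5-21-82:Corp-Secure-Guest",  # shares the prefix with the intended SSID
    "AP-Lobby-01:Corp-Secure",              # AP-name form some controllers send
]

if __name__ == "__main__":
    for hit in correlate_responses(parse_ias_lines(SAMPLE_IAS_LOG)):
        print(hit)
    for pat, row in pattern_matrix(THREAD_PATTERNS, SAMPLE_CSIDS).items():
        print(f"{pat:32} " + "  ".join("match" if ok else "-----" for ok in row.values()))
```

    Two things the matrix makes visible: the unanchored forms (`.*:Corp-Secure` and the six-octet form) also match `Corp-Secure-Guest`, so a per-SSID policy written that way admits more SSIDs than intended and the trailing `$` is what closes that gap; and `APNAME-*:Corp-Secure` matches nothing because in a regex `-*` means zero or more hyphens rather than a glob wildcard, which is why `^.*:Corp-Secure$` fits both MAC- and AP-name-prefixed values.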