NPS Called-Station-ID Regex Pattern

  • Question

  • I am trying to set up separate auth policies per WLAN. The attribute "Called-Station-ID" contains the MAC address and SSID of the WLAN a client is connecting from, so this seemed an obvious choice. When I specify any kind of regex pattern in the "Called-Station-ID" authentication fails with error 69 stating the Called-Station-ID does not match any policy. I know the policy is fine except for the Called-Station-ID attribute, because if I enter the exact Called-Station-ID value, as pulled from the logs, which includes the MAC address and SSID, it works fine. I searched Google first and none of the suggestions I found worked. I would appreciate some help.


    Working Called-Station-ID: 00-17-df-34-82-80:RSC-Secure-Wireless

    List of attempts:

    .*:RSC-Secure-Wireless

    .0-17-df-34-82-80:RSC-Secure-Wireless

    ^00-17-df-34-82-80:RSC-Secure-Wireless$

    /00-17-df-34-82-80:RSC-Secure-Wireless/

    /^00-17-df-34-82-80:RSC-Secure-Wireless$/

     

    While my first attempt may have been incorrect, at least one of my test patterns should have worked. From what I can gather it's not processing the value as a pattern at all.

     

    Tuesday, March 22, 2011 2:36 PM

All replies

  • Hi JCotton1123,

    Yes, you can use a regex pattern for the Called-Station-ID. You can find the info on the NAP blog: http://blogs.technet.com/b/nap/archive/2006/09/08/454705.aspx.

    And, you can find how to use the Regex in NPS here: http://technet.microsoft.com/en-us/library/cc755272(WS.10).aspx.

    To your specific question, the first attempt should work. The last one should work as well if you delete the first "/" and last "/".

     


    Clarification: Microsoft doesn't own any liability & responsibility for any of my posting.
    Tuesday, March 22, 2011 6:37 PM

  • Thank you for the response, however the first attempt does not work. Below is the XML config for the pattern and the log:

     

    <msNPCalledStationID xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">.*:RSC-Secure-Wireless</msNPCalledStationID>

     

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          3/24/2011 11:12:12 AM
    Event ID:      6273
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      Auth01##########
    Description:
    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
        Security ID:            AC\#######
        Account Name:            #######
        Account Domain:            AC
        Fully Qualified Account Name:    AC\#######

    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        00-3a-98-f1-ec-60:RSC-Secure-Wireless
        Calling Station Identifier:        00-15-af-95-12-72

    NAS:
        NAS IPv4 Address:        ##########
        NAS IPv6 Address:        -
        NAS Identifier:            Stockton-Wireless-Controller2
        NAS Port-Type:            Wireless - IEEE 802.11
        NAS Port:            13

    RADIUS Client:
        Client Friendly Name:        Wireless Controllers
        Client IP Address:            ##########

    Authentication Details:
        Connection Request Policy Name:    Wireless Controllers
        Network Policy Name:        RSC-Secure-Wireless
        Authentication Provider:        Windows
        Authentication Server:        Auth01##########
        Authentication Type:        EAP
        EAP Type:            -
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            69
        Reason:                The telephone number of the network access server does not match the value of the Called-Station-ID attribute that is configured in the constraints of the matching network policy. NPS denied the Access-Request.

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>6273</EventID>
        <Version>1</Version>
        <Level>0</Level>
        <Task>12552</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2011-03-24T15:12:12.087546200Z" />
        <EventRecordID>1427504</EventRecordID>
        <Correlation />
        <Execution ProcessID="476" ThreadID="328" />
        <Channel>Security</Channel>
        <Computer>Auth01##########</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-21-3143963120-878878136-4141151189-7564</Data>
        <Data Name="SubjectUserName">#######</Data>
        <Data Name="SubjectDomainName">AC</Data>
        <Data Name="FullyQualifiedSubjectUserName">AC\#########</Data>
        <Data Name="SubjectMachineSID">S-1-0-0</Data>
        <Data Name="SubjectMachineName">-</Data>
        <Data Name="FullyQualifiedSubjectMachineName">-</Data>
        <Data Name="MachineInventory">-</Data>
        <Data Name="CalledStationID">00-3a-98-f1-ec-60:RSC-Secure-Wireless</Data>
        <Data Name="CallingStationID">00-15-af-95-12-72</Data>
        <Data Name="NASIPv4Address">#############</Data>
        <Data Name="NASIPv6Address">-</Data>
        <Data Name="NASIdentifier">Stockton-Wireless-Controller2</Data>
        <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
        <Data Name="NASPort">13</Data>
        <Data Name="ClientName">Wireless Controllers</Data>
        <Data Name="ClientIPAddress">#############</Data>
        <Data Name="ProxyPolicyName">Wireless Controllers</Data>
        <Data Name="NetworkPolicyName">RSC-Secure-Wireless</Data>
        <Data Name="AuthenticationProvider">Windows</Data>
        <Data Name="AuthenticationServer">Auth01########</Data>
        <Data Name="AuthenticationType">EAP</Data>
        <Data Name="EAPType">-</Data>
        <Data Name="AccountSessionIdentifier">-</Data>
        <Data Name="ReasonCode">69</Data>
        <Data Name="Reason">The telephone number of the network access server does not match the value of the Called-Station-ID attribute that is configured in the constraints of the matching network policy. NPS denied the Access-Request.</Data>
        <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
      </EventData>
    </Event>

    Thursday, March 24, 2011 3:23 PM
  • I have the exact same symptom here, my ProCurve MSM controller sends a similar pattern, i.e. macaddress:ssid


    Did you resolve this? I'm planning on using this as a mechanism to prevent different domained machines connecting to the wrong SSIDs.

     

    Cheers,

    Tuesday, May 3, 2011 1:11 AM
  • Did anyone resolve this issue?

    An EXACT match works fine (no wildcards/regex), or not enabling the pattern match works fine, so I know NPS/Radius is working fine from that point. But when I enable the pattern matching, nothing with REGEX wildcards works at all. I can't even get the examples to work in the NPS REGEX article, or even just .* !!!


    Monday, June 27, 2011 10:30 PM
  • Hi,

     

    Exactly the same issue :-( Has anybody found the solution?

     

    Cheers.

    DV

    Tuesday, July 5, 2011 9:05 AM
  • We opened a case and wasted a bunch of time with MS to have them finally determine it's a bug.

    The only thing that works, is an EXACT match... no regex expressions work at all. They've said it will be fixed eventually.

    Wednesday, July 20, 2011 6:33 PM
  • Try the following

    RSC-Secure-Wireless$

    -or-

    .*:RSC-Secure-Wireless$

    After pulling my hair out and using the following website as a sanity check, I finally tried the SSID with the $ after it and was pleasantly surprised. According to the .NET regex your examples should have worked, but... thanks again M$ for countless hours of wasted time. Regardless, very happy it is working now.

    http://regexlib.com/RETester.aspx?AspxAutoDetectCookieSupport=1

    No rhyme or reason...

    ...And as I'm posting this I went back to the original without the $ and it is magically working. So frustrating ...but again, working.


    • Proposed as answer by craymond Wednesday, August 17, 2011 8:59 PM
    Wednesday, August 10, 2011 10:09 PM
  • Thanks a lot HCCC for finding this - I spent hours myself trying to figure out why this didn't work per the MS instructions!

    Wednesday, August 17, 2011 8:58 PM
  • I'm at the same problem.

     

    I've tried using .*:WIRELESS_SSID$ with and without the $, but it's not working for us.

    In the log file I see this:

     

    "SERVERNAME","IAS",09/21/2011,11:33:39,3,,"DOMAIN\username",,,,,,,,0,"10.0.97.XXX","COMPANY-WX01",,,,,,,5,"COMPANY WLAN",69,"311 1 fe80::39b0:35bd:7c6b:3bba 08/29/2011 11:56:47 564",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
    "SERVERNAME","IAS",09/21/2011,11:34:43,1,"username","DOMAIN\username","00-26-3E-A5-21-82:COMPANYO","90-21-55-CC-XX-XX",,,"Trapeze","10.0.97.XXX",2984,0,"10.0.97.XXX","COMPANY-WX01",,,19,,,2,5,"COMPANY WLAN",0,"311 1 fe80::39b0:35bd:7c6b:3bba 08/29/2011 11:56:47 565",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
    "SERVERNAME","IAS",09/21/2011,11:34:43,3,,"DOMAIN\username",,,,,,,,0,"10.0.97.XXX","COMPANY-WX01",,,,,,,5,"COMPANY WLAN",69,"311 1 fe80::39b0:35bd:7c6b:3bba 08/29/2011 11:56:47 565",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
    "SERVERNAME","IAS",09/21/2011,11:55:59,1,"username","DOMAIN\username","00-26-3E-A5-21-82:COMPANYO","90-21-55-CC-XX-XX",,,"Trapeze","10.0.97.XXX",2992,0,"10.0.97.XXX","COMPANY-WX01",,,19,,,2,5,"COMPANY WLAN",0,"311 1 fe80::39b0:35bd:7c6b:3bba 09/21/2011 09:55:58 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
    


     

    If I enter the full MAC + SSID it works instantly:

     

    Network Policy Server granted full access to a user because the host met the defined health policy.

    User:
        Security ID:            DOMAIN\username
        Account Name:            username
        Account Domain:            domain
        Fully Qualified Account Name:    DOMAIN\username

    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        XXXXX:SSID
        Calling Station Identifier:        XXXXXX

    NAS:
        NAS IPv4 Address:        10.0.97.2XX
        NAS IPv6 Address:        -
        NAS Identifier:            Trapeze
        NAS Port-Type:            -
        NAS Port:            2996

    RADIUS Client:
        Client Friendly Name:        XXXXXX
        Client IP Address:            10.0.97.2XX

    Authentication Details:
        Proxy Policy Name:        Use Windows authentication for all users
        Network Policy Name:        WLAN
        Authentication Provider:        -
        Authentication Server:        SERVER.DOMAIN.info
        Authentication Type:        PEAP
        EAP Type:            Microsoft: Secured password (EAP-MSCHAP v2)
        Account Session Identifier:        -

    Quarantine Information:
        Result:                -
        Extended-Result:        -
        Session Identifier:        -
        Help URL:            -
        System Health Validator Result(s):    -

     

    Is it really a bug that regex is not working for the Called-Station-ID field, or has anyone got that to work?

     

    Constantin


    Wednesday, September 21, 2011 10:32 AM
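The IAS-format lines above are easier to read once request and reject are paired up. Below is an added example, not part of Constantin's post and not anything Microsoft ships, that parses those four lines in PowerShell and correlates the Access-Reject (packet type 3, which carries the reason code but no Called-Station-ID) with its Access-Request (packet type 1, which carries the Called-Station-ID) through the Class attribute the two share. Field positions follow the IAS log format; the dozens of empty fields after the Class attribute are cut off in the embedded copy because nothing read here sits past field 27.

```powershell
# Added example (not from the thread). Constructed input: the four IAS-format
# lines Constantin posted, trimmed after the Class attribute (field 27).
$logLines = @'
"SERVERNAME","IAS",09/21/2011,11:33:39,3,,"DOMAIN\username",,,,,,,,0,"10.0.97.XXX","COMPANY-WX01",,,,,,,5,"COMPANY WLAN",69,"311 1 fe80::39b0:35bd:7c6b:3bba 08/29/2011 11:56:47 564"
"SERVERNAME","IAS",09/21/2011,11:34:43,1,"username","DOMAIN\username","00-26-3E-A5-21-82:COMPANYO","90-21-55-CC-XX-XX",,,"Trapeze","10.0.97.XXX",2984,0,"10.0.97.XXX","COMPANY-WX01",,,19,,,2,5,"COMPANY WLAN",0,"311 1 fe80::39b0:35bd:7c6b:3bba 08/29/2011 11:56:47 565"
"SERVERNAME","IAS",09/21/2011,11:34:43,3,,"DOMAIN\username",,,,,,,,0,"10.0.97.XXX","COMPANY-WX01",,,,,,,5,"COMPANY WLAN",69,"311 1 fe80::39b0:35bd:7c6b:3bba 08/29/2011 11:56:47 565"
"SERVERNAME","IAS",09/21/2011,11:55:59,1,"username","DOMAIN\username","00-26-3E-A5-21-82:COMPANYO","90-21-55-CC-XX-XX",,,"Trapeze","10.0.97.XXX",2992,0,"10.0.97.XXX","COMPANY-WX01",,,19,,,2,5,"COMPANY WLAN",0,"311 1 fe80::39b0:35bd:7c6b:3bba 09/21/2011 09:55:58 1"
'@ -split "`r?`n"

function ConvertFrom-IasLine {
    param([string]$Line)
    # None of these fields contain an embedded comma, so a plain split is enough;
    # strip the quotes NPS wraps around string attributes. Indexes are 0-based
    # positions in the IAS format: 4 Packet-Type, 6 Fully-Qualified-User-Name,
    # 7 Called-Station-ID, 24 Policy-Name, 25 Reason-Code, 26 Class.
    $f = $Line.Split(',') | ForEach-Object { $_.Trim('"') }
    $reason = if ($f[25]) { [int]$f[25] } else { $null }
    [pscustomobject]@{
        Time            = "$($f[2]) $($f[3])"
        PacketType      = [int]$f[4]      # 1 = Access-Request, 2 = Access-Accept, 3 = Access-Reject
        UserName        = $f[6]
        CalledStationId = $f[7]           # only present on the request
        PolicyName      = $f[24]
        ReasonCode      = $reason         # only meaningful on the response
        Class           = $f[26]          # shared by request and response
    }
}

function Get-RejectedCalledStationId {
    param([string[]]$Lines)
    $records = $Lines | Where-Object { $_ } | ForEach-Object { ConvertFrom-IasLine $_ }
    foreach ($group in ($records | Group-Object Class)) {
        $request = $group.Group | Where-Object PacketType -eq 1 | Select-Object -First 1
        $reject  = $group.Group | Where-Object PacketType -eq 3 | Select-Object -First 1
        if (-not $reject) { continue }    # no reject for this Class: nothing to explain
        $csid = if ($request) { $request.CalledStationId } else { '<request not in log>' }
        [pscustomobject]@{
            Class           = $group.Name
            User            = $reject.UserName
            Policy          = $reject.PolicyName
            ReasonCode      = $reject.ReasonCode   # 69 = Called-Station-ID constraint mismatch (see the event text above)
            CalledStationId = $csid
        }
    }
}

Get-RejectedCalledStationId -Lines $logLines | Format-Table -AutoSize
```

Run against the embedded lines this prints two rows: the reject with Class ending in 564, whose request is not in the excerpt, and the reject ending in 565, which pairs with the request carrying 00-26-3E-A5-21-82:COMPANYO and reason code 69. The 11:55:59 request has no reject in the excerpt, so it is not listed. The value in the CalledStationId column is exactly what the pattern in the policy has to match.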
  • I changed the method slightly and added "Called-Station-ID" under the "Conditions" tab rather than in "Constraints." It does not look like the "Constraints" tab settings allow for regex, but it works perfectly (so far) under "Conditions." I am still testing this so it may not be 100% correct, but I added SSID$ and am not sure if it is restricting access based on this.

     

    Please try it and let me know your experience. 

    Hope this helps...

    • Proposed as answer by Emil Roshan Monday, June 17, 2013 2:10 AM
    Friday, September 23, 2011 11:44 PM
  • I changed the method slightly and added "Called-Station-ID" under the "Conditions" tab rather than in "Constraints." It does not look like the "Constraints" tab settings allow for regex, but it works perfectly (so far) under "Conditions." I am still testing this so it may not be 100% correct, but I added SSID$ and am not sure if it is restricting access based on this.

    Please try it and let me know your experience. 

    Hope this helps...


    This is true - regex works in Conditions. Called Station ID Constraint does not accept regex, only exact match. Tested extensively.
    • Proposed as answer by szozz Tuesday, August 21, 2012 7:04 PM
    Tuesday, August 21, 2012 7:04 PM
  • I changed the method slightly and added "Called-Station-ID" under the "Conditions" tab rather than in "Constraints." It does not look like the "Constraints" tab settings allow for regex, but it works perfectly (so far) under "Conditions." I am still testing this so it may not be 100% correct, but I added SSID$ and am not sure if it is restricting access based on this.

    Please try it and let me know your experience. 

    Hope this helps...


    Thank you.  

    Having spent almost a day pulling my hair with pattern matching syntax, your post saved me from going insane.

    The same expression that didn't work on the Constraints tab works like a charm on the Conditions tab.
    Monday, June 17, 2013 2:15 AM
  • I ran into a similar issue where I have two SSIDs that need to be distinguished based on NPS policy. The regex that I used for the called station ID was:

    ..-..-..-..-..-..:ssid

    This resolves all authentications that meet the remaining conditions successfully. Hope this helps!

    • Proposed as answer by LesterClayton Tuesday, August 7, 2018 11:16 AM
    Tuesday, September 12, 2017 3:25 PM
  • Thank you.

    This solution is working (for me).

    Friday, December 8, 2017 1:14 PM
  • This is true - regex works in Conditions. Called Station ID Constraint does not accept regex, only exact match. Tested extensively.

    Is that still the case ?

    Seb

    Tuesday, February 19, 2019 6:51 PM
  • (:ssid)$ works fine too :)
    Monday, March 4, 2019 11:16 AM
  • Hi,

    it didn't work for me either, whether I used it on Conditions or on Constraints:

    APNAME-*:SSID_Test

    Could you help, please?


    • Edited by shai_lukov Tuesday, May 7, 2019 12:10 PM
    Tuesday, May 7, 2019 11:45 AM
  • Found how to solve it.

    The string should start with ^ and end with |.

    For example: ^APNAME:SSID$|

    Wednesday, May 8, 2019 6:44 AM
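To see which of the patterns in this thread actually restrict a policy to one SSID, here is an added example (not from the thread, and not an NPS tool) that runs them through the .NET regex engine from PowerShell. NPS's documented pattern syntax (the TechNet article linked in the first reply) uses the same ^, $, ., *, | and ( ) constructs, so the results carry over for these patterns. The two RSC-Secure-Wireless values come from the logs in the thread; the other samples are constructed. Two results are worth noting: a pattern without a trailing $ also matches an SSID that merely begins with the same name, and ^APNAME:SSID$| matches every value, including an empty attribute, because the text after | is an empty alternative, so a policy using it is no longer restricted by SSID at all.

```powershell
# Added example (not from the thread). Sample Called-Station-ID values: the first
# two are from the thread's logs, the rest are constructed.
$samples = @(
    '00-17-df-34-82-80:RSC-Secure-Wireless',          # thread: the OP's working exact value
    '00-3a-98-f1-ec-60:RSC-Secure-Wireless',          # thread: second AP, same SSID (event 6273)
    '00-17-df-34-82-80:RSC-Secure-Wireless-Legacy',   # constructed: SSID that only starts with the name
    '00-17-df-34-82-80:RSC-Guest',                    # constructed: same AP, different SSID
    'APNAME-01:SSID_Test',                            # constructed: controller sending AP name, not MAC
    ''                                                # constructed: attribute missing or empty
)

# Patterns as posted in the thread (SSID swapped in where a post used a placeholder),
# plus one written here for comparison.
$patterns = [ordered]@{
    '.*:RSC-Secure-Wireless'                  = 'OP attempt 1 (no anchor)'
    '.*:RSC-Secure-Wireless$'                 = 'HCCC NetAdmin, Aug 2011'
    '..-..-..-..-..-..:RSC-Secure-Wireless'   = 'Sept 2017 post (no anchor)'
    '(:RSC-Secure-Wireless)$'                 = 'Mar 2019 post'
    '^..-..-..-..-..-..:RSC-Secure-Wireless$' = 'added here: MAC prefix and both anchors'
    'APNAME-*:SSID_Test'                      = 'May 2019 post: -* means zero or more hyphens, not a wildcard'
    '^APNAME:SSID$|'                          = 'May 2019 "fix": empty alternative after |'
}

function Test-CalledStationIdPattern {
    param([string]$Pattern, [string[]]$Values)
    foreach ($v in $Values) {
        $shown = if ($v) { $v } else { '<empty>' }
        [pscustomobject]@{
            Value = $shown
            # Case-sensitive match. The thread does not show how NPS treats case,
            # so keep the SSID's exact casing in the policy.
            Match = [regex]::IsMatch($v, $Pattern)
        }
    }
}

function Find-OverbroadPattern {
    # A pattern that matches the empty string, or every sample, restricts nothing.
    param([string[]]$Patterns, [string[]]$Values)
    foreach ($p in $Patterns) {
        $hits = @($Values | Where-Object { [regex]::IsMatch($_, $p) })
        if ([regex]::IsMatch('', $p) -or $hits.Count -eq $Values.Count) { $p }
    }
}

foreach ($p in $patterns.Keys) {
    Write-Host "`n$p    # $($patterns[$p])"
    Test-CalledStationIdPattern -Pattern $p -Values $samples | Format-Table -AutoSize | Out-Host
}

Find-OverbroadPattern -Patterns @($patterns.Keys) -Values $samples | ForEach-Object {
    Write-Warning "'$_' matches every value, including an empty Called-Station-ID; it does not restrict the policy"
}
```

The table shows .*:RSC-Secure-Wireless and ..-..-..-..-..-..:RSC-Secure-Wireless matching the constructed RSC-Secure-Wireless-Legacy value as well as the two real ones, while (:RSC-Secure-Wireless)$ and the anchored MAC-prefixed pattern match only the real ones. APNAME-*:SSID_Test matches nothing in the sample set, since the hyphen is what * repeats, and ^APNAME:SSID$| matches all six values and triggers the warning. Before relying on any Called-Station-ID pattern, run the values from your own log through it this way and confirm it rejects the other SSIDs your controllers advertise.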