NPS - Prevent asking for a username?


I have been playing with NPS for a few days, the basics... it's not going as planned.

What I wanted to achieve: the NPS server is used as the RADIUS authentication server in our Aerohive (wired & wireless) solution. I want to prevent access to our network for unauthorized devices. Therefore I whipped up a basic VLAN categorization.

VLAN 1: servers

Every server is wired on a fixed location. These switchports are defined on VLAN 1.

VLAN 2: trusted devices

Devices that need network access: printers, access control devices, MFCs, etc. Verified by MAC address.

VLAN 5: domain computers

The computer account has to be a member of Domain Computers. These are verified by their computer object name.

VLAN 6: trusted alien computers

Other computer devices, not members of our domain, that need access to our network. Verified by MAC address.

VLAN 10: IP phones

Hardware phones that need access to the PABX. MAC or switchport. If possible, I'd prefer MAC because people use the patch port of the phone for their wired connection.

VLAN 20: guest

Every other request should be placed in VLAN 20, as a kind of fallback. These have access to 'the internet'.

So every device that requests access to our network, whether wired or wireless, should pass the NPS server. It's the server that should return its VLAN.

The list of trusted devices is long. We have 100 network printers & MFCs, and 30 - 50 people working on a non-domain laptop. It should be manageable.

In the Aerohive router / access point I have the option of MAC authentication, i.e. whether it should first authenticate by MAC or by SSID. I have MAC first.

I've tested a lot of different set-ups and have no idea if this is possible in NPS. When trying to allow an alien computer by its MAC address, it still asks me for a username and password?!

First I see this in the NPS log:

network policy server granted access user.

user:
security id: wgit\b8-86-87-e3-55-58
account name: b88687e35558
account domain: wgit
fully qualified account name: wgit\b8-86-87-e3-55-58

client machine:
security id: null sid
account name: -
fully qualified account name: -
os-version: -
called station identifier: 08-ea-44-0b-13-4c:willemen groep
calling station identifier: b8-86-87-e3-55-58

nas:
nas ipv4 address: 172.18.120.1
nas ipv6 address: -
nas identifier: home-tdc-1
nas port-type: wireless - ieee 802.11
nas port: 0

radius client:
client friendly name: aerohive branch routing
client ip address: 172.18.120.1

authentication details:
connection request policy name: trusted devices
network policy name: trusted devices
authentication provider: windows
authentication server: dc-sccm.wgit.local
authentication type: ms-chapv2
eap type: -
account session identifier: -
logging results: accounting information written local log file.

quarantine information:
result: full access
session identifier: -

If I have entered 'ok' as the username, I get this:

network policy server denied access user.

contact network policy server administrator more information.

user:
security id: wgit\b8-86-87-e3-55-58
account name: ok
account domain: wgit
fully qualified account name: wgit.local/be/vlaanderen/willemen groep/resources/b8-86-87-e3-55-58

client machine:
security id: null sid
account name: -
fully qualified account name: -
os-version: -
called station identifier: 08-ea-44-0b-13-4c:willemen groep
calling station identifier: b8-86-87-e3-55-58

nas:
nas ipv4 address: 172.18.120.1
nas ipv6 address: -
nas identifier: home-tdc-1
nas port-type: wireless - ieee 802.11
nas port: 0

radius client:
client friendly name: aerohive branch routing
client ip address: 172.18.120.1

authentication details:
connection request policy name: accept all
network policy name: guest
authentication provider: windows
authentication server: dc-sccm.wgit.local
authentication type: eap
eap type: -
account session identifier: -
logging results: accounting information written local log file.
reason code: 66
reason: user attempted use authentication method not enabled on matching network policy.

Why?!

Why is it asking for a username while it has already gained access?
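As an added example (not part of the original thread), here is a small Python check that parses NPS audit events like the two above and reports which grants were MAC-address accounts (account name equal to the calling station MAC) and under which network policy they landed, plus the reason code of each denial. The sample events are constructed from the logs in the question, the field names are assumed to be the ones NPS writes in its event text, and the function names are my own.

```python
import re

# Constructed sample: the two NPS events quoted in the question, cut down to the fields this check uses.
SAMPLE_EVENTS = """\
network policy server granted access user.
account name: b88687e35558
calling station identifier: b8-86-87-e3-55-58
network policy name: trusted devices

network policy server denied access user.
account name: ok
calling station identifier: b8-86-87-e3-55-58
network policy name: guest
reason code: 66
"""

def parse_nps_events(text):
    """Split NPS event text into one dict per event, keyed by lowercased field name."""
    events = []
    for line in text.splitlines():
        line = line.strip().lower()
        if line.startswith("network policy server "):
            events.append({"outcome": line.split()[3]})  # fourth word is "granted" or "denied"
        elif ":" in line and events:
            key, _, value = line.partition(":")
            events[-1][key.strip()] = value.strip()
    return events

def normalize_mac(value):
    """Reduce any MAC spelling (b8-86-87-e3-55-58, B8:86:..., b88687e35558) to 12 hex chars."""
    return re.sub(r"[^0-9a-f]", "", value.lower())

def is_mab_login(event):
    """True when the account name is the caller's own MAC, i.e. a MAC-authentication account."""
    mac = normalize_mac(event.get("calling station identifier", ""))
    return len(mac) == 12 and normalize_mac(event.get("account name", "")) == mac

def audit(text, mab_policy="trusted devices"):
    """One finding per denial and per MAC-account grant; grants outside mab_policy are flagged."""
    findings = []
    for ev in parse_nps_events(text):
        f = {"mac": normalize_mac(ev.get("calling station identifier", "")), "policy": ev.get("network policy name", "-")}
        if ev["outcome"] == "denied":
            f.update(kind="denied", reason=ev.get("reason code", "-"))
        elif is_mab_login(ev):
            f["kind"] = "mab-granted" if f["policy"] == mab_policy else "mab-wrong-policy"
        else:
            continue  # grants for ordinary user accounts are not of interest here
        findings.append(f)
    return findings
```

Run against the two events above it reports one MAC-account grant under "trusted devices" and one denial with reason code 66, which is the pair of outcomes the question describes.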

Hi tiele,

>When I put the second connection request policy in, the unknown device still fails to connect because no network policy is able to validate the credentials.

I tested in my lab and got a similar result to you. I created 2 connection request policies: policy1 forwards the request to an NPS that can't pass authentication, policy2 authenticates locally and can pass authentication.

When I put policy1 in first order, every request failed authentication, since the request is not authenticated locally using policy2. So the issue in my lab is normal: once the request has matched connection request policy1, it does not use policy2 any more.

The way I think to work around the issue is setting up another NPS server; since the NPS role can be added to a Windows Server, you may set up that NPS server for the "unauthenticated devices".

Best regards,

Anne


Please remember to mark the replies as answers if they help, and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.
