Rexxer

Some tips for me and others

Windows 2008 R2 NPS + Ubiquiti AP Pro + Radius = issues

Some time ago I wrote about configuring WiFi network with Radius authentication.

Recently I ran into some issues with that setup: some devices couldn't connect to WiFi for a long time, then suddenly could, and so on.

So, I started the investigation …

1. I looked at the NPS log. You can find it in the Event Viewer under Custom Views – Server Roles – Network Policy and Access Server.

2. I found that some requests were denied with reason 65 (Dial-in properties are set to Deny for the user), although the account was set to "Managed by Network Policy".

I used a script to set this parameter to "Allow" for every user in the OU:

Dim oContainer
' Bind to the OU whose user objects will be modified
Set oContainer = GetObject("LDAP://OU=Users,DC=local,DC=com")
ModifyUsers oContainer
' cleanup
Set oContainer = Nothing
WScript.Echo "Finished"

Sub ModifyUsers(oObject)
    Dim oUser
    ' Only iterate over user objects in the container
    oObject.Filter = Array("user")
    For Each oUser In oObject
        ' msNPAllowDialin is a Boolean attribute: TRUE = "Allow access",
        ' FALSE = "Deny access" (reason 65), absent = controlled by NPS policy
        oUser.Put "msNPAllowDialin", True
        oUser.SetInfo
    Next
End Sub
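Before running a bulk change like the one above, it helps to see which accounts actually carry an explicit Deny, since those are the ones NPS rejects with reason 65 no matter what the network policy says. The following PowerShell script is an added example, not the original post's script: it reports the dial-in state of every user in an OU and can clear the attribute so the account returns to "Control access through NPS Network Policy" instead of forcing Allow on everyone. It assumes the ActiveDirectory module (RSAT) is installed; the OU path is a placeholder.

```powershell
# Added example: audit msNPAllowDialin (the attribute behind NPS reason code 65)
# and optionally reset explicit Deny entries to "managed by network policy".
# Assumptions: ActiveDirectory module available; $SearchBase is a placeholder.
param(
    [string]$SearchBase = "OU=Users,DC=example,DC=com",   # placeholder OU
    [switch]$ResetToPolicy                                # clear explicit Deny
)

Import-Module ActiveDirectory

# msNPAllowDialin: $true = Allow access, $false = Deny access (reason 65),
# attribute not set = Control access through NPS Network Policy.
$users = Get-ADUser -SearchBase $SearchBase -Filter * -Properties msNPAllowDialin

$report = foreach ($u in $users) {
    if ($null -eq $u.msNPAllowDialin) { $state = 'Managed by network policy' }
    elseif ($u.msNPAllowDialin)      { $state = 'Allow' }
    else                             { $state = 'Deny' }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        DialIn         = $state
    }
}

# Summary: how many accounts are in each state.
$report | Group-Object DialIn | Select-Object Name, Count | Format-Table -AutoSize

# Accounts NPS will reject with reason 65 regardless of network policy.
$denied = $report | Where-Object { $_.DialIn -eq 'Deny' }
$denied | Format-Table -AutoSize

if ($ResetToPolicy) {
    # Clearing the attribute hands the decision back to the NPS network
    # policies rather than granting Allow to every account. -WhatIf previews
    # the change; remove it to apply.
    foreach ($d in $denied) {
        Set-ADUser -Identity $d.SamAccountName -Clear msNPAllowDialin -WhatIf
    }
}
```

Run it once without the switch to get the report, then with -ResetToPolicy to preview the changes for the denied accounts only.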

3. After that I saw another error in the log: "The user attempted to use an authentication method that is not enabled on the matching network policy."

I used this tip:

Incorrect connection request policy configuration
If you are using NAP with 802.1X enforcement or VPN enforcement, you must select Override network policy authentication settings when you configure connection request policy. If this setting is not configured, then client access requests will be denied with the following reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

When you use NAP with 802.1X enforcement or VPN enforcement, access requests must be authenticated in connection request policy.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

  1. On a server running NPS, click Start, click Run, type nps.msc, and press ENTER.
  2. In the NPS console tree, open Policies\Connection Request Policies.
  3. Right-click the name of your NAP client connection request policy, and then click Properties.
  4. On the Settings tab, click Authentication methods.
  5. Select Override network policy authentication settings, and then click OK.

And got this:

All three EAP types were added. In EAP (PEAP), both types were added.

4. In the Network Policies I applied the same settings:

A good link about NPS errors: technet.microsoft.com/en-us/library/dd348487(v=ws.10).aspx

After these actions the NPS log was clean, without errors.

Some errors still appeared later, but rarely, and they were caused by device-specific issues and weak signal. Before these changes there had been a lot of errors.

You can change the logging level:

Logging Schannel events

Secure channel (Schannel) is a security support provider (SSP) that supports a set of Internet security protocols, such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS). These protocols provide identity authentication and secure, private communication through encryption.

Logging of client certificate validation failures is a secure channel event, and is not enabled on the server running NPS by default. You can enable additional secure channel events by changing the following registry key value from 1 (REG_DWORD type, data 0x00000001) to 3 (REG_DWORD type, data 0x00000003):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging
