ArubaOS and Controllers

Contributor I
Posts: 20
Registered: ‎10-19-2011

Computer authentication issue

A client of mine wants to make sure that only computers in a certain computer group are able to connect to the wireless network.

I have added the machine group to the NPS policy, but then nobody can connect to the SSID, even the computers that are in the machine group.

When I go to the event viewer, I get the following:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 19/10/2011 11:32:13
Event ID: 6273
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: REN.tresestelles.be
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: TRESESTELLES\EDRS
Account Name: TRESESTELLES\edrs
Account Domain: TRESESTELLES
Fully Qualified Account Name: tresestelles.be/PnV/Users/Personeel/Bedienden/IT/Diris Erik

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 000B866D6CC0
Calling Station Identifier: 5CAC4CBDF36E


NAS:
NAS IPv4 Address: 192.168.1.180
NAS IPv6 Address: -
NAS Identifier: alan002
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0

RADIUS Client:
Client Friendly Name: alan002
Client IP Address: 192.168.1.180

Authentication Details:
Connection Request Policy Name: P&V Aruba Vesuvius
Network Policy Name: Connections to other access servers
Authentication Provider: Windows
Authentication Server: REN.tresestelles.be
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 65
Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.

Event Xml:



6273
1
0
12552
0
0x8010000000000000

14910701


Security
REN.tresestelles.be



S-1-5-21-155554633-2511453929-3216367181-2315
TRESESTELLES\edrs
TRESESTELLES
tresestelles.be/PnV/Users/Personeel/Bedienden/IT/Diris Erik
S-1-0-0
-
-
-
000B866D6CC0
5CAC4CBDF36E
192.168.1.180
-
alan002
Wireless - IEEE 802.11
0
alan002
192.168.1.180
P&V Aruba Vesuvius
Connections to other access servers
Windows
REN.tresestelles.be
PEAP
Microsoft: Secured password (EAP-MSCHAP v2)
-
65
The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
Accounting information was written to the local log file.

It looks like the computer credentials are not forwarded to the NPS.

Any suggestions?
Guru Elite
Posts: 20,578
Registered: ‎03-29-2007

Re: Computer authentication issue


Only a single authentication is done at a time (user OR computer). By default computer authentication is done at the ctrl-alt-delete screen when nobody is logged in. User authentication occurs when the user has logged in successfully. Remove the domain user AND domain computer groups and have two separate remote access policies: one that only has domain computer and one that has domain user. Optionally, you can turn on "enforce machine authentication" in the 802.1x profile to possibly accomplish what you desire.


Colin Joseph
Aruba Customer Engineering
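The answer above turns on one fact: each 802.1X request carries exactly one identity (the machine before logon, the user after), and NPS ANDs all conditions inside a single network policy against that one identity, so a policy listing both a computer group and a user group can never match and the request falls through to the deny-all "Connections to other access servers" policy seen in the event. The following Python is an added example, not Aruba or Microsoft code, that models that evaluation and also parses the user/machine identity out of the 6273 event text posted in the question. The group names, policy names, identities and the event excerpt are constructed for illustration.

```python
"""Model of NPS policy matching for 802.1X requests, plus a parser for the
user/machine fields of a Windows event 6273 body.  Added example; the policy
model, group names and sample event are constructed assumptions."""

from dataclasses import dataclass

# Constructed excerpt in the layout of the event 6273 text quoted in the thread.
# Only the fields the check needs are included.
SAMPLE_6273 = """\
User:
Security ID: TRESESTELLES\\EDRS
Account Name: TRESESTELLES\\edrs
Client Machine:
Security ID: NULL SID
Account Name: -
Reason Code: 65
"""


@dataclass(frozen=True)
class RadiusRequest:
    identity: str        # the single identity the supplicant presented
    kind: str            # "user" or "computer"
    groups: frozenset    # AD groups that identity belongs to


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    required_groups: frozenset   # NPS ANDs every condition within one policy


def policy_matches(policy: NetworkPolicy, request: RadiusRequest) -> bool:
    """All group conditions of a policy are evaluated against the one identity."""
    return policy.required_groups <= request.groups


def first_matching_policy(policies, request: RadiusRequest):
    """NPS applies the first policy, in processing order, whose conditions all match;
    None models falling through to the default deny policy."""
    for policy in policies:
        if policy_matches(policy, request):
            return policy.name
    return None


def parse_6273(text: str) -> dict:
    """Pull the User and Client Machine security IDs and the reason code out of
    the plain-text body of a 6273 event (the 'Description' block)."""
    section = None
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("User:", "Client Machine:"):
            section = line.rstrip(":")
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Security ID" and section:
            fields[section] = value
        elif key == "Reason Code":
            fields["Reason Code"] = int(value)
    return fields


def identity_kind(fields: dict) -> str:
    """A user logon shows a real user SID and 'NULL SID' for the machine; a
    machine logon shows the reverse.  Whichever is present is the only identity
    NPS can match group conditions against."""
    user_sid = fields.get("User", "NULL SID")
    machine_sid = fields.get("Client Machine", "NULL SID")
    if user_sid != "NULL SID" and machine_sid == "NULL SID":
        return "user"
    if machine_sid != "NULL SID" and user_sid == "NULL SID":
        return "computer"
    return "unknown"


# Assumed group and policy names.
COMBINED = [NetworkPolicy("Wireless (user AND computer)",
                          frozenset({"Domain Users", "Wireless Computers"}))]
SPLIT = [NetworkPolicy("Wireless - computers", frozenset({"Wireless Computers"})),
         NetworkPolicy("Wireless - users", frozenset({"Domain Users"}))]

# One request per logon phase; each carries a single identity.
MACHINE_REQ = RadiusRequest("host/laptop01", "computer",
                            frozenset({"Domain Computers", "Wireless Computers"}))
USER_REQ = RadiusRequest("edrs", "user", frozenset({"Domain Users"}))


def evaluate(policies) -> dict:
    """Map each request's identity to the policy NPS would apply (None = denied)."""
    return {r.identity: first_matching_policy(policies, r) for r in (MACHINE_REQ, USER_REQ)}


if __name__ == "__main__":
    fields = parse_6273(SAMPLE_6273)
    print("event shows a", identity_kind(fields), "authentication, reason", fields["Reason Code"])
    print("combined policy:", evaluate(COMBINED))   # both denied
    print("split policies: ", evaluate(SPLIT))      # each phase matches its own policy
```

Running it shows the combined policy denying both the machine and the user request, while the two separate policies each match exactly one phase; the parsed event confirms the failing request was a user authentication with no machine identity, which is why a machine-group condition could not be satisfied.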
