Occasional Contributor II
Posts: 10
Registered: ‎09-27-2010

Aruba 3400 + Microsoft NPS on Windows2k8 R2

Hi Folks, 

We recently migrated to NPS from using Cisco Secure ACS to authenticate users on our Corporate WLAN. We want to ensure that machine auth occurs first then user auth (which was the way we had it set up with Cisco ACS). Currently we are seeing the following errors in the event logs when it attempts Machine Authentication, but User Authentication seems to work fine (if the user has logged into the workstation previously as it uses cached credentials). 

 

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: NULL SID
Account Name: host/HOSTNAME
Account Domain: DOMAINNAME
Fully Qualified Account Name: DOMAINNAME\HOSTNAME$

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 000B8661F100
Calling Station Identifier: 0024D61AA0AE

NAS:
NAS IPv4 Address: CONTROLLERIP
NAS IPv6 Address: -
NAS Identifier: CONTROLLERNAME
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0

RADIUS Client:
Client Friendly Name: CONTROLLERNAME
Client IP Address: CONTROLLERIP

Authentication Details:
Connection Request Policy Name: ArubaWireless
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: NPSSERVERNAME
Authentication Type: MS-CHAPv2
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

 

An account failed to log on.

Subject:
Security ID: SYSTEM
Account Name: NPSSERVERNAME$
Account Domain: DOMAINNAME
Logon ID: 0x3e7

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: HOSTNAME$
Account Domain: DOMAINNAME

Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc0000199
Sub Status: 0x0

Process Information:
Caller Process ID: 0x360
Caller Process Name: C:\Windows\System32\svchost.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: IAS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

 

Some of the previous articles have mentioned to disable termination, but when I do that users are unable to connect at all. We currently aren't using any type of certificates, could this be the issue? Is this a requirement for machine authentication? I have followed the guides available on Airheads for both IAS and NPS but am still hitting a roadblock on this. 

 

Any help would be greatly appreciated!! 

 

thanks, 

Rick 

 

 

Guru Elite
Posts: 21,031
Registered: ‎03-29-2007

Re: Aruba 3400 + Microsoft NPS on Windows2k8 R2

You would need to:

 

1-  Disable Termination

2- Issue a certificate (SSL) that is trusted by your clients to the Windows 2008 server

 

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
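
Added example (not from any poster in this thread, and not Aruba or Microsoft code): a small triage helper that reads pasted NPS/Security event text and flags the pattern shown in the question, a machine account arriving as bare MS-CHAPv2 with no EAP type, which is what went away once termination was disabled. The finding labels and the heuristic are assumptions for illustration; the sample events are constructed from the fields quoted above.

```python
import re

# Constructed sample: field lines copied from the two events quoted in the thread.
SAMPLE_DENIED = """\
Account Name: host/HOSTNAME
Fully Qualified Account Name: DOMAINNAME\\HOSTNAME$
Authentication Type: MS-CHAPv2
EAP Type: -
Reason Code: 16
Status: 0xc0000199
"""

# Constructed sample of a request where the EAP conversation reached NPS.
SAMPLE_PEAP = """\
Account Name: host/HOSTNAME
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
"""

FIELD_RE = re.compile(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", re.MULTILINE)
# NTSTATUS 0xC0000199: the logon was refused because the account is a computer account.
NOLOGON_WORKSTATION_TRUST = "0xc0000199"


def parse_fields(text):
    """Map each 'Name: value' line to its value, keeping the first occurrence."""
    fields = {}
    for name, value in FIELD_RE.findall(text):
        fields.setdefault(name.strip(), value.strip())
    return fields


def triage(text):
    """Return finding labels (hypothetical names) for one pasted event."""
    f = parse_fields(text)
    findings = []
    machine = (f.get("Account Name", "").lower().startswith("host/")
               or f.get("Fully Qualified Account Name", "").endswith("$"))
    # Heuristic assumed from this thread: bare MS-CHAPv2 with no EAP type means
    # NPS never saw the EAP exchange, as happens when the NAS terminates EAP.
    if f.get("Authentication Type") == "MS-CHAPv2" and f.get("EAP Type") in ("", "-"):
        findings.append("no-eap-reached-nps")
        if machine:
            findings.append("machine-auth-without-eap")
    if f.get("Status", "").lower() == NOLOGON_WORKSTATION_TRUST:
        findings.append("computer-account-logon-refused")
    return findings
```

Calling triage() on the text of a denied request returns the list of labels; an empty list means none of these three conditions matched.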

Occasional Contributor II
Posts: 10
Registered: ‎09-27-2010

Re: Aruba 3400 + Microsoft NPS on Windows2k8 R2

Thanks! It appeared that the certificate and disabling termination did the trick. I appreciate the fast response. 

New Contributor
Posts: 1
Registered: ‎10-02-2012

Re: Aruba 3400 + Microsoft NPS on Windows2k8 R2

http://technet.microsoft.com/en-us/library/cc731363.aspx

 

The part about "Issue a certificate (SSL) that is trusted by your clients" was not that clear here.  The above link describes exactly what that means for your NPS server.
