Security

Community Administrator
Posts: 2,276
Registered: 12-03-2013

Controller Login via Windows NPS


Hello All..

 

Sorry...  So this is a windows problem, but there are some wicked smart guys on here and there is a 7210 involved so here goes.

 

I have encountered a very aggravating problem with deploying a NPS server to handle hardware login. The controller is acting exactly as it should (communicating with the NPS). NPS is also behaving like it should (detailed logging). Nevertheless auth keeps failing. The reason code I keep getting is 65. This indicates the user account in AD is set to deny access. Seems like an easy fix, right? When I finally get to view the account in question it is not set to "deny access"; it is in fact set to "allow RADIUS to grant access". Upon some further digging (Google) I discover the "ignore user dial-in properties" tick box, so NPS won't even check the access settings. This didn't resolve the problem.

 

Next I discover the user is hitting one of the generic Windows policies. I have the configured policy at the top and the value is set to 1. The other policies aren't configured so I'm not sure why it is triggering those policies. If I disable all policies except the one I configured I get a new error of no policy to handle request.

*The policy has all of the required groups added for authentication.

 

Has anyone encountered anything similar? Since the error code is 100% incorrect I'm not sure where to look next.

CWNA, ACMP, Security +
MVP
Posts: 4,307
Registered: 07-20-2011

Re: Controller Login via Windows NPS

What are the authentication method and conditions you are using in your NPS policy?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Community Administrator
Posts: 2,276
Registered: 12-03-2013

Re: Controller Login via Windows NPS

Victor, conditions are very simple. If you are in the group you get access. We are using unencrypted PAP, SPAP.

CWNA, ACMP, Security +
Guru Elite
Posts: 21,515
Registered: 03-29-2007

Re: Controller Login via Windows NPS

Jamie E, you need to add a check for Nas-Port-Type of "Virtual" to your Admin login rule conditions, so that your admin login rule is not triggered by a regular wireless authentication.  Regular wireless authentication has a Nas Port Type of "Wireless".

[Attachment: virtual.png]



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Community Administrator
Posts: 2,276
Registered: 12-03-2013

Re: Controller Login via Windows NPS

Any ideas on how to troubleshoot this without AD access? I can get access but it's not constant.

 

Thanks.

CWNA, ACMP, Security +
Guru Elite
Posts: 21,515
Registered: 03-29-2007

Re: Controller Login via Windows NPS

Jamie E,

 

I do not know, but strip the policy down to the bare essentials, like PAP, your Windows group and NAS-Port-Type of Virtual. Put it all the way on top so it is hit first.



Colin Joseph
Aruba Customer Engineering


Community Administrator
Posts: 2,276
Registered: 12-03-2013

Re: Controller Login via Windows NPS

Thank you sir!!! 

 

I'll give your suggestions a whirl and check back in.

CWNA, ACMP, Security +
MVP
Posts: 291
Registered: 11-04-2008

Re: Controller Login via Windows NPS

First, don't try to decipher the Windows Event Viewer, as the events are confusing. Windows NPS authenticating hardware logon requires two policies:

  1. Connection request policy: the default is the generic "Use Windows authentication for all users". It is OK if you hit this policy.
  2. Network policies: you must hit this policy correctly. This is my working policy; as Colin mentioned, you need NAS port type Virtual (VPN) (more confusing!)

[Attachment: 1.png]

The successful authentication log:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2/11/2015 2:16:11 AM
Event ID:      6278
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      DC.lab.net
Description:
Network Policy Server granted full access to a user because the host met the defined health policy.

User:
	Security ID:			LAB\ngutri
	Account Name:			ngutri
	Account Domain:			LAB
	Fully Qualified Account Name:	lab.net/Users/Trinh Nguyen

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	OS-Version:			-
	Called Station Identifier:		000B866148D4
	Calling Station Identifier:		172.18.254.250

NAS:
	NAS IPv4 Address:		172.18.31.246
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			Virtual
	NAS Port:			0

RADIUS Client:
	Client Friendly Name:		ARUBA-MASTER
	Client IP Address:			172.18.31.246

Authentication Details:
	Connection Request Policy Name:	Use Windows authentication for all users
	Network Policy Name:		SSH POLICY
	Authentication Provider:		Windows
	Authentication Server:		DC.lab.net
	Authentication Type:		MS-CHAPv2
	EAP Type:			-
	Account Session Identifier:		-

Quarantine Information:
	Result:				Full Access
	Extended-Result:			-
	Session Identifier:			-
	Help URL:			-

 

~Trinh Nguyen~
Boys Town
MVP
Posts: 4,307
Registered: 07-20-2011

Re: Controller Login via Windows NPS

Just do exactly like cjoseph said.

In the policy, define the AD group you want to allow and the NAS identifier, which should match on the controller side as well.

[Attachment: 2015-02-11 23_51_12-Chrome Remote Desktop.png]

[Attachment: 2015-02-11 23_54_33-Switch General Configuration.png]

 

Ignore the TACACS ID I used :)

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Community Administrator
Posts: 2,276
Registered: 12-03-2013

Re: Controller Login via Windows NPS

Thanks for all the help guys.

 

It turned out to be a matter of "and" and "or". Each of the groups was added as an individual condition instead of as a single condition. I'm still not sure why the error code was so far off base.

 

Again thanks for all of the help.

CWNA, ACMP, Security +
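The "and" versus "or" point in the last reply, as an added example that is not part of the thread: a small Python model of how an NPS network policy combines its conditions (every condition in the policy must match, while a single Windows Groups condition matches if the user is in any of its listed groups), with the NAS-Port-Type Virtual check from Colin's reply included so a regular wireless login does not hit the admin rule. The group names, policy names and sample requests are constructed for the example.

```python
# Added example (not from the thread): a toy model of NPS network-policy
# condition evaluation, to show why one "Windows Groups" condition per group
# fails for an admin who is in only one of the groups, while a single
# "Windows Groups" condition listing all groups works.
from dataclasses import dataclass


@dataclass
class Request:
    user_groups: set      # AD groups the authenticating user belongs to
    nas_port_type: str    # "Virtual" for controller admin login, "Wireless" for Wi-Fi


@dataclass
class Policy:
    name: str
    conditions: list      # (attribute, allowed_values); ALL must match (AND)


def condition_matches(cond, req):
    attr, allowed = cond
    if attr == "Windows Groups":
        # one Windows Groups condition matches if the user is in ANY listed group (OR)
        return bool(req.user_groups & set(allowed))
    if attr == "NAS Port Type":
        return req.nas_port_type in allowed
    raise ValueError(f"unsupported condition attribute {attr!r}")


def policy_matches(policy, req):
    return all(condition_matches(c, req) for c in policy.conditions)


def first_matching_policy(policies, req):
    # NPS walks network policies in processing order; the first match decides
    for p in policies:
        if policy_matches(p, req):
            return p.name
    return None   # no policy to handle the request


# Constructed groups: two admin groups, each member in only one of them
BROKEN = Policy("Controller Admins (broken)", [
    ("NAS Port Type", ["Virtual"]),
    ("Windows Groups", ["LAB\\NetAdmins"]),    # separate condition...
    ("Windows Groups", ["LAB\\Helpdesk"]),     # ...ANDed with the one above
])
FIXED = Policy("Controller Admins", [
    ("NAS Port Type", ["Virtual"]),
    ("Windows Groups", ["LAB\\NetAdmins", "LAB\\Helpdesk"]),  # one condition, OR
])
ADMIN = Request(user_groups={"LAB\\NetAdmins"}, nas_port_type="Virtual")
WIFI_USER = Request(user_groups={"LAB\\NetAdmins"}, nas_port_type="Wireless")
```

With the broken policy the admin hits no policy at all; with the fixed one the admin matches, and the same account logging in over Wi-Fi still does not, because the NAS-Port-Type condition keeps the admin rule out of the wireless path.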