Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

RADIUS Server (NPS) with Computer + User authentication

  • 1.  RADIUS Server (NPS) with Computer + User authentication

    Posted May 16, 2017 08:29 PM

    Hello,

    I know this question has been asked a bunch but the answers seem to vary between everyone's own setups.


    The goal is to get machine and user authentication working via RADIUS server through Windows NPS. 


    Currently, I'm able to get user auth (AD credentials) working but once I add a machine group, everything fails.


    This is the log when I add a machine group to the network policy constraints:

    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 5/16/2017 5:21:17 PM
    Event ID: 6273
    Task Category: Network Policy Server
    Level: Information
    Keywords: Audit Failure
    User: N/A
    Computer: DC.corp.com
    Description:
    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
    Security ID: CORP\msong
    Account Name: CORP\msong
    Account Domain: CORP
    Fully Qualified Account Name: corp.com/sea/msong

    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: Connections to other access servers
    Authentication Provider: Windows
    Authentication Server: dc.corp.com
    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 65
    Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access


    I checked dial-in properties to be ignored in the network policy.


    I'm pretty new to this stuff, so any help is appreciated. 

    Let me know if you need any more info.


    Thanks! 



  • 2.  RE: RADIUS Server (NPS) with Computer + User authentication

    EMPLOYEE
    Posted May 16, 2017 08:35 PM

    NPS does not allow you to check both computer and user authentication.  There is only one authentication at a time; if the username of a computer is authenticating, that is what is checked.  If the username of a user is authenticating, that is what is checked...



  • 3.  RE: RADIUS Server (NPS) with Computer + User authentication

    Posted May 16, 2017 08:41 PM

    Ah okay. Is there a better way to go about this? To only allow domain joined devices to a specific SSID? 


    Thanks! 



  • 4.  RE: RADIUS Server (NPS) with Computer + User authentication

    EMPLOYEE
    Posted May 16, 2017 08:54 PM

    If you configure the computer supplicant for "Machine-Only" authentication, you can do that, and check the group membership of those machines.  Your NPS rule would only check the Domain Computers group for membership...
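
    As an added example (not code from the thread or from HPE Aruba), a PowerShell helper that parses the Event ID 6273 text quoted above and reports whether the identity NPS evaluated was a computer account or a user account, which is the distinction the reply is making. The function name is hypothetical and the sample message is constructed to match the event layout above.

    ```powershell
    # NPS evaluates exactly one identity per Access-Request: either the computer
    # (DOMAIN\host$ or host/fqdn) or the user. A network policy that requires
    # membership in both a computer group and a user group therefore never matches.
    # This helper makes that visible in the 6273 denial events.
    function ConvertFrom-NpsDenial {   # hypothetical name, not an NPS cmdlet
        param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
        process {
            # Pull the fields of interest out of the event description text.
            $field = @{}
            foreach ($name in 'Account Name', 'Network Policy Name', 'EAP Type', 'Reason Code') {
                if ($Message -match "(?m)^\s*$([regex]::Escape($name)):\s*(.*?)\s*$") {
                    $field[$name] = $Matches[1]
                }
            }
            # Computer accounts typically appear as DOMAIN\NAME$ or host/name.fqdn.
            $account = $field['Account Name']
            $isMachine = ($account -match '\$$') -or ($account -match '^host/')
            $type = if ($isMachine) { 'Computer' } else { 'User' }
            [pscustomobject]@{
                Account       = $account
                IdentityType  = $type
                NetworkPolicy = $field['Network Policy Name']
                EapType       = $field['EAP Type']
                ReasonCode    = [int]$field['Reason Code']
            }
        }
    }

    # Constructed sample in the same layout as the event quoted in the thread.
    $sample = @"
    Network Policy Server denied access to a user.

    User:
    Security ID: CORP\msong
    Account Name: CORP\msong
    Account Domain: CORP
    Network Policy Name: Connections to other access servers
    Authentication Type: EAP
    EAP Type: -
    Reason Code: 65
    "@

    $sample | ConvertFrom-NpsDenial   # IdentityType = User, ReasonCode = 65

    # On a live NPS server, summarise denials by identity type and reason code:
    # Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6273} |
    #     ForEach-Object { $_.Message | ConvertFrom-NpsDenial } |
    #     Group-Object IdentityType, ReasonCode | Select-Object Count, Name
    ```

    If every denial shows IdentityType = User while the policy condition is the Domain Computers group, the supplicant is sending the user identity rather than the machine identity, which is the situation the reply above describes.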



  • 5.  RE: RADIUS Server (NPS) with Computer + User authentication

    Posted May 16, 2017 08:58 PM

    Okay, I would definitely like to try that out.


    Where exactly would I make that change to check only machine auth? Is that through network group policy?


    Thank you! 



  • 6.  RE: RADIUS Server (NPS) with Computer + User authentication

    EMPLOYEE
    Posted May 16, 2017 11:53 PM

    To the network policy constraints..



  • 7.  RE: RADIUS Server (NPS) with Computer + User authentication

    Posted Mar 14, 2018 09:47 AM

    I got the same issue. Could you please provide the details of where we can change this so that only domain machines get access?