New Contributor
Posts: 3
Registered: ‎05-16-2017

RADIUS Server (NPS) with Computer + User authentication

Hello,

I know this question has been asked a bunch but the answers seem to vary between everyone's own setups.

The goal is to get machine and user authentication working via RADIUS server through Windows NPS.

Currently, I'm able to get user auth (AD credentials) working but once I add a machine group, everything fails.

This is the log when I add a machine group to the network policy constraints:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/16/2017 5:21:17 PM
Event ID: 6273
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.corp.com
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: CORP\msong
Account Name: CORP\msong
Account Domain: CORP
Fully Qualified Account Name: corp.com/sea/msong

Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Connections to other access servers
Authentication Provider: Windows
Authentication Server: dc.corp.com
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 65
Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access

 

I checked dial-in properties to be ignored in the network policy.

I'm pretty new to this stuff, so any help is appreciated.

Let me know if you need any more info.

Thanks!

Guru Elite
Posts: 21,487
Registered: ‎03-29-2007

Re: RADIUS Server (NPS) with Computer + User authentication

NPS does not allow you to check both computer and user authentication.  There is only one authentication at a time; if the username of a computer is authenticating, that is what is checked.  If the username of a user is authenticating, that is what is checked...



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 3
Registered: ‎05-16-2017

Re: RADIUS Server (NPS) with Computer + User authentication

Ah okay. Is there a better way to go about this? To only allow domain-joined devices to a specific SSID?

Thanks!

Guru Elite
Posts: 21,487
Registered: ‎03-29-2007

Re: RADIUS Server (NPS) with Computer + User authentication

If you configure the computer supplicant for "Machine-Only" authentication, you can do that, and check the group membership of those machines.  Your NPS rule would only check the Domain Computers group for membership...



Colin Joseph
Aruba Customer Engineering
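
The point made in the two replies above (NPS evaluates one identity per request, so a Domain Computers condition can only match when the machine itself authenticates), shown as an added example that is not part of the thread or any vendor's code. The sample events are constructed from the log in the question, LAPTOP01 is a hypothetical host name, and classifying computer accounts by a trailing "$" or a "host/" prefix is an assumption of this sketch.

```python
# Constructed sample modelled on the Event ID 6273 description in the question.
SAMPLE_USER_EVENT = """\
Network Policy Server denied access to a user.
User:
Security ID: CORP\\msong
Account Name: CORP\\msong
Account Domain: CORP
Network Policy Name: Connections to other access servers
Authentication Type: EAP
Reason Code: 65
"""
# Constructed machine-only attempt; LAPTOP01 is a hypothetical host name.
SAMPLE_MACHINE_EVENT = SAMPLE_USER_EVENT.replace("CORP\\msong", "CORP\\LAPTOP01$")
# Names of the deny policies NPS ships with by default.
DEFAULT_DENY_POLICIES = {
    "Connections to other access servers",
    "Connections to Microsoft Routing and Remote Access server",
}

def parse_nps_event(text):
    """Return the 'Key: value' pairs of an NPS event description as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():  # skips section headers such as 'User:'
            fields[key.strip()] = value.strip()
    return fields

def identity_kind(fields):
    """Classify the single identity NPS evaluated (assumed naming convention)."""
    name = fields.get("Account Name", "")
    sam = name.rsplit("\\", 1)[-1]
    if sam.endswith("$") or name.lower().startswith("host/"):
        return "computer"
    return "user"

def triage(text):
    """Summarise why a machine-group condition could or could not match."""
    fields = parse_nps_event(text)
    kind = identity_kind(fields)
    policy = fields.get("Network Policy Name")
    return {
        "account": fields.get("Account Name"),
        "identity_kind": kind,
        "reason_code": int(fields.get("Reason Code", "0")),
        "fell_through_to_default_deny": policy in DEFAULT_DENY_POLICIES,
        "can_match_machine_group": kind == "computer",
    }
```

Run over the user event, this reports a user identity that fell through to a default deny policy, which is what a policy conditioned only on a machine group produces when the supplicant presents user credentials.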


New Contributor
Posts: 3
Registered: ‎05-16-2017

Re: RADIUS Server (NPS) with Computer + User authentication

Okay, I would definitely like to try that out.

Where exactly would I make that change to check only machine auth? Is that through network group policy?

Thank you!

Guru Elite
Posts: 21,487
Registered: ‎03-29-2007

Re: RADIUS Server (NPS) with Computer + User authentication

To the network policy constraints..



Colin Joseph
Aruba Customer Engineering
