I know this question has been asked a bunch but the answers seem to vary between everyone's own setups.
The goal is to get machine and user authentication working via RADIUS server through Windows NPS.
Currently, I'm able to get user auth (AD credentials) working but once I add a machine group, everything fails.
This is the log when I add a machine group to the network policy constraints:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/16/2017 5:21:17 PM
Event ID: 6273
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.corp.com
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID: CORP\msong
    Account Name: CORP\msong
    Account Domain: CORP
    Fully Qualified Account Name: corp.com/sea/msong

Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Connections to other access servers
Authentication Provider: Windows
Authentication Server: dc.corp.com
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 65
Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access
I have the option to ignore the account's dial-in properties checked in the network policy.
I'm pretty new to this stuff, so any help is appreciated.
Let me know if you need any more info.
NPS does not allow you to check both computer and user authentication. There is only one authentication at a time; if the username of a computer is authenticating, that is what is checked. If the username of a user is authenticating, that is what is checked...
Ah okay. Is there a better way to go about this, i.e. to only allow domain-joined devices on a specific SSID?
If you configure the computer supplicant for "Machine-Only" authentication, you can do that, and check the group membership of those machines. Your NPS rule would only check the Domain Computers group for membership...
Okay, I would definitely like to try that out.
Where exactly would I make that change to check only machine auth? Is that through network group policy?
To the network policy constraints..
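The change suggested above (machine-only authentication) is made on the client supplicant, not in NPS: the Windows 802.1X wireless profile carries an authMode setting that decides whether the computer account, the user account, or both are presented. The script below is an added example, not code from this thread, the poster, or Aruba. It exports an existing WLAN profile, sets OneX authMode to "machine", and re-imports it for all users, so the client only ever authenticates as CORP\HOSTNAME$ and your NPS network policy can then use a single Windows Groups condition on CORP\Domain Computers. The profile name, the working folder, and the namespace-manager helper are assumptions for the example; the OneX schema URIs and netsh wlan commands are the real ones.

```powershell
# Added example: force a Windows 802.1X WLAN profile to machine-only auth.
# Run in an elevated PowerShell on a test client; the same XML can be pushed
# via Group Policy (Wireless Network (IEEE 802.11) Policies) once it works.

$ProfileName = 'CorpSecure'                       # ASSUMED: your SSID / profile name
$WorkDir     = Join-Path $env:TEMP 'wlan-profile'  # ASSUMED: scratch folder
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Get-ChildItem -Path $WorkDir -Filter '*.xml' -ErrorAction SilentlyContinue | Remove-Item

# 1. Export the current profile. netsh names the file "<Interface>-<Profile>.xml".
netsh wlan export profile name="$ProfileName" folder="$WorkDir" | Out-Null
$XmlPath = Get-ChildItem -Path $WorkDir -Filter "*-$ProfileName.xml" |
           Select-Object -First 1 -ExpandProperty FullName
if (-not $XmlPath) {
    throw "Profile '$ProfileName' was not exported; list names with 'netsh wlan show profiles'."
}

# 2. Locate the OneX element and set authMode. Valid values in the OneX schema
#    are machineOrUser (default, which is what produced the user-account 6273
#    event in the thread), machine, and user.
[xml]$Profile = Get-Content -Path $XmlPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($Profile.NameTable)
$ns.AddNamespace('wlan', 'http://www.microsoft.com/networking/WLAN/profile/v1')
$ns.AddNamespace('onex', 'http://www.microsoft.com/networking/OneX/v1')
$OneXNs = 'http://www.microsoft.com/networking/OneX/v1'

$OneX = $Profile.SelectSingleNode('//onex:OneX', $ns)
if (-not $OneX) {
    throw "Profile '$ProfileName' has no OneX section; it is not an 802.1X profile."
}

$AuthMode = $OneX.SelectSingleNode('onex:authMode', $ns)
if (-not $AuthMode) {
    # authMode is optional, and OneX is an ordered sequence: authMode must come
    # before singleSignOn and EAPConfig, so insert it ahead of whichever exists.
    $AuthMode = $Profile.CreateElement('authMode', $OneXNs)
    $Anchor = $OneX.SelectSingleNode('onex:singleSignOn', $ns)
    if (-not $Anchor) { $Anchor = $OneX.SelectSingleNode('onex:EAPConfig', $ns) }
    if ($Anchor) { [void]$OneX.InsertBefore($AuthMode, $Anchor) }
    else         { [void]$OneX.AppendChild($AuthMode) }
}
$AuthMode.InnerText = 'machine'
$Profile.Save($XmlPath)

# 3. Re-import for all users so the machine authenticates at boot, before logon.
#    Adding a profile with the same name replaces the existing one.
netsh wlan add profile filename="$XmlPath" user=all

# 4. Verify. The profile should now report machine-only 802.1X, and on the NPS
#    side the next 6272/6273 event for this client should show the computer
#    account (CORP\HOSTNAME$), not a user, as the authenticating identity.
netsh wlan show profile name="$ProfileName"
```

With the supplicant in machine mode, the NPS network policy only needs the condition Windows Groups = CORP\Domain Computers (plus your NAS/SSID constraints and the EAP type you use); a second condition on a user group would never match, because, as explained above, NPS evaluates exactly one identity per authentication. Keep a per-user policy only if you also run a separate SSID or profile in user mode.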
I have the same issue. Could you please provide the details of where we can change this to allow only domain machine access?