Occasional Contributor II

Aruba 3400 + Microsoft NPS on Windows2k8 R2

Hi Folks, 

We recently migrated to NPS from using Cisco Secure ACS to authenticate users on our Corporate WLAN. We want to ensure that machine auth occurs first then user auth (which was the way we had it set up with Cisco ACS). Currently we are seeing the following errors in the event logs when it attempts Machine Authentication, but User Authentication seems to work fine (if the user has logged into the workstation previously as it uses cached credentials). 


Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

Security ID: NULL SID
Account Name: host/HOSTNAME
Account Domain: DOMAINNAME
Fully Qualified Account Name: DOMAINNAME\HOSTNAME$

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 000B8661F100
Calling Station Identifier: 0024D61AA0AE

NAS IPv6 Address: -
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0

RADIUS Client:
Client Friendly Name: CONTROLLERNAME

Authentication Details:
Connection Request Policy Name: ArubaWireless
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: NPSSERVERNAME
Authentication Type: MS-CHAPv2
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.


An account failed to log on.

Security ID: SYSTEM
Account Domain: DOMAINNAME
Logon ID: 0x3e7

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: HOSTNAME$
Account Domain: DOMAINNAME

Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc0000199
Sub Status: 0x0

Process Information:
Caller Process ID: 0x360
Caller Process Name: C:\Windows\System32\svchost.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: IAS
Transited Services: -
Package Name (NTLM only): -
Key Length: 0


Some of the previous arcticles have mentioned to disable termination, but when I do that users are unable to connect at all. We currently aren't using any type of certificates, could this be the issue? Is this a requirement for machine authentication? I have followed the guides available on Airheads for both IAS and NPS but am still hitting a roadblock on this. 


Any help would be greatly appreciated!! 






Guru Elite

Re: Aruba 3400 + Microsoft NPS on Windows2k8 R2

You would need to:


1-  Disable Termination

2- Issue a certificate (SSL) that is trusted by your clients to the Windows 2008 server



*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Occasional Contributor II

Re: Aruba 3400 + Microsoft NPS on Windows2k8 R2

Thanks! It appeared that the certificate and disabling termination did the trick. I appreciate the fast response. 

New Contributor

Re: Aruba 3400 + Microsoft NPS on Windows2k8 R2


The part about "Issue a certificate (SSL) that is trusted by your clients" was not that clear here.  The above link describes exactly what that means for your NPS server.

Search Airheads
Showing results for 
Search instead for 
Did you mean: