Configuring Radius for PC Authentication

Hello. Has anyone configured RADIUS for PC authentication? It would be great if I could do both User and PC authentication but I've read that only one can be used. That being said, every time I add "Domain Computers" to the RADIUS settings I cannot connect to the wi-fi. "Domain Users", however, works with no problems. I'd appreciate the help!!

Finally resolved this and figured I'd share my results. For starters in NPS on your RADIUS server, you'll want to use "Machine Groups" and tie that to "Domain Computers" which is the default AD group for all PC objects when added to your domain.
On your GPO for the wireless, you would hit edit > advanced > and select "computer authentication". This works well as it also keeps mobile devices off the network. 

Similar Messages

  • Cisco Nexus 5K + Microsoft Radius for Admin Authentication

    Hi,
    I have Cisco 3750 switches configured to use MS RADIUS for administrator authentication. However, now I would like to add our Cisco Nexus switches to MS RADIUS as well so that administrators are authenticated against the Microsoft RADIUS for admin authentication.
    I tried it earlier but it won't accept 3750 commands. Can you please help me with a configuration example that I can follow?
    the commands I have used on 3750 are as follows:
    aaa new-model
    aaa authentication login vtylogin group radius local
    aaa authentication login conlogin group radius local
    aaa authentication enable default group radius enable
    aaa authorization console
    aaa authorization exec vtylogin group radius local
    aaa authorization exec conlogin group radius local
    radius-server host x.x.x.x key SECRETE
    line con 0
    exec-timeout 5 0
    authorization exec conlogin
    logging synchronous
    login authentication conlogin
    line vty 0 4
    exec-timeout 0 0
    authorization exec vtylogin
    login authentication vtylogin
    transport input ssh
    line vty 5 15
    exec-timeout 0 0
    authorization exec vtylogin
    login authentication vtylogin
    transport input ssh

    I have never done this before with ACS but not with NPS. However, you are on the right path. Nexus uses NX-OS, which is different in some regards from regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles, so for full access you will need to return the following attributes from your RADIUS server:
    Attribute: cisco-av-pair
    Requirement: Mandatory
    Value: shell:roles*"network-admin vdc-admin"
    For more information take a look at this link:
    http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
    Hope this helps
    Thank you for rating helpful posts!

  • Configure SSO for ITS to R/3 using SNC/Kerberos

    Our R/3 systems have been configured for SSO using SNC and Kerberos for a while now.  We now have a requirement to configure SSO between ITS and R/3.  Since our R/3 env. has been using the Kerberos library, we won't be able to use the SAP Cryptographic Library.  I had modified the registry, environment and services in itsadmin to point to the Kerberos library and principal names for AGate and R/3 servers as described in the SNC User Guide; also, I updated table SNCSYSACL with the AGate SNC name.  That seems to work fine.  From the trace file, it recognized the GSS-API library for Kerberos and the SNC name for AGate.  However, when I try to log on to R/3 from ITS, I am still being prompted with the logon screen to enter my SAP account/password.
    I found several whitepapers and documentations stating that ITS does support Kerberos for SSO but I couldn't find any procedure on how to implement it.  Following is the error I'm getting from the sapbasis.trc file but I can't find any document on this error:
    =====================================================
    [Thr 5284] SncInit(): Initializing Secure Network Communication (SNC)
    [Thr 5284]       PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/32/32)
    [Thr 5284] SncInit(): Trying environment variable SNC_LIB as a
          gssapi library name: "C:\WINNT\system32\gsskrb5.dll".
    [Thr 5284]   File "C:\WINNT\system32\gsskrb5.dll" dynamically loaded as GSS-API v2 library.
    [Thr 5284]   The internal Adapter for the loaded GSS-API mechanism identifies as:
      Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
    [Thr 2888] Sun Jan 15 22:44:59 2006
    [Thr 2888] <<- ERROR: SncSetParam()==SNCERR_PARAM_DENIED
    [Thr 2888] *** WARNING => NO Domain! domain==NULL means: No domain at all within the cookie. [sapss1_loctr 333]
    [Thr 2888] Sun Jan 15 22:45:29 2006
    [Thr 2888] *** WARNING => NO Domain! domain==NULL means: No domain at all within the cookie. [sapss1_loctr 333]
    =====================================================
    Does anyone know what I am missing?  Any help is greatly appreciated.
    Thank you!
    Diem

    Hi Markus,
    I also just installed/configured PAS for LDAP authentication using the "PAS for External Authentication Mechanisms" documentation.  I think the domain problem is probably due to not having the external authentication mechanism (in this case PAS) installed.  Does that sound right to you?
    I tried both options for the ~extid_type parameter = "LD" and "UN".  I added the DN information to table USREXTID when ~extid_type="LD", but both options gave me the error "LDAP authentication failed".  I increased the trace level for sapextaut.trc but I don't see enough detailed information.  Following are the errors/data from the trace file.  Can you please let me know how I can tell what string is being passed for authentication?
    I'm quite sure the LDAP host and port data is correct since we've been using the same information for the SAP LDAP connector and we've been using our LDAP connector between MS AD and R/3 for a long time without any problem. 
    To logon to R/3 through ITS, I entered the AD account (CN attribute in AD) when I got the errors.
    Thank you very much for all your help.
    Diem Tran
    Trace:
    =====================================================
    2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth,  437]: W sapextauth: PAS session begins...
    2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth,  456]:     sapextauth: SncNameR3 is:    "p:na1adm/[email protected]"
    2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth,  462]:     sapextauth: SncNameAGate is: "p:[email protected]"
    2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  468]:     sapextauth: SNC_LIB is:      "C:\WINNT\system32\gsskrb5.dll"
    2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  568]:     sapextauth: XGatConnectSession leaving....
    2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  616]:     sapextauth: XGatHandleLogin called....
    2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  976]:     sapextauth: Entering XGatHandleLogin with LDAP...
    2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  993]: W Either ~login or ~password missing, returning XGDKRCloginrequired.
    2006-01-18T01:39:50.281 p001688 t4992 s00000000 [sapextauth,  398]:     sapextauth: XGatEventOpenSession called...
    2006-01-18T01:39:50.281 p001688 t4992 s0158B4E8 [sapextauth,  616]:     sapextauth: XGatHandleLogin called....
    2006-01-18T01:39:50.281 p001688 t4992 s0158B4E8 [sapextauth,  976]:     sapextauth: Entering XGatHandleLogin with LDAP...
    2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1059]:     sapextauth: LDAP port ist 389
    2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1261]: E sapextauth: LDAP authentication failed.
    2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1277]: E sapextauth: Wrong try for user Tran_Diem
    2006-01-18T01:39:59.140 p001688 t4992 s00000000 [sapextauth,  398]:     sapextauth: XGatEventOpenSession called...
    2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth,  616]:     sapextauth: XGatHandleLogin called....
    2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth,  976]:     sapextauth: Entering XGatHandleLogin with LDAP...
    2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1059]:     sapextauth: LDAP port ist 389
    2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1261]: E sapextauth: LDAP authentication failed.
    2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1277]: E sapextauth: Wrong try for user Tran_Diem
    =======================================================

  • IIsProxy version for windows authentication

    We are in the process of installing windows authentication to our EP 6.0 portal. We are running on SP 11 J2EE with portal SP 11 patch 3. 
    The first question I have: the document “Using Header variables or Integrated Windows Authentication”, section “Installing the IIsProxy module”, says that for security reasons we need to install version 1.7.0.0. Was this version released? We cannot find it on the Service Marketplace.
    My second question: when we use version IISPROXY16_2-10001433.SAR the authentication mechanism works fine to the portal, but I cannot navigate within the portal; it looks like the screen gets stuck on the first iView no matter what role you choose. When we use version IISPROXY15_0-10001969.SAR things work fine. I increased the trace while using IISProxy 16.2 but there were no errors in the logs. We would like to be on the latest version. Any idea what might be the problem?
    Thanks for your help,
    Mike Fasheh

    Hi folks !
    I have made this configuration a couple of times without problems (other iisproxy version), but for some reason this time it is not working and I'm totally desperate =(
    Scenario:
    - 1st server, Win 2003, IIS 6.0: IisProxy 1.6.2 installed, it forwards the requests correctly
    - 2nd server, IBM with AIX, SAP EP 6.0 SP12. Configurations made for NT authentication.
    The problem:
    For some reason the virtual directories defined in the IisProxy.xml file are not taking the IIS security settings (Integrated Windows Authentication). The iisproxy is just forwarding the request, but IIS is not making the NT authentication.
    If I change the name of the virtual directory in the IisProxy.xml file (to any name), IIS applies the security settings correctly.
    Any clue about this ?
    Thanks a lot for your help !!!!!!
    Regards from Mexico,
    Diego

  • ISG Debug - IP configuration missing for radius proxy session initiation

    Folks,
    We are trying to configure the ISG as a Radius-Proxy for EAP Authentication. I have configured aaa server radius proxy, clients and aaa auth radius-proxy group as per the guide. I have my interface config as follows:
    interface TenGigabitEthernet0/2/0.205
    encapsulation dot1Q 205
    ip vrf forwarding CS
    ip address 10.20.0.1 255.255.224.0
    ip helper-address global 172.X.X.X
    no ip redirects
    no ip proxy-arp
    ip tcp adjust-mss 1420
    service-policy type control DEFAULT_RULES
    ip subscriber l2-connected
      initiator dhcp
      initiator radius-proxy
      arp ignore local
    When I try to connect a wifi client to an AP, I can see that the AP is forwarding the Access-Request to the ISG but the ISG does not forward it to the AAA. In the ISG debug I see the following message:
    RADIUS: IP configuration missing for radius proxy session initiation
    Can anyone help to identify what is missing here please?
    Thank You in advance!

    Kiran,
    Did you follow this guide? It looks like the interface configuration is there, but you didn't include the actual RADIUS configuration. Does it follow the guide here?
    http://www.cisco.com/en/US/docs/ios/isg/configuration/guide/isg_radius_proxy.html#wp1055053
    Thanks,
    Tarik Admani

  • The driver is not configured for integrated authentication

    My code is:
    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.SQLException;
    import java.sql.Statement;
    String connectionUrl = "jdbc:sqlserver://169.254.35.45:1486;" +
        "databaseName=ipec;" + "integratedSecurity=true";
    Connection con = null;
    Statement stmt = null;
    try {
        // Establish the connection to the principal server.
        Class.forName("com.microsoft.sqlserver.jdbc.SQLServerDriver");
        System.out.println("driver loaded");
        con = DriverManager.getConnection(connectionUrl);
        System.out.println("Connected to the principal server.");
    } catch (ClassNotFoundException | SQLException e) {
        e.printStackTrace();
    }
    But this throws an SQLException: "Driver is not configured for integrated authentication."
    I've placed sqljdbc_auth.dll in catalina_root/common/lib, where the driver jar file is placed, but it's still giving the same error.
    Replies are welcome.
    thank you,
    shibhs

    shibhs wrote:
        but this throws an SQL exception that : Driver is not configured for integrated authentication.
        I've placed the sqljdbc_auth.dll in catalina_root/common/lib where the driver jar file is placed....
        but it's still giving the same error...........
    I know this is an old message but I have just had the same problem and it seemed to mean that the driver couldn't find the auth dll. When I put it in the windows\system32 directory, the integrated authentication worked fine.
    Rgrds
    Peter
    Edited by: P_Tootill on Jul 3, 2008 3:26 AM

  • Configuring tomcat for form based authentication-help badly needed

    Hi, I want to have form-based or some other way of authentication for the users coming to my site. I have access only to web.xml, but in the Tomcat documentation it's given that I need to change server.xml and tomcat-user.xml. Can I make these changes in web.xml to implement it, or please tell me a way out of this? I even tried jGuard, but it needs changes in the JVM, which is also not within my access.

    Hi,
    I'm a little confused. You wanted to know how to configure Tomcat for form based authentication, and I sent you an article on how to do that. Is there something more you need from me? You had offered 10 duke dollars for this post, and if there is more I can do I will help for the remaining amount, but I can't help you getting access to the Tomcat *.xml file.

  • Radius server web authentication using ISE

    Hi,
    Can anyone point me in the direction of a guide to implement radius server web authentication using ISE?
    I need this to be layer 3 Web Auth with all authentication requests coming from the wireless anchor controller; therefore I don't think I can implement central web auth on ISE as detailed in the user guide, as it's layer 2 and auth requests come from the foreign controller.
    The following link explains "Radius Server Web Authentication" using ACS.  I need to find something similar for ISE - http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html  
    Thanks,

    Hi,
    Please check these:
    Central Web Authentication on the WLC and ISE Configuration Example
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
    Regards
    Don't forget to rate helpful posts

  • How to configure RADIUS to give IP address to a PPP client

    I need to configure a RADIUS server, ACS if it's supported, to give a pre-defined IP address to a user connecting through PPP.
    The NAS asks RADIUS for authentication, then receives the accept or reject and some parameter that should tell the NAS the IP address the client will be assigned. (I guess it's this way.)
    Does somebody know which parameter this is, and whether it's this easy?
    Thanks

    Yes it also works fine. You may try this also.
    Before configuring the RADIUS NAS-IP-Address Attribute Configurability feature, you must have configured the RADIUS servers or server groups and AAA method lists. To configure the RADIUS NAS-IP-Address Attribute Configurability feature, perform the following steps.
    SUMMARY STEPS
    1. enable
    2. configure terminal
    3. radius-server attribute 4 ip-address
    For further information click this link.
    http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_rad_nas_ip_cfg_ps6350_TSD_Products_Configuration_Guide_Chapter

  • RV220W - Wrong NAS Port-Type using RADIUS for 802.11

    Hi everyone
    I am attempting to configure the RV220W (Firmware 1.0.6.6) for dot1x authentication over a Windows 2008 based RADIUS Server (using Remote Access Services).
    The RADIUS settings on the RV220W are pointing towards that W2008 Server. The SSID has been set up for "WPA2 Enterprise" Security.
    All the authentication attempts arrive at the server, but they fail to get authenticated because the Cisco RV220W is not transmitting a "NAS Port-Type" and therefore, the RADIUS Server will reject the requests.
    This is what the request from the RV220W looks like on the server:
    And this is a request from a similar Zyxel Router:
    How can I enable the Cisco RV220W to send a NAS Port-Type (19, Wireless 802.11)?
    Thank you for your support!
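Added example, not code from any post in this thread: a small Python encoder/decoder for the two RADIUS details the answers above turn on, the Cisco cisco-av-pair VSA carrying shell:roles*"network-admin vdc-admin" for the NX-OS question, and the NAS-Port-Type attribute (type 61, value 19 = Wireless-802.11) whose absence from the RV220W's Access-Request lets a Windows RADIUS wireless policy reject it. Packet layout follows RFC 2865; the sample packets, the zeroed authenticator and the user name EUROPE\alice are constructed here, not captures.

```python
import struct

# RFC 2865 codes and attribute types used below.
CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
ATTR_NAS_PORT_TYPE = 61
NAS_PORT_TYPE_WIRELESS_80211 = 19      # "Wireless - IEEE 802.11"
VENDOR_CISCO = 9                       # Cisco's IANA enterprise number
CISCO_AVPAIR = 1                       # vendor type of cisco-av-pair
DUMMY_AUTHENTICATOR = bytes(16)        # constructed; real requests use a random one


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type / Length / Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping a Cisco cisco-av-pair sub-attribute."""
    payload = text.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, len(payload) + 2) + payload
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def build_packet(code: int, ident: int, attrs: bytes) -> bytes:
    """Code / Identifier / Length / Authenticator / Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + DUMMY_AUTHENTICATOR + attrs


def parse_attrs(data: bytes) -> list:
    """Walk a TLV list, rejecting truncated or zero-length entries."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (length, pos))
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def parse_packet(pkt: bytes) -> tuple:
    """Return (code, identifier, [(type, value), ...]) after header length checks."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("declared length %d does not fit %d bytes" % (length, len(pkt)))
    return code, ident, parse_attrs(pkt[20:length])


def nas_port_type(pkt: bytes):
    """None when the request omits NAS-Port-Type (the RV220W case), else its integer value."""
    _, _, attrs = parse_packet(pkt)
    for attr_type, value in attrs:
        if attr_type == ATTR_NAS_PORT_TYPE:
            if len(value) != 4:
                raise ValueError("NAS-Port-Type must be a 4-byte integer")
            return struct.unpack("!I", value)[0]
    return None


def cisco_roles(pkt: bytes) -> list:
    """Roles named in cisco-av-pair values shaped shell:roles*"a b" or shell:roles="a b"."""
    roles = []
    _, _, attrs = parse_packet(pkt)
    for attr_type, value in attrs:
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_CISCO:
            continue
        for sub_type, sub_value in parse_attrs(value[4:]):
            text = sub_value.decode("ascii", "replace")
            if sub_type == CISCO_AVPAIR and text.startswith("shell:roles"):
                rest = text[len("shell:roles"):]
                if rest[:1] in ("=", "*"):   # '=' mandatory, '*' optional in av-pair syntax
                    roles.extend(rest[1:].strip('"').split())
    return roles


# Constructed sample packets, not captures from the thread.
def sample_request(with_port_type: bool) -> bytes:
    """Access-Request with or without NAS-Port-Type, mirroring the two routers compared above."""
    attrs = encode_attr(ATTR_USER_NAME, b"EUROPE\\alice")
    if with_port_type:
        attrs += encode_attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
    return build_packet(CODE_ACCESS_REQUEST, 7, attrs)


def sample_nxos_accept() -> bytes:
    """Access-Accept carrying the role string the NX-OS answer above asks for."""
    return build_packet(CODE_ACCESS_ACCEPT, 7,
                        encode_cisco_avpair('shell:roles*"network-admin vdc-admin"'))
```

A policy conditioned on NAS-Port-Type = Wireless-802.11 can only match when nas_port_type() returns 19; a None result is the RV220W symptom described above.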

    The RADIUS server in OS X Server is a standard FreeRADIUS implementation with Apple's own custom GUI frontend for configuring it and which only allows adding AirPort base-stations. In Mountain Lion Server it is even limited to a specific configuration for the AirPort base-station.
    However if you follow the normal command-line instructions and steps for configuring FreeRADIUS then it will be possible to add any type of RADIUS client.
    While, as far as I can see, manually configuring the FreeRADIUS server in OS X Server should enable you to do what you want, most people choose to configure Squid to use either a PAM or the LDAP modules for Squid to, in this case, authenticate directly to Open Directory (which is of course based on LDAP).
    I myself have used a PAM in the past with Squid to successfully configure Squid to authenticate users via Open Directory. I was even able to specify an Open Directory group and only allow members of that group access via the Squid Proxy Server. I then went a bit OTT and set up another open-source tool (which was discontinued and I had to fix to get working) to process the Squid logs and store them in MySQL, and then set up FileMaker Pro to connect to the MySQL database via ODBC to allow producing reports.
    Unfortunately the AFP458 website had a major redesign a while ago and many previous technical articles on it are now hard to find. I had used two articles on that site to guide me through setting up Squid and the PAM on a Mac server. I believe the two articles I used are the ones listed below.
    http://afp548.com/2004/09/08/using-os-x-open-directory-to-authenticate-squid-proxy-server/
    http://afp548.com/2004/12/13/squid-server-using-ldap-authentication/

  • Cisco 1113 ACS 4.2 1113 configure auth. for Infoblox appl.

    Hi there,
    I have an issue with Cisco ACS and an Infoblox appliance. We want to authenticate users that log in on the Infoblox via the Cisco ACS. After that the ACS should reply with a passed (RADIUS) authentication and reply with an administrative group name that the user belongs to on the Infoblox. To do this I have to import a VSA to have the option in the ACS to reply with this group name. On the Infoblox these groups are already made and this must match the group that the ACS replies with.
    Now I have imported the VSA and configured an AAA client (Infoblox) to use the new RADIUS (VSA) to support the Infoblox. In the group settings I've turned on the Infoblox-Group_info attribute and filled in a specific group name that the authenticated user belongs to. Now here comes the part where the group info is returned, but the Infoblox appliance gives me a RADIUS error reply message. As I can see in the logs of the ACS, the authentication part of the user is fine. So it has to be in the info that the ACS replies with when the user logs in.
    I've attached the VSA and a *.pcap from Wireshark to see what's going on.
    Can anyone advise or suggest any option that can make this thing work?
    With regards,
    Richard Gosen

    Halijenn,
    Unfortunately the above solution doesn't do the trick. When I delete the imported VSA, via the attached *.csv, the Infoblox attributes still show up when I re-add the Infoblox appliance to a network device group and there choose "Radius (Infoblox)" for the authentication. After deleting the VSA I have restarted the ACS SE. The returned acknowledgment from the ACS still presents a malformed packet. When I uncheck the checkbox of the "RADIUS (Infoblox)" attribute in the group settings, then it shows no malformed packet, but no group information is sent either.
    Again I have imported the original accountsAction.csv and restarted the SE, but it still returns malformed packets.
    Any other possibilities?
    Kind regards,
    Richard Gosen

  • AS2 adapter -- Configuration details for both SND and RCV.

    Hi All,
    I need some details for both the AS2 sender and receiver adapter.
    Sender AS2 adapter:
    1. Use Proxy
          Use Authentication
    Which one do we need to use?
    2. What is this Proxy Realm or Authentication Realm?
    3. Do we need to enable Hostname check & HTTP keep alive? What is the purpose of these settings?
    4. What is this Message Subject? Does its content come from the file name or the file data?
    5. Server certificate and private key authentication? Do we need to get these from the partner system?
    Receiver AS2 adapter:
    1. Here also the same question: when do we need to use Proxy settings and when do we need to use Authentication settings?
    2. Dynamic attributes?
         Use dynamic attributes
         Use non-empty attributes.
    What information do we need to ask the partner system for to get the connection?
    Please reply if anyone worked on these AS2 settings.
    Thank You.
    Regards
    Krupakar.

    hi..
    Sender Adapter..
    1. You can use both Use Proxy and Use Authentication; it depends upon the requirement.
    When you use a proxy you have to give the proxy server name and all parameters. That means the proxy server acts like your actual server. To pass this data through the AS2 adapter you have to specify the following parameters.
    Proxy Server: Your proxy server.
    Proxy Port: The port of the proxy server.
    Proxy User: User for optional authentication.
    Proxy Password: Password for optional authentication.
    Proxy Realm: Realm for optional authentication.
    2. REALM
    A realm is a part of Yanel which has its own configuration and repository. This allows you to run several subsites (which are independent of one another) in a single Yanel instance. For example, each department in your company can have its own realm. This allows one department to use its database as a content repository and another to use the filesystem to provide the content to Yanel.
    So proxy realm means you are authorized to use the proxy server.
    You use Use Authentication for:
    Use Authentication: Used to enable/disable basic authentication.
    User: User for basic authentication.
    Password: Password for basic authentication.
    Realm: Realm for basic authentication.
    3. If you check these options, it is for the following purpose.
    SSL Hostname Check: Validate common name with server name.
    HTTP Timeout: Timeout in seconds for waiting for server response.
    4. Message Subject: This subject will be compared with the subject in the received message. This is used to find the correct channel for the inbound message. Wildcards are allowed. It's the file data.
    5. Your partner will provide you these details.
    Receiver Adapter:
    1. If you use the same on the sender side then you have to verify it again in the receiver system. Then only the communication is established.
    3. You must have the AS2ID and the certificates.
    Thanks
    Manas
    reward points if helpful.

  • Reporting Services through ISA server for All Authenticated Users

    Hello colleagues.
    I have an MS SQL 2012 server with Reporting Services and it works via the link:
    https://reports2.domain.com/reports
    In the LAN all works fine, but I want to publish this resource via ISA for All Authenticated Users.
    When in the publish rule I configure (in Condition) "All users", all works fine, but when I configure "All Authenticated Users" I have trouble on the web form on
    https://reports2.domain.com/reports/Pages/Report.aspx?ItemPat...  - scripts do not work, because they run as "anonymous" (I see it in the ISA logging) and ISA blocks the scripts.
    I can't use "All Users", because it's not secure.
    Has somebody published Reporting Services through ISA server for All Authenticated Users?
    Or maybe: how do I configure Negotiate authentication for scripts on Reporting Services?

    Hi Alexander,
    All users or applications who request access to report server content or operations must be authenticated using the authentication type configured on the report server before access is allowed. The AuthenticationType named RSWindowsNegotiate is supported by Reporting Services. To configure Windows Authentication on the Report Server, please see:
    http://msdn.microsoft.com/en-us/library/cc281253(v=sql.110).aspx
    Besides, we can publish report server via ISA server. Please note that you should use a new web port number with a new listener which shouldn’t be used by other web site for report server. Reference:
    http://social.technet.microsoft.com/Forums/forefront/en-US/1cc68996-1ce6-4d88-a30d-2bfd13fba06e/how-to-publish-ssrs-2008-through-isa-2006?forum=Forefrontedgegeneral
    Hope this helps.
    Thanks,
    Katherine Xiong
    TechNet Community Support

    Katherine, thanks for the answer.
    Report Server service started as Domain account.
    I have in RSReportServer.config this:
    <Authentication>
    <AuthenticationTypes>
    <RSWindowsNegotiate />
    </AuthenticationTypes>
    <RSWindowsExtendedProtectionLevel>Allow</RSWindowsExtendedProtectionLevel>
    <RSWindowsExtendedProtectionScenario>Proxy</RSWindowsExtendedProtectionScenario>
    <EnableAuthPersistence>true</EnableAuthPersistence>
    </Authentication>
    In web.config I have this:
    <authentication mode="Windows" />
    <identity impersonate="true" />
    I can go (from the Internet through ISA) to
    https://reports2.domain.com/reports  and the LogOn authentication works, but scripts do not work, because they run as "anonymous" (I see this in the ISA logging) and ISA blocks the scripts.
    Do you know where in Reporting Services to configure scripts to run with Negotiate authentication?

  • Any document explaining Risks involved in assigning "Delegation Permission" to a computer for Kerberos Authentication

    Need SSO on CRM 2013. As per the documents, assigning Delegation Permission in Kerberos Authentication is mandatory to achieve SSO in CRM 2013.
    Before doing that I need to evaluate the risks in doing so. Any help or document on the same is helpful.
    Devesh

    Hi Devesh,
    “The idea of delegation in Kerberos is that if a user makes a request to a final resource, and some
    intermediary accounts must process the request, then those intermediary accounts can be trusted to delegate on the user’s behalf. You can configure an account for delegation by using Active Directory Users and Computers as a domain administrator.
    Select Trust this user/computer for delegation to any service (Kerberos) under the Delegation tab of the user or computer account.”
    Quoted from this article below:
    Using Kerberos for SharePoint Authentication
    http://technet.microsoft.com/en-us/magazine/ee914605.aspx
    From my point of view, as long as the intermediary account can be trusted, then it is safe.
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Radius 802.1x authentication with computer AND users.

    Hi !
    I don't know if what I'm trying to do is possible, so please excuse me if this sounds silly :)
    I have a Cisco Wireless LAN manager where I've configured 2 different SSIDs: COMPANY and COMPANY_mobiles.
    What I want is to create a policy to restrict access to the COMPANY SSID to only my company laptops with authenticated users (both groups exist in the AD).
    Therefore I created a new policy with the following conditions:
    - NAS Port Type : Wireless
    - Client IPv4 Address : <my cisco ip>
    - Called Station ID : ^AA:BB:CC:DD:EE:FF:COMPANY$
    - Users Groups : EUROPE\MY_USER_GROUP
    - Machine Groups : EUROPE\Domain Computers
    When trying to connect a notebook on Windows 7 to that COMPANY SSID, I'm being rejected with the following error:
    User:
        Security ID:            EUROPE\HOSTNAME$
        Account Name:            host/HOSTNAME.my.server.com
        Account Domain:            EUROPE
        Fully Qualified Account Name:    EUROPE\HOSTNAME$
    Authentication Details:
        Connection Request Policy Name:    Secure Wireless Connections
        Network Policy Name:        Connections to other access servers
        Authentication Provider:        Windows
        Authentication Server:       My.radius.server.com
        Authentication Type:        EAP
        EAP Type:            -
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            65
        Reason:                The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network
    Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
    It therefore seems that it doesn't match my network policy and falls back to the default one.
    If I remove the user rule and leave the computer rule: Connection OK
    If I remove the computer rule and leave the user rule: Connection OK
    But if I put both, I can't connect :s
    Can someone help me with this issue ?
    Thanks a lot !
    Geoffrey

    Hi Geoffrey,
    I would like to know if EAP-TLS wireless authentication has been used, since it uses user and computer certificates to authenticate wireless access clients.
    Please try to use the NPS wizard to configure the 802.1x wireless connection, and you will find that it creates a new connection request policy and network policy. The network policy NAS Port type will be "Wireless -Other OR Wireless -IEEE 802.11". If you need to filter by user and computer account, the log should show both the authenticated user and the machine account name.
    EAP-TLS-based Authenticated Wireless Access Design
    http://technet.microsoft.com/en-us/library/dd348478(WS.10).aspx
    Regards, Rick Tan
