Configuring Radius for PC Authentication
Hello. Has anyone configured RADIUS for PC authentication? It would be great if I could do both User and PC authentication but I've read that only one can be used. That being said, every time I add "Domain Computers" to the RADIUS settings I cannot connect to the wi-fi. "Domain Users" however....works with no problems. I'd appreciate the help!!
Finally resolved this and figured I'd share my results. For starters in NPS on your RADIUS server, you'll want to use "Machine Groups" and tie that to "Domain Computers" which is the default AD group for all PC objects when added to your domain.
On your GPO for the wireless, you would hit edit > advanced > and select "computer authentication". This works well as it also keeps mobile devices off the network.
Similar Messages
-
Cisco Nexus 5K + Microsoft Radius for Admin Authentication
Hi,
I have cisco 3750 switches configured to use MS radius for administrator authentication. However, now I would like to add our cisco nexus switches to MS radius as well so that administrators are authenticated against the Microsoft radius for admin authentication.
I tried it earlier but it won't accept 3750 commands. Can you please help me with a configuration example that I can follow?
the commands I have used on 3750 are as follows:
aaa new-model
aaa authentication login vtylogin group radius local
aaa authentication login conlogin group radius local
aaa authentication enable default group radius enable
aaa authorization console
aaa authorization exec vtylogin group radius local
aaa authorization exec conlogin group radius local
radius-server host x.x.x.x key SECRETE
line con 0
 exec-timeout 5 0
 authorization exec conlogin
 logging synchronous
 login authentication conlogin
line vty 0 4
 exec-timeout 0 0
 authorization exec vtylogin
 login authentication vtylogin
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 authorization exec vtylogin
 login authentication vtylogin
 transport input ssh
I have never done this before with ACS but not with NPS. However, you are in the right path. Nexus uses NX-OS which is different in some regards to regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your Radius server:
Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles*"network-admin vdc-admin"
For more information take a look at this link:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
Hope this helps
Thank you for rating helpful posts! -
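How the cisco-av-pair value from the reply above is carried in an Access-Accept, as an added example (not code from the original posts): it encodes the string as a RADIUS Vendor-Specific attribute (type 26, Cisco vendor id 9, sub-attribute 1), parses it back with length checks, and extracts the NX-OS roles. The function names and the sample attribute block are constructed for illustration.

```python
import re
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 attribute type for vendor-specific data
CISCO_VENDOR_ID = 9    # IANA enterprise number assigned to Cisco
CISCO_AVPAIR = 1       # Cisco sub-attribute 1 carries "cisco-av-pair" strings


def encode_cisco_avpair(value):
    """Wrap one AV-pair string in a RADIUS Vendor-Specific attribute."""
    data = value.encode("ascii")
    # 2 (attribute header) + 4 (vendor id) + 2 (sub-attribute header) + data
    if len(data) + 8 > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    sub = bytes([CISCO_AVPAIR, len(data) + 2]) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


def _walk_tlvs(buf, what):
    """Split type/length/value records; the length octet includes the header."""
    out, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError(f"truncated {what} header at offset {i}")
        tlv_type, tlv_len = buf[i], buf[i + 1]
        if tlv_len < 2 or i + tlv_len > len(buf):
            raise ValueError(f"bad {what} length {tlv_len} at offset {i}")
        out.append((tlv_type, buf[i + 2:i + tlv_len]))
        i += tlv_len
    return out


def cisco_avpairs(attributes):
    """Return every cisco-av-pair string found in a block of RADIUS attributes."""
    pairs = []
    for attr_type, value in _walk_tlvs(attributes, "attribute"):
        if attr_type != VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise ValueError("Vendor-Specific attribute without a vendor id")
        (vendor,) = struct.unpack("!I", value[:4])
        if vendor != CISCO_VENDOR_ID:
            continue
        for sub_type, data in _walk_tlvs(value[4:], "Cisco sub-attribute"):
            if sub_type == CISCO_AVPAIR:
                pairs.append(data.decode("ascii"))
    return pairs


_ROLES = re.compile(r'^shell:roles([=*])"?([^"]*)"?$')


def nxos_roles(avpair):
    """Return (roles, mandatory) for a shell:roles AV pair, else None.

    In Cisco AV-pair syntax '=' marks the pair mandatory and '*' optional.
    The '*' form used in the reply lets devices that do not understand
    shell:roles (for example IOS switches served by the same RADIUS policy)
    ignore it instead of rejecting the login.
    """
    m = _ROLES.match(avpair)
    if not m:
        return None
    return m.group(2).split(), m.group(1) == "="


# Constructed sample: attribute block of an Access-Accept carrying
# Service-Type = Administrative (type 6, value 6) plus the AV pair from the post.
AVPAIR = 'shell:roles*"network-admin vdc-admin"'
SAMPLE_ATTRS = bytes([6, 6]) + struct.pack("!I", 6) + encode_cisco_avpair(AVPAIR)

if __name__ == "__main__":
    for pair in cisco_avpairs(SAMPLE_ATTRS):
        print(pair, "->", nxos_roles(pair))
```

Comparing the bytes of a captured Access-Accept against this layout is a quick way to tell a wrong role string from an attribute the server encoded with a bad length.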
Configure SSO for ITS to R/3 using SNC/Kerberos
Our R/3 systems had been configured for SSO using SNC and Kerberos for awhile now. We now have a requirement to configure SSO between ITS and R/3. Since our R/3 env. has been using kerberos library, we won't be able to use SAP Cryptographic library. I had modified the registry, environment and services in itsadmin to point to the kerberos library and principal names for agate and r/3 servers as described in SNC User Guide; also, I updated table SNCSYSACL with the Agate SNC name. That seems to work fine. From the trace file, it recognized GSS-API library for Kerberos and the SNC name for Agate. However, when I tried to logon to R/3 from ITS, I still am being prompted with the logon screen to enter my SAP account/password.
I found several whitepapers and documentations stating that ITS does support Kerberos for SSO but I couldn't find any procedure on how to implement it. Following is the error I'm getting from the sapbasis.trc file but I can't find any document on this error:
=====================================================
[Thr 5284] SncInit(): Initializing Secure Network Communication (SNC)
[Thr 5284] PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/32/32)
[Thr 5284] SncInit(): Trying environment variable SNC_LIB as a
gssapi library name: "C:\WINNT\system32\gsskrb5.dll".
[Thr 5284] File "C:\WINNT\system32\gsskrb5.dll" dynamically loaded as GSS-API v2 library.
[Thr 5284] The internal Adapter for the loaded GSS-API mechanism identifies as:
Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
[Thr 2888] Sun Jan 15 22:44:59 2006
[Thr 2888] <<- ERROR: SncSetParam()==SNCERR_PARAM_DENIED
[Thr 2888] *** WARNING => NO Domain! domain==NULL means: No domain at all within the cookie. [sapss1_loctr 333]
[Thr 2888] Sun Jan 15 22:45:29 2006
[Thr 2888] *** WARNING => NO Domain! domain==NULL means: No domain at all within the cookie. [sapss1_loctr 333]
=====================================================
Does anyone know what am I missing? Any help is greatly appreciated.
Thank you!
Diem
Hi Markus,
I also just installed/configured PAS for LDAP authentication using the "PAS for External Authentication Mechanisms" documentation. I think the domain problem probably due to not having the external authentication mechanism install (in this case - PAS). Does that sound right to you?
I tried both options for ~extid_type parameter = "LD" and "UN". I added the DN information to table USREXTID when ~extid_type="LD" but both options gave me error of "LDAP authentication failed". I increased the trace level for sapextaut.trc but I don't see enough detail information. Following are the errors/data from the trace file. Can you please let me know how I can tell what string is being passed for authentication?
I'm quite sure the LDAP host and port data is correct since we've been using the same information for the SAP LDAP connector and we've been using our LDAP connector between MS AD and R/3 for a long time without any problem.
To logon to R/3 through ITS, I entered the AD account (CN attribute in AD) when I got the errors.
Thank you very much for all your help.
Diem Tran
Trace:
=====================================================
2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth, 437]: W sapextauth: PAS session begins...
2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth, 456]: sapextauth: SncNameR3 is: "p:na1adm/[email protected]"
2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth, 462]: sapextauth: SncNameAGate is: "p:[email protected]"
2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth, 468]: sapextauth: SNC_LIB is: "C:\WINNT\system32\gsskrb5.dll"
2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth, 568]: sapextauth: XGatConnectSession leaving....
2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth, 616]: sapextauth: XGatHandleLogin called....
2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth, 976]: sapextauth: Entering XGatHandleLogin with LDAP...
2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth, 993]: W Either ~login or ~password missing, returning XGDKRCloginrequired.
2006-01-18T01:39:50.281 p001688 t4992 s00000000 [sapextauth, 398]: sapextauth: XGatEventOpenSession called...
2006-01-18T01:39:50.281 p001688 t4992 s0158B4E8 [sapextauth, 616]: sapextauth: XGatHandleLogin called....
2006-01-18T01:39:50.281 p001688 t4992 s0158B4E8 [sapextauth, 976]: sapextauth: Entering XGatHandleLogin with LDAP...
2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1059]: sapextauth: LDAP port ist 389
2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1261]: E sapextauth: LDAP authentication failed.
2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1277]: E sapextauth: Wrong try for user Tran_Diem
2006-01-18T01:39:59.140 p001688 t4992 s00000000 [sapextauth, 398]: sapextauth: XGatEventOpenSession called...
2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 616]: sapextauth: XGatHandleLogin called....
2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 976]: sapextauth: Entering XGatHandleLogin with LDAP...
2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1059]: sapextauth: LDAP port ist 389
2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1261]: E sapextauth: LDAP authentication failed.
2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1277]: E sapextauth: Wrong try for user Tran_Diem
======================================================= -
IIsProxy version for windows authentication
We are in the process of installing windows authentication to our EP 6.0 portal. We are running on SP 11 J2EE with portal SP 11 patch 3.
The first question I have in document Using Header variables or Integrated Windows Authentication section Installing the IIsProxy module says for security reasons we need to install version 1.7.0.0. Was this version released, we cannot find it on the service market place?
My second question, when we use version IISPROXY16_2-10001433.SAR the authentication mechanism works fine to the portal but I cannot navigate within the portal, it looks like the screen get stuck on the first Iview no matter what role you choose. When we use version IISPROXY15_0-10001969.SAR things work fine. I increased the trace while using IISProxy 16.2 but there were no errors in the logs. We would like to be on the latest version. Any idea what might be the problem?
Thanks for your help,
Mike Fasheh
Hi folks !
I have made this configuration a couple of times without problems (other iisproxy version), but for some reason this time is not working and I'm totally desperate =(
Scenario:
- 1st server, win 2003, iis 6.0: Iisproxy 1.6.2 installed, it forwards the requests correctly
- 2nd server, ibm with aix, sap ep 6.0 sp12. Configurations made for NT authentication.
The problem:
For some reason the virtual directories defined in IisProxy.xml file are not taking the IIS Security Settings (Integrated Windows Authenticated). The iisproxy is just forwarding the request, but the IIS is not making the NT authentication.
If I change the name of the virtual directory in the IisProxy.xml file (put any name). In this case, IIS applies the security settings correctly.
Any clue about this ?
Thanks a lot for your help !!!!!!
Regards from Mexico,
Diego -
ISG Debug - IP configuration missing for radius proxy session initiation
Folks,
We are trying to configure the ISG as a Radius-Proxy for EAP Authentication. I have configured aaa server radius proxy, clients and aaa auth radius-proxy group as per the guide. I have my interface config as follows:
interface TenGigabitEthernet0/2/0.205
 encapsulation dot1Q 205
 ip vrf forwarding CS
 ip address 10.20.0.1 255.255.224.0
 ip helper-address global 172.X.X.X
 no ip redirects
 no ip proxy-arp
 ip tcp adjust-mss 1420
 service-policy type control DEFAULT_RULES
 ip subscriber l2-connected
  initiator dhcp
  initiator radius-proxy
  arp ignore local
When I try to connect a wifi client to an AP, I can see that the AP is forwarding the Access-Request to the ISG but the ISG does not forward it to the AAA. In the ISG debug I see the following message:
RADIUS: IP configuration missing for radius proxy session initiation
Can any one help to identify what is missing here pls?
Thank You in advance!
Kiran,
Did you follow this guide? It looks like the interface configuration is there but you didn't include the actual radius configuration. Does it follow the guide here -
http://www.cisco.com/en/US/docs/ios/isg/configuration/guide/isg_radius_proxy.html#wp1055053
Thanks,
Tarik Admani -
The driver is not configured for integrated authentication
my code is :
// requires: import java.sql.*;
String connectionUrl = "jdbc:sqlserver://169.254.35.45:1486;" +
        "databaseName=ipec;" + "integratedSecurity=true";
Connection con = null;
Statement stmt = null;
try {
    // Establish the connection to the principal server.
    Class.forName("com.microsoft.sqlserver.jdbc.SQLServerDriver");
    System.out.println("driver loaded");
    con = DriverManager.getConnection(connectionUrl);
    System.out.println("Connected to the principal server.");
} catch (ClassNotFoundException | SQLException e) {
    // Report driver-loading and connection failures.
    e.printStackTrace();
}
but this throws an SQL exception that : Driver is not configured for integrated authentication.
I've placed the sqljdbc_auth.dll in
catalina_root/common/lib where the driver jar file is placed....
but its still givin the same error............
replies are welcomed.............
thank you,
shibhs
shibhs wrote:
but this throws an SQL exception that : Driver is not configured for integrated authentication.
I've placed the sqljdbc_auth.dll in
catalina_root/common/lib where the driver jar file is placed....
but its still givin the same error...........
I know this is an old message but I have just had the same problem and it seemed to mean that the driver couldn't find the auth dll. When I put in the windows\system32 directory, the integrated authentication worked fine.
Rgrds
Peter
Edited by: P_Tootill on Jul 3, 2008 3:26 AM -
Configuring tomcat for form based authentication-help badly needed
hi, i want to have form based or some other way of authentication for the users coming to my site, i have access only to web.xml, but in tomcat documentations it's given I need to change server.xml and tomcat-user.xml, can i make these changes on web.xml to implement it or please tell me way out of this please, i tried even jguard but it needs changes in jvm which also not into my access
Hi,
I'm a little confused. You wanted to know how to configure Tomcat for form based authentication, and I sent you an article on how to do that. Is there something more you need from me? You had offered 10 duke dollars for this post, and if there is more I can do I will help for the remaining amount, but I can't help you getting access to the Tomcat *.xml file. -
Radius server web authentication using ISE
Hi,
Can anyone point me in the direction of a guide to implement radius server web authentication using ISE?
I need this to be layer 3 Web Auth with all authentication requests coming from the wireless anchor controller, therefore don't think I can implement central web auth on ISE as detailed in the user guide as its layer 2 and auth requests come from the foreign controller.
The following link explains "Radius Server Web Authentication" using ACS. I need to find something similar for ISE - http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html
Thanks,
Hi,
Please check these:
Central Web Authentication on the WLC and ISE Configuration Example
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
Regards
Don't forget to rate helpful posts -
How to configure RADIUS to give IP address to a PPP client
I need to configure a RADIUS server, ACS if it's suported, to give a pre-defined IP address to a user connecting through PPP.
The NAS asks RADIUS for authentication then receives the accept or reject and some parameter that should tell the NAS the IP address the client will be assigned. (I guess it's this way)
Somebody knows which is this parameter and if it's this easy?
Thanks
Yes it also works fine. You may try this also.
Before configuring the RADIUS NAS-IP-Address Attribute Configurability feature, you must have configured the RADIUS servers or server groups and AAA method lists. To configure the RADIUS NAS-IP-Address Attribute Configurability feature, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server attribute 4 ip-address
For further information click this link.
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_rad_nas_ip_cfg_ps6350_TSD_Products_Configuration_Guide_Chapter -
RV220W - Wrong NAS Port-Type using RADIUS for 802.11
Hi everyone
I am attempting to configure the RV220W (Firmware 1.0.6.6) for dot1x authentication over a Windows 2008 based RADIUS Server (using Remote Access Services).
The RADIUS settings on the RV220W are pointing towards that W2008 Server. The SSID has been set up for "WPA2 Enterprise" Security.
All the authentication attempts arrive at the server, but they fail to get authenticated because the Cisco RV220W is not transmitting a "NAS Port-Type" and therefore, the RADIUS Server will reject the requests.
This is what the request from the RV220W looks like on the server:
And this is a request from a similar Zyxel Router:
How can I enable the Cisco RV220W to send a NAS Port-Type (19, Wireless 802.11)?
Thank you for your support!
The RADIUS server in OS X Server is a standard FreeRADIUS implementation with Apple's own custom GUI frontend for configuring it and which only allows adding AirPort base-stations. In Mountain Lion Server it is even limited to a specific configuration for the AirPort base-station.
However if you follow the normal command-line instructions and steps for configuring FreeRADIUS then it will be possible to add any type of RADIUS client.
While as far as I can see by manually configuring the FreeRADIUS server in OS X Server should enable you to do what you want, most people chose to configure Squid to use either a PAM or the LDAP modules for Squid to in this case authenticate directly to Open Directory (which is of course based on LDAP).
I myself have used a PAM in the past with Squid to successfully configure Squid to authenticate users via Open Directory. I was even able to specify an Open Directory group and only allow members of that group access via the Squid Proxy Server. I then went a bit OTT and set up another open-source tool (which was discontinued and I had to fix to get working) to process the Squid logs and store them in MySQL, and then setup FileMaker Pro to connect to the MySQL database via ODBC to allow producing reports.
Unfortunately the AFP548 website had a major redesign a while ago and many previous technical articles on it are now hard to find. I had used two articles on that site to guide me through setting up Squid and the PAM on a Mac server. I believe the two articles I used are the ones listed below.
http://afp548.com/2004/09/08/using-os-x-open-directory-to-authenticate-squid-proxy-server/
http://afp548.com/2004/12/13/squid-server-using-ldap-authentication/ -
Cisco 1113 ACS 4.2 1113 configure auth. for Infoblox appl.
Hi there,
I have an issue with Cisco ACS and an Infoblox appliance. We want to authenticate users, that login on the Infoblox, via the Cisco ACS. After that the ACS should reply with a passed (RADIUS) authentication and reply with an administrative groupname that the user belongs on the Infoblox. To do this I have to import a VSA to have the option in the ACS to reply with this groupname. On the Infoblox these groups are already made and this must match the group that the ACS replies.
Now I have imported the VSA and configured an AAA client (infoblox) to use the new RADIUS (VSA) to support the Infoblox. In the groupsetting I've turned on the Infoblox-Group_info attribute and filled in a specific groupname that the authenticated user belongs to. Now here comes the part where the group info is returned, but the Infoblox Appliance gives me a RADIUS error reply message. As I can see in the logs of the ACS the authentication part of the user is fine. So it has to be between the info that the ACS replies with, when the user logs in.
I've attached the VSA and a *.pcap of wireshark to see what's going on.
Can anyone advise or suggest any option that can make this thing work.
With regards,
Richard Gosen
Halijenn,
Unfortunately the above solution doesn't do the trick. When I delete the imported VSA, via the attached *.csv, the Infoblox attributes still shows up when I re-add the Infoblox appliance to a network device group and there choose "Radius (Infoblox)" for the authentication. After deleting the VSA I have restarted the ACS SE. The returned acknowledgment from the ACS still presents a malformed packet. When I uncheck the checkbox of the "RADIUS (Infoblox)" attribute in the group settings, then it shows no malformed packet, but no group information is sent either.
Again I have imported the original accountsAction.csv and restarted the SE, but it still returns malformed packets.
Any other possibilities?
Kind regards,
Richard Gosen -
AS2 adpater-- Configuration details for both SND and RCV.
Hi All,
I need some details for both AS2 sender and receiver adapter.
Sender AS2 adapter :
1. Use Proxy
Use Authentication
Which one we need to use?
2. what is this Proxy Realm or Authentication Realm??
3. Whether we need to enable Hostname check & HTTP keep alive? what is the purpose of these settings?
4. what is this Message subject ?? the content of this comes from the file name or file data?
5. Server certificate and private key authentication?? do we need to get these from partner system??
Receiver AS2 adapter :
1. Here also the same question when we need to use Proxy settings and when we need to use Authentication settings.
2. Dynamic attributes??
Use dynamic attributes
Use non-empty attributes.
What are the information we need to ask partner system to get the connection??
Please reply if anyone worked on these AS2 settings.
Thank You.
Regards
Krupakar.
hi..
Sender Adapter..
1. You can use both use proxy and use authentication. Depends upon the requirement.
When you use proxy you have to give proxy server name and all parameters. That means proxy server acts like your actual server. To pass this data through the AS2 adapter you have to specify the following parameters.
Proxy Server : Your proxy server.
Proxy Port :The port of the proxy server.
Proxy User: User for optional authentication.
Proxy Password: Password for optional authentication.
Proxy Realm: Realm for optional authentication.
2. REALM
A realm is a part of Yanel which has its own configuration and repository. This allows you to run several subsites (which are independent of one another) in a single Yanel instance. For example, each department in your company can have its own realm. This allows one department to use its database as a content repository and another to use the filesystem to provide the content to Yanel
So proxy realm means u r authorized to use the proxy server
You use Use Authentication for -
>Used to enable/disable basic authentication.
Use Authentication Used to enable/disable basic authentication.
User: User for basic authentication.
Password: Password for basic authentication.
Realm: Realm for basic authentication.
3. if u check these options for the following purpose.
SSL Hostname Check: Validate common name with server name.
HTTP Timeout: Timeout in seconds for waiting for server response.
4. Message Subject: This subject will be compared with the subject in the received message. This is used to find the correct channel for the inbound message. Wildcards are allowed. Its the file data.
5. Your partner will provide u these details.
Receiver Adapter:
1.If u use the same in sender side then u hv to verify it again in the receiver system. Then only the communication is established.
3.u must have the AS2ID and the certificates.
THAnks
MAnas
reward points if helpful. -
Reporting Services through ISA server for All Authenticated Users
Hello colleagues.
I have MS SQL 2012 server with Reporting Services and it work via link:
https://reports2.domain.com/reports
In LAN all work fine, but I want publish this resource via ISA for All Authenticated Users.
When in publish rule I configure (in Condition) "All users" - all work fine, but when I configure "All Authenticated Users" - I have trouble on web form on
https://reports2.domain.com/reports/Pages/Report.aspx?ItemPat... - scripts not work, because it run how "anonymous" (I see on ISA logging) and ISA block scripts.
I can't use "All Users", because it's not secure.
Maybe somebody publish Reporting Services through ISA server for All Authenticated Users?
OR maybe - how on Reporting Services configure Negotiate authenticated for scripts?
Hi Alexander,
All users or applications who request access to report server content or operations must be authenticated using the authentication type configured on the report server before access is allowed. The AuthenticationType named RSWindowsNegotiate is supported by Reporting Services. To configure Windows Authentication on the Report Server, please see:
http://msdn.microsoft.com/en-us/library/cc281253(v=sql.110).aspx
Besides, we can publish report server via ISA server. Please note that you should use a new web port number with a new listener which shouldn’t be used by other web site for report server. Reference:
http://social.technet.microsoft.com/Forums/forefront/en-US/1cc68996-1ce6-4d88-a30d-2bfd13fba06e/how-to-publish-ssrs-2008-through-isa-2006?forum=Forefrontedgegeneral
Hope this helps.
Thanks,
Katherine Xiong
TechNet Community Support
Katherine thanks for answer.
Report Server service started as Domain account.
I have in RSReportServer.config this:
<Authentication>
<AuthenticationTypes>
<RSWindowsNegotiate />
</AuthenticationTypes>
<RSWindowsExtendedProtectionLevel>Allow</RSWindowsExtendedProtectionLevel>
<RSWindowsExtendedProtectionScenario>Proxy</RSWindowsExtendedProtectionScenario>
<EnableAuthPersistence>true</EnableAuthPersistence>
</Authentication>
In web.config I have this:
<authentication mode="Windows" />
<identity impersonate="true" />
I can go (from Internet through ISA) to
https://reports2.domain.com/reports and LogOn Authentication is work, but scripts not work, because it run how "anonymous" (I see this on ISA logging) and ISA block scripts.
Do you know where in Reporting Services configure run scripts with Negotiate authentication? -
Need SSO on CRM 2013. As per documents assigning Delegation Permission in Kerberos Authentication is mandatory to achieve SSO in CRM 2013.
Before doing that need to evaluate risks in doing so. Any help or document for the same is helpful.
Devesh
Hi Devesh,
“The idea of delegation in Kerberos is that if a user makes a request to a final resource, and some intermediary accounts must process the request, then those intermediary accounts can be trusted to delegate on the user’s behalf. You can configure an account for delegation by using Active Directory Users and Computers as a domain administrator.
Select Trust this user/computer for delegation to any service (Kerberos) under the Delegation tab of the user or computer account.”
Quoted from this article below:
Using Kerberos for SharePoint Authentication
http://technet.microsoft.com/en-us/magazine/ee914605.aspx
From my point of view, as long as the intermediary account can be trusted, then it is safe.
Best Regards,
Amy
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
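For the risk evaluation asked about in this thread, an added example (not part of the original posts) that classifies accounts by delegation type from their userAccountControl bits and flags the "delegation to any service" setting quoted above on anything that is not a domain controller. The account names, the sample export and the `audit` and `delegation_type` helpers are constructed; the bit values are Microsoft's documented userAccountControl flags.

```python
# userAccountControl bits as documented by Microsoft
UAC_ACCOUNTDISABLE = 0x00000002
UAC_NORMAL_ACCOUNT = 0x00000200
UAC_WORKSTATION_TRUST = 0x00001000
UAC_SERVER_TRUST = 0x00002000                    # domain controller
UAC_TRUSTED_FOR_DELEGATION = 0x00080000          # delegation to any service
UAC_NOT_DELEGATED = 0x00100000                   # "sensitive, cannot be delegated"
UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # protocol transition


def delegation_type(acct):
    """Classify one account record exported from the directory."""
    uac = acct["userAccountControl"]
    if uac & UAC_TRUSTED_FOR_DELEGATION:
        # The account receives the forwarded TGT of each user who
        # authenticates to it and can act as that user toward any service.
        return "unconstrained"
    if acct.get("msDS-AllowedToDelegateTo"):
        if uac & UAC_TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-any-protocol"
        return "constrained-kerberos-only"
    return "none"


def audit(accounts, privileged):
    """Return (account, issue) pairs worth reviewing before enabling SSO."""
    findings = []
    for acct in accounts:
        name, uac = acct["sAMAccountName"], acct["userAccountControl"]
        if uac & UAC_ACCOUNTDISABLE:
            continue  # disabled accounts cannot be used for delegation
        is_dc = bool(uac & UAC_SERVER_TRUST)
        if delegation_type(acct) == "unconstrained" and not is_dc:
            findings.append((name, "unconstrained-delegation"))
        if name in privileged and not (uac & UAC_NOT_DELEGATED):
            findings.append((name, "privileged-account-delegable"))
    return findings


# Constructed sample export (names and SPN are placeholders).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC01$",
     "userAccountControl": UAC_SERVER_TRUST | UAC_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "svc-crm",
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "CRMWEB01$",
     "userAccountControl": UAC_WORKSTATION_TRUST,
     "msDS-AllowedToDelegateTo": ["HTTP/crm.example.test"]},
    {"sAMAccountName": "adm-jdoe", "userAccountControl": UAC_NORMAL_ACCOUNT},
    {"sAMAccountName": "adm-asmith",
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_NOT_DELEGATED},
    {"sAMAccountName": "old-svc",
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_TRUSTED_FOR_DELEGATION
     | UAC_ACCOUNTDISABLE},
]

if __name__ == "__main__":
    for name, issue in audit(SAMPLE_ACCOUNTS, {"adm-jdoe", "adm-asmith"}):
        print(f"{name}: {issue}")
```

Constrained delegation limited to the CRM service's own SPNs, together with the "sensitive" flag on administrative accounts, narrows what a compromised intermediary account can reach.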
Radius 802.1x authentication with computer AND users.
Hi !
I don't know if what I trying to do is possible so please excuse me if this sounds silly :)
I have a Cisco Wireless lan manager where I've configured 2 different SSID's : COMPANY and COMPANY_mobiles.
What I want is to create a policy to restrict the access to the COMPANY SSID to only my company laptops with authenticated users (both groups exists in the AD).
Therefore I created a new policy with the following conditons :
- NAS Port Type : Wireless
- Client IPv4 Address : <my cisco ip>
- Called Station ID : ^AA:BB:CC:DD:EE:FF:COMPANY$
- Users Groups : EUROPE\MY_USER_GROUP
- Machine Groups : EUROPE\Domain Computers
When trying to connect a notebook on windows 7 to that COMPANY ssid, I'm being rejected with the following error :
User:
Security ID: EUROPE\HOSTNAME$
Account Name: host/HOSTNAME.my.server.com
Account Domain: EUROPE
Fully Qualified Account Name: EUROPE\HOSTNAME$
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: Connections to other access servers
Authentication Provider: Windows
Authentication Server: My.radius.server.com
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 65
Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network
Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
It therefore seems that it doesn't match my network policy and falls back to the default one.
If I remove the user rule, and let the computer rule : Connection OK
If I remove the computer rule, and let the user rule : Connection OK
but if I put both, i can't connect :s
Can someone help me with this issue ?
Thanks a lot !
Geoffrey
Hi Geoffrey,
I would like to know if EAP-TLS wireless authentication has been used since it uses user and computer certificates to authenticate wireless access clients.
Please try to use NPS wizard to configure 802.1x wireless connection, and you will find that it creates new connection request policy and network policy. Network policy NAS Port type will be "Wireless -Other OR Wireless -IEEE 802.11". If you need filter by user and computer account, the log should show both authenticate user and machine account name.
EAP-TLS-based Authenticated Wireless Access Design
http://technet.microsoft.com/en-us/library/dd348478(WS.10).aspx
Regards, Rick Tan