Network Policy Server windows 7 non domain wireless clients could not connect (Event id 6273 reason code 265)

Hi,
We have successfully configured Network Policy Server on Windows Server 2012 and all wireless clients could connect to our network except Windows 7 and XP non-domain clients. The clients that are successfully authenticated include Windows 8 and mobile users (Android + iOS), domain as well as non-domain clients. If we join a Windows 7 PC to the domain it successfully connects, but non-domain clients could not connect. We have a large number of Windows 7 users that have their own laptop machines and we don't want each laptop to join the domain.
On the server, event 6273 is generated with reason code 265 "The certificate chain was issued by an authority that is not trusted". Please help with how to resolve this issue. I have searched on the internet but found no proper solution.

Hi,
According to the error message, it seems that you used certificate-based authentication methods and the non-domain computers have no Trusted Root Certificate for the CA that enrolled the certificate for the NPS.
For more detailed information, please refer to the links below:
Certificates and NPS
Manage Trusted Root Certificates
Best regards,
Susie

Similar Messages

  • Server 2008 TS - some client could not connect to the server

    Hi guys,
    I have a Server 2008 x64 Terminal Server with license server (some machine) and installed device CALs.
    I can connect with Windows 7 client to Terminal Server by RDP (TS assign device CAL to every connected machine automatically) without problem, but I get this error message if I try connection with Motorola (Symbol) MC8080 mobile scanners:
    "Because of a security error, the client could not connect to the remote computer.
    Verify that you are logged on the network, and then try connecting again."
    I tried different settings by KB2477176 and activate/deactivate server, but it didn't solve the problem.
    http://support.microsoft.com/kb/2477176/hu
    (These scanners can connect to another Terminal Server.)
    Is it client or server-side issue?
    Do you have another idea?
    Regards,
    Gabor

    Hi,
    Thank you for posting in Windows Server Forum.
    Please cross-check again whether you have a properly configured certificate attached to the server, because the error which you are facing is generally due to a corrupted certificate on the server side. As you have already tried, I again want you to back up the registry setting and then remove the X509 certificate registry key under the path mentioned below, restart the computer and reactivate the RD Licensing Server.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM
    You can also refer to the article below for additional information.
    How to resolve the issue “Remote Desktop Disconnected” or “Unable to Connect to Remote Desktop (Terminal Server)”
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • SFTP receiver error: putFile: Could not connect to remote host; Reason: Unable to open Sftp client. SshReasonCode: CHANNEL_FAILURE

    Hi,
    When we try to send file over seeburger SFTP (receiver) we are getting the error as below.
    Message processing failed. Cause: javax.resource.ResourceException: Fatal exception: javax.resource.ResourceException: >> Description: SFTP transaction error occured.>> Details: putFile: Could not connect to remote host; Reason: Unable to open Sftp client. SshReasonCode: CHANNEL_FAILURE>>SendingStatus: NOT_TRANSMITTED>>FaultCategory: COMMUNICATION_ERROR>>Retryable: true>>Fatal: true, >> Description: SFTP transaction error occured.>> Details: putFile: Could not connect to remote host; Reason: Unable to open Sftp client. SshReasonCode: CHANNEL_FAILURE>>SendingStatus: NOT_TRANSMITTED>>FaultCategory: COMMUNICATION_ERROR>>Retryable: true>>Fatal: true
    But we are able to connect through FileZilla. We are able to create and delete files using the same username and password that are being used in the SFTP adapter.
    We have imported both the DSA and RSA keys in the SFTP partner folder in NWA. Even so, we are getting the same error.
    Thanks,
    Vinayak

    Hi Ram,
    we checked with network team and port 22 is open and they are able to ping to the target system.
    we checked the seeburger logs and we see EOF received from remote site error:
    Caused by: com.maverick.ssh.SshException: EOF received from remote side [Unknown cause]
    #at com.maverick.ssh2.TransportProtocol.b(Unknown Source)
    #at com.maverick.ssh2.TransportProtocol.i(Unknown Source)
    #at com.maverick.ssh2.TransportProtocol.nextMessage(Unknown Source)
    #at com.maverick.ssh.message.SshMessageRouter.d(Unknown Source)
    #at com.maverick.ssh.message.SshMessageRouter.access$000(Unknown Source)
    #at com.maverick.ssh.message.SshMessageRouter$_b.run(Unknown Source) 
    Thanks,
    Vinayak.

  • Wireless card could not connect after mother replacement

    Hi, 
    I just replaced my Lenovo T430i motherboard; everything is working except that the wireless card could not connect to the wireless network. I took it to the shop and they replaced the wireless card with a new one, but the same problem still appears. Is there anyone having the same problem?
    Best Regards,
    Bunheng Mom

    Hello bunheng,
    If you could please boot into BIOS at start-up.  On the main page this should show you your system-unit serial number, and the system board serial number. Could you check and make sure both of these fields are occupied.
    One step at a time.
    Hope this helps,
    Alex
    What we Do in Life will Echo through Eternity. -Maximus Aurelius

  • All non-Apple Wireless Clients won't Connect to Time Capsule

    I have a latest gen Apple 2TB TC (ME177LL/A) and have had it for about 14 months. I have never had any issue with it in the past and have perhaps only had to reset it twice in that 14 month span.
    Came home from work last night to watch some Netflix on my PS4, and noticed my PS4 couldn't connect to the network. In the PS4 OS I kept getting errors that said either the network no longer existed or my password was incorrect. I simply tried to re-enter my password multiple times, but only once was the PS4 successfully able to connect. The one time it did connect the network speed indicated in the PS4 speed test was less than 200 kbps. Within moments, the PS4 lost connection again. I was unable to reconnect.
    At this point I figured I would just use the PS3 instead...same issue, however. Initially thought it was perhaps a PSN issue, but this time I never once could get the PS3 to connect. It repeatedly just said the network wasn't available or the password was incorrect. Went through the same troubleshooting steps that I did on the PS4 with no luck.
    At this point I realized my Lyric thermostat had been erroring out and giving me a notification on my phone---the app on my phone wasn't able to connect to the Lyric via Wifi. Also noticed my August Connect was flashing red and was not connected. DirecTV Genie was not connected to my TC network either. Then went to my home office to discover my Slingbox was no longer connected either. Interestingly enough, though, my iPhone, MacBook Pro, Mac Mini, wife's iPhone, and MacBook all were still connected to my TC network with no issues. I performed speed tests on all of them and all were giving me well over my 60 Gbps Internet speeds. These devices never disconnected nor had any hiccups.
    Essentially determined all my non-Apple devices couldn't stay connected to the TC network.
    Proceeded to just reset the TC and see what would happen. None of the non-Apple devices could connect. Same "Network not found/incorrect password"
    Then proceeded to perform factory reset on TC. At the same time I unplugged my Charter internet modem from power and cat5 out. Powered on modem, waited. Then powered up TC. I did this process twice through, once with auto selected 2.4/5 GHz channels--still had issue with devices being unable to connect. The second time through, I set up the 2.4/5 GHz based upon the most "open" channels as shown by iStumblr (I live in fairly large luxury apartment building that has many networks -- so there are A LOT of networks).
    This time I appeared to have success. One-by-one I was able to connect all my non-Apple devices to this new network with the new SSID and credentials. All devices were able to connect and the PS3/PS4 were able to connect to PSN and I was very easily able to get Netflix.
    Woke up this morning and noticed all non-Apple devices were once again not connected....really not sure what's going on. Didn't have time to dive in deeper before heading to work.
    Just as an FYI, I have 2 different Macs backing up to the TC via Time Machine wirelessly (the primary reason I have a TC and not another router). Also have an Asustor AS5008T connected to the TC via round robin link aggregation. All Macs are running Yosemite. All iPhones are running iOS 8.3. Offhand, I don't know the firmware the TC is running. I made no recent changes to the network or any of the hardware.
    Anybody have any idea what could be the culprit? Any help would be greatly appreciated.

    Whilst I said in my first post that apple had removed all the logs.. you can still get them via PC version 5 airport utility... you will need to plug in via ethernet since wireless is not working. You can also install v5 utility into a Mac but I cannot tell you how. Google it.
    The other method.. and I am not at all sure if it is useful or not.
    Using the airport utility in an ipad.. click on the TC, then edit.. then advanced.. Diagnostics and Usage Data.
    Go into this and you will see the Airport utility has got a stack of info out of the TC..(for secret transmission to apple).
    eg
    I guess it is comparison between normal functionality and when it fails that will show something interesting.. meaning you will need to track the info... and it is not so easy to get it out other than as a screenshot..

  • Could not connect to the server because the name or password is not correct

    Everyday I use Command + K to bring up the "Connect to Server" dialog, select the server from "Favorite Servers", click the Connect button, receive a prompt to provide my credentials to access the network share, then the share mounts and I access the files on it.
    Starting yesterday I no longer get the prompt asking me to provide the domain, username and password, it just tries to connect to the server then reports the following error:
    "Could not connect to the server because the name or password is not correct."
    I've restarted my Mac but still does the same thing. I'm able to connect to other server shares just fine, prompts me for the username and password, but this one particular server just will not prompt me for the username and password.
    I've done the following to try and resolve it but without any success in doing so:
    I've restarted the server
    I ran Repair Disk Permissions in Disk Utility
    Ran Keychain Access --> First Aid --> Repair
    Tried to find an entry in Keychain to remove, none listed
    Able to connect to share within Fusion running XP
    Anything I'm missing?

    Hi Troy-
    It surely is starting to look like it's some kind of security setting on the Win-Server...something that's different from the other server you just patched.
    If you've looked at local and domain policies that do not 'require' digital signing, then I'm at a loss. (I don't have the exact settings, but it's been discussed here ad nauseam over the past two years)
    Has something to do with disabling digital signing of communications "always", and enabling "when possible"... other than that, I've forgotten the exact policies...Look in security policies, and you'll probably see what I'm trying to describe.
    (Glad I got my daily brain-hiccup out of the way early today!)

  • Could not connect to Unwired Server

    Hi,
    We have a problem while trying to connect from a local Unwired Workspace (Eclipse) to an Unwired Server 2.0.
    Error is:
    Could not connect to My Unwired Server.
    Error creating Unwired Server Connection connection to My Unwired Server. (Error: org.omg.CORBA.COMM_FAILURE: java.net.SocketException: Connection reset  vmcid: 0x0  minor code: 0  completed: No)
    org.omg.CORBA.COMM_FAILURE: java.net.SocketException: Connection reset  vmcid: 0x0  minor code: 0  completed: No
    When we do the same but in a workspace installed on the same machine as Unwired Server it all works.
    We have checked that all ports are opened.
    Server machine is: Windows Server 2008 r2 Enterprise 64bits
    Client machine is: Windows 7 32 bits
    Has anyone faced the same problem?
    Thanks in advance.

    Hi
    Check if all your services are up and running.
    I used to get the below error when the openDS was down.
    "1. Error creating Unwired Server Connection connection to My Unwired Server. (Error: org.omg.CORBA.NO_PERMISSION: java.lang.SecurityException: Login Failed: user 'supAdmin'
      vmcid: 0x0  minor code: 0  completed: Yes)
    2. CORBA.COMM_FAILURE"
    Next check if the connection properties of the Unwired Server .
    Thanks
    Pradeep

  • BOXIR3- Unable to log on : Could not connect to server -  FWM 01003 null

    Hi
    I've just installed for the third time BOE Premium Server XIR3
    Config:
    Windows Server 2008
    BOXIR3
    CMS on MySQL
    Tomcat 5.5
    I've installed from scratch my server and I could not connect to any application
    CCM : the SIA is up and running, but I could not manage the server to see what is launched on the server
    > Error : Unable to log on : Could not connect to server SERVER_NAME:6400. Please check that the server name is correct, and that the server is running
    Tomcat Configuration: Can't connect to that services too
    -->Error : Unable to open the service BOE120Tomcat
    CMS / Infoview : Unable to connect too.
    --->Error : The server SERVER_NAME:6400 is not found (FWM 01003) null
    (Here I translated the error message because I've got the message in french...)
    Concerning the MySQL database, it seems to be correctly installed as I can access the database via MySQL Admin tool.
    I've seen lots of similar issue but I never found any resolution or workaround.
    So If you have any ideas to help me it would be great as I must make a demo on customer site on monday morning :o(((
    Many Thanks
    Anne-MArie

    Hello,
    Please refer to the following KBAs, maybe this can help you:
    http://service.sap.com/sap/support/notes/1884899
    http://service.sap.com/sap/support/notes/1351898
    And as Sneha said, make sure that the SIA and the CMS don't use the same port number.
    I hope that this helps you.
    Regards,
    Asma

  • MS SQL Server 2008 not getting installed properly - MOF compiler could not connect with the WMI server

    I am trying to install SQL Server 2008 in my local machine. However, I kept running into errors with the following error message:
    "The MOF Compiler could not connect with the WMI Server. This is either because of a semantic error such as an incompatibility with the existing WMI repository or an actual error such as the failure of the WMI Server to start".
    I also ran "rundll32 wbemupgd, UpgradeRepository" to rebuild WMI repository, it doesn't help either. I got the same error message. 
    Any ideas what settings I need to change in order to ensure a successful installation of SQL Server 2008?

    Can you check the two links below? Make sure the previous failed installation is removed completely.
    http://connect.microsoft.com/SQLServer/feedback/details/356258/the-mof-compiler-could-not-connect-with-the-wmi-server#
    Solution given by Connect MS is:
    Possibly the issue was caused by uninstalling from add-remove programs - at any rate, using aaron bertrand's suggestion below fixed the issue. Also of note - I used the local admin for the install.
    http://sqlblog.com/blogs/aaron_bertrand/archive/2009/02/20/the-xp-sp3-msxml6-sp2-sql-server-debacle.aspx
    yes - remove msxml6 and any other half installed portion of sql 2008 and REBOOT and install sql

  • Network Policy Server: No Domain Controller Available

    When attempting to configure our domain controller as a Network Policy Server, I am receiving an error message stating that there is no domain controller available for domain K12.TX.US (which is the NETBIOS name of our domain).
    The Full DNS Name of our Domain is : nederland.k12.tx.us
    Log Name:      System
    Source:        NPS
    Date:          3/7/2014 12:55:51 PM
    Event ID:      4402
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      ADMIN-PDC.nederland.k12.tx.us
    Description:
    There is no domain controller available for domain K12.TX.US.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="NPS" />
        <EventID Qualifiers="49152">4402</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-03-07T18:55:51.000000000Z" />
        <EventRecordID>84518</EventRecordID>
        <Channel>System</Channel>
        <Computer>ADMIN-PDC.nederland.k12.tx.us</Computer>
        <Security />
      </System>
      <EventData>
        <Data>K12.TX.US</Data>
      </EventData>
    </Event>
    Please help, as I believe that this is causing the following error:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          3/7/2014 12:55:51 PM
    Event ID:      6273
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      ADMIN-PDC.nederland.k12.tx.us
    Description:
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
    Security ID: NULL SID
    Account Name: abusby
    Account Domain: K12.TX.US
    Fully Qualified Account Name: K12.TX.US\abusby
    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 00-19-92-0C-E4-E9:NISD_Testing
    Calling Station Identifier: B8-E8-56-A8-D4-D9
    NAS:
    NAS IPv4 Address: 10.250.1.15
    NAS IPv6 Address: -
    NAS Identifier: -
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 0
    RADIUS Client:
    Client Friendly Name: Testing Access Point
    Client IP Address: 10.250.1.15
    Authentication Details:
    Connection Request Policy Name: BlueSocket Wireless Connections
    Network Policy Name: -
    Authentication Provider: Windows
    Authentication Server: ADMIN-PDC.nederland.k12.tx.us
    Authentication Type: PEAP
    EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 7
    Reason: The specified domain does not exist.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>6273</EventID>
        <Version>1</Version>
        <Level>0</Level>
        <Task>12552</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2014-03-07T18:55:51.061488000Z" />
        <EventRecordID>3106129068</EventRecordID>
        <Correlation />
        <Execution ProcessID="584" ThreadID="4712" />
        <Channel>Security</Channel>
        <Computer>ADMIN-PDC.nederland.k12.tx.us</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">abusby</Data>
        <Data Name="SubjectDomainName">K12.TX.US</Data>
        <Data Name="FullyQualifiedSubjectUserName">K12.TX.US\abusby</Data>
        <Data Name="SubjectMachineSID">S-1-0-0</Data>
        <Data Name="SubjectMachineName">-</Data>
        <Data Name="FullyQualifiedSubjectMachineName">-</Data>
        <Data Name="MachineInventory">-</Data>
        <Data Name="CalledStationID">00-19-92-0C-E4-E9:NISD_Testing</Data>
        <Data Name="CallingStationID">B8-E8-56-A8-D4-D9</Data>
        <Data Name="NASIPv4Address">10.250.1.15</Data>
        <Data Name="NASIPv6Address">-</Data>
        <Data Name="NASIdentifier">-</Data>
        <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
        <Data Name="NASPort">0</Data>
        <Data Name="ClientName">Testing Access Point</Data>
        <Data Name="ClientIPAddress">10.250.1.15</Data>
        <Data Name="ProxyPolicyName">BlueSocket Wireless Connections</Data>
        <Data Name="NetworkPolicyName">-</Data>
        <Data Name="AuthenticationProvider">Windows</Data>
        <Data Name="AuthenticationServer">ADMIN-PDC.nederland.k12.tx.us</Data>
        <Data Name="AuthenticationType">PEAP</Data>
        <Data Name="EAPType">Microsoft: Secured password (EAP-MSCHAP v2)</Data>
        <Data Name="AccountSessionIdentifier">-</Data>
        <Data Name="ReasonCode">7</Data>
        <Data Name="Reason">The specified domain does not exist.</Data>
        <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
      </EventData>
    </Event>

    Yes I did see that article, and there are plenty of logs from another device that authenticates via RADIUS. Requests from our 802.1x wireless network are giving the "the specified domain does not exist" error. I can enter the username as username, username@domain, or domain\username and neither method fixes the error.
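The Event 6273 records quoted in this thread, and the reason code 265 denial in the first thread, can be triaged in bulk by parsing the Event Xml. The following is an added example, not code from any of the posts: the field names (`ReasonCode`, `CallingStationID`, `SubjectUserName`, and so on) are taken from the Event Xml above, the reason 265 sample events and MAC addresses are constructed, and the hint wording is this example's own.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
NPS_FAILURE_IDS = {"6273", "6274"}  # access denied / request discarded

# Triage hints for the reason codes that appear on this page (wording is this example's own).
HINTS = {
    "7": "NPS cannot find the domain named in the request; compare SubjectDomainName with the real domain name",
    "265": "client does not trust the CA that issued the NPS server certificate; install that root CA on the client",
}

def parse_nps_failure(xml_text):
    """Return a dict for an NPS failure event, or None for other or unparsable input."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    event_id = root.findtext("e:System/e:EventID", default="", namespaces=NS).strip()
    if event_id not in NPS_FAILURE_IDS:
        return None
    created = root.find("e:System/e:TimeCreated", NS)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}

    def field(name):
        value = data.get(name, "")
        return None if value in ("", "-") else value  # NPS logs "-" for empty fields

    return {
        "event_id": event_id,
        "time": created.get("SystemTime") if created is not None else None,
        "user": field("FullyQualifiedSubjectUserName"),
        "station": field("CallingStationID"),
        "nas": field("ClientName"),
        "eap_type": field("EAPType"),
        "reason_code": field("ReasonCode"),
        "reason": field("Reason"),
    }

def load(xml_events):
    """Parse many exported events, silently skipping anything that is not an NPS failure."""
    return [r for r in map(parse_nps_failure, xml_events) if r is not None]

def summarize(records):
    """Group failures by reason code: count, affected client stations, triage hint."""
    groups = defaultdict(lambda: {"count": 0, "stations": set(), "reason": None})
    for r in records:
        g = groups[r["reason_code"]]
        g["count"] += 1
        g["reason"] = r["reason"]
        if r["station"]:
            g["stations"].add(r["station"])
    return {code: {"count": g["count"], "reason": g["reason"],
                   "stations": sorted(g["stations"]),
                   "hint": HINTS.get(code, "no hint recorded for this code")}
            for code, g in groups.items()}

def clients_missing_root_ca(records):
    """Stations denied with reason 265, i.e. the clients that still need the root CA."""
    return sorted({r["station"] for r in records
                   if r["reason_code"] == "265" and r["station"]})

def _event(event_id, when, **data):
    """Build an event in the same XML layout as the Event Xml quoted on this page."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}" /></System>'
            f'<EventData>{rows}</EventData></Event>')

UNTRUSTED = "The certificate chain was issued by an authority that is not trusted"
SAMPLE_EVENTS = [
    # Values from the reason code 7 event quoted above (abridged).
    _event("6273", "2014-03-07T18:55:51.061488000Z",
           FullyQualifiedSubjectUserName="K12.TX.US\\abusby",
           CallingStationID="B8-E8-56-A8-D4-D9", ClientName="Testing Access Point",
           EAPType="Microsoft: Secured password (EAP-MSCHAP v2)",
           ReasonCode="7", Reason="The specified domain does not exist."),
    # Constructed reason 265 denials: two non-domain laptops, one retrying.
    _event("6273", "2014-03-07T19:00:01Z", FullyQualifiedSubjectUserName="-",
           CallingStationID="02-00-00-00-00-01", ClientName="Testing Access Point",
           ReasonCode="265", Reason=UNTRUSTED),
    _event("6273", "2014-03-07T19:00:09Z", FullyQualifiedSubjectUserName="-",
           CallingStationID="02-00-00-00-00-02", ClientName="Testing Access Point",
           ReasonCode="265", Reason=UNTRUSTED),
    _event("6273", "2014-03-07T19:00:30Z", FullyQualifiedSubjectUserName="-",
           CallingStationID="02-00-00-00-00-01", ClientName="Testing Access Point",
           ReasonCode="265", Reason=UNTRUSTED),
    # Not an NPS access failure (the 4402 system event) and a truncated export.
    _event("4402", "2014-03-07T18:55:51Z"),
    "<Event xmlns=",
]

if __name__ == "__main__":
    records = load(SAMPLE_EVENTS)
    for code, info in sorted(summarize(records).items()):
        print(code, info["count"], info["stations"], "->", info["hint"])
    print("need root CA:", clients_missing_root_ca(records))
```
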

  • Using Windows Network Policy Server to authenticate Prime Infrastructure 1.4 admin access

    I am using Prime Infrastructure 1.4 and I need to set up RADIUS authentication. I am using Microsoft Network Policy Server. I have done all of the setup on both systems. I have matched up the settings the best I can on both systems. I am trying to use CHAP. I keep getting "username or password is not valid". In an effort to test I changed the Authentication type to PAP (I do not want to use this because it is not encrypted). But in an effort of testing I changed the setting on both the NPS and on Prime. I am now able to log in. Changing back to CHAP it fails and states the Username or Password is invalid. SO, PLEASE HELP!!!!

    Ok, I was able to resolve this over the weekend. The actual fix is a little complicated. You can find the full explanation here: http://technologyordie.com/windows-nps-radius-authentication-of-cisco-prime-infrastructure
    The basics are that Prime (1.3 is the version I am using at this point) expects two AV pairs from RADIUS. They are as follows:
    NCS:role0=Admin
    NCS:virtual-domain0=ROOT-DOMAIN
    "Admin" is the name of the group you would like your users to have access at and "ROOT-DOMAIN" is the name of the domain you would like them to have access to.
    For TACACS+ I suspect the AV Pairs are going to be the same but I have not been able to test that.

  • Using Windows Network Policy Server to authenticate Prime Infrastructure 1.2 admin access

    Dear all,
    How can I authenticate admin access to the Prime infrastructure 1.2 using AAA mode RADIUS with Windows Network Policy Server as RADIUS server? I find some information using ACS as RADIUS server but cannot find how to for Windows NPS.
    I try to configure the NPS but an error prompted when logging in to PI using an account in the NPS server, "No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server"
    Thanks for your help.
    Dennis

    Ok, I was able to resolve this over the weekend. The actual fix is a little complicated. You can find the full explanation here: http://technologyordie.com/windows-nps-radius-authentication-of-cisco-prime-infrastructure
    The basics are that Prime (1.3 is the version I am using at this point) expects two AV pairs from RADIUS. They are as follows:
    NCS:role0=Admin
    NCS:virtual-domain0=ROOT-DOMAIN
    "Admin" is the name of the group you would like your users to have access at and "ROOT-DOMAIN" is the name of the domain you would like them to have access to.
    For TACACS+ I suspect the AV Pairs are going to be the same but I have not been able to test that.

  • NPS: Event 6274 - Network Policy Server discarded the request for a user

    Intermittently I will get desktop (wired) and laptop (wireless) computers experiencing issues with NPS (they drop off the network).
    Some computers are affected more than others, although they are identical hardware and based on a standard image.
    In the event log of the NPS servers I can see the following messages:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          2/05/2014 8:47:58 a.m.
    Event ID:      6274
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      NT147.domain.local
    Description:
    Network Policy Server discarded the request for a user.
    Contact the Network Policy Server administrator for more information.
    User:
     Security ID:   NULL SID
     Account Name:   host/DPC0387.domain.local
     Account Domain:   DOMAIN
     Fully Qualified Account Name: DOMAIN\DPC0387$
    Client Machine:
     Security ID:   NULL SID
     Account Name:   -
     Fully Qualified Account Name: -
     OS-Version:   -
     Called Station Identifier:  3c-xx-xx-xx-xx-xx
     Calling Station Identifier:  00-xx-xx-xx-xx-xx
    NAS:
     NAS IPv4 Address:  10.nnn.nnn.nnn
     NAS IPv6 Address:  -
     NAS Identifier:   ND246
     NAS Port-Type:   Ethernet
     NAS Port:   71
    RADIUS Client:
     Client Friendly Name:  Network Device Management Subnet
     Client IP Address:   10.nnn.nnn.nnn
    Authentication Details:
     Connection Request Policy Name: NAP 802.1X (Wired)
     Network Policy Name:  -
     Authentication Provider:  Windows
     Authentication Server:  NT147.domain.local
     Authentication Type:  -
     EAP Type:   -
     Account Session Identifier:  384F322E317838316564303034313030306230666632
     Reason Code:   1
     Reason:    An internal error occurred. Check the system event log for additional information.
    How do I debug when an internal error occurs but there is nothing in the system event log? Where else can I look?
    Here's the packet trace that matches the event log entry above:
    No.     Time        Source                Destination           Protocol Length Time from request Info
          1 0.000000    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Request, Identity
          2 2.470423    Universa_xx:xx:xx     Nearest               EAPOL    60                       Start
          3 2.472870    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Request, Identity
          4 2.539416    Universa_xx:xx:xx     Nearest               EAP      60                       Response, Identity
          5 2.544206    Universa_xx:xx:xx     Nearest               EAPOL    60                       Start
          6 2.548804    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Request, Identity
          7 2.550050    Universa_xx:xx:xx     Nearest               EAP      60                       Response, Identity
          8 2.552597    10.switch             10.NPS_Server         RADIUS   254                      Access-Request(1) (id=249, l=208)
          9 2.556043    10.NPS_Server         10.switch             RADIUS   136    0.003446000       Access-Challenge(11) (id=249, l=90)
         10 2.565876    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Request, Protected EAP (EAP-PEAP)
         11 2.569472    10.switch             10.NPS_Server         RADIUS   254                      Access-Request(1) (id=250, l=208)
         12 2.572566    10.NPS_Server         10.switch             RADIUS   136    0.003094000       Access-Challenge(11) (id=250, l=90)
         13 2.580254    Universa_xx:xx:xx     Nearest               TLSv1    123                      Client Hello
         14 2.586544    10.switch             10.NPS_Server         RADIUS   361                      Access-Request(1) (id=251, l=315)
         15 4.564841    Universa_xx:xx:xx     Nearest               EAPOL    60                       Start
         16 4.568530    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Request, Identity
         17 4.569876    Universa_xx:xx:xx     Nearest               EAP      60                       Response, Identity
         18 4.582263    10.switch             10.NPS_Server         RADIUS   254                      Access-Request(1) (id=252, l=208)
         19 4.586006    10.NPS_Server         10.switch             RADIUS   136    0.003743000       Access-Challenge(11) (id=252, l=90)
         20 4.591896    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Request, Protected EAP (EAP-PEAP)
         21 4.592692    Universa_xx:xx:xx     Nearest               TLSv1    123                      Client Hello
         22 4.599634    10.switch             10.NPS_Server         RADIUS   361                      Access-Request(1) (id=253, l=315)
         23 4.600887    10.NPS_Server         10.switch             IPv4     1518                     Fragmented IP protocol (proto=UDP 17, off=0, ID=07db)
         24 4.609920    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    1514                     Server Hello, Certificate, Certificate Request, Server Hello Done
         25 4.610516    Universa_xx:xx:xx     Nearest               EAP      60                       Response, Protected EAP (EAP-PEAP)
         26 4.617407    10.switch             10.NPS_Server         RADIUS   262                      Access-Request(1) (id=254, l=216)
         27 4.618352    10.NPS_Server         10.switch             RADIUS   288    0.000945000       Access-Challenge(11) (id=254, l=242)
         28 4.623650    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    176                      Server Hello, Certificate, Certificate Request, Server Hello Done
         29 4.643316    Universa_xx:xx:xx     Nearest               TLSv1    361                      Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
         30 4.649607    10.switch             10.NPS_Server         RADIUS   601                      Access-Request(1) (id=255, l=555)
         31 4.656950    10.NPS_Server         10.switch             RADIUS   199    0.007343000       Access-Challenge(11) (id=255, l=153)
         32 4.662734    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    87                       Change Cipher Spec, Encrypted Handshake Message
         33 4.681106    Universa_xx:xx:xx     Nearest               EAP      60                       Response, Protected EAP (EAP-PEAP)
         34 4.788536    10.switch             10.NPS_Server         RADIUS   262                      Access-Request(1) (id=2, l=216)
         35 4.789735    10.NPS_Server         10.switch             RADIUS   173    0.001199000       Access-Challenge(11) (id=2, l=127)
         36 4.795723    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    61                       Application Data
         37 4.796372    Universa_xx:xx:xx     Nearest               TLSv1    93                       Application Data
         38 4.802368    10.switch             10.NPS_Server         RADIUS   331                      Access-Request(1) (id=3, l=285)
         39 4.803363    10.NPS_Server         10.switch             RADIUS   189    0.000995000       Access-Challenge(11) (id=3, l=143)
         40 4.808905    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    77                       Application Data
         41 4.809501    Universa_xx:xx:xx     Nearest               TLSv1    77                       Application Data
         42 4.817342    10.switch             10.NPS_Server         RADIUS   315                      Access-Request(1) (id=4, l=269)
         43 4.822986    10.NPS_Server         10.switch             RADIUS   189    0.005644000       Access-Challenge(11) (id=4, l=143)
         44 4.828973    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    77                       Application Data
         45 4.833318    Universa_xx:xx:xx     Nearest               TLSv1    829                      Application Data
         46 4.840610    10.switch             10.NPS_Server         RADIUS   1073                     Access-Request(1) (id=5, l=1027)
         47 4.845946    10.NPS_Server         10.switch             RADIUS   189    0.005336000       Access-Challenge(11) (id=5, l=143)
         48 4.850938    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    77                       Application Data
         49 4.907924    Universa_xx:xx:xx     Nearest               TLSv1    141                      Application Data
         50 4.913390    10.switch             10.NPS_Server         RADIUS   379                      Access-Request(1) (id=6, l=333)
         51 4.917535    10.NPS_Server         10.switch             RADIUS   221    0.004145000       Access-Challenge(11) (id=6, l=175)
         52 4.922877    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    109                      Application Data
         53 4.923472    Universa_xx:xx:xx     Nearest               TLSv1    61                       Application Data
         54 4.930319    10.switch             10.NPS_Server         RADIUS   299                      Access-Request(1) (id=7, l=253)
         55 4.937348    10.NPS_Server         10.switch             RADIUS   381    0.007029000       Access-Challenge(11) (id=7, l=335)
         56 4.942543    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    269                      Application Data
         57 4.944791    Universa_xx:xx:xx     Nearest               TLSv1    125                      Application Data
         58 4.951408    10.switch             10.NPS_Server         RADIUS   363                      Access-Request(1) (id=8, l=317)
         59 4.954022    10.NPS_Server         10.switch             RADIUS   355    0.002614000       Access-Accept(2) (id=8, l=309)
         60 4.981482    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Success
         61 32.590347   10.switch             10.NPS_Server         RADIUS   361                      Access-Request(1) (id=251, l=315)
         62 62.592420   10.switch             10.NPS_Server         RADIUS   361                      Access-Request(1) (id=251, l=315)
         63 92.595043   10.switch             10.NPS_Backup_Server  RADIUS   361                      Access-Request(1) (id=9, l=315)
         64 122.597856  10.switch             10.NPS_Backup_Server  RADIUS   361                      Access-Request(1) (id=9, l=315)
         65 152.600618  10.switch             10.NPS_Backup_Server  RADIUS   361                      Access-Request(1) (id=9, l=315)

    A belated thanks for your reply.
    Our environment doesn't have NPS accounting configured so that was easy to rule out.
    The mid-day drop outs have stopped after I added "set protocols dot1x authenticator no-mac-table-binding" to our Juniper switches (which prevents mac address aging from clearing the active dot1x client session).
    I believe the above error message occurs because the RADIUS session ID is rejected / ignored because of some quirks in the RADIUS standard.  At the start of a dot1x authentication request a RADIUS session ID is created.  For whatever reason the
    RADIUS/NAP server stops responding and the Juniper switch fails over to the backup RADIUS/NAP server configured.  The session ID is kept (per RADIUS standard) but the backup RADIUS/NAP server doesn't know about the session, so this event: "Network
    Policy Server discarded the request for a user." occurs.
    It would be nice to see a clearer error message "Invalid RADIUS session" or similar.
    There is a Microsoft guide on how to set up RADIUS/NAP servers in a highly available configuration - something to do with RADIUS proxy servers.
    It would be even nicer to see some kind of RADIUS session synchronisation between NAP servers... if it doesn't already exist?

    I am having the same exact issue you posted on here except I have Extreme Network switches. Some of my computers, various hardware, will randomly not authenticate during re-authentication. The switch says that it failed to contact the NPS server so then it
    switches to my backup server. The client has a random time on how long it waits to authenticate so sometimes I end up having to disable/re-enable the port they are connected to so that the session is started again. I see that you basically removed the option
    to force clients to re-authenticate. Any downfall disabling that? Any idea why the NPS server is no longer responding? Are you using Windows Server 2012?
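The failover pattern discussed in this thread (Access-Request id=251 repeated to the primary NPS, then id=9 repeated to the backup) can be pulled out of a Wireshark summary export like the one posted. The following Python is an added example, not code from the thread; the function names are hypothetical and the input rows are copied from the capture above with whitespace collapsed.

```python
import re

# Rows copied from the capture above (frames 22-23 and 58-65), whitespace collapsed.
CAPTURE = """\
22 4.599634 10.switch 10.NPS_Server RADIUS 361 Access-Request(1) (id=253, l=315)
23 4.600887 10.NPS_Server 10.switch IPv4 1518 Fragmented IP protocol (proto=UDP 17, off=0, ID=07db)
58 4.951408 10.switch 10.NPS_Server RADIUS 363 Access-Request(1) (id=8, l=317)
59 4.954022 10.NPS_Server 10.switch RADIUS 355 0.002614000 Access-Accept(2) (id=8, l=309)
61 32.590347 10.switch 10.NPS_Server RADIUS 361 Access-Request(1) (id=251, l=315)
62 62.592420 10.switch 10.NPS_Server RADIUS 361 Access-Request(1) (id=251, l=315)
63 92.595043 10.switch 10.NPS_Backup_Server RADIUS 361 Access-Request(1) (id=9, l=315)
64 122.597856 10.switch 10.NPS_Backup_Server RADIUS 361 Access-Request(1) (id=9, l=315)
65 152.600618 10.switch 10.NPS_Backup_Server RADIUS 361 Access-Request(1) (id=9, l=315)
"""

# frame, time, source, destination, optional response-time column, code name, RADIUS id
ROW = re.compile(r"^\s*\d+\s+([\d.]+)\s+(\S+)\s+(\S+)\s+RADIUS\s+\d+\s+"
                 r"(?:[\d.]+\s+)?(Access-\w+)\(\d+\)\s+\(id=(\d+),")

def pending_requests(text):
    """Map (server, id) -> send times of Access-Requests that never got a reply."""
    pending = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # EAP/TLS rows and IP fragments carry no RADIUS summary
        ts, src, dst, code, rid = m.groups()
        if code == "Access-Request":
            pending.setdefault((dst, int(rid)), []).append(float(ts))
        else:
            # Challenge/Accept/Reject answers the id; the 8-bit id may be reused later
            pending.pop((src, int(rid)), None)
    return pending

def retransmitted(text):
    """Unanswered ids sent more than once; a single send may just have a fragmented reply."""
    rows = []
    for (server, rid), times in pending_requests(text).items():
        if len(times) > 1:
            gaps = [round(b - a) for a, b in zip(times, times[1:])]
            rows.append({"server": server, "id": rid, "sent": len(times), "gaps_s": gaps})
    return rows

def failover_path(rows):
    """Servers with unanswered retransmissions, in capture order."""
    return list(dict.fromkeys(r["server"] for r in rows))

if __name__ == "__main__":
    print(retransmitted(CAPTURE), failover_path(retransmitted(CAPTURE)))
```

Request id=253 stays pending because its reply appears only as an IP fragment row, which is why single sends are not reported as retransmissions.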

  • How to do Server 2012 R2 Network Policy Server MAC Authentication without adding ad users?

    I have a Network Policy Server running on Server 2012 R2.  I have set it up to do certificate and PEAP authentication for our 802.1x wireless authentication
    and that works great.
    Now I want to add a policy to this server so I can also do MAC address authentication on our unauthenticated open wireless SSID so I can assign roles based on the
    MAC address.  I got our Aruba controller set up to send the MAC address to the RADIUS server, but the RADIUS server just denies access because I am not sure how to get it to use the msNPCallingStationID attribute.
    I have found several ways to do this, including adding Active Directory users for every single MAC address with the MAC address as the username and password.  I
    do not want to do that.  This is not an option.
    I have also found several posts about using ieee802Device.  I can't find a way to get that to work.
    I also found a suggestion to use the msNPCallingStationID AD attribute.  I can easily set this for each user as their MAC addresses, but how do I configure the
    NPS server to use this attribute to authenticate this?
    If you have any other ideas on how to get MAC authentication to work, I would greatly appreciate it!
    Thank you for your assistance!

    Hi,
    I think you may have some misunderstanding about MAC address authorization. MAC address authorization is based on the MAC address of the network adapter installed in
    the access client computer. Like ANI authorization, MAC address authorization uses the Calling-Station-ID attribute instead of user name and password or certificate-based credentials to identify the user during the connection attempt.
    MAC address authorization is performed when the user does not type in any user name or password, and refuses to use any valid authentication method. In this case, Network
    Policy Server (NPS) receives the Calling-Station-ID attribute, and no user name and password. To support MAC address authorization, Active Directory Domain Services (AD DS) must have user accounts that contain MAC addresses as user names, therefore you need
    to add the MAC address as the computer user name and password.
    Using the MAC address as user name and password is a Cisco® switch requirement; about your switch device, please ask your hardware vendor.
    If you want to combine MAC address filtering and EAP authentication, you can refer to the following related article:
    Enhance your 802.1x deployment security with MAC filtering
    http://blogs.technet.com/b/nap/archive/2006/09/08/454705.aspx
    More information:
    MAC Address Authorization
    http://technet.microsoft.com/en-us/library/dd197535(v=ws.10).aspx
    Authorization by User and Group
    http://technet.microsoft.com/en-us/library/dd197615(v=ws.10).aspx
    The similar thread:
    NPS: Override User-Name and User Identity Attribute
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/6dd983f9-973f-4d23-be0c-032d3a1592d0/nps-override-username-and-user-identity-attribute?forum=winserverNAP
    The related third party article:
    Configuring IEEE 802.1x Port-Based Authentication
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-2_25_see/configuration/guide/3550SCG/sw8021x.html#wp1170569
    MAC Filters with Wireless LAN Controllers (WLCs) Configuration Example
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html#backinfo
    Hope this helps.

  • Forefront TMG network policy server and VPN issue.

    Hello every one!
    I have a problem with configuring a VPN server on Forefront TMG on Windows Server 2008R2 with the latest Microsoft updates.
    I installed Forefront TMG on Windows Server 2008R2 with the latest updates.
    Then I configured the startup wizard, where I set the network configuration, etc.
    Next, I set the VPN settings: I set the DHCP pool, DNS servers, Access groups for VPN, and set PPTP.
    After applying these settings, the RemoteAccess service doesn't start. I tried to reboot the server but the service doesn't start.
    But that's not the only problem.
    When I add VPN Access groups in Forefront and apply the configuration, I don't see changes in network policy server (nps.msc). Groups are not added to the policy in network policy server.
    Screenshot
    If I start RemoteAccess manually and add new VPN Access groups to the policy in network policy server, I can use the VPN server and connect to the Forefront server.
    But I don't understand why TMG Forefront can't apply these settings in nps.msc and services.
    What am I doing wrong?
    I use Windows Server 2008R2
    Forefront TMG RTM 7.0.7734.100

    Hello! Thank you for your help!
    I see this link
    http://www.isaserver.org/articles-tutorials/configuration-security/Implementing-Secure-Remote-Access-PPTP-Forefront-Threat-Management-Gateway-TMG-2010-Part2.html
    But I don't use RADIUS server in my Forefront TMG VPN configuration.
    I configure client VPN Access via PPTP
    When I configure TMG VPN settings, I set VPN Access groups. After that, the NPS server changes and applies the TMG network policy correctly.
    But if I change some TMG firewall policy, and then I try to add VPN Access groups (screenshot -
    http://i.gyazo.com/34a34ba18a01c58689e5e3cddbc52585.png), the NPS server can't change and apply the TMG network policy correctly.
    Now I have two Access groups in TMG VPN settings
    http://i.gyazo.com/34a34ba18a01c58689e5e3cddbc52585.png
    And I have an NPS server network policy with incorrect settings
    http://i.gyazo.com/1dd973ca9cc2a228d54a53d88ca90009.png
    Forefront can't change the NPS server network policy. I don't understand where the problem is.
    I tried to reinstall TMG on a new machine, but the problem persists.
