Using Windows Network Policy Server to authenticate Prime Infrastructure 1.2 admin access

Similar Messages

• Using Windows Network Policy Server to authenticate Prime Infrastructure 1.4 admin access

  I am using Prime Infrastructure 1.4 and I am needing to set up RADIUS Authencation.  I am using Microsoft Network Policy Server.   I have done all of the setup on both systems.  I have matched up the settings the best I can on both systems.  I am trying to use CHAP.  I keep getting username or passwrod is not valid.  In a effort to test I changed the Authentication type to PAP (I do not want to use this because it is not encrypted) But in a effort of testing I changed the setting on both the NPS and on Prime.  I am now able to log in.  Changing back to CHAP it fails and states the Username or Password is invalid.  SO, PLEASE HELP!!!!

  Ok, I was able to resolve this over the weekend.  The actual fix is a little complicated.  You can find the full explination here: http://technologyordie.com/windows-nps-radius-authentication-of-cisco-prime-infrastructure
  The basics are that Prime (1.3 is the version I am using at this point) expects two AV pairs from radius.  They are as as follows:
  NCS:role0=Admin
  NCS:virtual-domain0=ROOT-DOMAIN
  "Admin" is the name of the group you would like your users to have access at and "ROOT-DOMAIN" is the name of the domain you would like them to have access to.
  For TACACS+ I suspect the AV Pairs are going to be the same but I have not been able to test that.

• Network Policy Server Policies

  We are using Windows Network Policy Server application as a radius server for VPN connections using windows server 2008 R2.
  On my firewall, we currently have only 1 VPN profile and we have a Network Policy that saysif they are not part of this windows group, they cannot connect to the VPN.
  I have setup two additional vpn profiles for different vendors, etc and set up the test accounts to use different groups and setup new network policies for each one. The issue I am running into is all NPS network policies work with each vpn profile. I would
  like to know how can you setup a policy so they differenciate between each vpn policy so if user is on vpn profile 1 it will use network policy 1 and not allow them access to any of the other vpn profile 2 or 3 because they do not meet the requirements for
  them based off the network policy that is defined.

  Hi,
  According to your description, my understanding is that you wanted the NPS pociles to work differing from the firewall rules/profiles. If I misunderstood anything, please feel free to let me know.
  Based on my experience, it seems that NPS won't do that with firewall profiles. If you want to define different network policies to different user group. You can select the specific user group when specifying conditions of the network policy. More information:
  Network Policy Conditions Properties
  Best regards,
  Susie

• An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP).

  Hello everyone:
  I know this question have been asked in these forums quite a few times. I apologize if it is a repeat telecast but I was not able to find a suitable solution pertaining to my problem.
  I have a AP/SM setup that is configured to get EAP-PEAP authentication from Windows 2012 Server. I have setup everything and have verified that the EAP-PEAP authentication works fine on AP/SM by getting authentication from FreeRADIUS server. Now, when I try
  to get authentication from Windows Server, I am getting a reject. The Event log shows this generic message:
  Reason Code: 23
  Reason:
      An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
  There is nothing in the EAP logs that is obvious too:
  "USIL01PMPTST01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1
  07/11/2014 00:05:57 4927",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
  "USIL01PMPTST01","IAS",07/11/2014,11:59:44,11,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4927",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
  "USIL01PMPTST01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1
  07/11/2014 00:05:57 4928",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
  "USIL01PMPTST01","IAS",07/11/2014,11:59:44,11,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4928",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
  "USIL01PMPTST01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,11,"PEAP_TEST",0,"311 1 10.120.133.1
  07/11/2014 00:05:57 4929",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
  "USIL01PMPTST01","IAS",07/11/2014,11:59:44,3,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,11,"PEAP_TEST",23,"311 1 10.120.133.1 07/11/2014 00:05:57 4929",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
  So, basically, the sequence is this:
  request , challenge, request , challenge, request, reject
  Any idea what might be happening?
  Thank you.

  Hi,
  Have you installed certificates on the NPS server properly? Have you selected the proper certificate in the properties of PEAP?
  Here is an article about the Certificate requirements of PEAP,
  Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS
  http://support.microsoft.com/kb/814394
  If your certificate matches the requirement, you may try to reinstall the certificate by export and import.
  To export a certificate, please follow the steps below,
  Open the Certificates snap-in for a user, computer, or service.
  In the console tree under the logical store that contains the certificate to export, click
  Certificates.
  In the details pane, click the certificate that you want to export.
  On the Action menu, point to
  All Tasks, and then click Export.
  In the Certificate Export Wizard, click No, do not export the private key. (This option will appear only if the private key is marked as exportable and you have access to the private key.)
  Provide the following information in the Certificate Export Wizard:
  Click the file format that you want to use to store the exported certificate: a DER-encoded file, a Base64-encoded file, or a PKCS #7 file.
  If you are exporting the certificate to a PKCS #7 file, you also have the option to include all certificates in the certification path.
  If required, in Password, type a password to encrypt the private key you are exporting. In
  Confirm password, type the same password again, and then click
  Next.
  In File name, type a file name and path for the PKCS #7 file that will store the exported certificate and private key. Click
  Next, and then click Finish.
  To import a certificate, please follow the steps below,
  Open the Certificates snap-in for a user, computer, or service.
  In the console tree, click the logical store where you want to import the certificate.
  On the Action menu, point to
  All Tasks, and then click Import to start the Certificate Import Wizard.
  Type the file name containing the certificate to be imported. (You can also click
  Browse and navigate to the file.)
  If it is a PKCS #12 file, do the following:
  Type the password used to encrypt the private key.
  (Optional) If you want to be able to use strong private key protection, select the
  Enable strong private key protection check box.
  (Optional) If you want to back up or transport your keys at a later time, select the
  Mark key as exportable check box.
  Do one of the following:
  If the certificate should be automatically placed in a certificate store based on the type of certificate, click
  Automatically select the certificate store based on the type of certificate.
  If you want to specify where the certificate is stored, select
  Place all certificates in the following store, click
  Browse, and choose the certificate store to use.
  If issue persists, you may try to re-issue the certificate.
  For detailed procedure, you may refer to the similar threads below,
  Having issues getting PEAP with EAP-MSCHAP v2 working on Windows 2008 R2
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/c66cf0a8-24dd-4ccd-b5bb-16bd28ad8d4c/having-issues-getting-peap-with-eapmschap-v2-working-on-windows-2008-r2?forum=winserverNAP
  Hope this helps.
  Steven Lee
  TechNet Community Support

• Network Policy Server windows 7 non domain wireless clients could not connect (Event id 6273 reason code 265)

  Hi,
  We have successfully configured network policy server on windows server 2012 and all wireless clients could connect to our network except windows 7 and xp non domain clients.The clients that are successfully authenticated includes windows 8,mobile users
  (andriod + iOS) domain as well as non domain clients.If we join windows 7 pc to the domain it  successfully connects but non domain clients could not connect.We have large number of windows 7 users that have their own laptop machines and we dont want
  each laptop to join the domain.
  On server event 6273 generated with reason code 265 "The certificate chain was issued by an authority that is not trusted".Plz help how to resolve this issue.I have searched on the internet but no proper solution found.

  Hi,
  According to the error message, it seems that you used certificate-based authentication methods and the non-domain computers has no Trusted Root Certificate for the CA that enrolled the certificate for the NPS.
  For more detailed information, please refer to the links below:
  Certificates and NPS
  Manage Trusted Root Certificates
  Best regards,
  Susie
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Using Network Policy Server Polices in conjunction with RRAS on Server 2012 R2

  Within the RRAS MMC console there is an option called Remote Access Logging & Polices.
  If I right mouse click and can get to the NPS and tried to configure a couple of basic settings (e.g. group membership of Domain Admins required) for granting access.
  However when testing this, the policy did not seem to apply (aka the user got on even though group membership was not correct).
  I have made sure that the dial-in properties for the user was set to Control access through NPS Network Policy.
  Q/ For the above to work, do I actually need to install the NPS role itself or can it work independently?

  Hi,
  It seems that Remote Access logging and policy configuration is now performed through NPS since Windows server 2008.
  As you have tested for this, I assume that you would need to install the NPS role to perform RADIUS accounting and Network Polices.
  More information:
  Network Policy Server
  In addition, since it is related to network, I will move it to the Network Access Protection forum for better assistance. Thanks for your understanding and support.
  Best regards,
  Susie

• NPS: Event 6274 - Network Policy Server discarded the request for a user

  Intermittently I will get desktop (wired) and laptop (wireless) computers experiencing issues with NPS (they drop off the network).
  Some computers are affected more than others, although they are identical hardware and based on a standard image.
  In the event log of the NPS servers I can see the following messages:
  Log Name:      Security
  Source:        Microsoft-Windows-Security-Auditing
  Date:          2/05/2014 8:47:58 a.m.
  Event ID:      6274
  Task Category: Network Policy Server
  Level:         Information
  Keywords:      Audit Failure
  User:          N/A
  Computer:      NT147.domain.local
  Description:
  Network Policy Server discarded the request for a user.Contact the Network Policy Server administrator for more information.User:
   Security ID:   NULL SID
   Account Name:   host/DPC0387.domain.local
   Account Domain:   DOMAIN
   Fully Qualified Account Name: DOMAIN\DPC0387$Client Machine:
   Security ID:   NULL SID
   Account Name:   -
   Fully Qualified Account Name: -
   OS-Version:   -
   Called Station Identifier:  3c-xx-xx-xx-xx-xx
   Calling Station Identifier:  00-xx-xx-xx-xx-xxNAS:
   NAS IPv4 Address:  10.nnn.nnn.nnn
   NAS IPv6 Address:  -
   NAS Identifier:   ND246
   NAS Port-Type:   Ethernet
   NAS Port:   71RADIUS Client:
   Client Friendly Name:  Network Device Management Subnet
   Client IP Address:   10.nnn.nnn.nnnAuthentication Details:
   Connection Request Policy Name: NAP 802.1X (Wired)
   Network Policy Name:  -
   Authentication Provider:  Windows
   Authentication Server:  NT147.domain.local
   Authentication Type:  -
   EAP Type:   -
   Account Session Identifier:  384F322E317838316564303034313030306230666632
   Reason Code:   1
   Reason:    An internal error occurred. Check the system event log for additional information.
  How do I debug when an internal error occurs but there is nothing in the system event log? Where else can I look?
  Here's the packet trace that matches the event log entry above:
  No.     Time        Source                Destination           Protocol Length Time from request Info
        1 0.000000    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Request, Identity
        2 2.470423    Universa_xx:xx:xx     Nearest               EAPOL    60                       Start
        3 2.472870    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Request, Identity
        4 2.539416    Universa_xx:xx:xx     Nearest               EAP      60                       Response, Identity
        5 2.544206    Universa_xx:xx:xx     Nearest               EAPOL    60                       Start
        6 2.548804    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Request, Identity
        7 2.550050    Universa_xx:xx:xx     Nearest               EAP      60                       Response, Identity
        8 2.552597    10.switch             10.NPS_Server         RADIUS   254                      Access-Request(1) (id=249, l=208)
        9 2.556043    10.NPS_Server         10.switch             RADIUS   136    0.003446000       Access-Challenge(11) (id=249, l=90)
       10 2.565876    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Request, Protected EAP (EAP-PEAP)
       11 2.569472    10.switch             10.NPS_Server         RADIUS   254                      Access-Request(1) (id=250, l=208)
       12 2.572566    10.NPS_Server         10.switch             RADIUS   136    0.003094000       Access-Challenge(11) (id=250, l=90)
       13 2.580254    Universa_xx:xx:xx     Nearest               TLSv1    123                      Client Hello
       14 2.586544    10.switch             10.NPS_Server         RADIUS   361                      Access-Request(1) (id=251, l=315)
       15 4.564841    Universa_xx:xx:xx     Nearest               EAPOL    60                       Start
       16 4.568530    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Request, Identity
       17 4.569876    Universa_xx:xx:xx     Nearest               EAP      60                       Response, Identity
       18 4.582263    10.switch             10.NPS_Server         RADIUS   254                      Access-Request(1) (id=252, l=208)
       19 4.586006    10.NPS_Server         10.switch             RADIUS   136    0.003743000       Access-Challenge(11) (id=252, l=90)
       20 4.591896    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Request, Protected EAP (EAP-PEAP)
       21 4.592692    Universa_xx:xx:xx     Nearest               TLSv1    123                      Client Hello
       22 4.599634    10.switch             10.NPS_Server         RADIUS   361                      Access-Request(1) (id=253, l=315)
       23 4.600887    10.NPS_Server         10.switch             IPv4     1518                     Fragmented IP protocol (proto=UDP 17, off=0, ID=07db)
       24 4.609920    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    1514                     Server Hello, Certificate, Certificate Request, Server Hello Done
       25 4.610516    Universa_xx:xx:xx     Nearest               EAP      60                       Response, Protected EAP (EAP-PEAP)
       26 4.617407    10.switch             10.NPS_Server         RADIUS   262                      Access-Request(1) (id=254, l=216)
       27 4.618352    10.NPS_Server         10.switch             RADIUS   288    0.000945000       Access-Challenge(11) (id=254, l=242)
       28 4.623650    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    176                      Server Hello, Certificate, Certificate Request, Server Hello Done
       29 4.643316    Universa_xx:xx:xx     Nearest               TLSv1    361                      Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
       30 4.649607    10.switch             10.NPS_Server         RADIUS   601                      Access-Request(1) (id=255, l=555)
       31 4.656950    10.NPS_Server         10.switch             RADIUS   199    0.007343000       Access-Challenge(11) (id=255, l=153)
       32 4.662734    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    87                       Change Cipher Spec, Encrypted Handshake Message
       33 4.681106    Universa_xx:xx:xx     Nearest               EAP      60                       Response, Protected EAP (EAP-PEAP)
       34 4.788536    10.switch             10.NPS_Server         RADIUS   262                      Access-Request(1) (id=2, l=216)
       35 4.789735    10.NPS_Server         10.switch             RADIUS   173    0.001199000       Access-Challenge(11) (id=2, l=127)
       36 4.795723    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    61                       Application Data
       37 4.796372    Universa_xx:xx:xx     Nearest               TLSv1    93                       Application Data
       38 4.802368    10.switch             10.NPS_Server         RADIUS   331                      Access-Request(1) (id=3, l=285)
       39 4.803363    10.NPS_Server         10.switch             RADIUS   189    0.000995000       Access-Challenge(11) (id=3, l=143)
       40 4.808905    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    77                       Application Data
       41 4.809501    Universa_xx:xx:xx     Nearest               TLSv1    77                       Application Data
       42 4.817342    10.switch             10.NPS_Server         RADIUS   315                      Access-Request(1) (id=4, l=269)
       43 4.822986    10.NPS_Server         10.switch             RADIUS   189    0.005644000       Access-Challenge(11) (id=4, l=143)
       44 4.828973    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    77                       Application Data
       45 4.833318    Universa_xx:xx:xx     Nearest               TLSv1    829                      Application Data
       46 4.840610    10.switch             10.NPS_Server         RADIUS   1073                     Access-Request(1) (id=5, l=1027)
       47 4.845946    10.NPS_Server         10.switch             RADIUS   189    0.005336000       Access-Challenge(11) (id=5, l=143)
       48 4.850938    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    77                       Application Data
       49 4.907924    Universa_xx:xx:xx     Nearest               TLSv1    141                      Application Data
       50 4.913390    10.switch             10.NPS_Server         RADIUS   379                      Access-Request(1) (id=6, l=333)
       51 4.917535    10.NPS_Server         10.switch             RADIUS   221    0.004145000       Access-Challenge(11) (id=6, l=175)
       52 4.922877    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    109                      Application Data
       53 4.923472    Universa_xx:xx:xx     Nearest               TLSv1    61                       Application Data
       54 4.930319    10.switch             10.NPS_Server         RADIUS   299                      Access-Request(1) (id=7, l=253)
       55 4.937348    10.NPS_Server         10.switch             RADIUS   381    0.007029000       Access-Challenge(11) (id=7, l=335)
       56 4.942543    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    269                      Application Data
       57 4.944791    Universa_xx:xx:xx     Nearest               TLSv1    125                      Application Data
       58 4.951408    10.switch             10.NPS_Server         RADIUS   363                      Access-Request(1) (id=8, l=317)
       59 4.954022    10.NPS_Server         10.switch             RADIUS   355    0.002614000       Access-Accept(2) (id=8, l=309)
       60 4.981482    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Success
       61 32.590347   10.switch             10.NPS_Server         RADIUS   361                      Access-Request(1) (id=251, l=315)
       62 62.592420   10.switch             10.NPS_Server         RADIUS   361                      Access-Request(1) (id=251, l=315)
       63 92.595043   10.switch             10.NPS_Backup_Server  RADIUS   361                      Access-Request(1) (id=9, l=315)
       64 122.597856  10.switch             10.NPS_Backup_Server  RADIUS   361                      Access-Request(1) (id=9, l=315)
       65 152.600618  10.switch             10.NPS_Backup_Server  RADIUS   361                      Access-Request(1) (id=9, l=315)

  A belated thanks for your reply.
  Our environment doesn't have NPS accounting configured so that was easy to rule out.
  The mid-day drop outs have stopped after I added "set protocols dot1x authenticator no-mac-table-binding" to our Juniper switches (which prevents mac address aging from clearing the active dot1x client session).
  I believe the above error message occurs because the RADIUS session ID is rejected / ignored because of some quirks in the RADIUS standard.  At the start of a dot1x authentication request a RADIUS session ID is created.  For whatever reason the
  RADIUS/NAP server stops responding and the Juniper switch fails over to the backup RADIUS/NAP server configured.  The session ID is kept (per RADIUS standard) but the backup RADIUS/NAP server doesn't know about the session, so this event: "Network
  Policy Server discarded the request for a user." occurs.
  It would be nice to see a clearer error message "Invalid RADIUS session" or similar.
  There is a Microsoft guide on how to set up RADIUS/NAP servers in a highly available configuration - something to do with RADIUS proxy servers.
  It would be even nicer to see some kind of RADIUS session synchronisation between NAP servers... if it doesn't already exist?
  I am having the same exact issue you posted on here except I have Extreme Network switches. Some of my computers, various hardware, will randomly not authenticate during re-authentication. The switch says that it failed to contact the NPS server so then it
  switches to my backup server. The client has a random time on how long it waits to authenticate so sometimes I end up having the disable/re-enable the port they are connected to so that the session is started again. I see that you basically removed the option
  to force clients to re-authenticate Any downfall disabling that?. Any idea why the NPS server is no longer responding? Are you using Windows Server 2012?

• Forefront TMG network policy server and VPN issue.

  Hello every one!
  I have a problem with configuration VPN server on Forefront TMG on Windows Server 2008R2 with latests microsoft updates.
  I install Forefront TMG on on Windows Server 2008R2 with latest updates.
  Then, I configure startup wizard where I set network configuration and etc.
  Next, I set VPN settings, I set DHCP pool, DNS servers, Access groups for VPN, and set PPTP.
  After apply this settings, service RemoteAccess doesn't start. I try to reboot server but service doesn't start.
  But it's not one problem.
  When I add VPN Access groups in Forefront, and apply configuration, I don't see changes in network policy server (nps.msc) Groups don't add to policy in network policy server.
  Screenshot
  If I start RemoteAccess manually and add new VPN Access groups in policy in network policy server, I can use VPN server, and connect to forefront server.
  But I don't understand why TMG Forefront can't apply this settings in nps.msc and services.
  What I do wrong?
  I Use Windows Server 2008R2
  Forefront TMG RTM 7.0.7734.100

  Hello! Thank you for your help!
  I see this link
  http://www.isaserver.org/articles-tutorials/configuration-security/Implementing-Secure-Remote-Access-PPTP-Forefront-Threat-Management-Gateway-TMG-2010-Part2.html
  But I don't use RADIUS server in my Forefront TMG VPN configuration.
  I configure client VPN Access via PPTP
  When I configure TMG VPN settings, I set VPN Access groups. After that NPS server change and apply TMG network policy correctly.
  But if I change some TMG firewall policy, and then I  try to add VPN Access groups (screenshot -
  http://i.gyazo.com/34a34ba18a01c58689e5e3cddbc52585.png) NPS server can't change and apply TMG network policy correctly.
  Now I have a two Access groups in TMG VPN settings
  http://i.gyazo.com/34a34ba18a01c58689e5e3cddbc52585.png
  And I have a NPS server network policy with not correctly settings
  http://i.gyazo.com/1dd973ca9cc2a228d54a53d88ca90009.png
  Forefront can't change NPS server network policy. I don't undesrtand where problem.
  I try to reinstall TMG on new machine, but problem
  problem persists.

• Network Policy Server: No Domain Controller Available

  When attempting to configure our domain controller as a Network Policy Server, I am receiving an error message stating that there is no domain controller available for domain K12.TX.US (which is the NETBIOS name of our domain).
  The Full DNS Name of our Domain is : nederland.k12.tx.us
  Log Name:      System
  Source:        NPS
  Date:          3/7/2014 12:55:51 PM
  Event ID:      4402
  Task Category: None
  Level:         Error
  Keywords:      Classic
  User:          N/A
  Computer:      ADMIN-PDC.nederland.k12.tx.us
  Description:
  There is no domain controller available for domain K12.TX.US.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="NPS" />
      <EventID Qualifiers="49152">4402</EventID>
      <Level>2</Level>
      <Task>0</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2014-03-07T18:55:51.000000000Z" />
      <EventRecordID>84518</EventRecordID>
      <Channel>System</Channel>
      <Computer>ADMIN-PDC.nederland.k12.tx.us</Computer>
      <Security />
    </System>
    <EventData>
      <Data>K12.TX.US</Data>
    </EventData>
  </Event>
  Please help, as I believe that this is causing the following error:
  Log Name:      Security
  Source:        Microsoft-Windows-Security-Auditing
  Date:          3/7/2014 12:55:51 PM
  Event ID:      6273
  Task Category: Network Policy Server
  Level:         Information
  Keywords:      Audit Failure
  User:          N/A
  Computer:      ADMIN-PDC.nederland.k12.tx.us
  Description:
  Network Policy Server denied access to a user.
  Contact the Network Policy Server administrator for more information.
  User:
  Security ID: NULL SID
  Account Name: abusby
  Account Domain: K12.TX.US
  Fully Qualified Account Name: K12.TX.US\abusby
  Client Machine:
  Security ID: NULL SID
  Account Name: -
  Fully Qualified Account Name: -
  OS-Version: -
  Called Station Identifier: 00-19-92-0C-E4-E9:NISD_Testing
  Calling Station Identifier: B8-E8-56-A8-D4-D9
  NAS:
  NAS IPv4 Address: 10.250.1.15
  NAS IPv6 Address: -
  NAS Identifier: -
  NAS Port-Type: Wireless - IEEE 802.11
  NAS Port: 0
  RADIUS Client:
  Client Friendly Name: Testing Access Point
  Client IP Address: 10.250.1.15
  Authentication Details:
  Connection Request Policy Name: BlueSocket Wireless Connections
  Network Policy Name: -
  Authentication Provider: Windows
  Authentication Server: ADMIN-PDC.nederland.k12.tx.us
  Authentication Type: PEAP
  EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
  Account Session Identifier: -
  Logging Results: Accounting information was written to the local log file.
  Reason Code: 7
  Reason: The specified domain does not exist.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
      <EventID>6273</EventID>
      <Version>1</Version>
      <Level>0</Level>
      <Task>12552</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8010000000000000</Keywords>
      <TimeCreated SystemTime="2014-03-07T18:55:51.061488000Z" />
      <EventRecordID>3106129068</EventRecordID>
      <Correlation />
      <Execution ProcessID="584" ThreadID="4712" />
      <Channel>Security</Channel>
      <Computer>ADMIN-PDC.nederland.k12.tx.us</Computer>
      <Security />
    </System>
    <EventData>
      <Data Name="SubjectUserSid">S-1-0-0</Data>
      <Data Name="SubjectUserName">abusby</Data>
      <Data Name="SubjectDomainName">K12.TX.US</Data>
      <Data Name="FullyQualifiedSubjectUserName">K12.TX.US\abusby</Data>
      <Data Name="SubjectMachineSID">S-1-0-0</Data>
      <Data Name="SubjectMachineName">-</Data>
      <Data Name="FullyQualifiedSubjectMachineName">-</Data>
      <Data Name="MachineInventory">-</Data>
      <Data Name="CalledStationID">00-19-92-0C-E4-E9:NISD_Testing</Data>
      <Data Name="CallingStationID">B8-E8-56-A8-D4-D9</Data>
      <Data Name="NASIPv4Address">10.250.1.15</Data>
      <Data Name="NASIPv6Address">-</Data>
      <Data Name="NASIdentifier">-</Data>
      <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
      <Data Name="NASPort">0</Data>
      <Data Name="ClientName">Testing Access Point</Data>
      <Data Name="ClientIPAddress">10.250.1.15</Data>
      <Data Name="ProxyPolicyName">BlueSocket Wireless Connections</Data>
      <Data Name="NetworkPolicyName">-</Data>
      <Data Name="AuthenticationProvider">Windows</Data>
      <Data Name="AuthenticationServer">ADMIN-PDC.nederland.k12.tx.us</Data>
      <Data Name="AuthenticationType">PEAP</Data>
      <Data Name="EAPType">Microsoft: Secured password (EAP-MSCHAP v2)</Data>
      <Data Name="AccountSessionIdentifier">-</Data>
      <Data Name="ReasonCode">7</Data>
      <Data Name="Reason">The specified domain does not exist.</Data>
      <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
    </EventData>
  </Event>

  Yes I did see that article, and there are plenty of logs from another device that authenticates via
  RADIUS. Requests from our 802.1x wireless network are giving the "the specified domain does not exist" error. I can enter the username asusername,
  username@domain, or domain\username and
  neither method fixes the error.

• How to do Server 2012 R2 Network Policy Server MAC Authentication without adding ad users?

  I have a Network Policy Server running on Server 2012 R2.  I have set it up to do certificate and PEAP authentication for our 802.1x wireless authentication
  and that works great.
  Now I want to add a policy to this server so I can also do MAC address authentication our unauthenticated open wireless ssid so i can assign roles based on the
  mac address.  I got our Aruba controller setup to send the mac address to the radius server, but the radius server just denies access because I am not sure how to get it to use themsNPCallingStationID attribute. 
  I have found several ways do to this included adding active directory users for every single MAC address with the mac address as the username and password.  I
  do not want to do that.  This is not an option.
  I have also found several posts about using ieee802Device.  I can't find a way to get that to work.
  I also found a suggestion to use msNPCallingStationID ad attribute.  I can easily set this for each user as their mac addresses but how do I configure the
  NPS server to use this attribute to authenticate this?
  If you have any other ideas on how to get MAC authentication to work, I would greatly appreciate it!
  Thank you for your assistance!

  Hi,
  I think you may have some misunderstand about the MAC address Authorization, MAC address authorization is based on the MAC address of the network adapter installed in
  the access client computer. Like ANI authorization, MAC address authorization uses the Calling-Station-ID attribute instead of user name and password or certificate-based credentials to identify the user during the connection attempt.
  MAC address authorization is performed when the user does not type in any user name or password, and refuses to use any valid authentication method. In this case, Network
  Policy Server (NPS) receives the Calling-Station-ID attribute, and no user name and password. To support MAC address authorization, Active Directory Domain Services (AD DS) must have user accounts that contain MAC addresses as user names, therefore you need
  add the MAC address as the computer user name and password,
  To use the MAC address as user name and password is Cisco® switch require condition, about your switch device please ask your hardware vendor.
  If you want to combine the MAC address MAC filtering and
   EAP Authentication, you can refer the following related article:
  Enhance your 802.1x deployment security with MAC filtering
  http://blogs.technet.com/b/nap/archive/2006/09/08/454705.aspx
  More information:
  MAC Address Authorization
  http://technet.microsoft.com/en-us/library/dd197535(v=ws.10).aspx
  Authorization by User and Group
  http://technet.microsoft.com/en-us/library/dd197615(v=ws.10).aspx
  The similar thread:
  NPS: Override User-Name and User Identity Attribute
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/6dd983f9-973f-4d23-be0c-032d3a1592d0/nps-override-username-and-user-identity-attribute?forum=winserverNAP
  The related third party article:
  Configuring IEEE 802.1x Port-Based Authentication
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-2_25_see/configuration/guide/3550SCG/sw8021x.html#wp1170569
  MAC Filters with Wireless LAN Controllers (WLCs) Configuration Example
  http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html#backinfo
  Hope this helps.

• Can we use Windows IIS FTP server in SOA

  Can anyone help me out whether we can use windows IIS FTP server in SOA for ftp adapter file transfer operations.

  910764
  1:- I have not begged or requested for marking all answers as helpful. If answers are helpful then post author can do that.
  2:- I also follow same practice. I dont blindly mark all answers correct or helpful. It can waste other's time. Correct marking is very important. Hence my all question are not having close end.Few are still open for correct answers. I will happily mark them correct if you can help me in that.
  In the end , I will say Kindly refrain yourself using this platform as facebook or other social networking websites.
  I hope you will understand seriousness of this forum and utilize its member's posts at the most.
  Thanks,
  Ashu

• Network Policy Server Event ID 6272 not being forwarded to Event Collector.

  Hi there
  I have configured an Event Subscription to collect events from 2 DCs that run RADIUS for network switches. It appears the events are being forwarded okay, I am getting the Security events (Logon and Logoff) on the event collector PC. However I am not getting
  any of the Network Policy Server security events (specifically Event IDs 6272), to centrally audit RADIUS logins to switches.
  The subscription is collector initiated, and I have added Network Service to the Event Log Readers Group. Is there something I am missing in the setup requirements for these events to be forwarded?
  Thank you,
  Kind regards
  Hylton

  Hi Gabriel101,
  Could you offer us more information about your environment, such as what edition server you are using, whether your AD and NPS role on the same server, whether your NPS working
  properly now, whether you can receive others security auditing.
  The related KB:
  NPS Local Log File Status
  http://technet.microsoft.com/en-us/library/cc735386(v=ws.10).aspx
  Event ID 6272 — NPS Authentication Status
  http://technet.microsoft.com/en-us/library/cc735388(v=ws.10).aspx
  I’m glad to be of help to you!
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Network Policy Server Two-factor authentication OTP

  Hello,
  I don't have much knowledge about the Network Policy Server so before digging into this; I would like to know if it offers two-factor authentication. If so, what are the possibilites? I'm looking for a validation based on a one-time password OTP (hardware/software
  token or sms) and  the Active Directory user/pwd.
  Is there anything builtin in the Network Policy Server offering this?
  Thank you!

  Hi,
  NPS supports smart card.
  Two-factor authentication provides improved security because it requires the user to meet two authentication criteria: a user name/password combination and a token or certificate.
  A typical example of two-factor authentication with a certificate is the use of a smart card.
  To use smart cards for remote access authentication, we may do the following:
  Configure remote access on the remote access server.
  Install a computer certificate on the remote access server computer.
  Configure the Smart card or other certificate (TLS) EAP type in remote access policies.
  Enable smart card authentication on the dial-up or VPN connection on the remote access client.
  For detailed information, please refer to the link below,
  Using smart cards for remote access
  http://technet.microsoft.com/en-us/library/cc783310(v=WS.10).aspx
  Best Regards.
  Steven Lee
  TechNet Community Support

• 6274: Network Policy Server discarded the request for a user

  How to reproduce this event:
  6274: Network Policy Server discarded the request for a user

  Hello,
  according to the following just use an older RADIUS client version:
  Warning: NPS discarded the request for a user
  This monitor returns the number of events when the Network Policy Server discarded the request for a user.
  Type of event: Warning. Event ID: 6274.
  This condition occurs when the NPS discards accounting requests because the structure of the accounting request message that was sent by a RADIUS client does not comply with the RADIUS protocol. You should reconfigure, upgrade, or replace the RADIUS
  client.
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://msmvps.com/blogs/mweber/
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

• How to install forms 6i runtime using windows Systems Management Server?

  Hi,
  Our clinents are using oracle forms 5 application and we want to upgrade to forms 6i ( client /server ).
  How to install oracle forms 6i and reports 6i runtime in multiple client machines
  using windows systems management server instead of installing one by one manually.
  Regards

  Here is a quick summary on why this works...
  The Problem:
  The issue relies with the method and logic that MDT’s scripts use to query and validate that the proper disks, partitions and storage space reside before starting the installation of Windows.
  Essentially what you have configured in the Task Sequence and the UNATTEND.xml is analyzed by the MDT scripts then a validation is completed against the hardware in which you wish to install Windows
  on and if there are any errors you will be prompted with MDT Error or Warning dialogs.
  The problem is that the MDT scripts use WMI to query the hard disk, partition and free space requirements for Windows, but in the case of using GPT disk, the 2nd partition (MSR) that you have to create
  is hidden. The class that WMI uses for its query can’t see the MSR partition so instead of 3 partitions, it returns 2 in the query results; hence why DISK 0 PARTITION 3 doesn’t work as mentioned earlier when configured in the MDT Task Sequence.
  Although the above still confuses me as to why it works with DISK 0 PARTITION 2 since the WMI query results return PARTITION IDs 0 and 1 when it should return 1 and 2…
  The Windows Pre-Installation Environment however does see all 3 partitions correctly and we tried configuring in our Task Sequence to install Windows to DISK 0 and PARTITION 2 and in the UNATTEND.xml
  file to install Windows to DISK 0 and PARTITION 3 but due to timing issues of the way Windows installs with MDT, did this not work for us.