MFA 802.1X does not work on Windows 2012 R2 and NPS/RADIUS.

RAPHAEL BENS 0 Reputation points
2023-08-01T13:12:09.9366667+00:00

Hello,

I want to set up MFA (Multi-Factor Authentication) through a specific SSID on the LAN and WIFI network.

To do this, I have installed a Microsoft 2012 R2 server and enabled the NPS feature (this test server also acts as AD/DNS/IIS). Then, I configured two RADIUS clients: the Microsoft server itself and the WIFI controller.

In the Connection Request Policies, I set the conditions as follows:

  • Conditions: NAS Port Type - Wireless - 802.11

In the Network Policies, I set the conditions as follows:

  • Conditions: NAS Port Type - Wireless - 802.11 & Windows Groups: ADGROUP
  • Constraints: Authentication Method - Protected EAP (PEAP) & Smart Card or Certificate

Under Template Management, I created a shared secret template with a password (PWD).

I imported a certificate from another server that has the Certificate Services role (CS).

On the network controller, I have my SSID configured with the desired VLAN, and the authentication server is set to my Microsoft server with NPS.

However, when I try to connect to the SSID using the user account declared in the user group, the connection gets stuck at "Connecting," and I don't see any logs on the NPS server.

Windows Server

1 answer

  1. Limitless Technology 43,976 Reputation points
    2023-08-02T10:40:42.1666667+00:00

    Hello there,

    If you're experiencing issues with MFA (Multi-Factor Authentication) and 802.1X on Windows Server 2012 R2 with NPS (Network Policy Server) and RADIUS, there could be several reasons why it's not working as expected. Here are some troubleshooting steps to help you identify and resolve the problem:

    Verify RADIUS configuration: Double-check your RADIUS server settings in NPS to ensure they are correctly configured for 802.1X authentication and MFA. Pay attention to settings such as EAP methods, authentication protocols, and MFA requirements.

    Check NPS policies: Review the network policies configured in NPS to ensure they are correctly set up for 802.1X authentication. Ensure that MFA requirements are properly included in the policy.

    Verify MFA setup: If you are using a third-party MFA solution, make sure it's properly integrated with NPS. Verify that the necessary MFA settings are correctly configured on the MFA provider's side.

    Test MFA separately: Test the MFA solution independently from 802.1X authentication to ensure it's functioning correctly on its own. This can help isolate whether the issue lies with MFA or the integration with 802.1X.

    Check network device settings: Ensure that the network devices (switches, access points, etc.) are configured to support 802.1X and that the correct RADIUS server information is configured on them.

    Check event logs: Monitor the Event Viewer on the NPS server and the client devices for any error messages or events related to authentication or MFA. This can provide valuable information about the root cause of the issue.

    Update software and firmware: Make sure you are running the latest versions of NPS, Windows Server 2012 R2, and any third-party MFA software. Outdated software may have compatibility issues.

    Use a network capture tool: Network capture tools like Wireshark can help you analyze the network traffic during the authentication process. This can help identify any communication or protocol issues.

    Review firewall and network settings: Ensure that there are no firewall rules or network configurations that may be blocking communication between the NPS server, client devices, and MFA provider.

    Consult vendor documentation and support: Check the documentation and support resources provided by the MFA solution, NPS, and any relevant network device vendors for troubleshooting guidance.

    If you've exhausted these troubleshooting steps and are still unable to get MFA with 802.1X working on Windows Server 2012 R2, consider upgrading to a more recent version of Windows Server that may offer better support for modern authentication methods and security features.

    I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer--
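
The NPS-side checks named in the answer above (service state, RADIUS client entries, firewall, event logs), applied to the "no logs on the NPS server" symptom, as an added PowerShell example that is not part of the original thread. It assumes an elevated session on an English-language NPS server and a 15-minute lookback window chosen for illustration.

```powershell
# Added diagnostic example (not from the thread). Run elevated on the NPS server
# right after a failed connection attempt to the SSID.
# Assumption: the 15-minute lookback window is arbitrary; adjust as needed.
$since = (Get-Date).AddMinutes(-15)

# 1. The NPS service (service name "IAS") must be running.
Get-Service -Name IAS | Select-Object Name, DisplayName, Status

# 2. Events 6272 (granted), 6273 (denied) and 6274 (discarded) are only written
#    to the Security log when this audit subcategory is enabled.
#    The subcategory name is localized; the English name is assumed here.
auditpol /get /subcategory:"Network Policy Server"
# To enable it:
# auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

# 3. RADIUS clients known to NPS. The Address must match the source IP the
#    Wi-Fi controller sends from. SharedSecret is deliberately not selected,
#    because the cmdlet returns it in clear text.
Get-NpsRadiusClient | Select-Object Name, Address, Enabled

# 4. NPS should be listening on the RADIUS ports (1812/1813, legacy 1645/1646).
Get-NetUDPEndpoint -LocalPort 1812, 1813, 1645, 1646 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort

# 5. Inbound firewall rules for NPS must be enabled and set to Allow.
Get-NetFirewallRule -DisplayGroup 'Network Policy Server' |
    Select-Object DisplayName, Enabled, Direction, Action

# 6. Recent NPS events: access decisions in the Security log, and events from
#    the NPS provider in the System log (requests NPS rejected before policy
#    evaluation, for example from an unknown client address).
$security = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 6272, 6273, 6274; StartTime = $since
} -ErrorAction SilentlyContinue
$system = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'NPS'; StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $security -and -not $system) {
    # With auditing enabled and the service running, an empty result means the
    # Access-Request most likely never reached NPS: check the server IP and
    # port configured on the controller and any firewall in the path.
    "No NPS events since $since."
} else {
    @($security) + @($system) | Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, Id, Message | Format-List
}
```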
