Server 2019 NPS

Anonymous
2024-06-14T20:59:39+00:00

I am trying to set up a Network Policy Server to use for RADIUS. This will be MAC RADIUS. My users will connect to the Wireless LAN through the WLC, and the WLC will check with NPS to see if the MAC is authorized. The issue I am having is that the one test client keeps not authenticating. Its username and password are its MAC address. I have found many guides on how to do this, but none of them talk about using MAC. Currently my WLC and NPS are talking; I just can't get a client to log in.

Here is the log:

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			NULL SID
	Account Name:			60452e38fb8a
	Account Domain:			Domain
	Fully Qualified Account Name:	Domain\60452e38fb8a

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	Called Station Identifier:		10f3119946a0
	Calling Station Identifier:		60452e38fb8a

NAS:
	NAS IPv4 Address:		10.x.x.12
	NAS IPv6 Address:		-
	NAS Identifier:			2504
	NAS Port-Type:			Wireless - IEEE 802.11
	NAS Port:			1

RADIUS Client:
	Client Friendly Name:		WLC
	Client IP Address:		10.x.x.12

Authentication Details:
	Connection Request Policy Name:	Secure Wireless Connections
	Network Policy Name:		-
	Authentication Provider:		Windows
	Authentication Server:		SERVER2.domain
	Authentication Type:		PAP
	EAP Type:			-
	Account Session Identifier:	36363663383461322F36303A34353A32653A33383A66623A38612F31303139
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			36
	Reason:				The user's authentication attempts have exceeded the maximum allowed number of failed attempts specified by the account lockout threshold setting in Account Lockout Policy in Group Policy. To unlock the account, edit the user account properties.

Any help on this issue would be great. TIA.


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


3 answers

  1. Anonymous
    2024-06-17T01:31:54+00:00

    Sure, here are the specific troubleshooting steps to check and configure your NPS for MAC-based RADIUS authentication:

    1. Verify User Account and Password

    1. Open **Active Directory Users and Computers**.
    2. Locate the user account that corresponds to the MAC address (e.g., 60452e38fb8a).
    3. Right-click the user account and select **Properties**.
    4. Ensure that the username is the MAC address and set the password to the same MAC address.

    2. Check NPS Configuration

    1. Open *Network Policy Server*.
    2. Expand *Policies* and click on *Connection Request Policies*.
    3. Ensure there is a policy that handles wireless connections. For example, "Secure Wireless Connections".
    4. Verify that the policy conditions match your setup (e.g., *NAS Port Type*: Wireless - IEEE 802.11).
    5. Next, click on *Network Policies*.
    6. Ensure there is a policy for MAC authentication. If not, create a new one:
      • Click *New* to create a new policy.
      • Name the policy (e.g., "MAC Authentication Policy").
      • Add a condition for **Calling Station ID** with the MAC address format.

    3. Review Account Lockout Policy

    1. Open *Group Policy Management*.
    2. Navigate to the appropriate Group Policy Object (GPO) that applies to your NPS server or user accounts.
    3. Under *Computer Configuration*, expand *Policies* > *Windows Settings* > *Security Settings* > *Account Policies* > *Account Lockout Policy*.
    4. Check the **Account Lockout Threshold** and ensure it is set to a reasonable number of failed attempts.
    5. Reset the lockout status of the user if necessary:
      • Open **Active Directory Users and Computers**.
      • Right-click the locked-out user account and select **Properties**.
      • Go to the **Account** tab and check/uncheck **Unlock account**.

    4. RADIUS Client Configuration

    1. In **Network Policy Server**, go to **RADIUS Clients and Servers** > **RADIUS Clients**.
    2. Ensure that your Wireless LAN Controller (WLC) is correctly configured as a RADIUS client.
    3. Verify the shared secret matches the one configured on the WLC.
    4. Ensure the IP address of the WLC is correctly entered.

    5. Check Event Viewer Logs

    1. Open *Event Viewer* on the NPS server.
    2. Navigate to *Windows Logs* > *Security*.
    3. Look for any events related to the authentication attempts.
    4. Note any specific error messages or warnings for further troubleshooting.

    6. Test with Different Client

    1. Use a different client device.
    2. Set its username and password to its MAC address.
    3. Attempt to authenticate and check if the issue persists.

    7. Update NPS and WLC Firmware

    1. Ensure the NPS server is running the latest updates from Windows Update.
    2. Check the firmware version of the Netgear switch and WLC.
    3. Update the firmware if there are any new versions available.

    8. Example Configuration for Network Policy

    1. Open *Network Policy Server*.
    2. Go to *Policies* > *Network Policies*.
    3. Click *New* to create a new policy.
    4. Name the policy (e.g., "MAC Authentication Policy").
    5. Under *Conditions*:
      • Add *Calling Station ID*.
      • Set the value to match the MAC address format (e.g., XX:XX:XX:XX:XX:XX or XXXXXXXXXXXX).
    6. Under *Constraints*:
      • Click on *Authentication Methods*.
      • Ensure *PAP* is enabled.
    7. Under *Settings*:
      • Ensure the *Access Permission* is set to *Grant access*.
    8. Apply and save the policy.

    If you have followed these steps and the issue persists, please provide more detailed logs or error messages for further assistance.

    Best regards,

    Rosy

  2. Anonymous
    2024-07-11T17:26:19+00:00

    I keep getting this error message in the NPS Log:

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
    	Security ID:			Domain\60452e38fb8a
    	Account Name:			60452e38fb8a
    	Account Domain:			Domain
    	Fully Qualified Account Name:	Domain\60452e38fb8a

    Client Machine:
    	Security ID:			NULL SID
    	Account Name:			-
    	Fully Qualified Account Name:	-
    	Called Station Identifier:		10f3119946a0
    	Calling Station Identifier:		60452e38fb8a

    NAS:
    	NAS IPv4 Address:		10.x.x.12
    	NAS IPv6 Address:		-
    	NAS Identifier:			2504
    	NAS Port-Type:			Wireless - IEEE 802.11
    	NAS Port:			1

    RADIUS Client:
    	Client Friendly Name:		WLC
    	Client IP Address:		10.x.x.12

    Authentication Details:
    	Connection Request Policy Name:	Secure Wireless Connections
    	Network Policy Name:		-
    	Authentication Provider:		Windows
    	Authentication Server:		SERVER2.Domain
    	Authentication Type:		PAP
    	EAP Type:			-
    	Account Session Identifier:	36363930303739392F36303A34353A32653A33383A66623A38612F32313137
    	Logging Results:			Accounting information was written to the local log file.
    	Reason Code:			48
    	Reason:				The connection request did not match any configured network policy.

    I have configured it just like you said, but it doesn't seem to see the Network Policy.

    Here is my "MAC Authentication Policy":

    Conditions:
    	Calling Station ID		XXXXXXXXXXXX
    	Windows Groups			Domain\Wifi-MAC-filtering

    Settings:
    	Authentication Method		EAP or Unencrypted authentication (PAP, SPAP)
    	Access Permission		Grant Access
    	Framed-Protocol			PPP
    	Service-Type			Framed
    	Extensible Authentication Protocol Method	Microsoft: Protected EAP (PEAP)


    In Conditions I did try it with just "Calling Station ID" but got the same thing. I added the others as tests.

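The two denied-access events in this thread (Reason Code 36 in the question, Reason Code 48 in the reply above) differ in one field, and the reply's policy listing shows a Calling Station ID condition of `XXXXXXXXXXXX`, the literal placeholder from the answer rather than a pattern that could match `60452e38fb8a`. The following is an added example, not code from the thread or from Microsoft: it parses the `Field: Value` text of an NPS "denied access" event (Security log event 6273) into a dictionary, evaluates a list of network-policy conditions against it in NPS processing order (first policy whose conditions all match wins), and turns the reason code into a finding. The sample events are constructed from the values posted here; `POSTED_POLICIES` mirrors the reply's policy, `CORRECTED_POLICIES` is this example's suggestion (an anchored hex pattern plus a NAS Port-Type condition). Treating every condition as a regular expression and matching case-insensitively are assumptions made for the example; NPS itself documents the Calling Station ID condition as regex pattern matching, and NAS Port-Type is a pick-list in its UI.

```python
import re

# Constructed sample input: two NPS "denied access" events (Security log
# event 6273 as Event Viewer renders it), modelled on this thread's entries.
SAMPLE_EVENTS = [
    """Network Policy Server denied access to a user.
User:
\tAccount Name:\t\t\t60452e38fb8a
\tFully Qualified Account Name:\tDomain\\60452e38fb8a
Client Machine:
\tCalled Station Identifier:\t\t10f3119946a0
\tCalling Station Identifier:\t\t60452e38fb8a
NAS:
\tNAS Port-Type:\t\t\tWireless - IEEE 802.11
Authentication Details:
\tNetwork Policy Name:\t\t-
\tAuthentication Type:\t\tPAP
\tReason Code:\t\t\t36
""",
    """Network Policy Server denied access to a user.
User:
\tAccount Name:\t\t\t60452e38fb8a
Client Machine:
\tCalling Station Identifier:\t\t60452e38fb8a
NAS:
\tNAS Port-Type:\t\t\tWireless - IEEE 802.11
Authentication Details:
\tNetwork Policy Name:\t\t-
\tReason Code:\t\t\t48
""",
]

# Policy as posted (the condition value is the literal placeholder) and a
# corrected version; the corrected patterns are this example's suggestion.
POSTED_POLICIES = [
    {"name": "MAC Authentication Policy",
     "conditions": {"Calling Station Identifier": "XXXXXXXXXXXX"}},
]
CORRECTED_POLICIES = [
    {"name": "MAC Authentication Policy",
     "conditions": {"Calling Station Identifier": "^[0-9a-f]{12}$",
                    "NAS Port-Type": "^Wireless - IEEE 802\\.11$"}},
]

REASON_HINTS = {
    "36": "account locked out: the AD account hit the lockout threshold; "
          "unlock it and fix the credential mismatch before retrying",
    "48": "no network policy matched: compare each policy condition with "
          "the values in this event",
}


def parse_nps_event(text: str) -> dict:
    """Turn 'Field:<tabs>Value' lines into a dict; headers like 'User:'
    carry no value and are skipped, as are lines without a colon."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        if value.strip():
            fields[key.strip()] = value.strip()
    return fields


def condition_matches(pattern: str, value: str) -> bool:
    """Regex search over the attribute string exactly as the NAS sent it,
    so a pattern needs ^ and $ to require a whole-string match.
    Case-insensitivity is an assumption (NAS vendors differ in hex case)."""
    return re.search(pattern, value, re.IGNORECASE) is not None


def first_matching_policy(policies: list, fields: dict):
    """NPS processing order: first policy whose conditions all match wins;
    None is the outcome that Reason Code 48 reports."""
    for policy in policies:
        if all(condition_matches(pat, fields.get(attr, ""))
               for attr, pat in policy["conditions"].items()):
            return policy["name"]
    return None


def triage(text: str, policies: list) -> dict:
    """Explain one denied-access event in terms of a MAC-based setup."""
    fields = parse_nps_event(text)
    account = fields.get("Account Name", "")
    csid = fields.get("Calling Station Identifier", "")
    reason = fields.get("Reason Code", "")
    findings = [REASON_HINTS.get(reason, f"reason code {reason}: unhandled here")]
    # MAC auth sends the MAC as username and password, so the account name
    # should equal the Calling-Station-Id the NAS supplied.
    if account.lower() != csid.lower():
        findings.append("account name differs from Calling-Station-Id")
    if reason == "48":
        matched = first_matching_policy(policies, fields)
        findings.append(f"would match policy: {matched}" if matched
                        else "no policy condition matches this Calling-Station-Id")
    return {"account": account, "calling_station_id": csid,
            "reason_code": reason, "findings": findings}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(triage(event, POSTED_POLICIES))
    print(triage(SAMPLE_EVENTS[1], CORRECTED_POLICIES))
```

Run against the posted policy, the Reason Code 48 event yields "no policy condition matches this Calling-Station-Id"; against the corrected policy it would match. The Calling Station ID condition only constrains the string the NAS reports, so the AD account and the Windows Groups condition remain the real gate on who gets access; the pattern should be as narrow as the device population allows.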
  3. Anonymous
    2024-07-12T13:41:47+00:00

    Can anyone help me? I think this has to do with my network policy not being set up properly.
