NPS Network Policy

Anonymous
2024-07-15T13:28:49+00:00

I am trying to set up an NPS that uses RADIUS for our Wi-Fi. The logon name and password should be the computer's MAC address. I have created the new user in AD with the MAC as the account name and password. The computer tries to connect to the Wi-Fi, and the logs show it giving the right information. I get my connection request policy back, but the Network Policy will not show up in the log. Therefore, the computer cannot get connected to Wi-Fi.

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:

	Security ID:			Domain\60452e38fb8a

	Account Name:			60452e38fb8a

	Account Domain:			Domain

	Fully Qualified Account Name:	Domain\60452e38fb8a

Client Machine:

	Security ID:			NULL SID

	Account Name:			-

	Fully Qualified Account Name:	-

	Called Station Identifier:		10f3119946a0

	Calling Station Identifier:		60452e38fb8a

NAS:

	NAS IPv4 Address:		10.x.x.12

	NAS IPv6 Address:		-

	NAS Identifier:			2504

	NAS Port-Type:			Wireless - IEEE 802.11

	NAS Port:			1

RADIUS Client:

	Client Friendly Name:		WLC

	Client IP Address:			10.x.x.12

Authentication Details:

	Connection Request Policy Name:	Secure Wireless Connections

	Network Policy Name:		-

	Authentication Provider:		Windows

	Authentication Server:		SERVER2.Domain

	Authentication Type:		PAP

	EAP Type:			-

	Account Session Identifier:		36363930303739392F36303A34353A32653A33383A66623A38612F32313137

	Logging Results:			Accounting information was written to the local log file.

	Reason Code:			48

	Reason:				The connection request did not match any configured network policy.

Here is my Network Policy - "MAC Authentication Policy":

Conditions:
NAS Port Type    Wireless - IEEE 802.11

Calling Station ID    XXXXXXXXXXXX

Windows Groups  Domain\Wifi-MAC-filtering

Settings:

Authentication Method Unencrypted authentication (PAP,SPAP)

Access Permission Grant Access

Framed-Protocol PPP

Service-Type Framed
Encryption Policy Disabled

I think I need help forming the Network Policy. Any help would be appreciated.


  1. Anonymous
    2024-07-16T09:03:34+00:00

    Hello,

    According to the information you provided, there may be errors in the NPS policy configuration. I suggest you refer to the following:

    The following is the authentication method of MAC bypass for your reference. In this method, the client can use the MAC address as the username and password for verification.

    The drawback of this method is that you need to know the MAC address of each device. Specific steps:

    1. Create the accounts required for MAC Bypass in AD and put these accounts into a MAC Bypass group.

    NOTE: The account password setting must comply with the requirements of the access device. For example, Cisco requires that the username and password are both mac addresses.

    For example:

    User: 001122334455

    Pass: 001122334455


    2. NPS sets some registry keys. We need to configure the registry key "User Identity Attribute"; this is to allow the NPS server to support MAC Bypass.

    Registry path: HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy

    Registry key: User Identity Attribute

    Registry value: 31 (dword:0000001f)


    The user ID attribute does not exist by default. You can try to create it and then modify its key name and value.


    3. Create Network Policies on the NPS server:

    Policy Name: Mac Bypass

    Conditions: Add the local group MAC Bypass created in step 1 to User group.

    Constraints: Authentication Methods: only Unencrypted authentication (PAP, SPAP) needs to be selected.

    Settings: If you need to put the client accessed through MAC Bypass into a specific VLAN, you can configure the three attributes below. For example, with these values, the client will be assigned to VLAN 10:

    • Tunnel-Medium-Type:802

    • Tunnel-Pvt-Group-ID: The VLAN ID you wish to use, in this case 10

    • Tunnel-Type: Virtual LANs (VLAN)


    The above are the settings for the NPS server to support MAC Bypass. In fact, MAC Bypass also requires the support of the switch/AP. This function on some devices is called MAC bypass or MAC filtering. This is because this authentication occurs when the client cannot provide a username and password. The access device usually will not continue to request authentication from the backend RADIUS server (because there is no username/password). However, when this function is enabled, if the access device supports MAC authorization, it will continue to use the MAC address as the authentication credential.

    Reference link: http://technet.microsoft.com/en-us/library/dd197535(v=ws.10).aspx

    Best regards

    Zunhui

    1 person found this answer helpful.
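Steps 1 and 2 of the answer above (the AD accounts and group, and the "User Identity Attribute" registry value), as an added PowerShell example that is not part of the original thread. It assumes the RSAT ActiveDirectory module is installed and that it runs elevated on the NPS server; the OU path is a placeholder, the group name "MAC Bypass" and the sample MAC 001122334455 are taken from the answer, and the network policy itself (step 3) is still built in the NPS console.

```powershell
# Added example, not from the original thread. Provisions MAC bypass accounts in AD and
# sets the NPS registry value from the answer above. OU path is a placeholder.
#Requires -Modules ActiveDirectory

param(
    [string[]]$MacAddresses = @('001122334455'),                   # sample MAC from the answer
    [string]$GroupName      = 'MAC Bypass',                        # group used by the network policy
    [string]$TargetOU       = 'OU=MAC-Bypass,DC=example,DC=local'  # placeholder OU
)

# Normalise any common MAC notation (aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff)
# to the 12 lowercase hex characters NPS sees in Calling-Station-Id from the WLC.
function ConvertTo-MabUserName {
    param([Parameter(Mandatory)][string]$Mac)
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($hex.Length -ne 12) { throw "Not a MAC address: '$Mac'" }
    return $hex
}

# The group is what the network policy's Windows Groups condition matches on.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $TargetOU
}

$dnsRoot = (Get-ADDomain).DNSRoot
foreach ($mac in $MacAddresses) {
    $user = ConvertTo-MabUserName $mac
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$user'")) {
        # Username and password are both the MAC, which is what the WLC sends over PAP.
        $pw = ConvertTo-SecureString -String $user -AsPlainText -Force
        New-ADUser -Name $user -SamAccountName $user -UserPrincipalName "$user@$dnsRoot" `
            -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true `
            -CannotChangePassword $true -Path $TargetOU -Description 'MAC bypass device account'
    }
    Add-ADGroupMember -Identity $GroupName -Members $user
}

# Step 2 of the answer: take the user identity from RADIUS attribute 31 (Calling-Station-Id).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy'
New-ItemProperty -Path $regPath -Name 'User Identity Attribute' -PropertyType DWord -Value 31 -Force | Out-Null

# NPS runs as the IAS service; restart it so the new value is read.
Restart-Service -Name IAS
```

New-ADUser fails if the domain password policy rejects a 12-character hex password; a fine-grained password policy scoped to the MAC bypass group is the usual way to permit it without relaxing the domain-wide policy. Because these accounts authenticate with a secret that is the device's own MAC, keep them in a dedicated OU and group with no other rights, and let the network policy grant only the VLAN and access those devices need.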
  2. Anonymous
    2024-07-16T15:03:46+00:00

    Now I am getting two events in the Event Viewer.

    Event 1:

    Network Policy Server granted access to a user.
    
    User:
    
    	Security ID:			Domain\60452e38fb8a
    
    	Account Name:			60452e38fb8a
    
    	Account Domain:			Domain
    
    	Fully Qualified Account Name:	Domain\60452e38fb8a
    
    Client Machine:
    
    	Security ID:			NULL SID
    
    	Account Name:			-
    
    	Fully Qualified Account Name:	-
    
    	Called Station Identifier:		10f3119946a0
    
    	Calling Station Identifier:		60452e38fb8a
    
    NAS:
    
    	NAS IPv4 Address:		10.x.x.12
    
    	NAS IPv6 Address:		-
    
    	NAS Identifier:			2504
    
    	NAS Port-Type:			Wireless - IEEE 802.11
    
    	NAS Port:			1
    
    RADIUS Client:
    
    	Client Friendly Name:		WLC
    
    	Client IP Address:			10.x.x.12
    
    Authentication Details:
    
    	Connection Request Policy Name:	Secure Wireless Connections
    
    	Network Policy Name:		Mac Bypass
    
    	Authentication Provider:		Windows
    
    	Authentication Server:		SERVER2.Tombstone.k12.az.us
    
    	Authentication Type:		PAP
    
    	EAP Type:			-
    
    	Account Session Identifier:		36363936383065662F36303A34353A32653A33383A66623A38612F32373134
    
    	Logging Results:			Accounting information was written to the local log file.
    

    Event 2:

    Network Policy Server denied access to a user.
    
    Contact the Network Policy Server administrator for more information.
    
    User:
    
    	Security ID:			NULL SID
    
    	Account Name:			host/LP-14279
    
    	Account Domain:			Domain
    
    	Fully Qualified Account Name:	Domain\host/LP-14279
    
    Client Machine:
    
    	Security ID:			NULL SID
    
    	Account Name:			-
    
    	Fully Qualified Account Name:	-
    
    	Called Station Identifier:		10f3119946a0
    
    	Calling Station Identifier:		60452e38fb8a
    
    NAS:
    
    	NAS IPv4 Address:		10.x.x.12
    
    	NAS IPv6 Address:		-
    
    	NAS Identifier:			2504
    
    	NAS Port-Type:			Wireless - IEEE 802.11
    
    	NAS Port:			1
    
    RADIUS Client:
    
    	Client Friendly Name:		WLC
    
    	Client IP Address:			10.x.x.12
    
    Authentication Details:
    
    	Connection Request Policy Name:	Secure Wireless Connections
    
    	Network Policy Name:		-
    
    	Authentication Provider:		Windows
    
    	Authentication Server:		SERVER2.Tombstone.k12.az.us
    
    	Authentication Type:		EAP
    
    	EAP Type:			-
    
    	Account Session Identifier:		36363936383065662F36303A34353A32653A33383A66623A38612F32373134
    
    	Logging Results:			Accounting information was written to the local log file.
    
    	Reason Code:			8
    
    	Reason:				The specified user account does not exist.
    

    And it is still not letting me connect. Why is it showing the same device twice? Is there a way to stop it from checking against the host name?

  3. Anonymous
    2024-07-17T08:13:50+00:00

    Hi Chris Collins TUSD,

    Have you verified the mac bypass authentication steps I posted above?

    Best regards

    Zunhui

  4. Anonymous
    2024-07-17T13:04:31+00:00

    Yes, I verified that the MAC bypass was initiated. The first event actually allows access, but then the second one denies it. The first event uses the MAC and the second uses the host name for some reason.

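Event 1 and Event 2 in the reply above, and the follow-up that the first uses the MAC and the second the host name, as an added PowerShell example that is not part of the original thread. It splits pasted NPS event text into fields and classifies each request from what the event itself states (authentication type, account name, calling station, reason code), so the two records for one client can be compared side by side. The two sample events are constructed from the thread's posted values; "Domain" and the host name are placeholders.

```powershell
# Added example, not from the original thread. Parses NPS event text as pasted above and
# classifies each request. Sample events below are constructed from the thread.

function ConvertFrom-NpsEventText {
    param([Parameter(Mandatory)][string]$Text)
    $fields = [ordered]@{}
    foreach ($line in ($Text -split "`r?`n")) {
        # "<Field Name>:<whitespace><value>"; section headers such as "User:" carry no value and are skipped
        if ($line -match '^\s*([^:]+?):\s+(\S.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    return $fields
}

function Get-NpsRequestKind {
    param([Parameter(Mandatory)]$Fields)
    $acct = $Fields['Account Name']
    $mac  = $Fields['Calling Station Identifier']
    $auth = $Fields['Authentication Type']
    # MAB: the WLC sends the MAC (Calling-Station-Id) as the username over PAP.
    if ($auth -eq 'PAP' -and $acct -eq $mac)       { return 'MAB: username is the Calling-Station-Id (sent by the WLC)' }
    # 802.1X: the client itself runs EAP; "host/<name>" is a machine identity.
    if ($auth -eq 'EAP' -and $acct -like 'host/*') { return 'IEEE 802.1X EAP with a machine identity (sent by the client)' }
    if ($auth -eq 'EAP')                           { return 'IEEE 802.1X EAP with a user identity (sent by the client)' }
    return "Unclassified ($auth)"
}

function Get-NpsOutcome {
    param([Parameter(Mandatory)]$Fields)
    # Granted events carry a Network Policy Name; denied events carry a Reason Code.
    if (-not $Fields.Contains('Reason Code')) { return 'ACCEPT via network policy "{0}"' -f $Fields['Network Policy Name'] }
    return 'REJECT reason {0}: {1}' -f $Fields['Reason Code'], $Fields['Reason']
}

# Constructed samples with the shape of the thread's Event 1 and Event 2 (trimmed to the fields used).
$event1 = @"
Network Policy Server granted access to a user.
User:
    Account Name:            60452e38fb8a
Client Machine:
    Calling Station Identifier:    60452e38fb8a
Authentication Details:
    Network Policy Name:     Mac Bypass
    Authentication Type:     PAP
"@

$event2 = @"
Network Policy Server denied access to a user.
User:
    Account Name:            host/LP-14279
Client Machine:
    Calling Station Identifier:    60452e38fb8a
Authentication Details:
    Network Policy Name:     -
    Authentication Type:     EAP
    Reason Code:             8
    Reason:                  The specified user account does not exist.
"@

foreach ($raw in @($event1, $event2)) {
    $f = ConvertFrom-NpsEventText $raw
    [pscustomobject]@{
        CallingStation = $f['Calling Station Identifier']
        Identity       = $f['Account Name']
        Kind           = Get-NpsRequestKind $f
        Outcome        = Get-NpsOutcome $f
    }
}
```

Run as a script, it prints one row per event: the same Calling Station Identifier appears twice, once as a PAP request whose identity is the MAC and matches "Mac Bypass", and once as an EAP request carrying the machine identity host/LP-14279 that matches no network policy (reason 8). Reading the Authentication Type and Account Name together is the quickest way to tell the two request paths apart when a device shows up twice in the NPS log.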
  5. Anonymous
    2024-07-17T13:34:52+00:00

    Hi Chris Collins TUSD,

    Please check each of the following possible causes based on the information you provided:

    Check that the user's username and password are valid.

    Check if the user account is locked in Active Directory.

    Check that the request targets the correct domain controller and that the user account exists.

    It is recommended that you refer to the following links for troubleshooting:

    Guidance for troubleshooting Network Policy Server - Windows Server | Microsoft Learn

    Best regards

    Zunhui
