NPS Network Policy

Anonymous
2024-07-15T13:28:49+00:00

I am trying to set up an NPS that uses RADIUS for our Wi-Fi. The logon name and password should be the computer's MAC address. I have created the new user in AD with the MAC as the account name and password. The computer tries to connect to the Wi-Fi, and the logs show it giving the right information. I get my connection request policy back, but the Network Policy will not show up in the log. Therefore, the computer cannot get connected to Wi-Fi.

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			Domain\60452e38fb8a
	Account Name:			60452e38fb8a
	Account Domain:			Domain
	Fully Qualified Account Name:	Domain\60452e38fb8a

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	Called Station Identifier:		10f3119946a0
	Calling Station Identifier:		60452e38fb8a

NAS:
	NAS IPv4 Address:		10.x.x.12
	NAS IPv6 Address:		-
	NAS Identifier:			2504
	NAS Port-Type:			Wireless - IEEE 802.11
	NAS Port:			1

RADIUS Client:
	Client Friendly Name:		WLC
	Client IP Address:			10.x.x.12

Authentication Details:
	Connection Request Policy Name:	Secure Wireless Connections
	Network Policy Name:		-
	Authentication Provider:		Windows
	Authentication Server:		SERVER2.Domain
	Authentication Type:		PAP
	EAP Type:			-
	Account Session Identifier:		36363930303739392F36303A34353A32653A33383A66623A38612F32313137
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			48
	Reason:				The connection request did not match any configured network policy.

Here is my Network Policy - "MAC Authentication Policy":

Conditions:
NAS Port Type    Wireless - IEEE 802.11
Calling Station ID    XXXXXXXXXXXX
Windows Groups    Domain\Wifi-MAC-filtering

Settings:
Authentication Method    Unencrypted authentication (PAP, SPAP)
Access Permission    Grant Access
Framed-Protocol    PPP
Service-Type    Framed
Encryption Policy    Disabled

I think I need help forming the Network Policy. Any help would be appreciated.

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.

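As an added, stand-alone example (not from the question or any of the answers), the Python below parses the Event 6273 text quoted in the question and reports the checks a defender would run first on a reason-48 denial of a MAC-as-username request. The 12-hex-digit pattern is an assumption standing in for the redacted Calling Station ID condition, and the sample event is constructed.

```python
import re

# Constructed sample modelled on the Event 6273 text in the question, not the poster's actual log
SAMPLE_EVENT = """User:
\tAccount Name:\t\t\t60452e38fb8a
Client Machine:
\tCalling Station Identifier:\t\t60452e38fb8a
NAS:
\tNAS Port-Type:\t\t\tWireless - IEEE 802.11
Authentication Details:
\tNetwork Policy Name:\t\t-
\tAuthentication Type:\t\tPAP
\tReason Code:\t\t\t48
"""
# Assumed stand-in for the redacted XXXXXXXXXXXX in the post's Calling Station ID condition
# (NPS evaluates that condition as a regular expression against the Calling-Station-Id attribute)
MAC_PATTERN = r"^[0-9a-f]{12}$"

def parse_nps_event(text):
    """Return {section: {field: value}} from the tab-indented NPS audit text."""
    sections, current = {}, "Header"
    for line in filter(str.strip, text.splitlines()):
        if not line.startswith("\t") and line.rstrip().endswith(":"):
            current = line.strip().rstrip(":")            # "User", "NAS", ...
        else:
            key, sep, value = line.strip().partition(":")
            if sep:                                        # skip lines without a field name
                sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections

def normalize_mac(value):
    """Collapse 60-45-2E-38-FB-8A, 60:45:2e:38:fb:8a or 6045.2e38.fb8a to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    return digits if len(digits) == 12 else None

def triage(text):
    """Return what to check first when a MAC-as-username request is denied with reason 48."""
    ev = parse_nps_event(text)
    auth, client, user = ev.get("Authentication Details", {}), ev.get("Client Machine", {}), ev.get("User", {})
    findings, mismatches = [], []
    if auth.get("Reason Code") == "48":
        findings.append("reason 48: the request matched no network policy's conditions")
    calling = client.get("Calling Station Identifier", "")
    if not re.search(MAC_PATTERN, calling):
        mismatches.append(f"Calling-Station-Id {calling!r} fails the policy pattern (NAS format?)")
    mac, account = normalize_mac(calling), normalize_mac(user.get("Account Name", ""))
    if mac and account and mac != account:
        mismatches.append("MAC in Calling-Station-Id differs from the account name")
    if not mismatches:
        mismatches.append("visible conditions match: check group membership, policy order, enabled state")
    return findings + mismatches
```

Calling-Station-Id formatting varies by NAS vendor (dashes, colons, Cisco dotted groups), which is the usual reason a pattern condition silently fails to match. Because the password is the MAC itself, PAP requires the account's password to be stored with reversible encryption in AD and the MAC is visible on the air, so this tier belongs on the least-privileged network segment.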

32 answers

  1. Anonymous
    2024-07-19T18:37:24+00:00

    I have checked username and password are valid

    There is no lockout policy set and account isn't locked

    yes, the request is contacting the right controller

    I have done all of the stuff in the link numerous times

    It is still giving me both events for the device. The first one authorizes it using MAC (what I want), the second is denying using Host name (not what I want, this host name doesn't exist). I do not know why it is doing it twice.

  2. Anonymous
    2024-07-19T21:20:17+00:00

    Hello Chris,

    Would you be prepared to create and share trace data?

    On a client, I would suggest the following commands to start/stop tracing:

    netsh trace start scenario=wlan report=disabled capture=yes tracefile=why.etl

    netsh trace stop

    On the NPS:

    netsh nps set tracing *=verbose

    netsh nps set tracing *=none

    The client trace data is in file why.etl; the server trace data is in file %SystemRoot%\System32\LogFiles\NPS\IAS.etl.

    The start/stop commands should encompass an authentication attempt.

    Gary

  3. Anonymous
    2024-07-22T13:09:00+00:00

    I tried it. I have the IAS.etl from the NPS but I can't find the why.etl on the client.

    How can I read the file? If I import it into Event Viewer I don't really get any information.

  4. Anonymous
    2024-07-22T13:31:44+00:00

    Hello Chris,

    When you executed the command "netsh trace start [...]", the command interpreter would have had some "current directory" (the path that the "cd" or "chdir" command shows); why.etl will be in that directory.

    There are 4 types of ETW providers: MOF, Manifest/Crimson, WPP and TraceLogging. There is normally enough metadata available on any system to easily interpret MOF, Manifest/Crimson and TraceLogging events, but the metadata needed for WPP events is only occasionally available.

    IAS.etl contains events produced by the WPP and unfortunately the metadata needed to comfortably interpret IAS.etl is not made available by Microsoft; one needs a lot of experience to glean some understanding of the data.

    why.etl should contain a mixture of Manifest/Crimson and WPP events. You may be able to learn something from this data but again experience is needed to get the most from the data.

    Gary

  5. Anonymous
    2024-07-22T13:50:21+00:00

    Gary,

    Thanks, but the why.etl is not showing up. I even changed the directory just to make sure it wasn't locked or something.
