NPS Network Policy Define Access Client IPv4 Address not working

Marcus Wong Theen Nam 1,061 Reputation points
2021-07-06T03:36:32.317+00:00

Currently I have one NPS RADIUS server setup for multiple forests (two-way trust). There is one VPN server connecting to the RADIUS server to authenticate users from both forests. So far this is working good with the below network policy conditions:
111984-image.png

However, I have a request to add in the evaluation on user client IPv4 address. So I went to add in the Client Access IPv4 Address conditions but after that users failed to authenticate. Modified policy as below:

112005-image.png

The user machine network segment is 192.168.1.x. Therefore I added this segment into the network policy but its not working. When I removed this condition, users can authenticate without any issue. Error from event logs is as below:

111974-image.png

Windows Server Infrastructure
Windows Server Infrastructure
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Infrastructure: A Microsoft solution area focused on providing organizations with a cloud solution that supports their real-world needs and meets evolving regulatory requirements.
436 questions
Accepted answer
  1. Candy Luo 12,476 Reputation points
    2021-07-07T04:29:19.533+00:00

    Hi ,

    I have tested in my lab with following results:

    If we configure client's IP in Access Client IPv4 Address , NPS will deny it.

    112412-2.png

    If we use Calling Station ID , then it will work.

    112320-1.png

    Best Regards,
    Candy

    --------------------------------------------------------------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Candy Luo 12,476 Reputation points
    2021-07-06T07:28:48.18+00:00

    Hi ,

    I would suspect it is related with syntax. If you want to specify a range of IP addresses that begin with 192.168.1, the syntax is: 192\.168\.1\..+

    112057-image.png

    For your reference:

    Examples for network policy attributes

    Best Regards,
    Candy

    --------------------------------------------------------------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

  2. Candy Luo 12,476 Reputation points
    2021-07-06T09:31:43.037+00:00

    Might check the NPS log to see whether the Client's IP address shows up as Calling Station ID.

    Here is a similar thread, check if it is helpful with you:

    Network Policy Condition "Access Client IPv4 Address" does not work