Windows Server 2008 R2 Thread, Wireless Authentication with NPS Machine Groups Policy in Technical
  1. #1

    Wireless Authentication with NPS Machine Groups Policy

    Hi

    Long story short we have NPS set up with RADIUS client APs to process wireless connection requests on our 2008 R2 domain. Our Connection request and Network policies at present only contain a NAS Port Type 802.11 condition, which works fine. I am trying to restrict wireless access to computers that are part of the domain, but as soon as I add a Machine Group condition which includes the Domain Computers group none of the computers can connect. I have separately tested adding a User Group condition and this works fine. Any ideas on what could be wrong or what I am missing?

    Cheers

  2. #2

    Hi

    Have you created your wireless network policies?
    Are you trying to restrict on a per user or per machine basis?
    What desktop clients are you using including SP Level?
    Have you configured your RADIUS Clients?
    What Wi-Fi Protected Access (WPA) are you using? WPA, WEP etc...
    What Authentication methods are you using? EAP-TLS, MS-CHAP v2, PEAP-TLS?
    Confirm the network connection method for policy, i.e. Ethernet, Wireless Access Point etc.

    Also, you mention that you use the Domain Computers group as your condition. This will include all computers. I know you are configuring NAP for Wireless but have you tried to create a group for wireless clients, then add that group as a condition and add clients to it?


    Regards
    Sukh
    Last edited by sukh; 9th March 2011 at 11:42 PM.

  3. #3

    Quote Originally Posted by sukh View Post
    Hi

    Have you created your wireless network policies?
    Are you trying to restrict on a per user or per machine basis?
    What desktop clients are you using including SP Level?
    Have you configured your RADIUS Clients?
    What Wi-Fi Protected Access (WPA) are you using? WPA, WEP etc...
    What Authentication methods are you using? EAP-TLS, MS-CHAP v2, PEAP-TLS?
    Confirm the network connection method for policy, i.e. Ethernet, Wireless Access Point etc.

    Also, you mention that you use the Domain Computers group as your condition. This will include all computers. I know you are configuring NAP for Wireless but have you tried to create a group for wireless clients, then add that group as a condition and add clients to it?


    Regards
    Sukh

    Hi Sukh

    The background is that we have had the whole system working for quite a while now so yes the wireless policies have been created and the RADIUS clients are configured. Setup is:

    Wireless access point RADIUS clients using WPA2 encryption
    XP SP3 and W7 Ent desktop clients
    Authentication methods are PEAP and MS-CHAP v2

    I am trying to restrict access to the wireless network on a per machine basis. I am using the domain computers group simply as an initial test group. As I said in the original post the system works fine until I introduce a Machine Group condition into the Network Policy. Even when this condition includes the Domain Computers group none of our laptops are able to connect. When I remove this condition it works fine again. I have seen this issue reported before in connection with VPN setups but ours is a Wireless LAN system only.

    Cheers

  4. #4

    Hi

    Have you created a separate network policy for the wireless, and can you confirm the network connection method for the policy, i.e. Ethernet, Wireless Access Point etc.?

    "Even when this condition includes the Domain Computers group none of our laptops are able to connect. When I remove this condition it works fine again. "

    In the condition, when you include the Domain Computers group, none of your laptops are able to connect, is that wired or wireless?

    Thanks
    Sukh

  5. #5

    Hi

    ATM the system authenticates wireless connections only.

    Cheers

  6. #6

    Hi

    Have you created a separate network policy for the wireless, and can you confirm the network connection method for the policy, i.e. Ethernet, Wireless Access Point etc.?

    "Even when this condition includes the Domain Computers group none of our laptops are able

  7. #7
    chrisbrown's Avatar
    We had a similar problem; the best thing to do was sit and monitor the event logs on the DC. This provided a real-time view of what was happening (and what wasn't).
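
Added example, not part of the original post: one way to do the log monitoring suggested above is to list recent NPS decisions (Security log events 6272 and 6273) with the account and Network Policy involved. It assumes NPS auditing is enabled on the server running NPS and that computer accounts are logged as `host/<fqdn>` or with a trailing `$`.

```powershell
# Added example: recent NPS decisions from the Security log.
# Run elevated on the server running NPS. 6272 = access granted, 6273 = access denied.
$filter = @{ LogName = 'Security'; Id = 6272, 6273 }

Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_

        # Collect the named <Data> fields of the event into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }

        $account = [string]$data['SubjectUserName']

        # Assumption: computer accounts appear as host/<fqdn> or end in '$'.
        $kind = 'User'
        if ($account -like 'host/*' -or $account -like '*$') { $kind = 'Computer' }

        $result = 'Denied'
        if ($evt.Id -eq 6272) { $result = 'Granted' }

        New-Object PSObject -Property @{
            Time    = $evt.TimeCreated
            Result  = $result
            Kind    = $kind                        # identity type the client presented
            Account = $account
            Policy  = $data['NetworkPolicyName']   # Network Policy that handled the request
            Reason  = $data['Reason']              # only populated on 6273 (denied)
        }
    } |
    Sort-Object Time |
    Format-Table Time, Result, Kind, Account, Policy, Reason -AutoSize -Wrap
```

A denied request whose Kind is User, on a policy that only has a Machine Groups condition, shows that the client presented user credentials rather than the computer account.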

  8. #8

    Hi

    I've tracked down the issue so thought I'd post it here for anyone else who might have a similar problem. Our issue was caused by the Authentication Mode in the Security Settings for the Wireless Network Connection that we had set up in Group Policy.

    (Computer Configuration > Windows Settings > Security Settings > Wireless Network (802.11) Policies > "Your Network Policy")

    Originally the Authentication Mode was set to "User or Computer authentication". When this was changed to "Computer authentication", the Computer Account condition in the Network Policy in NPS was processed correctly and clients could connect.

    I can only assume that this is a bug, as on further testing I found that when the Authentication Mode was set to "User or Computer authentication" NPS would process a User Account condition in the Network Policy correctly, but still refused to process the Computer Account condition properly.

    Hope this helps someone.

    Cheers
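
Added example, not part of the original post: the Authentication Mode chosen in Group Policy ends up as the `authMode` element of the client's WLAN profile, so it can be checked on a laptop. The profile below is constructed and trimmed to the relevant elements; the function name `Get-WlanAuthMode` and the profile name are hypothetical, and the notes follow the documented meaning of the `authMode` values.

```powershell
# Added example. The profile below is constructed; real profiles can be exported
# on a client with:  netsh wlan export profile folder=C:\wlan-audit
$sample = [xml]@'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>ExampleCorpWiFi</name>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machineOrUser</authMode>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
'@

function Get-WlanAuthMode([xml]$Doc) {
    # authMode decides which identity the 802.1X supplicant sends to NPS.
    $mode = $Doc.WLANProfile.MSM.security.OneX.authMode
    $note = 'authMode not set or not recognised'
    switch ($mode) {
        'machine'       { $note = 'computer account only; a Machine Groups condition can match' }
        'machineOrUser' { $note = 'user account while a user is logged on, computer account otherwise' }
        'user'          { $note = 'user account only; a Machine Groups condition will not match' }
    }
    New-Object PSObject -Property @{
        Profile  = $Doc.WLANProfile.name
        AuthMode = $mode
        Identity = $note
    }
}

Get-WlanAuthMode $sample | Format-List Profile, AuthMode, Identity

# For exported profiles (folder path is an example):
# Get-ChildItem C:\wlan-audit -Filter *.xml |
#     ForEach-Object { Get-WlanAuthMode ([xml](Get-Content $_.FullName)) }
```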

  9. #9

    Additional Solution

    Quote Originally Posted by psycorp View Post

    (Computer Configuration > Windows Settings > Security Settings > Wireless Network (802.11) Policies > "Your Network Policy")

    Originally the Authentication Mode was set to "User or Computer authentication", when this was changed to "Computer authentication" the Computer Account condition in the Network Policy in NPS was processed correctly and clients could connect.

    Additionally, whether it is by design or not, it may be because NPS is trying to process BOTH 'Domain Users' and 'Domain Computers'.
    I was able to duplicate my NPS Policy, creating a separate policy for 'Domain Users' and 'Domain Machines'. Because they are matched in order, when 'Users' fails, 'Machines' picks up and authenticates!

    Hope that helps someone!

    (Sorry for updating an old post - it's Google's fault!)


