Network Policy Server authentication failing

I'm sure I am not the first one who encountered this, so I'm answering my own question. Within NPS, the following must be changed and the issue will be resolved.

Within NPS, go to:

  • Policies >> Network Policies
  • Disable "Connections to other access servers"

This corrected the issue and, just to be safe, I ordered the policies as follows:

  1. Connections to Microsoft Routing and Remote Access server (Enabled)
  2. Allow pfSense (Enabled)
  3. Connections to other access servers (Disabled)

Author: Sean

Updated on September 18, 2022

Comments

  • Sean, almost 2 years

    I've configured our RADIUS client (pfSense) and Windows 2008 NPS for authentication via RADIUS. The set-up is a captive portal where LAN users authenticate with Active Directory.

    When looking at our event logs, I see the following error after a log-in test.

    Network Policy Server denied access to the user.

    Contact the Network Policy Server administrator for more information.
    
    User:
        Security ID:            CAMPUS\testuser
        Account Name:           testuser
        Account Domain:         CAMPUS
        Fully Qualified Account Name:   campus.mydomain.local/Users/Administrator
    
    Client Machine:
        Security ID:            NULL SID
        Account Name:           -
        Fully Qualified Account Name:   -
        OS-Version:         -
        Called Station Identifier:      -
        Calling Station Identifier:     -
    
    NAS:
        NAS IPv4 Address:       0.0.0.0
        NAS IPv6 Address:       -
        NAS Identifier:         pfsense.campus.mydomain.local
        NAS Port-Type:          -
        NAS Port:           -
    
    RADIUS Client:
        Client Friendly Name:       pfSense
        Client IP Address:          192.168.1.6
    
    Authentication Details:
        Proxy Policy Name:      Use Windows authentication for all users
        Network Policy Name:        Connections to other access servers
        Authentication Provider:        Windows 
        Authentication Server:      AGDC01.campus.mydomain.local
        Authentication Type:        PAP
        EAP Type:           -
        Account Session Identifier:     -
        Reason Code:            65
        Reason:             The connection attempt failed because network access permission for the user account was denied. To allow network access, enable network access permission for the user account, or, if the user account specifies that access is controlled through the matching network policy, enable network access permission for that network policy.
    

    This is regardless of the user I authenticate with. Within AD, our users are set up to "Control access through NPS Network Policy." I look forward to some assistance because I am pretty stuck.
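
Added example, not part of the original post: the denial event above names the network policy that handled the request ("Network Policy Name"), and that field is what points at the policy the answer disabled. This Python code parses the event text and flags a request handled by a policy other than the intended one; the function names and the trimmed sample event are constructed for illustration.

```python
import re

# Constructed sample: a trimmed copy of the denial event quoted on this page.
SAMPLE_EVENT = """\
Network Policy Server denied access to the user.

User:
    Account Name:           testuser
    Account Domain:         CAMPUS

RADIUS Client:
    Client Friendly Name:       pfSense
    Client IP Address:          192.168.1.6

Authentication Details:
    Proxy Policy Name:      Use Windows authentication for all users
    Network Policy Name:        Connections to other access servers
    Authentication Type:        PAP
    Reason Code:            65
    Reason:             The connection attempt failed because network access permission for the user account was denied.
"""

def parse_nps_event(text):
    """Return {section: {field: value}} from the message text of an NPS event."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue                      # blank line or free-text sentence
        key, value = m.group(1).strip(), m.group(2).strip()
        if not value:                     # "User:", "NAS:" ... open a section
            current = sections.setdefault(key, {})
        elif current is not None:
            current[key] = value
    return sections

def diagnose(text, expected_policy):
    """Report which network policy handled the request and whether it was the intended one."""
    event = parse_nps_event(text)
    auth = event.get("Authentication Details", {})
    matched = auth.get("Network Policy Name", "")
    code = auth.get("Reason Code", "")
    return {
        "client": event.get("RADIUS Client", {}).get("Client Friendly Name", ""),
        "matched_policy": matched,
        "reason_code": int(code) if code.isdigit() else None,
        "wrong_policy": matched != expected_policy,
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_EVENT, expected_policy="Allow pfSense"))
```

A `wrong_policy` result of `True` means the request never reached the policy written for that RADIUS client, which is the situation the policy ordering in the answer addresses.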