NPS Policy doesn't respect the "Control access through NPS Policy" user attribute


The solution is: check your policies carefully.

In my case, I didn't read the criteria carefully enough, and both the Connection and Network policies defined referred to "Client IPv4 Address" instead of "Access Client IPv4 Address".
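Before re-reading every condition by hand, the event-log check suggested in the comments below tells you which policy stage rejected the request and which addresses NPS actually saw. The script that follows is an added example, not code from the original post or from Microsoft: it pulls recent event ID 6273 denials from the Security log, parses the fields that matter for this question, groups them by reason code and network policy name, and falls back to a constructed sample event when no live events are readable. The field labels, the reason-code meanings, the sample event text and the function names (Parse-Nps6273, Get-NpsDenials, Show-NpsDenialSummary) are assumptions made for illustration.

```powershell
# Added example (not from the original post): triage NPS event ID 6273 (access denied)
# so the failing condition is read from the log instead of guessed from the policy UI.
# Assumptions: PowerShell 3.0 or later, run elevated on the NPS host, auditing for the
# "Network Policy Server" subcategory enabled, and English field labels in the event text.
# Function names and the sample event below are illustrative, not Microsoft's.

# Labels pulled from the 6273 message body. "Client IP Address" is the RADIUS client
# (here the FortiGate), which is the address the "Client IPv4 Address" condition tests;
# "Calling Station Identifier" is what the NAS reports about the end user's device.
$NpsFields = 'Account Name', 'Client Friendly Name', 'Client IP Address',
             'Calling Station Identifier', 'Connection Request Policy Name',
             'Network Policy Name', 'Reason Code', 'Reason'

# Reason codes worth recognising in this scenario (assumed from the NPS documentation):
# 48 no network policy matched, 49 no connection request policy matched,
# 65 account dial-in properties deny access, 66 authentication failed.

function Parse-Nps6273 {
    param([Parameter(Mandatory)][string]$Message)
    $result = [ordered]@{}
    foreach ($field in $NpsFields) {
        # Each label starts a line and is followed by a tab and the value; the value may be empty.
        $pattern = '(?m)^[ \t]*' + [regex]::Escape($field) + ':[ \t]*(.*?)[ \t\r]*$'
        $result[$field] = if ($Message -match $pattern) { $Matches[1] } else { $null }
    }
    [pscustomobject]$result
}

# Constructed sample event text (mirrors the 6273 layout) so the parser runs offline.
$SampleMessage = @"
Network Policy Server denied access to a user.

User:
`tSecurity ID:`tS-1-5-21-1111111111-2222222222-3333333333-1105
`tAccount Name:`tEXAMPLE\jdoe
Client Machine:
`tCalling Station Identifier:`t198.51.100.23
RADIUS Client:
`tClient Friendly Name:`tFortiGate-VPN
`tClient IP Address:`t192.0.2.1
Authentication Details:
`tConnection Request Policy Name:`tFortiGate VPN
`tNetwork Policy Name:`t
`tAuthentication Provider:`tWindows
`tReason Code:`t48
`tReason:`tThe connection request did not match any configured network policy.
"@

function Get-NpsDenials {
    param([int]$MaxEvents = 200)
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } `
                     -MaxEvents $MaxEvents -ErrorAction Stop |
            ForEach-Object {
                Parse-Nps6273 -Message $_.Message |
                    Add-Member -MemberType NoteProperty -Name TimeCreated -Value $_.TimeCreated -PassThru
            }
    } catch {
        # No readable events (not on the NPS host, auditing off, nothing logged yet):
        # fall back to the constructed sample so the rest of the pipeline still runs.
        Write-Warning ("Could not read 6273 events: " + $_.Exception.Message)
        Parse-Nps6273 -Message $SampleMessage
    }
}

function Show-NpsDenialSummary {
    param([object[]]$Denials)
    $Denials |
        Group-Object 'Reason Code', 'Network Policy Name' |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'ReasonCode';     e = { $_.Group[0].'Reason Code' } },
            @{ n = 'NetworkPolicy';  e = { $_.Group[0].'Network Policy Name' } },
            @{ n = 'RadiusClientIP'; e = { ($_.Group | ForEach-Object { $_.'Client IP Address' } | Sort-Object -Unique) -join ', ' } },
            @{ n = 'CallingStation'; e = { ($_.Group | ForEach-Object { $_.'Calling Station Identifier' } | Sort-Object -Unique) -join ', ' } },
            @{ n = 'Reason';         e = { $_.Group[0].Reason } } |
        Format-Table -AutoSize -Wrap
}

$denials = @(Get-NpsDenials -MaxEvents 200)
Show-NpsDenialSummary -Denials $denials
```

A run dominated by reason code 48 with an empty NetworkPolicy column and the firewall's address under RadiusClientIP means the request reached NPS and passed the connection request policy, but no network policy's conditions matched; compare that address and the CallingStation value against whichever IP condition the policy actually uses, since the two similarly named conditions test different addresses. Reason 65 means the account's dial-in setting, not the policy, did the denying. On Server 2008, `netsh nps export filename="C:\nps-config.xml" exportPSK=NO` gives a copy of the whole policy set for offline review.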



Author: David Mackintosh

Updated on September 18, 2022

Comments

  • David Mackintosh almost 2 years

    I have a Win2K8 server with NPS. I am trying to set my VPN authentication on a FortiGate firewall to authorize users via RADIUS from my Windows server.

    I have two policies configured

    • a Connection Policy defining the client and the RADIUS secret
    • a Network Policy defining the required AD group membership and the required requesting access server (i.e. the firewall)

    The Network Policy has the checkbox "Ignore user account dial-in properties" selected.

    If the user account has "Control access through NPS Policy" selected on their dial-in properties page, access is denied. If I change it to "Allow access", access is permitted.

    If I leave it at "Allow access" and remove the user from the AD group required, then access is granted, which confuses me.

    So what is required to get the NPS policy to determine if access is granted regardless of the Dial-In properties selected?

    I found the other question on Server Fault which describes this problem, but the suggested solution of reordering the policies does not help.

    • Spence
      Spence almost 11 years
      Have you looked at the event log yet? The NPS Policy Server is going to throw event ID 6273, source "Microsoft-Windows-Security-Auditing", when it denies access to a user, along with some verbose information about the failure. My suspicion is that your policy isn't set up in the way you think it is and that you'll find the reason for the authentication failure in the log.
    • David Mackintosh
      David Mackintosh almost 11 years
      You are correct, there is a difference between "Access Client IPv4 Address" and "Client IPv4 Address".
    • Spence
      Spence almost 11 years
      I suppose I can live w/o an "Accept" on this one... >smile<