NPS Policy doesn't respect the "Control access through NPS Policy" user attribute
The solution is: check your policies carefully.
In my case, I didn't read the criteria carefully enough, and both the Connection and Network policies defined referred to "Client IPv4 Address" instead of "Access Client IPv4 Address".
David Mackintosh
Updated on September 18, 2022
Comments
-
David Mackintosh almost 2 years
I have a Win2K8 server with NPS. I am trying to set my VPN authentication on a FortiGate firewall to authorize users via RADIUS from my Windows server.
I have two policies configured:
- a Connection Policy defining the client and the RADIUS secret
- a Network Policy defining the required AD group membership and the required requesting access server (i.e. the firewall)
The Network Policy has the checkbox "Ignore user account dial-in properties" selected.
If the user account has "Control access through NPS Policy" selected on their dial-in properties page, access is denied. If I change it to "Allow access", access is permitted.
If I leave it at "Allow access" and remove the user from the AD group required, then access is granted, which confuses me.
So what is required to get the NPS policy to determine if access is granted regardless of the Dial-In properties selected?
I found the other question on Server Fault which describes this problem, but the suggested solution of reordering the policies does not help.
-
Spence almost 11 years
Have you looked at the event log yet? The NPS Policy Server is going to throw event id 6273 source "Microsoft-Windows-Security-Auditing" events when it denies access to a user, along with some verbose information about the failure. My suspicion is that your policy isn't set up in the way you think it is and that you'll find the reason for the authentication failure in the log.
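To make the check Spence suggests repeatable, and to see directly which policy and which client address fields NPS actually evaluated (the "Client IPv4 Address" versus "Access Client IPv4 Address" confusion from the accepted answer), here is an added PowerShell example. It is not from the original thread or from Microsoft; it reads recent Event ID 6273 entries from the Security log and tabulates the matched Connection Request Policy, Network Policy and the denial reason. The EventData field names (`SubjectUserName`, `ClientName`, `ClientIPAddress`, `NASIPv4Address`, `CallingStationID`, `ProxyPolicyName`, `NetworkPolicyName`, `ReasonCode`, `Reason`) are the ones I have seen in the 6273 event XML; confirm them against one of your own events with `(Get-WinEvent ...).ToXml()` before relying on the output. As I read the NPS condition definitions, `ClientIPAddress` in the event is the RADIUS client (the firewall) address, which is what a "Client IPv4 Address" condition compares against, while "Access Client IPv4 Address" refers to the end-user device behind it; treat that mapping as an assumption to verify in your own environment.

```powershell
# Added example (not from the original post): summarise NPS access-denied audits
# (Event ID 6273, Security log, provider Microsoft-Windows-Security-Auditing).
# Field names are assumptions taken from the 6273 event XML; verify locally.

function Get-NpsDenial {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME   # the NPS server
    )

    $filter = @{
        LogName      = 'Security'
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        Id           = 6273
        StartTime    = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # Flatten <EventData><Data Name="...">value</Data>... into a hashtable
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time                    = $_.TimeCreated
                User                    = $data['SubjectUserName']
                RadiusClient            = $data['ClientName']       # friendly name of the NAS/firewall
                ClientIPAddress         = $data['ClientIPAddress']  # assumed: RADIUS client (NAS) IP
                NASIPv4Address          = $data['NASIPv4Address']
                CallingStationID        = $data['CallingStationID'] # identifies the access client
                ConnectionRequestPolicy = $data['ProxyPolicyName']
                NetworkPolicy           = $data['NetworkPolicyName']
                ReasonCode              = $data['ReasonCode']
                Reason                  = $data['Reason']
            }
        }
}

# Usage: list the last day of denials, then group them by the policy that matched
# and the reason text, so a mis-specified condition stands out immediately.
$denials = Get-NpsDenial -Hours 24
$denials | Format-Table Time, User, ClientIPAddress, ConnectionRequestPolicy, NetworkPolicy, ReasonCode -AutoSize

$denials |
    Group-Object ConnectionRequestPolicy, NetworkPolicy, Reason |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize -Wrap
```

Read the `NetworkPolicy` column first: if it is empty or shows a policy other than the one you expect, the request never matched your Network Policy's conditions, so its "Ignore user account dial-in properties" setting was never applied and the account's dial-in flag decided the outcome. Comparing `ClientIPAddress` with the value you typed into the policy condition tells you whether you constrained the right address.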
-
David Mackintosh almost 11 years
You are correct, there is a difference between "Access Client IPv4 Address" and "Client IPv4 Address".
-
Spence almost 11 years
I suppose I can live w/o an "Accept" on this one... >smile<