Wireless Network using Network Policy Server

I have set up a WPA2-EAP wireless network using Network Policy Server, AD and Group Policies. We are using two WatchGuard AP100s (wireless access points) with a WatchGuard XTM535 firewall, in conjunction with a Windows 2008 R2 server running NPS. I am trying to restrict both the computers that connect to the wireless network and the users that connect. At the moment I have two network policies, one for computers and one for users, and I want them to work as an 'AND' situation rather than an 'OR' situation. Can anyone help?

In addition, my two Windows domain user accounts (one standard and one with full AD permissions [Enterprise Admin, Schema Admin, etc.]) can connect to the wireless network even though neither account is a member of the Wireless Users group, which is rather worrying, and I'm concerned that there might be other domain user accounts that can also connect even though they are not members of this group.
vphul asked:

Daniel Helgenberger commented:
To get the desired 'AND' you would have to merge the Users and Computers policies, specifying the user and computer groups in the NPS policy's 'Condition' tab, to my knowledge.

If you define multiple policies, they will always be 'OR', since the user is authenticated once the first policy matches; think of it like firewall rules.

A good way to troubleshoot NPS is to keep an eye on the NPS server role logs in Event Viewer. They will tell you exactly which policy is responsible for authenticating your 'invalid' user account. I suspect this might be because the computer matches?
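To make the log check above concrete, here is an added example (not code from the thread, from Daniel, or from Microsoft) that parses NPS audit events in the Event Viewer layout quoted later in this thread and reports which network policy decided each request and whether the identity NPS authenticated was a computer account or a user account. On Server 2008 R2 these are Security-log events 6272 (access granted) and 6273 (access denied). The sample events are constructed from the excerpts posted below, trimmed to the fields the parser uses; the user 'alice' and the policy name 'IF96SF Wireless - allowed users' are invented for contrast.

```python
"""Parse NPS authentication audit events (Security log, Event ID 6272 = granted,
6273 = denied) to see which network policy decided each request and whether the
identity NPS authenticated was a computer account or a user account."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample events. The layout and the first three events follow the
# Event Viewer excerpts posted in this thread (trimmed to the fields used here);
# the fourth, a grant for the invented user 'alice', is made up for contrast.
SAMPLE_EVENTS = [
"""Network Policy Server denied access to a user.
User:
      Security ID:                  domain\\LEWIN702$
      Account Name:                 host/LEWIN702.domain
Client Machine:
      Calling Station Identifier:   18-3D-A2-12-2A-90
Authentication Details:
      Network Policy Name:          Connections to other access servers
      Reason Code:                  65
""",
"""Network Policy Server denied access to a user.
User:
      Security ID:                  domain\\LEWIN702$
      Account Name:                 host/LEWIN702.domain
Client Machine:
      Calling Station Identifier:   18-3D-A2-12-2A-90
Authentication Details:
      Network Policy Name:          -
      Reason Code:                  48
""",
"""Network Policy Server granted full access to a user because the host met the defined health policy.
User:
      Security ID:                  domain\\LEWIN702$
      Account Name:                 domain\\LEWIN702$
Client Machine:
      Calling Station Identifier:   18-3D-A2-12-2A-90
Authentication Details:
      Network Policy Name:          IF96SF Wireless - allowed computers
""",
"""Network Policy Server granted full access to a user because the host met the defined health policy.
User:
      Security ID:                  domain\\alice
      Account Name:                 domain\\alice
Client Machine:
      Calling Station Identifier:   18-3D-A2-12-2A-90
Authentication Details:
      Network Policy Name:          IF96SF Wireless - allowed users
""",
]

# Reason codes that appear in this thread, with the meaning NPS logs for them.
REASONS = {48: "no configured network policy matched",
           65: "Network Access Permission on the account is set to Deny access"}


@dataclass
class NpsEvent:
    granted: bool
    security_id: str
    account_name: str
    network_policy: Optional[str]   # None when NPS logged '-' (nothing matched)
    reason_code: Optional[int]      # absent on grant events
    calling_station: str            # client MAC as relayed by the access point

    @property
    def identity_kind(self) -> str:
        # A computer account's SAM name ends in '$', and PEAP machine
        # authentication presents it as 'host/<fqdn>': either means the
        # request was a machine authentication, not a user logon.
        machine = self.security_id.endswith("$") or self.account_name.startswith("host/")
        return "machine" if machine else "user"


def _field(text: str, name: str) -> Optional[str]:
    """First 'Name:   value' line in the event body, or None if absent."""
    m = re.search(r"^[ \t]*" + re.escape(name) + r":[ \t]*(.*?)[ \t]*$", text, re.M)
    return m.group(1) if m else None


def parse_nps_event(text: str) -> NpsEvent:
    header = text.strip().splitlines()[0]
    policy = _field(text, "Network Policy Name")
    reason = _field(text, "Reason Code")
    return NpsEvent(
        granted=header.startswith("Network Policy Server granted"),
        security_id=_field(text, "Security ID") or "",
        account_name=_field(text, "Account Name") or "",
        network_policy=None if policy in (None, "-") else policy,
        reason_code=int(reason) if reason and reason.isdigit() else None,
        calling_station=_field(text, "Calling Station Identifier") or "",
    )


def audit(events: List[NpsEvent], expected_policies: Set[str]) -> List[str]:
    """Flag grants that did not come through an expected policy; explain denials."""
    findings = []
    for e in events:
        who = f"{e.identity_kind} {e.security_id} (MAC {e.calling_station})"
        if e.granted and e.network_policy not in expected_policies:
            findings.append(f"GRANT via unexpected policy {e.network_policy!r}: {who}")
        elif not e.granted:
            why = REASONS.get(e.reason_code, f"reason code {e.reason_code}")
            findings.append(f"DENY by {e.network_policy or 'no policy'}: {who}: {why}")
    return findings
```

Feed it event text copied from Event Viewer (or pulled with Get-WinEvent) and pass audit() the set of policies that are supposed to admit anyone; any grant that arrives through a different policy, such as the default "Connections to other access servers", is the one letting non-group accounts in. The identity_kind property also resolves the "User: LEWIN702$" puzzle that comes up later in the thread: that event records a machine authentication, not a user logon.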
vphul (author) commented:
Hello Helgeooo,

Many thanks for your comment and sorry for the long delay in sending a reply.  I have done what you suggested using Windows groups.

This is what I get when I try logging on with a user in the appropriate user group and a computer in the appropriate computer group.

"Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
      Security ID:                  domain\LEWIN702$
      Account Name:                  host/LEWIN702.domain
      Account Domain:                  domain
      Fully Qualified Account Name:      domain/WSUS Clients/GPS/LEWIN702

Client Machine:
      Security ID:                  NULL SID
      Account Name:                  -
      Fully Qualified Account Name:      -
      OS-Version:                  -
      Called Station Identifier:            00-90-7F-B0-2B-2A:IF96SF
      Calling Station Identifier:            18-3D-A2-12-2A-90

NAS:
      NAS IPv4 Address:            192.168.24.215
      NAS IPv6 Address:            -
      NAS Identifier:                  
      NAS Port-Type:                  Wireless - IEEE 802.11
      NAS Port:                  0

RADIUS Client:
      Client Friendly Name:            IF-AP00
      Client IP Address:                  192.168.24.215

Authentication Details:
      Connection Request Policy Name:      Secure Wireless Connections
      Network Policy Name:            Connections to other access servers
      Authentication Provider:            Windows
      Authentication Server:            IF-SRV01.domain
      Authentication Type:            PEAP
      EAP Type:                  Microsoft: Secured password (EAP-MSCHAP v2)
      Account Session Identifier:            -
      Logging Results:                  Accounting information was written to the local log file.
      Reason Code:                  65
      Reason:                        The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission."


In the user's properties, the Network Access Permission is set to Allow Access.  If I change that to Control Access through NPS Network Policy, I get the same error message.
Daniel Helgenberger commented:
Hello vphul,

No problem! Because of the '$', it looks to me like LEWIN702$ is a computer account? Did you check the dial-in properties on the computer account object or on the user?

Also, please post the Conditions of the policy: 'Connections to other access servers' here.

vphul (author) commented:
Hello Helgeooo,

Sorry, I haven't been feeling very well recently and my brain isn't fully in gear: that's my excuse anyway. :-) You're quite correct, LEWIN702 is a computer account, and I don't understand why it is showing as the User.

The policy "Connections to other access servers" should have been disabled, and this has now been done. The network policy that should be applied is called "IF96SF Wireless", and the conditions are the Windows groups "IF Wireless Network Computers" and "IF Wireless Users".

This is now what I'm getting in the logs with a 'valid' computer account and 'valid' user account.

"Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
      Security ID:                  domain\LEWIN702$
      Account Name:                  host/LEWIN702.domain
      Account Domain:                  domain
      Fully Qualified Account Name:      domain\LEWIN702$

Client Machine:
      Security ID:                  NULL SID
      Account Name:                  -
      Fully Qualified Account Name:      -
      OS-Version:                  -
      Called Station Identifier:            00-90-7F-B0-2B-2A:IF96SF
      Calling Station Identifier:            18-3D-A2-12-2A-90

NAS:
      NAS IPv4 Address:            192.168.24.215
      NAS IPv6 Address:            -
      NAS Identifier:                  
      NAS Port-Type:                  Wireless - IEEE 802.11
      NAS Port:                  0

RADIUS Client:
      Client Friendly Name:            IF-AP00
      Client IP Address:                  192.168.24.215

Authentication Details:
      Connection Request Policy Name:      Secure Wireless Connections
      Network Policy Name:            -
      Authentication Provider:            Windows
      Authentication Server:            IF-SRV01.domain
      Authentication Type:            PEAP
      EAP Type:                  Microsoft: Secured password (EAP-MSCHAP v2)
      Account Session Identifier:            -
      Logging Results:                  Accounting information was written to the local log file.
      Reason Code:                  48
      Reason:                        The connection request did not match any configured network policy."

No wonder it's not connecting when it thinks the computer account is a user account!!
Daniel Helgenberger commented:
I don't know if you have already seen this, but since you disabled the policy there is no policy which matches now:
Network Policy Name:            -
Reason:                        The connection request did not match any configured network policy."
Try to debug this by copying the policy twice, removing the user condition on one and the computer condition on the other. Now check which one is applied.

In the end, you need a deny policy as well. Remember they are processed in order, like firewall rules, on a first-match basis:
Allow: Condition1: User Group A, Condition2: Computer Group C
Deny:  Condition1: User Group A


Please also see this technet thread:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/dd7924dc-b1d5-4863-98e0-d9fbe6cc5455/can-nps-respect-user-accounts-restrictions
vphul (author) commented:
Hello Helgeooo,

Thanks for your latest comment.  Yes I did notice that there was no policy which matched.

I've tried the debugging you suggested. When the computer condition is in the first policy, not surprisingly, the connection is successful even though the user is not in the wireless group. When the user condition is in the first policy and a user that is not in the wireless group tries to connect, the connection is successful because the second (computer condition) policy is used. This is all well and good, but once again in the logs the user is shown as lewin702, the computer account!!

Network Policy Server granted full access to a user because the host met the defined health policy.

User:
      Security ID:                  domain\LEWIN702$
      Account Name:                  domain\LEWIN702$
      Account Domain:                  domain
      Fully Qualified Account Name:      domain\LEWIN702$

Client Machine:
      Security ID:                  NULL SID
      Account Name:                  -
      Fully Qualified Account Name:      -
      OS-Version:                  -
      Called Station Identifier:            00-90-7F-B0-2B-26:IF96SF
      Calling Station Identifier:            18-3D-A2-12-2A-90

NAS:
      NAS IPv4 Address:            192.168.24.216
      NAS IPv6 Address:            -
      NAS Identifier:                  
      NAS Port-Type:                  Wireless - IEEE 802.11
      NAS Port:                  0

RADIUS Client:
      Client Friendly Name:            IF-AP01
      Client IP Address:                  192.168.24.216

Authentication Details:
      Connection Request Policy Name:      Secure Wireless Connections
      Network Policy Name:            IF96SF Wireless - allowed computers
      Authentication Provider:            Windows
      Authentication Server:            IF-SRV01.domain
      Authentication Type:            PEAP
      EAP Type:                  Microsoft: Secured password (EAP-MSCHAP v2)
      Account Session Identifier:            -

Quarantine Information:
      Result:                        Full Access
      Extended-Result:                  -
      Session Identifier:                  -
      Help URL:                  -
      System Health Validator Result(s):      -

I understand the point you make about a deny policy being required so that users cannot connect with a computer account that is not a member of the relevant group.
Daniel Helgenberger commented:
Hello,
Do not worry about the computer account. If two factors match, like user and computer, only the first one that matches is printed.

But: Most importantly, is the user policy working? Can you make a connection from a non allowed computer with a valid user?
vphul (author) commented:
Hello Helgeooo,

Once again, sorry for the delay in sending a reply. Yes, the user-only policy is working and I can connect from a non-allowed computer with a valid user.

I did open a case with Microsoft about this issue, and was told:

"EAP protocol is not designed to perform both kind of authentication at the same time. EAP will supply either "User" or "Machine" credentials for a specific authentication attempt. Hence, an AND condition in NPS will never work. It needs to be OR."

I was also sent this link, which to my limited knowledge has nothing to do with the matter, and we are not using Single Sign-On!!

http://technet.microsoft.com/en-us/magazine/2007.11.cableguy.aspx

I have now got round this issue by just using NPS for user authentication, and MAC address filtering on our firewall.
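The first-match ordering Daniel describes earlier in the thread and the one-identity-per-EAP-authentication limit Microsoft states above are easy to reason about in a small model. What follows is an added illustration, not NPS's own code and not something either participant posted: a first-match evaluator over policies with User Groups, Machine Groups and Calling Station ID conditions, under the assumptions spelled out in its docstring. The computer, group names and MAC address come from the thread; the users 'alice' and 'bob', the policy names "IF96SF Wireless - allowed users", "Allow" and "Deny", and the exact-match treatment of the Calling Station ID condition (real NPS uses pattern matching there) are simplifications made for this example.

```python
"""Illustrative model of how NPS picks a network policy for an 802.1X/PEAP request.

Assumptions of this model (it is an added example, not NPS's own code):
  * one RADIUS Access-Request carries exactly one authenticated identity: the
    computer account (machine authentication) or the user account, never both;
  * policies are processed top-down and the first policy whose conditions ALL
    match decides the request (reason code 48 when none matches);
  * a User Groups condition can only be satisfied by a user identity and a
    Machine Groups condition only by a computer identity.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

NO_MATCH = 48  # NPS reason code: the request did not match any network policy


@dataclass(frozen=True)
class Request:
    identity: str               # 'host/LEWIN702.domain' or 'domain\\alice'
    kind: str                   # 'machine' or 'user'
    groups: FrozenSet[str]      # AD group membership of the authenticated account
    calling_station: str        # client MAC as relayed by the AP (client-asserted)


@dataclass(frozen=True)
class Policy:
    name: str
    grant: bool                                        # True = Access-Accept
    user_groups: FrozenSet[str] = frozenset()          # "User Groups" condition
    machine_groups: FrozenSet[str] = frozenset()       # "Machine Groups" condition
    calling_station_ids: FrozenSet[str] = frozenset()  # "Calling Station ID", exact match here

    def matches(self, req: Request) -> bool:
        # Conditions are ANDed; an empty condition is simply not configured.
        if self.user_groups and (req.kind != "user" or not req.groups & self.user_groups):
            return False
        if self.machine_groups and (req.kind != "machine" or not req.groups & self.machine_groups):
            return False
        if self.calling_station_ids and req.calling_station not in self.calling_station_ids:
            return False
        return True


def evaluate(policies: List[Policy], req: Request) -> Tuple[Optional[str], bool]:
    """(name of the first matching policy or None, access granted?)."""
    for p in policies:
        if p.matches(req):
            return p.name, p.grant
    return None, False   # NPS logs Network Policy Name '-' and reason NO_MATCH


USERS, COMPUTERS = "IF Wireless Users", "IF Wireless Network Computers"
MAC = "18-3D-A2-12-2A-90"
MACHINE = Request("host/LEWIN702.domain", "machine", frozenset({COMPUTERS}), MAC)
ALICE = Request("domain\\alice", "user", frozenset({USERS}), MAC)   # invented, in the group
BOB = Request("domain\\bob", "user", frozenset(), MAC)              # invented, not in the group
ALICE_ELSEWHERE = Request("domain\\alice", "user", frozenset({USERS}), "00-11-22-33-44-55")

# The asker's single policy with both group conditions, i.e. the wanted AND.
AND_POLICY = [Policy("IF96SF Wireless", True, frozenset({USERS}), frozenset({COMPUTERS}))]

# The split pair from the debugging step: first match wins, so this is an OR.
SPLIT = [
    Policy("IF96SF Wireless - allowed computers", True, machine_groups=frozenset({COMPUTERS})),
    Policy("IF96SF Wireless - allowed users", True, user_groups=frozenset({USERS})),
]

# Daniel's Allow(user AND computer) followed by Deny(user), as written in the thread.
ALLOW_THEN_DENY = [
    Policy("Allow", True, frozenset({USERS}), frozenset({COMPUTERS})),
    Policy("Deny", False, frozenset({USERS})),
]

# The user policy plus a Calling-Station-ID allow-list: the NPS-side equivalent
# of the firewall MAC filter. The MAC is whatever the client chose to send.
USERS_WITH_MAC = [Policy("IF96SF Wireless - allowed users", True, frozenset({USERS}),
                         calling_station_ids=frozenset({MAC}))]


def scenarios() -> Dict[str, Tuple[Optional[str], bool]]:
    return {
        "and/machine": evaluate(AND_POLICY, MACHINE),
        "and/user": evaluate(AND_POLICY, ALICE),
        "split/machine": evaluate(SPLIT, MACHINE),
        "split/user_in_group": evaluate(SPLIT, ALICE),
        "split/user_not_in_group": evaluate(SPLIT, BOB),
        "allow_then_deny/user_in_group": evaluate(ALLOW_THEN_DENY, ALICE),
        "mac/listed": evaluate(USERS_WITH_MAC, ALICE),
        "mac/unlisted": evaluate(USERS_WITH_MAC, ALICE_ELSEWHERE),
    }
```

scenarios() shows the outcomes that matter here: the single policy carrying both group conditions matches neither a machine nor a user request (reason code 48, exactly the log quoted earlier), the split pair admits each identity on its own (hence OR), an Allow-then-Deny pair built on the AND policy rejects every user in the group, and a MAC allow-list, whether configured on NPS or on the firewall, only constrains what the client claims its address is, so it raises an attacker's effort without authenticating the hardware.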
Daniel Helgenberger commented:
The link they provided is interesting for sure. And you do use single sign-on if you have, for instance, Windows domain member computers connecting to a Windows domain controller.

But, back to your problem:
I really did not know this was not possible; I have to look into my policies as well, I think...

But this might be a workaround:
MS-ServiceClass
With this condition the authenticated client needs to be in a specific DHCP scope. So if you put all your allowed computers in that scope and use a user group, it should still be possible...
vphul (author) commented:
Using MAC address filtering on our firewall resolved the problem.