NPS server - client authenticates but using wrong policy

I have RADIUS set up and working, kind of.
The client authenticates and connects just fine, with internet access, but some network access is not working.

The issue I see is in the NPS server Event Viewer logs: I see the client gaining 'full access' but the 'connection request policy name' and the 'network policy name' are not the ones I want it to use.
The NPS server was already set up for VPN access, so it had a couple of rules/policies already in place. When I began the project I added RadiusAccess rules but the client is not picking them up.

The processing order for my RADIUS policies is 2nd. Is this the issue?
Do I need another server?

If you see the attached, you will see the VPN/RadiusTest policies. You can also see event logs showing it's using the 1st policy.

Craig Beck Commented:
You just need to tighten up the policies.

Just a note about the connection request policy... unless you have more than one NPS you don't need to touch the connection request policy.  All RADIUS requests will use that server, so no policy is necessary to decide which RADIUS server processes the request.

The easiest way to tighten the policies is to check the NPS log to see what service-type attribute is sent by the different types of client.  VPN users will typically send a different service-type attribute to a WLAN user, so configure the conditions for each Network Access Policy to match those service-type attributes.
drmp (Author) Commented:
Where can I find the 'service-type attribute'?
I did check the NPS log and see the client being granted 'full access', but don't see the service type attribute on the page.
Craig Beck Commented:
Can you post a copy of the log for a failed attempt please?  You need to look in the Custom logs on the NPS server.
drmp (Author) Commented:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          6/15/2015 10:23:09 AM
Event ID:      6272
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      xxxxxxxxxxxxxxxxxxxx
Network Policy Server granted access to a user.

      Security ID:                  xxxxx\xxxxx
      Account Name:                  xxxxx
      Account Domain:                  xxxxx
      Fully Qualified Account Name:      xxxxx/xxxxx Active Users/xxxxx

Client Machine:
      Security ID:                  NULL SID
      Account Name:                  -
      Fully Qualified Account Name:      -
      OS-Version:                  -
      Called Station Identifier:  
      Calling Station Identifier:            80-86-f2-92-55-63

      NAS IPv4 Address:  
      NAS IPv6 Address:            -
      NAS Identifier:                  vWLC01
      NAS Port-Type:                  Wireless - IEEE 802.11
      NAS Port:                  1

RADIUS Client:
      Client Friendly Name:  
      Client IP Address:        

Authentication Details:
      Connection Request Policy Name:      Use Windows authentication for all users
      Network Policy Name:            VPN Access
      Authentication Provider:            Windows
      Authentication Server:  
      Authentication Type:            PEAP
      EAP Type:                  Microsoft: Secured password (EAP-MSCHAP v2)
      Account Session Identifier:            -
      Logging Results:                  Accounting information was written to the local log file.

Quarantine Information:
      Result:                        Full Access
      Session Identifier:                  -

Event Xml:
<Event xmlns="">
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <TimeCreated SystemTime="2015-06-15T14:23:09.456240600Z" />
    <Correlation />
    <Execution ProcessID="500" ThreadID="21028" />
    <Security />
    <Data Name="SubjectUserSid">S-1-5-21-2092466158-2056651354-564879142-29700</Data>
    <Data Name="SubjectUserName">xxxxx</Data>
    <Data Name="SubjectDomainName">xxxxx</Data>
    <Data Name="FullyQualifiedSubjectUserName">xxxxx/xxxxxxxx/xxxxxxx</Data>
    <Data Name="SubjectMachineSID">S-1-0-0</Data>
    <Data Name="SubjectMachineName">-</Data>
    <Data Name="FullyQualifiedSubjectMachineName">-</Data>
    <Data Name="MachineInventory">-</Data>
    <Data Name="CalledStationID"></Data>
    <Data Name="CallingStationID">80-86-f2-92-55-63</Data>
    <Data Name="NASIPv4Address"></Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">vWLC01</Data>
    <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
    <Data Name="NASPort">1</Data>
    <Data Name="ClientName">cisco-capwap-controller.xxxxxx</Data>
    <Data Name="ClientIPAddress"></Data>
    <Data Name="ProxyPolicyName">Use Windows authentication for all users</Data>
    <Data Name="NetworkPolicyName">VPN Access</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">xxxxxxxxxxxxx</Data>
    <Data Name="AuthenticationType">PEAP</Data>
    <Data Name="EAPType">Microsoft: Secured password (EAP-MSCHAP v2)</Data>
    <Data Name="AccountSessionIdentifier">-</Data>
    <Data Name="QuarantineState">Full Access</Data>
    <Data Name="QuarantineSessionIdentifier">-</Data>
    <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
Craig Beck Commented:
Thanks.  I can see that the service-type attribute isn't there.  I think it may only be detailed if it's specified in a RADIUS policy.

We can use another attribute instead.  You see the section in the middle of the log...
      NAS IPv4 Address:  
      NAS IPv6 Address:            -
      NAS Identifier:                  vWLC01
      NAS Port-Type:                  Wireless - IEEE 802.11
      NAS Port:                  1

RADIUS Client:
      Client Friendly Name:  
      Client IP Address:        

...we can use any one of those attributes to tighten the policy instead.

For example, we know that VPN connections won't be coming directly from the WLC, so we can specify the NAS Identifier or the NAS IPv4 address in the policy.  The NAS IPv4 address is probably a better choice as the VPN server may not support the NAS Identifier attribute.

So, add a condition to the VPN policy that specifies the NAS IPv4 address as
Add a condition to your wireless policy that specifies the NAS IPv4 address as

That will ensure that a match only occurs if the request came from the correct authenticator.
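
To confirm which network policy each authenticator's requests are actually matching before and after tightening the conditions, the Event ID 6272 records can be tallied by NAS attributes. This is an added example, not part of the original thread: the events are constructed, the VPN gateway name `vpn-gw01`, the `Virtual` port type for VPN and the use of `RadiusTest` as the wireless policy name are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = "http://schemas.microsoft.com/win/2004/08/events/event"

def make_event(port_type, nas_id, policy):
    """Build a constructed, minimal Event 6272 XML record for the demo."""
    return (f'<Event xmlns="{NS}"><EventData>'
            f'<Data Name="NASIdentifier">{nas_id}</Data>'
            f'<Data Name="NASPortType">{port_type}</Data>'
            f'<Data Name="NetworkPolicyName">{policy}</Data>'
            '</EventData></Event>')

# Constructed sample: two wireless requests caught by the VPN policy (the
# symptom in the thread), one caught by the wireless policy, one VPN request.
SAMPLE_EVENTS = [
    make_event("Wireless - IEEE 802.11", "vWLC01", "VPN Access"),
    make_event("Wireless - IEEE 802.11", "vWLC01", "VPN Access"),
    make_event("Wireless - IEEE 802.11", "vWLC01", "RadiusTest"),
    make_event("Virtual", "vpn-gw01", "VPN Access"),
]

# Assumption: the policy each NAS port type is supposed to match.
EXPECTED_POLICY = {"Wireless - IEEE 802.11": "RadiusTest", "Virtual": "VPN Access"}

def event_fields(event_xml):
    """Return {Name: text} for every <Data Name=...>, with or without a namespace."""
    fields = {}
    for el in ET.fromstring(event_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "Data" and "Name" in el.attrib:
            fields[el.attrib["Name"]] = (el.text or "").strip()
    return fields

def audit(events, expected):
    """Tally (port type, NAS id, policy) and list requests that hit the wrong policy."""
    seen, mismatches = Counter(), []
    for xml_text in events:
        f = event_fields(xml_text)
        key = (f.get("NASPortType", ""), f.get("NASIdentifier", ""),
               f.get("NetworkPolicyName", ""))
        seen[key] += 1
        want = expected.get(key[0])
        if want is not None and key[2] != want:
            mismatches.append(key)
    return seen, mismatches

if __name__ == "__main__":
    seen, bad = audit(SAMPLE_EVENTS, EXPECTED_POLICY)
    for key, count in seen.items():
        print(count, key)
    print("matched the wrong policy:", bad)
```

Once the NAS conditions are in place, the mismatch list for the wireless controller should be empty.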

drmp (Author) Commented:
OK, so I am only using 1 connection request policy, and I tightened up the network policies.
Now I am seeing the correct 'network policy' being used in the event log.....Progress!

It connects just fine, internet access and network access.  The only issue now is that any DFS path says '...refers to a location that is unavailable....check internet/network settings...'
I can browse to all servers directly, just not with DFS paths...

Any thoughts?
RDP access/email/internet, everything else working fine
Craig Beck Commented:
drmp (Author) Commented:
I checked the logonserver when connected to the new wifi, and it's a remote office domain controller.
When I turn off wifi and log in with only the LAN cable.....then unplug the LAN cable and connect to the new wifi, the DFS works..
Looks to be an issue with the DC the new SSID uses....any thoughts on where that is set?  On the WLC?
Craig Beck Commented:
DC selection is not a WLC function.  That will be DNS SRV records and/or AD Sites and Services.

If you've added a subnet for wireless make sure you've assigned the subnet to the correct AD site so wireless clients use the correct DC first, otherwise DNS will dictate.
drmp (Author) Commented:
We added the site and subnet but still no luck.....
checking the WLC
Craig Beck Commented:
Check that you're giving the correct DNS suffix in the DHCP scope for the Wireless.
drmp (Author) Commented:
The name "domainname          :1d" could not be registered on the interface with IP address The computer with the IP address did not allow the name to be claimed by this computer.

Getting the above on test laptop event net BT
drmp (Author) Commented:
The subnet was keyed in wrong.....darn rookie mistake.
After the correct subnet was in place, the laptops now know what site they're in; DHCP and namespace are all working just fine...thanks for all the help along the way.
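
The subnet-to-site check that resolved this can be run against a list of subnet objects before clients are tested. This is an added example, not part of the original thread: the addresses and site names are constructed, and the broader catch-all subnet assigned to a remote site is an assumption used to show how a mis-keyed subnet can send wireless clients to another site's DC.

```python
import ipaddress

# Constructed data: the wireless subnet 10.20.30.0/24 mis-keyed as 10.20.3.0/24,
# next to a catch-all subnet that belongs to a remote site (assumption).
MISKEYED = {"10.0.0.0/8": "RemoteOffice", "10.20.3.0/24": "HQ"}
CORRECTED = {"10.0.0.0/8": "RemoteOffice", "10.20.30.0/24": "HQ"}

def site_for(client_ip, subnet_to_site):
    """Return (site, subnet) for the most specific subnet containing client_ip.

    Mirrors the longest-prefix rule used to map a client to an AD site.
    Returns (None, None) when no subnet object covers the address.
    """
    ip = ipaddress.ip_address(client_ip)
    best = None
    for cidr, site in subnet_to_site.items():
        # strict=True rejects entries typed with host bits set, e.g. 10.20.30.1/24
        net = ipaddress.ip_network(cidr, strict=True)
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (site, net)
    return (best[0], str(best[1])) if best else (None, None)

def wrong_site_clients(client_ips, subnet_to_site, expected_site):
    """List (ip, resolved_site) for clients that do not land in expected_site."""
    result = []
    for ip in client_ips:
        site, _ = site_for(ip, subnet_to_site)
        if site != expected_site:
            result.append((ip, site))
    return result

if __name__ == "__main__":
    wireless_clients = ["10.20.30.57", "10.20.30.101"]  # constructed DHCP leases
    print(wrong_site_clients(wireless_clients, MISKEYED, "HQ"))
    print(wrong_site_clients(wireless_clients, CORRECTED, "HQ"))
```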