Authentication Issues with NPS and Wireless 802.1x

I configured an AD NPS server to authenticate users in a particular AD group (not computers). Users are unable to connect. I see the errors in the NPS logs: Event ID 6273, Reason Code: 48, and the Authentication Type is EAP. It is denying access to the computer account, even though the user is entering their AD credentials in the form of domain\Username.
mario_andres (Messaging Architect) Asked:
footech Commented:
We need to compare the settings for the NPS Network Policy, and for the wireless connection on the client.
It would probably be best if you could provide screenshots of both.
Dirk Kotte (SE) Commented:
The full text from the event log deny message would be useful.
mario_andres (Messaging Architect) Author Commented:
Here is what I am getting in the event viewer.....

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
      Security ID:                  Domain\LAPTOP-LRUU00C8$
      Account Name:                  host/LAPTOP-LRUU00C8.Domain.com
      Account Domain:                  Domain
      Fully Qualified Account Name:      Domain\LAPTOP-LRUU00C8$

Client Machine:
      Security ID:                  NULL SID
      Account Name:                  -
      Fully Qualified Account Name:      -
      OS-Version:                  -
      Called Station Identifier:            14-91-82-62-4A-02:Lamppost
      Calling Station Identifier:            2C-6E-85-42-4D-25

NAS:
      NAS IPv4 Address:            10.1.10.8
      NAS IPv6 Address:            -
      NAS Identifier:                  -
      NAS Port-Type:                  Wireless - IEEE 802.11
      NAS Port:                  0

RADIUS Client:
      Client Friendly Name:            APNAME
      Client IP Address:                  10.1.10.8

Authentication Details:
      Connection Request Policy Name:      Secure Wireless Connections
      Network Policy Name:            -
      Authentication Provider:            Windows
      Authentication Server:            Vulcan.Domain.com
      Authentication Type:            EAP
      EAP Type:                  -
      Account Session Identifier:            30344642343636342D3030303030303132
      Logging Results:                  Accounting information was written to the local log file.
      Reason Code:                  48
      Reason:                        The connection request did not match any configured network policy.
mario_andres (Messaging Architect) Author Commented:
Here is a screenshot of the config.... please let me know if this helps.
NPSConfig.jpg
mario_andres (Messaging Architect) Author Commented:
What is funny about this issue: some users are able to connect, and all laptop users are part of the Wireless AD group. Why would the authentication type be EAP? The user is typing their credentials (domain\username) and password, but the computer is what is being authenticated.
footech Commented:
Open the properties of the Network Policy, go to the Constraints tab, under Authentication Methods select the EAP type and click Edit - please post a screenshot of this.
Back under Authentication Methods, you should be able to uncheck MS-CHAP-v2 and MS-CHAP (not needed - these are different than PEAP MS-CHAP-v2).

Are you wanting to authenticate users, or computers?
Are the wireless settings configured via Group Policy, or just on individual computers?
Dirk Kotte (SE) Commented:
Possibly the "NAS Port type" doesn't match.
If there are no other policies, remove this selector or try to use another...
footech Commented:
FWIW, the NAS Port Type as set is what I would expect to see for authenticating wireless users.  I would expect if this wasn't correct then no users would be able to connect.
mario_andres (Messaging Architect) Author Commented:
Here are properties for EAP settings

Thank you!
EAP.png
EAP2.png
footech Commented:
I don't see anything wrong with your server config.
You could uncheck all the items that appear under "Less secure authentication methods".  They're not necessary for wireless clients, but I have seen where a controller or AP uses that type for test functionality.

At this point I would be looking at the client connection settings.
And I'll ask these again:
Are you wanting to authenticate users, or computers?
Are the wireless settings configured via Group Policy, or just on individual computers?

It sounds like you only want to authenticate users, and that you have no Group Policy which configures the client settings, but I want to make sure.  Configuring the wireless settings via GPO ensures that the (Windows) clients don't have to worry about getting things right.  Of course, this only applies to domain-joined Windows machines.
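
Added example (not part of the thread and not any poster's code): a small Python triage helper that parses the text of an Event ID 6273 entry like the one posted above and reports whether the identity NPS rejected was a computer account or a user account. The function names are hypothetical, and the sample event is a trimmed copy of the fields quoted in this thread.

```python
# Constructed sample: a trimmed copy of the Event ID 6273 text posted in this thread.
SAMPLE_EVENT = r"""Network Policy Server denied access to a user.

User:
      Security ID:                  Domain\LAPTOP-LRUU00C8$
      Account Name:                  host/LAPTOP-LRUU00C8.Domain.com
      Fully Qualified Account Name:      Domain\LAPTOP-LRUU00C8$

Authentication Details:
      Connection Request Policy Name:      Secure Wireless Connections
      Network Policy Name:            -
      Authentication Type:            EAP
      Reason Code:                  48
"""

def parse_nps_event(text):
    """Split the event message into {section: {field: value}}."""
    event, section = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Unindented "Name:" lines open a section; other unindented lines are prose.
            stripped = line.rstrip()
            section = stripped[:-1] if stripped.endswith(":") else None
            if section:
                event[section] = {}
        elif section and ":" in line:
            # Split on the first colon only: values such as the Called Station ID contain colons.
            key, value = line.split(":", 1)
            event[section][key.strip()] = value.strip()
    return event

def identity_kind(event):
    """Classify the identity the supplicant presented to NPS."""
    user = event.get("User", {})
    name = user.get("Account Name", "")
    fqan = user.get("Fully Qualified Account Name", "")
    # Machine authentication appears as host/<fqdn> or an account name ending in "$".
    if name.lower().startswith("host/") or fqan.endswith("$"):
        return "computer"
    return "user"

def triage(event):
    """Explain a reason-code-48 denial in terms of who authenticated."""
    code = event.get("Authentication Details", {}).get("Reason Code", "unknown")
    kind = identity_kind(event)
    if code == "48" and kind == "computer":
        return "computer identity, no network policy matched: review the client's wireless profile"
    return f"{kind} identity, reason code {code}"
```

Running `triage(parse_nps_event(SAMPLE_EVENT))` on the posted event reports a computer identity, which matches the mismatch discussed here: the network policy is scoped to a user group while the client is presenting its machine account.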

mario_andres (Messaging Architect) Author Commented:
Footech,

I am authenticating users, not computers. I do not use GPO for client settings. I will try creating the wireless profile manually using PEAP and report back.
mario_andres (Messaging Architect) Author Commented:
I will try creating manually as suggested. Thank you.