
Monday, June 12, 2017

Non domain joined Windows 10 client unable to connect to wireless network with 802.1X authentication

Problem

You have a Cisco Wireless Controller set up to use a Microsoft Network Policy Server (NPS, acting as the RADIUS server) to authenticate wireless clients via 802.1X. Android devices and all Windows clients that are joined to the domain have no issues connecting to the network, but non-domain joined Windows 10 workstations are unable to.

Attempting to join the network with a non-domain joined Windows 10 device produces the following Audit Failure event in the Security log of the NPS server:


Log Name: Security

Source: Microsoft Windows security

Event ID: 6273

Level: Information

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
     Security ID:            CONTOSO\tluk
     Account Name:            CONTOSO\tluk
     Account Domain:            CONTOSO
     Fully Qualified Account Name:    CONTOSO\tluk

Client Machine:
     Security ID:            NULL SID
     Account Name:            -
     Fully Qualified Account Name:    -
     OS-Version:            -
     Called Station Identifier:        00-17-df-a8-e0-50:CONTOSO_Corp
     Calling Station Identifier:        60-57-18-a7-ea-18

NAS:
     NAS IPv4 Address:        192.168.220.254
     NAS IPv6 Address:        -
     NAS Identifier:            Cisco_7d:fe:e4
     NAS Port-Type:            Wireless - IEEE 802.11
     NAS Port:            13

RADIUS Client:
     Client Friendly Name:        CONTOSO Test
     Client IP Address:            192.168.220.254

Authentication Details:
     Connection Request Policy Name:    CONTOSO
     Network Policy Name:        Secure Wireless Connections 3
     Authentication Provider:        Windows
     Authentication Server:        CONTOSODC01.Contoso.com
     Authentication Type:        PEAP
     EAP Type:            -
     Account Session Identifier:        35393361643862372F36303A35373A31383A61373A65613A31382F3739383139
     Logging Results:            Accounting information was written to the local log file.
     Reason Code:            16
     Reason:                Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.


The error presented in Windows 10 during the login: the client first shows “Verifying and connecting” and then fails with “Can’t connect to this network”.

Solution

One of the reasons this error is presented to a non-domain joined Windows 10 client is that the NPS / RADIUS server is configured with a certificate issued by an internal Microsoft CA that the Windows 10 device does not trust, since it is not joined to the domain. The way around this is to either install the issuing Root CA certificate on the Windows 10 device or configure the SSID network manually and turn off validation of the server certificate. Installing the Root CA is the preferred option: with validation turned off the client will complete PEAP against any access point broadcasting the SSID, not only the corporate NPS server. The following outlines the steps for the manual configuration:

  1. Open the Network and Sharing Center, then click on Set up a new connection or network.
  2. Select Manually connect to a wireless network.
  3. Fill in the appropriate configuration.
  4. Once the new SSID network has been created, click on Change connection settings.
  5. Click on the Security tab.
  6. Click on the Settings button.
  7. Uncheck the Verify the server’s identity by validating the certificate option.

Configuring the above usually does the trick, so that a credential prompt is displayed the next time an attempt is made to connect.

However, if you continue to encounter the same error then proceed as follows:

  1. Click on the Advanced settings button.
  2. Enable the Specify authentication mode: option.
  3. Change the configuration to User authentication, then click on Save credentials.
  4. Enter the appropriate credentials.

The SSID should now no longer prompt for credentials and will automatically connect to the SSID network with the saved credentials.
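To confirm which of the settings above a workstation actually ended up with, the wireless profile can be exported with netsh wlan export profile name="CONTOSO_Corp" folder=C:\temp and inspected. The audit script below is an added example, not part of the original post; it assumes the element names of a typical exported PEAP profile (authMode, PerformServerValidation, TrustedRootCA, ServerNames) and runs on a constructed sample rather than a real export.

```python
"""Audit a Windows WLAN profile's PEAP server-validation settings.

Added example, not from the post. Assumes the XML layout that
`netsh wlan export profile` produces for a PEAP profile; the sample
below is constructed and reflects the post's workaround (validation
unchecked, user authentication mode).
"""
import xml.etree.ElementTree as ET

SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>CONTOSO_Corp</name>
 <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
  <authMode>user</authMode>
  <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
   <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
    <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
     <ServerValidation><ServerNames></ServerNames></ServerValidation>
     <PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation></PeapExtensions>
    </EapType></Eap></Config></EapHostConfig></EAPConfig>
 </OneX></security></MSM>
</WLANProfile>
"""

def text_of(root, tag):
    # {*} matches the element whatever namespace it carries (Python 3.8+).
    node = root.find(f".//{{*}}{tag}")
    return (node.text or "").strip() if node is not None else ""

def audit_profile(xml_text):
    """Return the profile's 802.1X settings plus a list of weak-setting findings."""
    root = ET.fromstring(xml_text)
    # An absent PerformServerValidation element is treated as "not validating".
    validate = text_of(root, "PerformServerValidation") == "true"
    roots = [t.text.strip() for t in root.findall(".//{*}TrustedRootCA") if t.text and t.text.strip()]
    findings = []
    if not validate:
        findings.append("server certificate validation is disabled: the client will "
                        "run PEAP against any access point broadcasting this SSID")
    else:
        if not roots:
            findings.append("no TrustedRootCA pinned: any CA in the machine store is accepted")
        if not text_of(root, "ServerNames"):
            findings.append("no ServerNames restriction on the NPS certificate")
    return {"ssid": text_of(root, "name"), "auth_mode": text_of(root, "authMode"),
            "validate_server": validate, "trusted_roots": roots, "findings": findings}

if __name__ == "__main__":
    for key, value in audit_profile(SAMPLE_PROFILE).items():
        print(f"{key}: {value}")
```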

Monday, January 9, 2017

Troubleshooting RADIUS authentication issues between RADIUS client and Microsoft Windows 2012 R2 NPS (Network Policy Server) server

I’ve recently worked with a client to troubleshoot RADIUS authentication issues between their Cisco Nexus, acting as the RADIUS client, and their Microsoft Windows 2012 R2 NPS (Network Policy Server), acting as the RADIUS server. After the issue was found, the client asked why I had never written a blog post on the steps I take to troubleshoot issues like these, so this post serves to demonstrate the process.

The first place I look when a RADIUS client is not able to successfully authenticate against Active Directory through a Windows 2012 R2 NPS server is the directory:

C:\Windows\System32\LogFiles

Where the IN####.log files (#### is the year and month, YYMM) are found.

Each IN log contains the connection attempts from RADIUS clients over a month, so if I am troubleshooting RADIUS issues that are occurring at that point in time I would:

  1. Open the latest log file
  2. Move the cursor to the last entry of the log file
  3. Use the Find feature (CTRL + F) and search for the RADIUS client’s IP address

As an example, the client I am troubleshooting here has the IP address 10.92.9.11, and searching for that address locates its entries in the log.

Being able to locate the IP address of the problematic client in the log above allows me to:

  1. Verify that the client is indeed reaching out to the NPS server with the RADIUS request
  2. Determine the exact time of the request

Item #2 is important because the next step is to open the event logs of the NPS server and navigate to the Security events.

Those who have ventured into these logs will know that a lot of entries are written to this log, especially if the server is also a domain controller. The timestamp obtained from the IN log file allows us to navigate to the section of the log where the relevant entries are found. Since the error message on the Nexus login was an “invalid password or user name”, I went ahead and filtered the Security events with the Keywords: Audit Failure.

Navigating to the entries with the same timestamp displays event IDs 6273 and 4625 entries that provide information about why the login failed:


Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
     Security ID:            domain\argotest
     Account Name:            argotest
     Account Domain:            domain
     Fully Qualified Account Name:    domain.internal/domain/Users/Test Accounts/argotest

Client Machine:
     Security ID:            NULL SID
     Account Name:            -
     Fully Qualified Account Name:    -
     OS-Version:            -
     Called Station Identifier:        -
     Calling Station Identifier:        -

NAS:
     NAS IPv4 Address:        10.92.9.11
     NAS IPv6 Address:        -
     NAS Identifier:            -
     NAS Port-Type:            Virtual
     NAS Port:            0

RADIUS Client:
     Client Friendly Name:        NX-1
     Client IP Address:            10.92.9.11

Authentication Details:
     Connection Request Policy Name:    Use Windows authentication for all users
     Network Policy Name:        Connections to other access servers
     Authentication Provider:        Windows
     Authentication Server:        SVRARDC01.domain.internal
     Authentication Type:        PAP
     EAP Type:            -
     Account Session Identifier:        -
     Logging Results:            Accounting information was written to the local log file.
     Reason Code:            65
     Reason:                The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.


Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
     Security ID:            NULL SID
     Account Name:            argotest
     Account Domain:            domain
     Fully Qualified Account Name:    domain\argotest

Client Machine:
     Security ID:            NULL SID
     Account Name:            -
     Fully Qualified Account Name:    -
     OS-Version:            -
     Called Station Identifier:        -
     Calling Station Identifier:        -

NAS:
     NAS IPv4 Address:        10.92.9.11
     NAS IPv6 Address:        -
     NAS Identifier:            -
     NAS Port-Type:            Virtual
     NAS Port:            0

RADIUS Client:
     Client Friendly Name:        NX-1
     Client IP Address:            10.92.9.11

Authentication Details:
     Connection Request Policy Name:    Use Windows authentication for all users
     Network Policy Name:        -
     Authentication Provider:        Windows
     Authentication Server:        SVRARDC01.domain.internal
     Authentication Type:        PAP
     EAP Type:            -
     Account Session Identifier:        -
     Logging Results:            Accounting information was written to the local log file.
     Reason Code:            16
     Reason:                Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.


An account failed to log on.

Subject:
     Security ID:            SYSTEM
     Account Name:            SVRARDC01$
     Account Domain:            domain
     Logon ID:            0x3E7

Logon Type:            3

Account For Which Logon Failed:
     Security ID:            NULL SID
     Account Name:            argotest
     Account Domain:            domain

Failure Information:
     Failure Reason:        Unknown user name or bad password.
     Status:            0xC000006D
     Sub Status:            0xC000006A

Process Information:
     Caller Process ID:        0x384
     Caller Process Name:        C:\Windows\System32\svchost.exe

Network Information:
     Workstation Name:
     Source Network Address:    -
     Source Port:            -

Detailed Authentication Information:
     Logon Process:            IAS
     Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
     Transited Services:        -
     Package Name (NTLM only):    -
     Key Length:            0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.


Reviewing the events above should give you more insight into why the authentication process is failing, but note that the information can be misleading at times. Reading all of the events above, it would seem that authentication is failing because the user name or password is incorrect, yet the actual problem in this case was that an incorrect group had been placed in the NPS network policy, which caused the authentication to fail.
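The IN log search described at the start of this post (find the RADIUS client's IP address, take the timestamps of its rejected requests, then look those up in the Security log) can be scripted. The script below is an added example and not the author's tooling; it assumes the legacy IAS log format, where each line is a comma-separated record of NAS-IP-Address, User-Name, Record-Date, Record-Time, Service-Name, Computer-Name followed by attribute-id/value pairs, with attribute 4136 being Packet-Type and 4142 being Reason-Code, and it runs over constructed sample lines. The reason code descriptions for 16 and 65 are taken from the event 6273 entries above.

```python
"""Locate a RADIUS client's rejected requests in an NPS IN log (IAS format).

Added example, not from the post. Assumes the legacy IAS log layout:
NAS-IP-Address, User-Name, Record-Date, Record-Time, Service-Name,
Computer-Name, then attribute-id/value pairs (4136 = Packet-Type,
4142 = Reason-Code). Sample lines below are constructed, not real data.
"""
import csv
from datetime import datetime

PACKET_TYPE = "4136"
REASON_CODE = "4142"
ACCESS_REJECT = "3"   # RADIUS code 3 = Access-Reject

# Reason codes as explained in the event 6273 entries above.
REASONS = {
    "16": "user credentials mismatch (event 6273 reason 16)",
    "65": "Network Access Permission on the AD account set to Deny (reason 65)",
}

SAMPLE_LOG = """\
10.92.9.11,argotest,01/09/2017,09:58:41,IAS,SVRARDC01,4136,1,4128,NX-1
10.92.9.11,argotest,01/09/2017,09:58:41,IAS,SVRARDC01,4136,3,4142,65,4128,NX-1
10.92.9.12,other,01/09/2017,10:01:03,IAS,SVRARDC01,4136,3,4142,16,4128,NX-2
10.92.9.11,argotest,01/09/2017,10:02:17,IAS,SVRARDC01,4136,3,4142,16,4128,NX-1
"""

def parse_record(line):
    """Split one IAS log line into its fixed fields and an attribute dict."""
    fields = next(csv.reader([line]))
    if len(fields) < 6:
        return None
    nas_ip, user, date, time = fields[:4]
    attrs = dict(zip(fields[6::2], fields[7::2]))
    return {"nas_ip": nas_ip, "user": user, "attrs": attrs,
            "time": datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")}

def find_rejects(log_text, client_ip):
    """Return (timestamp, user, reason code, description) for every Access-Reject
    from client_ip, newest first, so the timestamps can be looked up in the Security log."""
    rejects = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["nas_ip"] != client_ip:
            continue
        if rec["attrs"].get(PACKET_TYPE) != ACCESS_REJECT:
            continue
        code = rec["attrs"].get(REASON_CODE, "?")
        rejects.append((rec["time"], rec["user"], code, REASONS.get(code, f"reason code {code}")))
    rejects.sort(reverse=True)
    return rejects

if __name__ == "__main__":
    for ts, user, code, why in find_rejects(SAMPLE_LOG, "10.92.9.11"):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {user:<10} {why}")
```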

Hope this helps anyone who may be looking for information on how to troubleshoot NPS authentication issues.