I just replaced one of my old Server 2008R2 NPS servers with a freshly installed Server 2016 installation. I exported the NPS configuration on the old and imported it on the new one and also registered the new one correctly in AD.
Did some testing with my WPA2-Enterprise PEAP MSCHAPv2 SSID and was successful.
Yesterday I finally switched the new server to active and disabled the old one. This worked great for Windows 10 and at least Android clients, but I quickly received complaints that some "legacy" Windows 7 and some OS X clients were unable to connect.
The NPS log in the Event Viewer Security log showed the error:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
Security ID: username
Account Name: username
Account Domain: ….
Fully Qualified Account Name: username
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: 54-a2-74-2e-e8-c0:Secure
Calling Station Identifier: macaddress-of-failing-client---------
NAS IPv4 Address: 172.16.102.11
NAS IPv6 Address: -
NAS Identifier: wlc-5520-1
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 8
Client Friendly Name: Wireless Radius Clients
Client IP Address: 172.16.102.11
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: WLAN-212
Authentication Provider: Windows
Authentication Server: servername
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: 35643135623930382F......
Logging Results: Accounting information was written to the local log file.
Reason Code: 269
Reason: The client and server cannot communicate, because they do not possess a common algorithm.
Problem is, Server 2016 has TLS 1.0 disabled by default for all services!
I enabled TLS 1.0 for Client and for Server (Server would probably be enough) and also set the key DisabledByDefault to 0. I then rebooted the server (a restart of the NPS service would probably have been enough, but a reboot is safer), and now it works again for Windows 7 and, I hope, for OS X (awaiting confirmation there).
I hope this helps somebody save some troubleshooting time!
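As an added example (not part of the original post), the PowerShell below audits the SCHANNEL protocol registry keys that the post changed and includes a helper that applies exactly that change. The registry path and the Enabled / DisabledByDefault value names are the standard SCHANNEL ones; the function names are my own. Note that these keys are host-wide: enabling TLS 1.0 here affects every SCHANNEL consumer on the server (RDP, IIS, LDAPS and so on), not only NPS, so the audit view is worth keeping after the fix.

```powershell
# Added example, not from the original post: audit the SCHANNEL protocol keys
# (TLS 1.0 Client/Server etc.) and, if needed, apply the change the post describes.
# Absent values are reported as "not set" (the OS default applies); the script
# does not guess what that default is.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param(
        [string[]] $Protocols = @('SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'),
        [string[]] $Roles     = @('Client', 'Server')
    )
    foreach ($p in $Protocols) {
        foreach ($r in $Roles) {
            $key = Join-Path (Join-Path $SchannelRoot $p) $r
            $enabled = 'not set'
            $dbd     = 'not set'
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                if ($null -ne $props.Enabled)           { $enabled = $props.Enabled }
                if ($null -ne $props.DisabledByDefault) { $dbd     = $props.DisabledByDefault }
            }
            [pscustomobject]@{ Protocol = $p; Role = $r; Enabled = $enabled; DisabledByDefault = $dbd }
        }
    }
}

function Set-SchannelProtocol {
    # Explicitly enable ($Enable = $true) or disable a protocol for one role.
    # Enabling writes Enabled=1 and DisabledByDefault=0, i.e. the post's change.
    # Requires an elevated shell; NPS must be restarted (or the host rebooted) afterwards.
    param(
        [Parameter(Mandatory)][string] $Protocol,
        [Parameter(Mandatory)][ValidateSet('Client', 'Server')][string] $Role,
        [Parameter(Mandatory)][bool] $Enable
    )
    $key = Join-Path (Join-Path $SchannelRoot $Protocol) $Role
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
        -Value ([int]$Enable) -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
        -Value ([int](-not $Enable)) -Force | Out-Null
}

# Review the current state; run this again after any change to confirm
# TLS 1.2 is still enabled and only the intended protocol was touched.
Get-SchannelProtocolState | Format-Table -AutoSize
```

To reproduce the post's fix for the Server role only, run `Set-SchannelProtocol -Protocol 'TLS 1.0' -Role Server -Enable $true` and then restart the NPS service.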
Thanks @patoberli for sharing the issue and solution in detail.
I have worked a similar issue with ISE: when I disabled TLS 1.0 and 1.1 on the ISE end, client authentication failed because the client was sending the request on TLS 1.0/1.1. After enabling TLS 1.0/1.1 on ISE it started working.
Regards, Sathiyanarayanan Ravindran
Please rate the post and accept as solution, if my response satisfied your question:)