Windows NPS 2016 and WPA2-Enterprise

patoberli
VIP Alumni

Hello All

I just replaced one of my old Server 2008R2 NPS servers with a freshly installed Server 2016 installation. I exported the NPS configuration on the old and imported it on the new one and also registered the new one correctly in AD.

Did some testing with my WPA2-Enterprise PEAP MSCHAPv2 SSID and was successful.

Yesterday I finally switched the new server active and disabled the old one. This worked great for Windows 10 and at least Android clients, but I quickly received complaints that some "legacy" Windows 7 and some OS X clients were unable to connect.

 

The NPS log in the Event Viewer (Security log) showed the error:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			username
	Account Name:			username
	Account Domain:			….
	Fully Qualified Account Name:	username

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	Called Station Identifier:		54-a2-74-2e-e8-c0:Secure
	Calling Station Identifier:		macaddress-of-failing-client---------

NAS:
	NAS IPv4 Address:		172.16.102.11
	NAS IPv6 Address:		-
	NAS Identifier:			wlc-5520-1
	NAS Port-Type:			Wireless - IEEE 802.11
	NAS Port:			8

RADIUS Client:
	Client Friendly Name:		Wireless Radius Clients
	Client IP Address:			172.16.102.11

Authentication Details:
	Connection Request Policy Name:	Secure Wireless Connections
	Network Policy Name:		WLAN-212
	Authentication Provider:		Windows
	Authentication Server:		servername
	Authentication Type:		PEAP
	EAP Type:			-
	Account Session Identifier:		35643135623930382F......
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			269
	Reason:				The client and server cannot communicate, because they do not possess a common algorithm.

The problem is that Server 2016 has TLS 1.0 disabled by default for all services!

Solution, as per the manual here: https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

I enabled TLS 1.0 for Client and for Server (Server would probably be enough) and also set the key DisabledByDefault to 0. I then rebooted the server (a restart of the NPS service would probably have been enough, but a reboot is safer) and now it works again for Windows 7 and I hope for OS X (awaiting confirmation there).

I hope this helps somebody save some troubleshooting time!

Patrick
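For anyone matching a reason code 269 against what the server actually offers, here is an added PowerShell example (not code from the original post) that audits the SCHANNEL protocol keys documented at the Microsoft link above and can apply the TLS 1.0 change described in the post. It assumes an elevated PowerShell session on the NPS host; the function names and the "OS default" label for absent keys are my own.

```powershell
# Added example, not from the original post. Audits the SCHANNEL protocol
# registry keys and optionally applies the post's fix (Enabled=1,
# DisabledByDefault=0 for TLS 1.0). Assumes an elevated session on the NPS host.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # One row per protocol/role. A missing key or value means no explicit
    # setting exists and the built-in default of this Windows version applies.
    param([string[]]$Protocol = @('SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($proto in $Protocol) {
        foreach ($role in 'Client', 'Server') {
            $path = Join-Path $SchannelBase "$proto\$role"
            $enabled = $null; $disabledByDefault = $null
            if (Test-Path $path) {
                $props = Get-ItemProperty -Path $path
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            if ($enabled -eq 0) { $effective = 'Disabled' }
            elseif ($disabledByDefault -eq 1) { $effective = 'Not offered unless an app asks' }
            elseif ($null -eq $enabled -and $null -eq $disabledByDefault) { $effective = 'OS default' }
            else { $effective = 'Enabled' }
            [pscustomobject]@{
                Protocol = $proto; Role = $role
                Enabled = $enabled; DisabledByDefault = $disabledByDefault
                Effective = $effective
            }
        }
    }
}

function Enable-SchannelProtocol {
    # Writes the two DWORDs the post changed. Supports -WhatIf so the
    # registry change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [ValidateSet('Client', 'Server')][string[]]$Role = @('Server')
    )
    foreach ($r in $Role) {
        $path = Join-Path $SchannelBase "$Protocol\$r"
        if ($PSCmdlet.ShouldProcess($path, 'Set Enabled=1, DisabledByDefault=0')) {
            New-Item -Path $path -Force | Out-Null
            New-ItemProperty -Path $path -Name Enabled -Value 1 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $path -Name DisabledByDefault -Value 0 -PropertyType DWord -Force | Out-Null
        }
    }
}

# Audit first, then preview the fix from the post; drop -WhatIf to apply it.
Get-SchannelProtocolState | Format-Table -AutoSize
Enable-SchannelProtocol -Protocol 'TLS 1.0' -Role Server -WhatIf
```

As the post notes, the change only takes effect after a reboot (or at least an NPS service restart), so re-run the audit afterwards to confirm the state you expect.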

1 Reply

Thanks @patoberli for sharing the issue and solution in detail.

I have worked on a similar issue with ISE. When I disabled TLS 1.0 and 1.1 on the ISE end, client authentication failed, as the client was sending requests on TLS 1.0/1.1. After enabling TLS 1.0/1.1 on ISE it started working.

HTH someone

Regards,
Sathiyanarayanan Ravindran
