06-28-2019 12:50 AM - edited 07-05-2021 10:37 AM
Hello All
I just replaced one of my old Server 2008R2 NPS servers with a freshly installed Server 2016 installation. I exported the NPS configuration on the old and imported it on the new one and also registered the new one correctly in AD.
Did some testing with my WPA2-Enterprise PEAP MSCHAPv2 SSID and was successful.
Yesterday I finally switched the new server to active and disabled the old one. This worked great for Windows 10 and at least Android clients, but I quickly received complaints that some "legacy" Windows 7 and some OS X clients were unable to connect.
The NPS log in Event Viewer (Security log) showed the error:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: username
Account Name: username
Account Domain: ….
Fully Qualified Account Name: username
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: 54-a2-74-2e-e8-c0:Secure
Calling Station Identifier: macaddress-of-failing-client---------
NAS:
NAS IPv4 Address: 172.16.102.11
NAS IPv6 Address: -
NAS Identifier: wlc-5520-1
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 8
RADIUS Client:
Client Friendly Name: Wireless Radius Clients
Client IP Address: 172.16.102.11
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: WLAN-212
Authentication Provider: Windows
Authentication Server: servername
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: 35643135623930382F......
Logging Results: Accounting information was written to the local log file.
Reason Code: 269
Reason: The client and server cannot communicate, because they do not possess a common algorithm.
Problem is, Server 2016 has TLS 1.0 disabled by default for all services!
Solution, as per the manual here: https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
I enabled TLS 1.0 for Client and for Server (Server would probably be enough) and also set the key DisabledByDefault to 0. I then rebooted the server (a restart of the NPS service would probably have been enough, but a reboot is safer) and now it works again for Windows 7 and I hope for OS X (awaiting confirmation there).
I hope this helps somebody save some troubleshooting time!
Patrick
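As an added example (not Patrick's own commands), the following PowerShell audits the Schannel TLS 1.0 Client and Server registry keys from the linked Microsoft page and applies the Enabled=1 / DisabledByDefault=0 change with a -WhatIf preview. The registry path comes from Microsoft's TLS registry documentation; the NPS service name IAS is an assumption not stated in the post.

```powershell
# Added example, not from the original post. Audits and optionally sets the
# Schannel TLS 1.0 values referenced in the post (path per Microsoft's docs).
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0'

function Get-Tls10State {
    # One object per role (Client/Server) with the effective registry values.
    foreach ($Role in 'Client', 'Server') {
        $Path  = Join-Path $Base $Role
        $Props = if (Test-Path $Path) { Get-ItemProperty -Path $Path } else { $null }
        # A missing key or value means the OS default applies for that setting.
        [pscustomobject]@{
            Role              = $Role
            KeyExists         = [bool]$Props
            Enabled           = if ($Props -and $null -ne $Props.Enabled) { $Props.Enabled } else { 'default' }
            DisabledByDefault = if ($Props -and $null -ne $Props.DisabledByDefault) { $Props.DisabledByDefault } else { 'default' }
        }
    }
}

function Set-Tls10State {
    # Writes Enabled=1 and DisabledByDefault=0 (the fix from the post) for the
    # given roles. Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Roles = @('Server'))
    foreach ($Role in $Roles) {
        $Path = Join-Path $Base $Role
        if ($PSCmdlet.ShouldProcess($Path, 'Set Enabled=1, DisabledByDefault=0')) {
            New-Item -Path $Path -Force | Out-Null
            New-ItemProperty -Path $Path -Name Enabled -PropertyType DWord -Value 1 -Force | Out-Null
            New-ItemProperty -Path $Path -Name DisabledByDefault -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }
}

# Audit current state before and after the change.
Get-Tls10State | Format-Table -AutoSize

# Preview only; drop -WhatIf to apply. Schannel settings are read at service
# start, so restart NPS afterwards (service name IAS assumed): Restart-Service IAS
Set-Tls10State -Roles Server -WhatIf
```

Re-enabling TLS 1.0 is a compatibility downgrade for the RADIUS server, so keep the audit output and re-run it once the Windows 7 and OS X clients are updated, removing the values again so the protocol falls back to the OS default.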
07-16-2019 07:26 PM
Thanks @patoberli for sharing the issue and solution in detail.
I have worked a similar issue with ISE: when I disabled TLS 1.0 and 1.1 on the ISE end, client authentication failed because the client was sending requests on TLS 1.0/1.1. After re-enabling TLS 1.0/1.1 on ISE it started working.
HTH Someone