RicardoIto-0212 asked:

Devices cannot authenticate by NPS

Hello guys!

Some users cannot authenticate via Network Policy Server (Radius Client).
In Event Viewer I see this message:


Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: GRUPOPEREIRA\NOTNATHALLYAMOR$
Account Name: host/notnathallyamor.grupopereira.local
Account Domain: GRUPOPEREIRA
Fully Qualified Account Name: grupopereira.local/Dispositivos/Notebooks/SP/Escritorio/NOTNATHALLYAMOR
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: 02-9F-C2-75-99-40:Grupo Pereira
Calling Station Identifier: 64-32-A8-10-DD-53
NAS:
NAS IPv4 Address: 10.246.110.183
NAS IPv6 Address: -
NAS Identifier: 029fc2759940
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: -
RADIUS Client:
Client Friendly Name: SP-ESCSPO-04-AP01
Client IP Address: 10.246.110.183
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: Connections to other access servers
Authentication Provider: Windows
Authentication Server: SRVADMS.grupopereira.local
Authentication Type: EAP
EAP Type: -
Account Session Identifier: 34323334424443314346373142353037
Logging Results: Accounting information was written to the local log file.
Reason Code: 65
Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.



Any idea?

windows-server-infrastructure

Just checking in to see if the information provided was helpful.
Please let us know if you would like further assistance.


Please try to mark the replies which help you. It will encourage the person who helps you.

Appreciate your understanding. :)

CandyLuo-MSFT answered:

Hi,

First make sure AD users are set up to Control access through NPS Network Policy in ADUC.


Or configure NPS to ignore User account dial-in properties:


Then check if users can authenticate via Network Policy Server.

Best Regards,

Candy
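
An added example, not part of the original answer: the accounts in the denied events end in `$`, so they are computer accounts, and the Dial-in setting to check is on those computer objects as well as on users. This sketch lists every user or computer whose Network Access Permission is explicitly Deny and previews resetting it; the function name `Get-DialInDenied` is hypothetical and the ActiveDirectory (RSAT) module is assumed to be installed.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
# The Dial-in tab's Network Access Permission is stored in msNPAllowDialin:
#   TRUE    = Allow access
#   FALSE   = Deny access
#   not set = Control access through NPS Network Policy
Import-Module ActiveDirectory

function Get-DialInDenied {
    param([string]$SearchBase)   # optional: limit the search to one OU
    $query = @{
        # Users and computers whose dial-in permission is explicitly Deny.
        LDAPFilter = '(&(|(objectCategory=person)(objectCategory=computer))(msNPAllowDialin=FALSE))'
        Properties = 'sAMAccountName', 'CanonicalName', 'msNPAllowDialin'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    Get-ADObject @query
}

$denied = Get-DialInDenied
$denied | Sort-Object CanonicalName |
    Select-Object sAMAccountName, ObjectClass, CanonicalName, msNPAllowDialin |
    Format-Table -AutoSize

# Clearing the attribute corresponds to "Control access through NPS Network Policy".
# -WhatIf only previews the change; remove it to apply.
$denied | Set-ADObject -Clear msNPAllowDialin -WhatIf
```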



RicardoIto-0212 answered:

Hi Candy!
Is there any problem if I check both?


No problem. NPS will just ignore User account dial-in properties.

RicardoIto-0212 answered:

Hi Candy!
Is there something I can do on the Windows 10 clients? Some clients still do not connect.


What's the error message in NPS log when those clients cannot connect? What's the error message on client side when those clients cannot connect? Post the error message for us to do troubleshooting.


Hi Candy!

On the client side: "Cannot connect this network"


On the NPS side:


Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 18/03/2021 08:48:17
Event ID: 6273
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: SRVADMS.grupopereira.local
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: GRUPOPEREIRA\NOTTHIAGOTOLEDO$
Account Name: host/notthiagotoledo.grupopereira.local
Account Domain: GRUPOPEREIRA
Fully Qualified Account Name: GRUPOPEREIRA\NOTTHIAGOTOLEDO$

 Reason Code:            48
 Reason:                The connection request did not match any configured network policy.


Hi Candy.
This is the error message:

Event ID: 6273
Task Category: Network Policy Server
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: GRUPOPEREIRA\CGR0163WKPPR06$
Account Name: host/CGR0163WKPPR06.grupopereira.local
Account Domain: GRUPOPEREIRA
Fully Qualified Account Name: GRUPOPEREIRA\CGR0163WKPPR06$

Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: SRVADMS.grupopereira.local
Authentication Type: EAP
EAP Type: -
Account Session Identifier: 41373638303532433538373844314141
Logging Results: Accounting information was written to the local log file.
Reason Code: 48
Reason: The connection request did not match any configured network policy.


Sometimes it works, sometimes not.


This error is general and it is difficult for us to find the cause. We need to analyze RADIUS traffic to find the cause. However, analysis of RADIUS traffic is beyond our forum support level and due to forum security policy, we have no such channel to collect user log information.

If you want to find the cause, I would suggest you open a case with MS Professional tech support service, they will help you open a phone or email case to Microsoft, so that you would get technical support on a one-to-one basis while ensuring private information.

Here is the link:

https://support.microsoft.com/en-us/gp/customer-service-phone-numbers
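
An added example, not part of the thread: before escalating an intermittent failure, it helps to see whether the Event ID 6273 denials cluster on particular reason codes, access points or machines. This sketch parses the field labels shown in the events quoted above out of the event message; the function names are hypothetical, an English-language event message is assumed, and it must be run elevated on the NPS server.

```powershell
# Added example, not from the thread. Summarises NPS denials (Event ID 6273).
# Assumes English event text with the field labels seen in the quoted events.
function Get-NpsField {
    param([string]$Message, [string]$Label)
    # Anchor the label at line start so 'Account Name' does not match
    # 'Fully Qualified Account Name'. The first hit wins, i.e. the User block.
    $pattern = '(?m)^[ \t]*' + [regex]::Escape($Label) + ':[ \t]*(.*?)[ \t\r]*$'
    if ($Message -match $pattern) { $Matches[1] } else { $null }
}

function Get-NpsDenialSummary {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{ LogName = 'Security'; Id = 6273; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                Account       = Get-NpsField $_.Message 'Account Name'
                CallingMac    = Get-NpsField $_.Message 'Calling Station Identifier'
                RadiusClient  = Get-NpsField $_.Message 'Client Friendly Name'
                NetworkPolicy = Get-NpsField $_.Message 'Network Policy Name'
                ReasonCode    = Get-NpsField $_.Message 'Reason Code'
            }
        }
}

$denials = Get-NpsDenialSummary

# Which reason codes dominate, and which network policy (if any) was matched?
$denials | Group-Object ReasonCode, NetworkPolicy |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Reason 48 (no network policy matched): per access point and per machine.
$denials | Where-Object { $_.ReasonCode -eq '48' } |
    Group-Object RadiusClient, Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A `NetworkPolicy` of `-` or `Connections to other access servers`, as in the events above, shows that the request did not match the intended wireless network policy, so that policy's conditions are what to compare against the affected computer accounts.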
