Marcus-9726 asked CandyLuo-MSFT commented

NPS Network Policy Define Access Client IPv4 Address not working

Currently I have one NPS RADIUS server set up for multiple forests (two-way trust). There is one VPN server connecting to the RADIUS server to authenticate users from both forests. So far this is working well with the below network policy conditions:
111984-image.png


However, I have a request to add in the evaluation on user client IPv4 address. So I went to add in the Client Access IPv4 Address conditions but after that users failed to authenticate. Modified policy as below:

112005-image.png


The user machine network segment is 192.168.1.x. Therefore I added this segment into the network policy but it's not working. When I removed this condition, users can authenticate without any issue. Error from event logs is as below:

111974-image.png


windows-server-infrastructure

CandyLuo-MSFT answered CandyLuo-MSFT commented

Hi,

I have tested in my lab with the following results:

If we configure the client's IP in Access Client IPv4 Address, NPS will deny it.

112412-2.png

If we use Calling Station ID, then it will work.

112320-1.png

Best Regards,
Candy



Hi Candy,

Thanks a lot, this fixed my issue.


You are welcome. :)

CandyLuo-MSFT answered CandyLuo-MSFT converted comment to answer

Might check the NPS log to see whether the Client's IP address shows up as Calling Station ID.

Here is a similar thread; check whether it is helpful to you:

Network Policy Condition "Access Client IPv4 Address" does not work


CandyLuo-MSFT answered Marcus-9726 edited

Hi,

I would suspect it is related to syntax. If you want to specify a range of IP addresses that begin with 192.168.1, the syntax is: 192\.168\.1\..+

112057-image.png

For your reference:

Examples for network policy attributes

Best Regards,
Candy



Hello @CandyLuo-MSFT ,

Does the syntax pattern apply to all other conditions as well from Connection Request Policy/Network Policy?


From the official document, you can use regular expression syntax to specify the conditions of network policy attributes and RADIUS realms. Have you tried the syntax 192\.168\.1\..+ in the Access Client IPv4 Address condition? Could it work?


Hi Candy,

I've tried to change the syntax but still not able to authenticate with the same error logged in NPS event log.

112134-image.png


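An added example, not part of the original thread: a PowerShell sketch of the two checks suggested in the answers, reading the Calling-Station-Id from NPS log records and testing it against the quoted pattern. It assumes the NPS log is written in the DTS Compliant (XML) format, uses .NET regular expressions as a stand-in for NPS pattern matching, and the function name, the unescaped comparison pattern and all sample records are constructed.

```powershell
# Constructed sample records in the NPS DTS-compliant (XML) log layout; all values are made up.
$sampleLog = @'
<Event><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><User-Name data_type="1">FORESTA\alice</User-Name><Calling-Station-Id data_type="1">192.168.1.23</Calling-Station-Id><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><User-Name data_type="1">FORESTB\bob</User-Name><Calling-Station-Id data_type="1">192.168.100.4</Calling-Station-Id><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><User-Name data_type="1">FORESTA\carol</User-Name><Packet-Type data_type="0">1</Packet-Type></Event>
'@

$patterns = [ordered]@{
    Unescaped  = '192.168.1.*'       # constructed comparison: an unescaped "." matches any character
    FromThread = '192\.168\.1\..+'   # syntax quoted in the answer above
}

# Hypothetical helper: one output row per log record, one column per pattern.
function Test-CallingStationId {
    param([string]$LogText, [System.Collections.IDictionary]$Patterns)
    foreach ($line in $LogText -split "`r?`n" | Where-Object { $_.Trim() }) {
        $doc  = [xml]$line
        $node = $doc.SelectSingleNode('/Event/Calling-Station-Id')
        $row  = [ordered]@{
            User             = $doc.SelectSingleNode('/Event/User-Name').InnerText
            CallingStationId = $(if ($null -ne $node) { $node.InnerText } else { '<absent>' })
        }
        foreach ($name in $Patterns.Keys) {
            # A record with no Calling-Station-Id can never satisfy the condition.
            $row[$name] = [bool]($null -ne $node -and $node.InnerText -match $Patterns[$name])
        }
        [pscustomobject]$row
    }
}

Test-CallingStationId -LogText $sampleLog -Patterns $patterns | Format-Table -AutoSize
```

To check real records, pass the contents of an NPS log file (for example via Get-Content -Raw) as -LogText; the file location depends on your NPS logging configuration.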