Network Policy Server for VPN & Wifi authentication

jdetmold

I have been trying to set up Server 2008 R2 Network Policy Server to authenticate my VPN and Wifi.

I have VPN working with pfSense PPTP so far in my test environment. I would like all authentication to be done with username and password, not certificate.

The clients will be on Windows, Mac and iPhone/iPad.

From Windows, Mac and iPhone I can now access my PPTP VPN with Network Policy Server authentication.

However, Wifi is another issue. I keep getting the error "The user attempted to use an authentication method that is not enabled on the matching network policy." Unfortunately I can't seem to figure out what needs to be enabled... Is Network Policy Server capable of doing username & password authentication without certificates?

If anyone can point me in the right direction that would be a huge help!
 
OK, I have it working on my Mac and iPhone, only after I accept the certificate,
but Windows is a no go.

I get:

Code:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			test\liz
	Account Name:			liz
	Account Domain:			test
	Fully Qualified Account Name:	test\liz

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	OS-Version:			-
	Called Station Identifier:		
	Calling Station Identifier:		

NAS:
	NAS IPv4 Address:		<ap ip address>
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			Wireless - IEEE 802.11
	NAS Port:			0

RADIUS Client:
	Client Friendly Name:		wifi
	Client IP Address:			<ap ip address>

Authentication Details:
	Connection Request Policy Name:	Secure Wireless Connections
	Network Policy Name:		Secure Wireless Connections
	Authentication Provider:		Windows
	Authentication Server:		pdc-server.test.local
	Authentication Type:		PEAP
	EAP Type:			-
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			265
	Reason:				The certificate chain was issued by an authority that is not trusted.
 
jdetmold, I have the exact same problem as you with my Windows hosts; have you ever found a solution to this problem?
 
Do you have an AD CS set up with a CA on your test domain? Or are you using a self-signed certificate?
 
Everything is on the same box - NPS, AD, AD CS, CA, DNS. Droid phones are also working fine.
 
Sorry I forgot about this thread.

In Windows, try creating a profile for the wireless and uncheck the box that says "verify server certificate". If it works after that then you know what your problem is.
 
Also ensure you've added the CA root certificate in the trusted root authority on the Windows machine.
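
Added example, not part of the original thread: a PowerShell check, run on the failing Windows client, of whether the NPS server certificate chains to a root that client trusts, which is the condition behind Reason Code 265 in the log above. Assumptions: PowerShell 3.0 or later, and the server certificate (public part only) exported to a .cer file; the function name and the file path are placeholders.

```powershell
# Added example: run on the Windows client that fails PEAP.
# Assumption: the NPS server certificate was exported without its private key
# to a .cer file. The path in the call at the bottom is a placeholder.
function Test-ServerCertTrust {
    param(
        [Parameter(Mandatory)][string]$CertPath
    )
    $x509 = 'System.Security.Cryptography.X509Certificates'
    $cert  = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $CertPath).Path
    $chain = New-Object "$x509.X509Chain"

    # Skip revocation lookups so the result reflects trust only,
    # not whether a CRL is reachable from this client.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    # Last element is the top of the chain as this client built it.
    # For a self-signed certificate that is the certificate itself.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Is that top certificate present in a trusted root store on this client?
    $inRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object { $_.Thumbprint -eq $top.Thumbprint })

    [pscustomobject]@{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        NotAfter       = $cert.NotAfter
        ChainTrusted   = $trusted
        ChainTop       = $top.Subject
        TopInRootStore = $inRoot
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Placeholder path: point this at the exported NPS server certificate.
Test-ServerCertTrust -CertPath 'C:\Temp\nps-server.cer' | Format-List
```

`ChainTrusted : False` with `UntrustedRoot` or `PartialChain` in `ChainStatus` means this client does not trust the issuing CA, so importing the CA root into its Trusted Root Certification Authorities store should make the check pass with "verify server certificate" left enabled.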
 