Issue with RADIUS authentication for some users

Hi,
 
We have an issue with a small number of users who are unable to authenticate via the Network Policy Server we have created on Windows Server 2016.  We use this along with our Watchguard firewall to authenticate staff on the SSL VPN with 2FA.  This works fine for 99% of staff; we just have a couple of staff who are unable to connect, and the NPS server rejects them every time.  We have multiple firewalls and multiple NPS servers (local to each site) and each behaves the same: these couple of users are rejected.
 
To explain in more detail this is what occurs.
 
  1. The user logs into the VPN from their laptop.
  2. The firewall is linked to our NPS service on the Windows 2016 server.
  3. The user is a member of the group and is authenticated.
  4. A response is sent to the user's phone via the Azure 2FA app.
For the couple of users who cannot authenticate, they are rejected at stage 2, and we can see in the NPS logs that their names are displayed differently from those of the users who authenticate without any issue.  We cannot see any difference in the user accounts in AD or Azure.
The user accounts are not locked out, expired or anything like that, and using 2FA for Office 365 works fine for these users too.
 
As you can see from this extract from our NPS logs, the user Jim.Morrison can authenticate successfully but the user Cat.Stevens is unable to authenticate, and the only difference we can tell is how the names are displayed in this log.  Do you have any ideas on how we can fix this and allow Cat to authenticate via NPS?
 
"NPS-SERVER","IAS",11/02/2021,10:42:59,1,"jim.morrison","domain.local/Moore and Smalley/Users/Preston/Corporate Finance/Jim Morrison",,,,,,"10.x.x.x",0,0,"10.x.x.x","Preston Firewall",,,,,,,8,"VPN Policy",0,"311 1 10.x.x.x 10/29/2021 18:02:44 2981",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
"NPS-SERVER","IAS",11/02/2021,10:42:59,3,,"domain.local/Moore and Smalley/Users/Preston/Corporate Finance/Jim Morrison",,,,,,,,0,"10.x.x.x","Preston Firewall",,,,,,,8,"VPN Policy",21,"311 1 10.x.x.x 10/29/2021 18:02:44 2981",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
"NPS-SERVER","IAS",11/02/2021,10:47:42,1,"cat.stevens","Domain\cat.stevens",,,,,,"10.x.x.x",0,0,"10.x.x.x","Preston Firewall",,,,,,,8,,0,"311 1 10.0.x.x 10/29/2021 18:02:44 2982",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
"NPS-SERVER","IAS",11/02/2021,10:47:42,3,,"Domain\cat.stevens",,,,,,,,0,"10.x.x.x","Preston Firewall",,,,,,,8,,21,"311 1 10.x.x.x 10/29/2021 18:02:44 2982",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
"NPS-SERVER","IAS",11/02/2021,10:48:37,1,"cat.stevens","Domain\cat.stevens",,,,,,"10.x.x.x",0,0,"10.x.x.x","Preston Firewall",,,,,,,8,,0,"311 1 10.x.x.x 10/29/2021 18:02:44 2983",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
"NPS-SERVER","IAS",11/02/2021,10:48:37,3,,"Domain\cat.stevens",,,,,,,,0,"10.x.x.x","Preston Firewall",,,,,,,8,,21,"311 1 10.x.x.x 10/29/2021 18:02:44 2983",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
 
Firewall support says it's not their problem, Microsoft say this is an on-premises problem so go away (we don't pay for on-prem support), so you are my last hope!
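Added example (not part of the original post): a small Python parser for the NPS "IAS" database-compatible log format, run over the six lines from the post. It maps the fixed column positions of that format, pairs each Access-Request with its response through the Class attribute, and flags the two columns that differ between the users in this extract: Fully-Qualified-User-Name (canonical path versus DOMAIN\user) and Policy-Name (present versus empty). The column positions and the partial Reason-Code table are taken from the NPS log-format documentation; the session key (computer name plus the trailing Class counter) is my choice because the NPS IP inside the posted Class strings is redacted inconsistently; the `expected_form` parameter is an assumption the caller supplies from a known-good session.

```python
import csv
from collections import defaultdict

# Fixed 0-based column positions in the NPS "IAS" (database-compatible)
# log format. The first 27 columns are always present; the attributes that
# follow vary per record, which is why the posted lines differ in length.
IAS_COLUMNS = {
    "computer": 0, "service": 1, "date": 2, "time": 3,
    "packet_type": 4, "user_name": 5,
    "fq_user_name": 6,            # Fully-Qualified-Distinguished-Name
    "nas_ip": 12, "client_ip": 15, "client_friendly_name": 16,
    "auth_type": 23, "policy_name": 24, "reason_code": 25, "class": 26,
}

# RADIUS packet codes as written in the Packet-Type column.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 11: "Access-Challenge"}

# Partial Reason-Code table from the NPS documentation (extend as needed).
REASON_CODES = {
    0: "success",
    16: "authentication failure (bad credentials)",
    21: "rejected by an NPS extension DLL",
    36: "account locked out",
    48: "no matching network policy",
}

# Sample input: the six log lines from the post above, copied verbatim.
SAMPLE_LOG = r'''
"NPS-SERVER","IAS",11/02/2021,10:42:59,1,"jim.morrison","domain.local/Moore and Smalley/Users/Preston/Corporate Finance/Jim Morrison",,,,,,"10.x.x.x",0,0,"10.x.x.x","Preston Firewall",,,,,,,8,"VPN Policy",0,"311 1 10.x.x.x 10/29/2021 18:02:44 2981",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
"NPS-SERVER","IAS",11/02/2021,10:42:59,3,,"domain.local/Moore and Smalley/Users/Preston/Corporate Finance/Jim Morrison",,,,,,,,0,"10.x.x.x","Preston Firewall",,,,,,,8,"VPN Policy",21,"311 1 10.x.x.x 10/29/2021 18:02:44 2981",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
"NPS-SERVER","IAS",11/02/2021,10:47:42,1,"cat.stevens","Domain\cat.stevens",,,,,,"10.x.x.x",0,0,"10.x.x.x","Preston Firewall",,,,,,,8,,0,"311 1 10.0.x.x 10/29/2021 18:02:44 2982",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
"NPS-SERVER","IAS",11/02/2021,10:47:42,3,,"Domain\cat.stevens",,,,,,,,0,"10.x.x.x","Preston Firewall",,,,,,,8,,21,"311 1 10.x.x.x 10/29/2021 18:02:44 2982",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
"NPS-SERVER","IAS",11/02/2021,10:48:37,1,"cat.stevens","Domain\cat.stevens",,,,,,"10.x.x.x",0,0,"10.x.x.x","Preston Firewall",,,,,,,8,,0,"311 1 10.x.x.x 10/29/2021 18:02:44 2983",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
"NPS-SERVER","IAS",11/02/2021,10:48:37,3,,"Domain\cat.stevens",,,,,,,,0,"10.x.x.x","Preston Firewall",,,,,,,8,,21,"311 1 10.x.x.x 10/29/2021 18:02:44 2983",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
'''


def parse_ias_record(line):
    """Split one IAS-format line into the named columns above."""
    fields = next(csv.reader([line]))      # quoted CSV, no escape char
    rec = {name: (fields[i] if i < len(fields) else "")
           for name, i in IAS_COLUMNS.items()}
    rec["packet_type"] = int(rec["packet_type"])
    rec["reason_code"] = int(rec["reason_code"]) if rec["reason_code"] else None
    return rec


def name_form(fq_user_name):
    """Classify how NPS wrote Fully-Qualified-User-Name."""
    if not fq_user_name:
        return "missing"
    if "/" in fq_user_name:
        return "canonical"     # domain.local/OU/.../CN, as for jim.morrison
    if "\\" in fq_user_name:
        return "netbios"       # DOMAIN\user, as for cat.stevens
    return "other"


def session_key(rec):
    # Class = "311 <NPS id> <NPS IP> <service start time> <counter>". The
    # counter is unique per NPS server since service start, so computer +
    # counter pairs a request with its response. (Assumption: the full string
    # is avoided because the IPs in the posted extract are redacted unevenly.)
    return (rec["computer"], rec["class"].split()[-1])


def summarize_sessions(lines):
    """Pair each Access-Request with its response; one dict per session."""
    sessions = defaultdict(dict)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_ias_record(line)
        s = sessions[session_key(rec)]
        if rec["packet_type"] == 1:
            s.update(user=rec["user_name"], time=rec["time"],
                     fq_user_name=rec["fq_user_name"],
                     name_form=name_form(rec["fq_user_name"]),
                     policy=rec["policy_name"], client=rec["client_friendly_name"])
        else:
            s.update(response=PACKET_TYPES.get(rec["packet_type"], str(rec["packet_type"])),
                     reason_code=rec["reason_code"],
                     reason=REASON_CODES.get(rec["reason_code"], "unknown code"))
    return dict(sessions)


def find_anomalies(sessions, expected_form="canonical"):
    """Flag request records that deviate from the known-good shape: a
    Fully-Qualified-User-Name not in expected_form, or an empty Policy-Name."""
    findings = []
    for (_, counter), s in sessions.items():
        if "user" not in s:
            continue
        if s["name_form"] != expected_form:
            findings.append((s["user"], counter,
                             f"FQ user name logged as {s['name_form']}: {s['fq_user_name']}"))
        if not s["policy"]:
            findings.append((s["user"], counter, "Policy-Name is empty on the Access-Request"))
    return findings


if __name__ == "__main__":
    sessions = summarize_sessions(SAMPLE_LOG.splitlines())
    for (_, counter), s in sorted(sessions.items()):
        print(f"{counter} {s['time']} {s['user']:<14} {s['name_form']:<9} "
              f"policy={s['policy'] or '<empty>':<10} {s['response']} "
              f"reason={s['reason_code']} ({s['reason']})")
    for user, counter, issue in find_anomalies(sessions):
        print(f"ANOMALY session {counter} user {user}: {issue}")
```

Run against the posted extract, every session, Jim's included, ends in Access-Reject with Reason-Code 21, so Packet-Type and Reason-Code alone do not separate the two users; the columns that do differ are the ones the script flags, and both of Cat's sessions are reported while Jim's is not.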
1 Reply

Hi, @notesguru99

In your NPS log, there is a difference in the Fully Qualified Account Name.

[Fully Qualified Account Name]
jim.morrison","  domain.local/Moore and Smalley/Users/Preston/Corporate Finance/Jim
cat.stevens"," Domain\cat.stevens"

I know the "Fully Qualified Account Name" does not exist in the AD attributes.

It seems like the cname (canonical name) according to the NPS API docs.

Please check the cname of the two users.

Thanks.