NTRadPing gets rejected by Win2016 NPS


Hi all,

 

I am trying to fathom NPS (RADIUS) in Windows Server 2016, but all efforts are failing. I have peeled back to just a basic client (Win10) to server connection on the same LAN and using NTRadPing to test an authentication request ... but all efforts fail.

 

The latest is "response: Access-Reject". There is nothing logged in the event viewer.

 

The intention is to use RADIUS authentication for some appliance VPN connections (not RRAS).

 

My test NPS configuration is as follows:

 

> NPS enabled and registered

> RADIUS client is created and defined as IP address of 'my_laptop'

> Shared Secret is same as defined on client and server side

> Vendor name is "RADIUS Standard"

> Connection Request Policy: Enabled; Type of network access server is Unspecified, Condition defined is Access Client IPv4 Address is 'my_laptop' IP, Settings is set to Authentication requests on this server

> Network Policy: Enabled; Grant access if connection request matches this policy; Ignore user accounts dial-in properties; Type of network access server is Unspecified; Windows Groups defined where user authenticating is a member of the security group; Machine Groups defined where client machine 'my_laptop' connecting is a member of the security group; Authentication Methods has all "less secure" methods selected, except the last one; RADIUS Attributes has Standard defined as Framed-Protocol as PPP and Service-Type as Framed

> everything else is default

 

If I change the NTRadPing request type to Status Server, then I get an event logged on the NPS server ... A RADIUS message with the Code field set to 12, which is not valid, was received on port 1812 from RADIUS client <my_laptop>. Valid values of the RADIUS Code field are documented in RFC 2865.

Is this because NTRadPing is old and no longer complies? If so, how else can I do basic RADIUS testing?

 

I have tried to find some very basic setup for RADIUS (NPS) in Windows but all attempts to get this working fail.

 

I have the necessary ports open on the firewall too ... 1812, 1813, 1645 & 1646.

 

Thanks.

 

Jason
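
Added example, not part of the original post: an offline check of the RADIUS pieces discussed above, following RFC 2865 (Code values, PAP User-Password hiding, Response Authenticator). The user name, password and secrets are constructed samples, and `sign_response` is a hypothetical stand-in for the server so the script runs without a network.

```python
import hashlib
import hmac
import os
import struct

# Code values from RFC 2865 section 3 (12 and 13 are marked experimental there).
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         11: "Access-Challenge", 12: "Status-Server", 13: "Status-Client"}

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """PAP User-Password hiding, RFC 2865 section 5.2."""
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(user, password, secret, ident=1, req_auth=None):
    req_auth = req_auth or os.urandom(16)
    attrs = attr(1, user.encode()) + attr(2, hide_password(password.encode(), secret, req_auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def sign_response(code, request, secret, attrs=b""):
    """Stand-in for the server side, so the check below runs offline."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + auth + attrs

def check_response(response, request, secret):
    """Return (code name, True if the Response Authenticator verifies)."""
    if len(response) < 20:
        return "malformed", False
    code, ident, length = struct.unpack("!BBH", response[:4])
    name = CODES.get(code, f"code {code}")
    if length != len(response) or ident != request[1]:
        return name, False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return name, hmac.compare_digest(expected, response[4:20])

# Constructed values: user, password and secrets are samples, not from the thread.
req = build_access_request("testuser", "sample-pass", b"shared-secret")
reply = sign_response(3, req, b"shared-secret")
print(check_response(reply, req, b"shared-secret"), check_response(reply, req, b"other-secret"))
```

An Access-Reject whose authenticator verifies was produced with the same shared secret, so the cause lies in credentials or policy rather than a secret mismatch.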

7 Replies

Does anybody have any idea on getting NPS to work?

Did you ever get a response or figure out why NTRadPing was not working with your NPS Radius in Server 2016? I am trying to figure out the same issue and it is dogging me. Appreciate any information.

@jay26cee Try changing your condition from "Access Client IPv4 Address" to "Client IPv4 Address"

 

Also make sure you enable logging under Accounting and create your log files in a format you can manage. Because you are being rejected by NPS, it doesn't create an Event Log entry, but it will record in the NPS accounting logs.

When creating your Network Policy, start at the widest breadth - only one condition. Make sure it works, then add another. Same for any constraints. Get it working at the lowest level, then build additional complexity.

 

*Source*

I'm running two NPS on Server 2016 with two network policies, including one that is only client IP (used for health monitor) and one that is a bit more extensive. The client IP one had the same issue until I changed the condition.

 

@DeeRex Thanks. Will have to look into this in the near future - got a lot going on right now.

 

Will update once done.

@jay26cee I'm in the same error? Did you manage to solve it?

@mmendozaf - unfortunately, I have not been able to revisit this yet. Have a look at what DeeRex wrote and see what you can do? I might only get a chance to look into this in a couple of weeks. But, I will definitely post any updates on here.

@jay26cee 

 

I've had a similar issue myself setting up NPS on Server 2016, originally thought it was because I was exporting our old NPS Configuration from a 2008R2 box, but still happened on a different server on a fresh setup.

I would recommend having a look at those NPS Audit Logs, usually in C:\Windows\System32\LogFiles\ and in particular look at the "Reason-code" field right up the end of an entry. I was receiving Reason Code 22, which seemingly relates to not having a CA certificate installed on the local client. On a lark I checked the Personal Computer Certificates on the NPS server and found that it didn't actually have one. I generated a new one, tried to connect to the RADIUS WiFi network and it worked. 

 

Though I am still running into some issues with NTRadPing, eh.
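
Added example, not part of the original replies: a tally of Access-Reject records by client, user and Reason-Code from an NPS accounting log, as the replies above suggest checking. It assumes the DTS-compliant (XML) log format with one `<Event>` element per line and the element names shown; the sample records are constructed, with Reason-Code 22 taken from the reply above.

```python
import xml.etree.ElementTree as ET
from collections import Counter

ACCESS_REJECT = "3"  # Packet-Type carries the RADIUS Code value (3 = Access-Reject)

def _event(ptype, reason, user="EXAMPLE\\testuser", client="192.0.2.10"):
    """Build one constructed log record; host, user and address are made up."""
    fields = {"Timestamp": "01/01/2020 10:00:00.000", "User-Name": user,
              "Client-IP-Address": client, "Packet-Type": ptype, "Reason-Code": reason}
    body = "".join(f'<{k} data_type="1">{v}</{k}>' for k, v in fields.items())
    return f"<Event>{body}</Event>"

# Constructed sample: each request (Packet-Type 1) is followed by its response.
SAMPLE_LOG = "\n".join([
    _event(1, 0), _event(3, 22),
    _event(1, 0), _event(3, 22),
    _event(1, 0, user="EXAMPLE\\other"), _event(2, 0, user="EXAMPLE\\other"),
    "<Event><Timestamp>01/01/2020 10:0",  # truncated record, e.g. a partial write
])

def summarise_rejects(log_text):
    """Count Access-Reject records by (client, user, reason code).

    Returns (Counter, number of lines skipped because they did not parse).
    """
    counts, skipped = Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = ET.fromstring(line)
        except ET.ParseError:
            skipped += 1
            continue
        if (ev.findtext("Packet-Type") or "").strip() != ACCESS_REJECT:
            continue
        key = tuple((ev.findtext(tag) or "").strip()
                    for tag in ("Client-IP-Address", "User-Name", "Reason-Code"))
        counts[key] += 1
    return counts, skipped

counts, skipped = summarise_rejects(SAMPLE_LOG)
for (client, user, reason), n in counts.most_common():
    print(f"{n} rejects  client={client}  user={user}  Reason-Code={reason}")
print(f"{skipped} unparseable line(s) skipped")
```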