I've configured our RADIUS client (pfSense) and Windows 2008 NPS for authentication via RADIUS. The set-up is a Captive portal where LAN users authenticate with Active Directory.
When looking at our event logs, I see the following error after a log-in test.
Network Policy Server denied access to the user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: CAMPUS\testuser
Account Name: testuser
Account Domain: CAMPUS
Fully Qualified Account Name: campus.mydomain.local/Users/Administrator
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -
NAS:
NAS IPv4 Address: 0.0.0.0
NAS IPv6 Address: -
NAS Identifier: pfsense.campus.mydomain.local
NAS Port-Type: -
NAS Port: -
RADIUS Client:
Client Friendly Name: pfSense
Client IP Address: 192.168.1.6
Authentication Details:
Proxy Policy Name: Use Windows authentication for all users
Network Policy Name: Connections to other access servers
Authentication Provider: Windows
Authentication Server: AGDC01.campus.mydomain.local
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Reason Code: 65
Reason: The connection attempt failed because network access permission for the user account was denied. To allow network access, enable network access permission for the user account, or, if the user account specifies that access is controlled through the matching network policy, enable network access permission for that network policy.
This is regardless of the user I authenticate with. Within AD, our users are set-up to "Control access through NPS Network Policy." I look forward to some assistance because I am pretty stuck.
Best Answer
I'm sure I am not the first one who encountered this so I'm answering my own question. Within NPS, there the following must be changed and the issue will be resolved.
Within NPS, goto:
This corrected the issue and just to be safe and Ordered the policies as follows: