Problem with network policy rule in Network Policy Server

Posted by Robert Moir on Server Fault
Published on 2011-06-06T10:36:36Z, indexed on 2011/07/01 0:24 UTC

Trying to configure RADIUS for a college network, and have run into the following frustration:

I can't set an "AND" condition for group membership of authenticated objects in the network policy rules, e.g. I'm trying to create an NPS rule that says, essentially, "IF user is a member of [list of user groups] AND is authenticating from a computer in [wireless computer group] then allow access."

This does not work

The screenshot above is the rule I am having trouble with. It does not work as written. The rule underneath it, which is identical in every aspect except the conditions rule, does work.

This does work

I've tried changing the non-working rule to define each set of groups as "Windows group" rather than specifically as machine and user groups, with no change.

With the "faulty" rule enabled and the working one disabled, any attempt to log in with a valid account from a machine that is in the wireless computers group gives a 6273 audit event in the Windows event log: Reason code 66 - "the user attempted to use an authentication method that is not enabled on the matching network policy". Disabling the "faulty" rule, enabling the other rule and logging in with the same account and computer works just fine.
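For triaging the 6273 rejections described in the post, the following is an added example and not part of the original question. It flattens each event's XML into one row showing which network policy the request matched, the authentication type and the reason code. The function name, the `Data` field names and the sample event are assumptions or constructed values; check them against an event exported from your own NPS server.

```powershell
# Added example: summarise NPS reject events (Security log, event ID 6273).
# Field names are assumed from the 6273 event layout; verify on your server.
function ConvertFrom-NpsRejectXml {
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)][string]$EventXml)
    process {
        # Collect every <Data Name="...">value</Data> pair into a hashtable.
        $f = @{}
        foreach ($d in ([xml]$EventXml).Event.EventData.Data) {
            $f[$d.GetAttribute('Name')] = $d.InnerText
        }
        New-Object PSObject -Property @{
            User          = $f['SubjectUserName']
            Machine       = $f['FullyQualifiedSubjectMachineName']
            NetworkPolicy = $f['NetworkPolicyName']
            AuthType      = $f['AuthenticationType']
            EapType       = $f['EAPType']
            ReasonCode    = $f['ReasonCode']
        } | Select-Object User, Machine, NetworkPolicy, AuthType, EapType, ReasonCode
    }
}

# Constructed sample event (placeholder names, not taken from the post).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6273</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">EXAMPLE\student1</Data>
    <Data Name="FullyQualifiedSubjectMachineName">EXAMPLE\LAPTOP01$</Data>
    <Data Name="NetworkPolicyName">Wireless users AND computers (constructed)</Data>
    <Data Name="AuthenticationType">PEAP</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="ReasonCode">66</Data>
  </EventData>
</Event>
'@

# Offline run against the constructed sample: show only reason-code-66 rejects.
$rows = $sample | ConvertFrom-NpsRejectXml
$rows | Where-Object { $_.ReasonCode -eq '66' } | Format-List

# On the NPS server, feed live events through the same function:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6273} -MaxEvents 50 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-NpsRejectXml |
#     Group-Object NetworkPolicy, AuthType, ReasonCode
```

Grouping by policy name and authentication type shows whether rejected requests are landing on the policy you expect, which is the first thing to confirm when two policies differ only in their conditions.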
