Problem with network policy rule in Network Policy Server
Posted
by
Robert Moir
on Server Fault
See other posts from Server Fault
or by Robert Moir
Published on 2011-06-06T10:36:36Z
Indexed on
2011/07/01
0:24 UTC
Read the original article
Hit count: 444
Trying to configure RADIUS for a college network, and have run into the following frustration:
I can't set an "AND" condition for group membership of authenticated objects in the network policy rules, e.g. I'm trying to create a NPS rule that says, essentially "IF user is a member of [list of user groups] And is authenticating from a computer in [wireless computer group] then allow access.
The screenshot above is the rule I am having trouble with. It does not work as written. The rule underneath it, which is identical in every aspect except the conditions rule, does work.
I've tried changing the non-working rule to define each set of groups as "Windows group" rather than specifically as machine and user groups, with no change.
With the "faulty" rule enabled and the working one disabled, any attempt to login with a valid account from a machine that is in the wireless computers group gives a 6273 audit event in the windows event log: Reason code 66 - "the user attempted to use an authentication method that is not enabled on the matching network policy". Disabling the "faulty" rule, enabling the other rule and logging in with the same account and computer works just fine.
© Server Fault or respective owner