We are trying to upgrade our Domain Controllers to Server 2016 from 2008 R2 and are having some issues with RADIUS. Server 2008 R2 works fine authenticating Windows 7 & 10 machines. With Server 2016, it works fine authenticating Windows 7, but Windows 10 machines have been unable to authenticate. We were looking through Event Viewer and see no logs for connection attempts from the Windows 10 machines. The only relevant logs are from the NPS accounting log file, which doesn't help highlight the issue for us. The Meraki logs give us an EAP error.
Client VPN authentication from Windows 7 & 10 machines also has no trouble authenticating against this server. Granted, VPN isn't utilizing PEAP like the wireless authentication is.
Has anyone run into anything like this?
Look at a successful authentication for Windows 7. Now look at a failed one for Windows 10. Did the Windows 10 one use the same policy? I'm guessing no. If not, then compare your policy match criteria with what is in the event log entry.
So both clients are using the same RADIUS policy. Does the RADIUS server say it allowed or denied the Windows 10 users?
Got lots of useful stuff to check from these two documents when we were setting it up.
If your Windows 7 computers are authenticating and the Windows 10 ones aren't, then it sounds like you verified the first thing, which is to make sure they are using the same policy. You can double check this with rsop.msc from a command line on one of the computers. Is your policy using user or computer authentication? If so, do you have the policy assigned to only allow certain groups or OUs? If so, make sure your Windows 10 user/computer is in that group/OU. If user auth, try one of the users you used on a Windows 7 computer and log in on the Windows 10 computer. Also, it may not be a bad idea to hardwire one of the Windows 10 computers to your network and do a 'gpupdate /force' to make sure it has the latest policy versions.
We may not be experts at reading the logs, but it looks like it accepts the computer, but doesn't accept the user - for Windows 10 machines only. Windows 7 machines and users authenticate just fine.
We have been through those documents numerous times. We've set up new policies using them, and it hasn't helped us. Directions look like they are for Server 2008 R2 and Windows 7. It looks like NAP is no longer used with Server 2016.
We use both user and computer policy. We do have the policy assigned to only allow certain groups, but we test with a Windows 7 and a Windows 10 machine right next to us with our own account. It works with Windows 7, and doesn't work with Windows 10. We've done numerous 'gpupdate /force' runs, but maybe I'll take another look at our GPO just to make sure there isn't a setting there that they've done away with in Windows 10.
Looking at my Group Policy settings, the only thing that is different is the encryption setting. Meraki just has AES, but I have 2 AES options: AES-CCMP and AES-GCMP. CCMP is what it is currently set at. Does anybody know if Windows 10 or Server 2016 works with both of those protocols? Grasping at straws at this point.
You should be using AES-CCMP. Meraki does not support AES-GCMP. Most WiFi NICs also do not support AES-GCMP.
What group are you permitting in RADIUS? I often use the group "Everyone" if I want everything to be able to authenticate.
You need to include both the machines and the users. Does this group contain both?
If not, you could include "Domain Computers".
Are you running the Network Policy and Access Services from your Domain Controllers or from a standalone server? Have you considered making a dedicated RADIUS server to decouple your Network Policy auth from your AD servers? That way you can update your DCs to 2016 while you troubleshoot the auth issue.
We're running them from our Domain Controllers. We haven't really considered it, we aren't that big so that's why we haven't. IMO we've troubleshot about all we can. We're just looking now to see if anybody else has had this problem or can confirm it works with Windows Server 2016 & Windows 10 machines.
We will look into having a dedicated Radius server to get us by, but I would still like to figure this out.
You'd probably be better off posting in the TechNet forums - https://social.technet.microsoft.com/Forums/en-US/home
When we transitioned over to Windows 10 we ran into an issue with Win10 machines not connecting to the hidden SSIDs. They just wouldn't do it. We had to broadcast the SSIDs for them to connect. This was with an IAS setup on 2003 and then NPS on 2012 R2. We're not on 2016 yet, so I can't help ya there.
Some other things to check:
- I assume you're using a group in AD, and putting machines into that? Make sure your machine builder is adding them into that group.
- Certificates - in your Network Policy on NPS, Constraints tab, Authentication Methods, PEAP - edit. Make sure your certificate is valid and not expired.
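The replies above all come down to comparing a Windows 7 success with a Windows 10 failure on the NPS side, and the original post says Event Viewer shows nothing for the Windows 10 attempts. The script below is an added example, not from anyone in this thread: run it on the NPS server to confirm the "Network Policy Server" audit subcategory is enabled (NPS writes events 6272/6273 to the Security log only when it is), then list recent grants and denials with the matched network policy, EAP type and reason text so the two client types can be compared side by side. The 24-hour window is an assumption; adjust as needed.

```powershell
# Added example: confirm NPS auditing and list recent RADIUS grants/denials.
# Run in an elevated PowerShell session on the NPS server.

# 1. NPS only logs 6272 (granted) / 6273 (denied) to the Security log when this
#    audit subcategory is enabled; the /get shows the current state, /set enables it.
auditpol /get /subcategory:"Network Policy Server"
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

# 2. Pull the last 24 hours of NPS authentication events (assumed window).
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id           = 6272, 6273
    StartTime    = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

# 3. Parse each event's XML payload so fields are named rather than positional.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time          = $e.TimeCreated
        Result        = if ($e.Id -eq 6272) { 'Granted' } else { 'Denied' }
        User          = $d['FullyQualifiedSubjectUserName']   # user or host/ account
        ClientMAC     = $d['CallingStationID']                # wireless client MAC
        NAS           = $d['NASIdentifier']                   # the Meraki AP/SSID
        NetworkPolicy = $d['NetworkPolicyName']               # policy that matched
        AuthType      = $d['AuthenticationType']
        EapType       = $d['EAPType']
        ReasonCode    = $d['ReasonCode']                      # present on 6273 only
        Reason        = $d['Reason']
    }
}

# 4. Full timeline, then a count by outcome/policy/reason to spot the pattern.
$rows | Sort-Object Time | Format-Table Time, Result, User, ClientMAC, NetworkPolicy, EapType, Reason -AutoSize
$rows | Group-Object Result, NetworkPolicy, Reason | Select-Object Count, Name | Format-Table -AutoSize
```

Filter the timeline on the ClientMAC of the Windows 7 and Windows 10 test machines to see whether the Windows 10 attempt reaches NPS at all, which policy it matches, and which Reason it is denied for.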
Active Directory and the groups are fine.
I did end up posting on TechNet. Somebody posting said more research was needed.