Windows Network Policy Server Troubleshooting tip.
Check the NPS events in Event Viewer: the denial event tells you which Connection Request Policy and Network Policy your attempt matched, and from there you can usually work out what the problem is. A sample denied-access event looks like this:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: ictfella\testuser
Account Name: ictfella\testuser
Account Domain: ictfella
Fully Qualified Account Name: ictfella.local/Users/Danny Zhang
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -
NAS:
NAS IPv4 Address: 172
NAS Port-Type: -
NAS Port: -
RADIUS Client:
Client Friendly Name: ICTFELLASW01
Client IP Address: 172.1.1.34
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Connections to other access servers
Authentication Provider: Windows
Authentication Server: NPS01.ictfella.local
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 65
Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
Note
- The policy-name fields (Connection Request Policy Name and Network Policy Name) are very useful: they show exactly which policy the request was evaluated against.
- The "Reason" field is unreliable; most of the time it does not tell you the real cause.
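As an added example (not part of the original post), the following PowerShell pulls recent NPS denied-access events from the Security log and groups them by the policy pair and reason code, so you can see at a glance which policy a failing client keeps hitting. It assumes the events are logged as Event ID 6273 in the Security log on the NPS server (the standard ID for "Network Policy Server denied access to a user") and reads the field labels exactly as they appear in the rendered message text shown above; the parameter names are my own.

```powershell
# Added example: summarise NPS "denied access" events by the policy they matched.
# Run in an elevated PowerShell session on the NPS server, or point -ComputerName at it.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumption: the NPS server to query
    [int]$Hours = 24,                            # how far back to look
    [string]$User = ''                           # optional substring filter, e.g. 'testuser'
)

# Field labels as they appear in the event message; each is read back with a regex.
# 'Account Name' appears twice (User and Client Machine); the User block comes first,
# so the first match is the user account, which is what we want here.
$fields = 'Account Name', 'Client Friendly Name', 'Client IP Address',
          'Connection Request Policy Name', 'Network Policy Name',
          'Authentication Type', 'Reason Code'

# Event ID 6273 = "Network Policy Server denied access to a user" (Security log).
$filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) }

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) { Write-Warning "No NPS denial events in the last $Hours hour(s)."; return }

$parsed = foreach ($evt in $events) {
    $msg = $evt.Message
    $row = [ordered]@{ Time = $evt.TimeCreated }
    foreach ($f in $fields) {
        # Match "<label>: <value>" at the start of a line; (?m) makes ^/$ line-anchored.
        $pattern = "(?m)^\s*$([regex]::Escape($f)):\s*(.*?)\s*$"
        $row[$f] = if ($msg -match $pattern) { $Matches[1] } else { '-' }
    }
    [pscustomobject]$row
}

if ($User) { $parsed = $parsed | Where-Object { $_.'Account Name' -like "*$User*" } }

# One line per distinct (connection request policy, network policy, reason code),
# most frequent first. A client stuck on the wrong network policy stands out immediately.
$parsed |
    Group-Object 'Connection Request Policy Name', 'Network Policy Name', 'Reason Code' |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ Name = 'CRP / Network Policy / Reason Code'; Expression = { $_.Name } },
        @{ Name = 'Last seen'; Expression = { ($_.Group | Sort-Object Time)[-1].Time } }
```

Drop the final `Group-Object` pipeline and emit `$parsed` directly if you want the per-event list with the client friendly name and IP for a single user's attempts.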