
HP PCM+ v4 and Radius/NPS authentication for administrators

GJvanWeelden
Visitor

Hi,

I am trying to configure the HP PCM+ v4 server so administrators can log in to the PCM client with their Active Directory username and password. This is not working for me. I am looking for the NPS policy configuration to set.

srv-pcm01 => PCM+ v4 server, RADIUS server configured to srv-nps01 server IP with shared secret.

srv-nps01 => Windows 2008 R2 SP1 Network Policy Server

Connection Request Policy => Enabled,
 - Type of network access server = unspecified
 - Conditions = Client Friendly Name = srv-pcm01
 - Settings = default (no changes)

Network Policy => enabled
 - Grant access Enabled
 - Type of network access server = unspecified
 - Conditions = Client Friendly Name = srv-pcm01, user groups = domain\NetworkAdmins
 - Constraints = MS-CHAP-v2, MS-CHAP and CHAP Enabled
 - Settings = default (no changes)

I've enabled CHAP in the network policy. The error in the NPS log is that the provided user credentials are not correct. I tried several users and passwords and that's not the problem.

Who can help me?

Chrisd131313
Trusted Contributor

Re: HP PCM+ v4 and Radius/NPS authentication for administrators

Hi,

Your NPS policy looks correct (the only difference from the policy I have is that I use the NAS-Identifier rather than the Client-Friendly-Name to distinguish the requestor source).

I have just tried setting mine up with CHAP and it fails to authenticate, stating the following...

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date:  26/10/2012
Time:  06:33:47
User:  N/A
Computer: NPSserver
Description:
User username was denied access.
 Fully-Qualified-User-Name = domain\username
 NAS-IP-Address = <not present>
 NAS-Identifier = hostname
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = <not present>
 Client-Friendly-Name = hostname
 Client-IP-Address = x.x.x.x
 NAS-Port-Type = <not present>
 NAS-Port = <not present>
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = <undetermined>
 Authentication-Type = MD5-CHAP
 EAP-Type = <undetermined>
 Reason-Code = 19
 Reason = The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account. To ensure that reversibly encrypted passwords are enabled, check either the domain password policy or the password settings on the user account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 0a 20 07 80               . .€

Based on the above I would say that you need to enable "Store password with reversible encryption" on the AD user accounts you want to use with CHAP.

I have my PCM set up to use PAP and this works fine without enabling "Store password with reversible encryption".

Hope this helps.

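Added example (not part of the original posts, and not HP or Microsoft code): a sketch of why the CHAP attempt above ends in Reason-Code 19 while PAP works without reversible encryption. CHAP (RFC 1994) makes the server recompute an MD5 over the cleartext password, whereas the RADIUS User-Password attribute used for PAP (RFC 2865, section 5.2) lets the server recover the cleartext with the shared secret and check it against a one-way hash, so that cleartext is protected in transit by the shared secret alone. All passwords, secrets and challenges are constructed, and `one_way` is a stand-in hash, not the one Active Directory uses.

```python
import hashlib
import hmac

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    # RFC 1994: response = MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def chap_verify(ident, challenge, response, cleartext):
    # The server has to recompute the digest from the cleartext password.
    # With only a one-way hash on file it cannot decide either way (None),
    # which is the situation Reason-Code 19 reports in the log above.
    if cleartext is None:
        return None
    return hmac.compare_digest(chap_response(ident, cleartext, challenge), response)

def _pap_keystream_xor(data, secret, authenticator, hiding):
    # RFC 2865 section 5.2: b1 = MD5(S + RA), b(i) = MD5(S + c(i-1))
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, key))
        prev = xored if hiding else block   # always chain on the ciphertext block
        out += xored
    return out

def pap_hide(password, secret, authenticator):
    padded_len = max(16, -(-len(password) // 16) * 16)  # pad to a 16-byte multiple
    return _pap_keystream_xor(password.ljust(padded_len, b"\x00"), secret, authenticator, True)

def pap_recover(hidden, secret, authenticator):
    return _pap_keystream_xor(hidden, secret, authenticator, False).rstrip(b"\x00")

def one_way(password, salt):
    # Stand-in one-way hash (assumption; not the algorithm AD uses)
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def pap_verify(hidden, secret, authenticator, salt, stored_hash):
    # The server recovers the cleartext, then checks it against the stored hash
    candidate = pap_recover(hidden, secret, authenticator)
    return hmac.compare_digest(one_way(candidate, salt), stored_hash)

if __name__ == "__main__":
    pw, ss = b"Constructed-Passw0rd!", b"constructed-shared-secret"  # constructed
    challenge, ra, salt = bytes(range(16)), bytes(range(16, 32)), b"\x01" * 16
    resp = chap_response(7, pw, challenge)
    print("CHAP, cleartext on file:", chap_verify(7, challenge, resp, pw))
    print("CHAP, hash only on file:", chap_verify(7, challenge, resp, None))
    hidden = pap_hide(pw, ss, ra)
    print("PAP, hash only on file: ", pap_verify(hidden, ss, ra, salt, one_way(pw, salt)))
```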