0

For a school I implemented eduroam two years ago and from time to time we add new students in the AD. Five days ago I added 40 more new students but I changed the CN's (or what in New-ADUser is called "-Name") format:

from "name.surname" to "SURNAME, NAME" (quotes excluded), hence

earlier it was

CN=name.surname, OU=CLASS_A, OU=STUDENTS, DC...

now it is

CN=SURNAME, NAME, OU=CLASS_A, OU=STUDENTS, DC...

an eduroam's username normally is <string with no blanks>@<yourschool>.<tld> so that the RADIUS proxies can route the auth request based on @<yourschool>.<tld> , So I must keep such a format.

Now, the new users cannot be authenticated anymore by NPS.

All the tests I ran back my thesis (i.e. that NPS uses CN to authenticate) but I cannot find any Microsoft document that states that.

  1. Could anybody share the link to such doc?
  2. is it a way to change the check from CN (if proved by answer of point 1)) to another user's recor like sAMAccountNAme or UPN?

I'm sure I'm touching something deep in AD but I hope somebody has tripped into this issue and has found a answer.

TIA

P.S. I guess the alternative would be to use FreeRADIUS but I would rather explore the options to still make within NPS/AD

Alex
  • 65
  • 9
  • Did you solve this? I have a similar issue in where NPS uses UPN but I would like it to use CN instead to match the username given in RADIUS to a user in the Active Directory. – Johnathan Dec 01 '22 at 13:56
  • Hi @Johnathan, I don't remember any more. At the moment auth works and I think I was wrong in stating that NPS uses CN, instead it uses UPN. Hence I'm afraid you can't use CN. Sorry for the confusion I brought. – Alex Dec 02 '22 at 14:31

1 Answers1

0

• Please check the Windows Server event security log for more details on the issue for NPS authentication because that might shed some more light on the actual issue that you might be facing. Till then, please clear the cache and temporary files from the server and restart the whole infrastructure regarding NPS, i.e., domain controller, NPS Server, Access points and other related devices through which users can login through NPS.

• Once restarted, please try to authenticate any allowed user through NPS once again and check. Also, as you are using NPS as a radius server proxy, please check for the attribute manipulation rules for message forwarding since the CNs are changed in their order/format in your AD. Specifically, regarding the username which is provided by the access client and is included by the NAS in the Radius access-request message. The value of this attribute is a character string that typically contains a realm name and a user account name.

• To correctly replace or convert realm names in the username of a connection request, you must configure attribute manipulation rules for the User-Name attribute on the appropriate connection request policy.

Also, find the below links regarding your query whether which attribute you can use to authenticate in case of NPS. In it, it clearly stated that user principal name should be used as an attribute as a best practice: -

https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-best-practices#performance-tuning-nps

https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-best-practices#using-nps-in-large-organizations

Please check the below documentation link for your condition: -

https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-plan-proxy#key-steps-3

Kartik Bhiwapurkar
  • 4,550
  • 2
  • 4
  • 9