Navigating network access issues can be frustrating, especially when dealing with cryptic error messages. Recently, after disabling default policies on a 2016 NPS (Network Policy Server), I encountered a common yet perplexing problem: Reason Code 48, indicating that “The connection request did not match any configured network policy.” This shift occurred after deactivating the default policies, specifically:
- Connection Request Policies > Use Windows authentication for all users.
- Network Policies > Connections to other access servers.
- Network Policies > Connections to Microsoft Routing and Remote Access server.
Previously, with these default policies enabled, the system logged Reason Code 66 (“The user attempted to use an authentication method that is not enabled on the matching network policy.”). Disabling them changed the error, but didn’t solve the underlying connectivity issue for my Staff WiFi network.
Understanding the Configuration and the Error
My Staff WiFi Network Policy is configured with three key conditions:
- Condition: NAS Port Type, Value: Wireless – IEEE 802.11 OR Wireless – Other
- Condition: User Groups, Value: MYDOMAIN\Meraki Staff Group
- Condition: Machine Groups, Value: MYDOMAIN\Meraki Computer Group
The test laptop in question is indeed a member of the MYDOMAIN\Meraki Computer Group, and the user account is part of the MYDOMAIN\Meraki Staff Group. Despite meeting these conditions, the connection attempts resulted in Reason Code 48.
Upon each connection attempt, two Event Viewer logs are generated, approximately 10 seconds apart, both showing Reason Code 48: one for the user and one for the machine. Here’s an example of the event log details:
-------------------------------------------------------------------------------------------------------------
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: MYDOMAIN\ElectroDan
Account Name: MYDOMAIN\ElectroDan
Account Domain: MYDOMAIN
Fully Qualified Account Name: MYDOMAIN\ElectroDan
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: 9A-15-54-AB-52-67:Radius_Test
Calling Station Identifier: 84-3A-4B-56-F4-5C
NAS:
NAS IPv4 Address: 10.99.108.26
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: -
RADIUS Client:
Client Friendly Name: Meraki - Purchasing
Client IP Address: 10.99.108.26
Authentication Details:
Connection Request Policy Name: WiFi_Staff
Network Policy Name: -
Authentication Provider: Windows Authentication
Server: DC03.mydomain.local
Authentication Type: EAP
EAP Type: -
Account Session Identifier: 41413346334133424138354636383335
Logging Results: Accounting information was written to the local log file.
Reason Code: 48
Reason: The connection request did not match any configured network policy.
-------------------------------------------------------------------------------------------------------------
And the second log entry, for the machine account:
-------------------------------------------------------------------------------------------------------------
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: MYDOMAIN\ITSPARE01$
Account Name: host/ITSPARE01.mydomain.local
Account Domain: MYDOMAIN
Fully Qualified Account Name: MYDOMAIN\ITSPARE01$
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: 9A-15-54-AB-56-2D:Radius_Test
Calling Station Identifier: 84-3A-4B-56-F4-5C
NAS:
NAS IPv4 Address: 10.99.108.25
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: -
RADIUS Client:
Client Friendly Name: Meraki - Accounts
Client IP Address: 10.99.108.25
Authentication Details:
Connection Request Policy Name: WiFi_Staff
Network Policy Name: -
Authentication Provider: Windows Authentication
Server: DC03.mydomain.local
Authentication Type: EAP
EAP Type: -
Account Session Identifier: 41433342464337434233394535444334
Logging Results: Accounting information was written to the local log file.
Reason Code: 48
Reason: The connection request did not match any configured network policy.
-------------------------------------------------------------------------------------------------------------
Key Observations
Two points stand out from these logs:
- Machine Account in User Section: The machine account (MYDOMAIN\ITSPARE01$) is incorrectly listed in the ‘User’ section of the event log, while the ‘Client Machine’ section remains empty. This anomaly suggests a potential misinterpretation of the authentication request type by NPS.
- Multiple Access Points: The second log entry, concerning the machine account, is registering via a different Access Point (Meraki – Accounts) compared to the first entry (Meraki – Purchasing). Both APs are within range of the test laptop, indicating the laptop might be attempting connections through both simultaneously or sequentially.
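To line up denials like these per client, the sketch below parses the event text section by section and groups entries by Calling Station Identifier, flagging whether the account in the ‘User’ section is a user or a computer account. It is an added example, not part of the original troubleshooting notes; the sample text is constructed from the two entries above (abridged), and the function names are illustrative.

```python
from collections import defaultdict

# Constructed sample: the two denials above, abridged to the fields used here.
TEMPLATE = """Network Policy Server denied access to a user.
User:
  Account Name: {account}
Client Machine:
  Account Name: -
  Calling Station Identifier: 84-3A-4B-56-F4-5C
RADIUS Client:
  Client Friendly Name: {ap}
Authentication Details:
  Connection Request Policy Name: WiFi_Staff
  Network Policy Name: -
  Reason Code: 48
"""
SAMPLE = (TEMPLATE.format(account=r"MYDOMAIN\ElectroDan", ap="Meraki - Purchasing")
          + TEMPLATE.format(account="host/ITSPARE01.mydomain.local", ap="Meraki - Accounts"))

def parse_events(text):
    """Return one dict per denial, keyed by (section, field).

    The section is kept because 'Account Name' appears under both
    'User' and 'Client Machine'.
    """
    events, section = [], None
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if line.strip().startswith("Network Policy Server denied access"):
            events.append({})
        elif events and sep and not value:
            section = key                    # header such as "User:" or "NAS:"
        elif events and sep:
            events[-1][(section, key)] = value
    return events

def triage(events):
    """Per client MAC: (account kind, AP, matched network policy, reason code)."""
    auth, by_mac = "Authentication Details", defaultdict(list)
    for ev in events:
        account = ev.get(("User", "Account Name"), "-")
        machine = account.lower().startswith("host/") or account.endswith("$")
        mac = ev.get(("Client Machine", "Calling Station Identifier"), "-")
        by_mac[mac].append(("machine" if machine else "user",
                            ev.get(("RADIUS Client", "Client Friendly Name"), "-"),
                            ev.get((auth, "Network Policy Name"), "-"),
                            ev.get((auth, "Reason Code"), "-")))
    return dict(by_mac)

if __name__ == "__main__":
    for mac, attempts in triage(parse_events(SAMPLE)).items():
        print(mac, attempts)
```

A Network Policy Name of "-" on every attempt from the same MAC confirms that neither the user nor the machine request reached a matching policy.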
Next Steps for Troubleshooting
Reason Code 48 essentially means that NPS could not find a Network Policy that matched the incoming connection request based on the configured conditions. To resolve this, consider the following troubleshooting steps:
- Policy Order: Ensure the WiFi_Staff Network Policy is correctly placed in the policy order. Policies are evaluated sequentially, and a policy lower in the list might be inadvertently catching the request first if its conditions are too broad.
- Condition Accuracy: Double-check the conditions within the WiFi_Staff policy. Verify the spelling and format of the User Groups and Machine Groups are accurate and that these groups are indeed populated correctly in Active Directory.
- NAS Port Type Verification: Confirm that the NAS Port Type condition (Wireless - IEEE 802.11 OR Wireless - Other) accurately reflects the port type being used by the Meraki Access Points.
- Authentication Methods: Review the Authentication Methods configured within the WiFi_Staff Network Policy. Ensure that the authentication methods enabled are compatible with the client devices and the network environment. EAP methods, as indicated in the logs, often require specific configurations on both the NPS and client sides.
- Connection Request Policies: Examine the Connection Request Policies. While the default “Use Windows authentication for all users” was disabled, ensure no other Connection Request Policies are interfering or misrouting the requests before they reach the WiFi_Staff Network Policy.
By systematically reviewing these areas, you can pinpoint why the connection requests are failing to match the intended Network Policy and effectively resolve the Reason Code 48 error.