Troubleshooting NPS “Reason Code 48”: Connection Request Did Not Match Any Configured Network Policy

After the holiday break, I returned to troubleshooting an issue on my 2016 NPS Server. I had previously disabled some default policies:

  • Connection Request Policies > Use Windows authentication for all users.
  • Network Policies > Connections to other access servers.
  • Network Policies > Connections to Microsoft Routing and Remote Access server.

Disabling these default policies resolved the “Reason code: 66” errors (“The user attempted to use an authentication method that is not enabled on the matching network policy.”). However, I then began encountering “Reason code: 48” errors, indicating “The connection request did not match any configured network policy.”

This new error, “Reason code 48,” occurs when a connection request is made to the Network Policy Server (NPS), but none of the configured network policies match the criteria of the request.

Investigating Network Policy Configuration

I have a specific Network Policy configured for my Staff WiFi network, designed with three conditions:

  • Condition: NAS Port Type, Value: Wireless - IEEE 802.11 OR Wireless - Other
  • Condition: User Groups, Value: MYDOMAIN\Meraki Staff Group
  • Condition: Machine Groups, Value: MYDOMAIN\Meraki Computer Group

My test laptop is correctly placed within the “Meraki Computer Group,” and the user account I am using for testing is a member of the “Meraki Staff Group.” Despite this configuration, I consistently receive the “Reason Code: 48” error each time I attempt to connect to the Staff WiFi. The error is logged twice per connection attempt: first for the user account, and then, approximately 10 seconds later, for the machine account.

Below are the detailed event logs captured from the Network Policy Server:

-------------------------------------------------------------------------------------------------------------

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:            MYDOMAIN\ElectroDan
    Account Name:           MYDOMAIN\ElectroDan
    Account Domain:         MYDOMAIN
    Fully Qualified Account Name:   MYDOMAIN\ElectroDan

Client Machine:
    Security ID:            NULL SID
    Account Name:           -
    Fully Qualified Account Name:   -
    Called Station Identifier:      9A-15-54-AB-52-67:Radius_Test
    Calling Station Identifier:     84-3A-4B-56-F4-5C

NAS:
    NAS IPv4 Address:       10.99.108.26
    NAS IPv6 Address:       -
    NAS Identifier:         -
    NAS Port-Type:          Wireless - IEEE 802.11
    NAS Port:               -

RADIUS Client:
    Client Friendly Name:       Meraki - Purchasing
    Client IP Address:          10.99.108.26

Authentication Details:
    Connection Request Policy Name: WiFi_Staff
    Network Policy Name:        -
    Authentication Provider:        Windows Authentication
    Server:             DC03.mydomain.local
    Authentication Type:        EAP
    EAP Type:               -
    Account Session Identifier:     41413346334133424138354636383335
    Logging Results:            Accounting information was written to the local log file.
    Reason Code:            48
    Reason:             The connection request did not match any configured network policy.

-------------------------------------------------------------------------------------------------------------

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:            MYDOMAIN\ITSPARE01$
    Account Name:           host/ITSPARE01.mydomain.local
    Account Domain:         MYDOMAIN
    Fully Qualified Account Name:   MYDOMAIN\ITSPARE01$

Client Machine:
    Security ID:            NULL SID
    Account Name:           -
    Fully Qualified Account Name:   -
    Called Station Identifier:      9A-15-54-AB-56-2D:Radius_Test
    Calling Station Identifier:     84-3A-4B-56-F4-5C

NAS:
    NAS IPv4 Address:       10.99.108.25
    NAS IPv6 Address:       -
    NAS Identifier:         -
    NAS Port-Type:          Wireless - IEEE 802.11
    NAS Port:               -

RADIUS Client:
    Client Friendly Name:       Meraki - Accounts
    Client IP Address:          10.99.108.25

Authentication Details:
    Connection Request Policy Name: WiFi_Staff
    Network Policy Name:        -
    Authentication Provider:        Windows Authentication
    Server:             DC03.mydomain.local
    Authentication Type:        EAP
    EAP Type:               -
    Account Session Identifier:     41433342464337434233394535444334
    Logging Results:            Accounting information was written to the local log file.
    Reason Code:            48
    Reason:             The connection request did not match any configured network policy.

-------------------------------------------------------------------------------------------------------------

Key Observations from the Event Logs

Analyzing the event logs, I’ve identified a couple of potentially relevant points:

  1. Machine Account in User Section: The machine account (MYDOMAIN\ITSPARE01$) is unexpectedly listed in the “User” section of the event log. The “Client Machine” section remains empty for this entry. This could indicate an issue in how the machine authentication is being processed or identified by NPS.

  2. Different Access Points (APs): The second log entry, associated with the machine account (MYDOMAIN\ITSPARE01$), is registering through a different Access Point (Meraki - Accounts) compared to the first entry (Meraki - Purchasing). Both APs are within range of the test laptop, which might suggest a roaming or AP selection issue is contributing to the policy mismatch.

These observations provide a starting point for further investigation into why the connection requests are not matching the configured “Staff WiFi Network Policy,” leading to the “Reason code 48” error. Further troubleshooting will be needed to pinpoint the root cause and establish a successful wireless authentication process.
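To line up the two observations above across many denied requests, the event text can be parsed and grouped by client MAC. This is an added example, not part of the original post: the function names are hypothetical, and the sample is constructed from the values in the logs above, trimmed to the fields the code uses.

```python
import re

# Constructed sample: two events trimmed to the fields used below (values from the logs above).
SAMPLE = r"""
Network Policy Server denied access to a user.
User:
    Security ID:            MYDOMAIN\ElectroDan
Client Machine:
    Security ID:            NULL SID
    Calling Station Identifier:     84-3A-4B-56-F4-5C
RADIUS Client:
    Client Friendly Name:       Meraki - Purchasing
Authentication Details:
    Reason Code:            48
Network Policy Server denied access to a user.
User:
    Security ID:            MYDOMAIN\ITSPARE01$
Client Machine:
    Security ID:            NULL SID
    Calling Station Identifier:     84-3A-4B-56-F4-5C
RADIUS Client:
    Client Friendly Name:       Meraki - Accounts
Authentication Details:
    Reason Code:            48
"""

def parse_events(text):
    """One dict per event, keyed 'Section/Field' (Security ID occurs in two sections)."""
    events, section = [], None
    for line in text.splitlines():
        m = re.match(r"^(\s*)([^:]+):\s*(.*)$", line)
        if line.startswith("Network Policy Server denied"):
            events.append({})                      # first line of each event
        elif m and events and m.group(1):          # indented "Field: value" line
            events[-1][f"{section}/{m.group(2)}"] = m.group(3).strip()
        elif m:                                    # unindented "User:" line opens a section
            section = m.group(2)
    return events

def summarize(events):
    """Group requests by client MAC: (identity, kind, RADIUS client, reason code)."""
    by_mac = {}
    for e in events:
        sid = e["User/Security ID"]
        kind = "machine" if sid.endswith("$") else "user"   # computer accounts end in $
        by_mac.setdefault(e["Client Machine/Calling Station Identifier"], []).append(
            (sid, kind, e["RADIUS Client/Client Friendly Name"], e["Authentication Details/Reason Code"]))
    return by_mac
```

Run over the sample, `summarize(parse_events(SAMPLE))` shows one MAC with a user request via Meraki - Purchasing followed by a machine request via Meraki - Accounts, both with reason code 48.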
