🛜 NPS with 802.1x : Account Lockouts


If you are using 802.1X with an NPS server (this is Microsoft's current name for its RADIUS server role) in a Wi-Fi setting, this is commonly known as WPAx-Enterprise.

Personal v Enterprise SSID

You can tell the difference between enterprise and personal connections by what you are asked when you try to connect to an SSID.

If you are connecting to an SSID that uses the personal protocol, this is what is known as a PSK, or pre-shared key. The key is "pre-shared" because you need to know it in order to join the wireless network, and the prompt will look something like this:

If you are connecting to an SSID that uses the enterprise protocol, this is commonly referred to as 802.1X, which is the authentication protocol used to talk to an external authentication server; in this example that server is NPS. It will look like this when you attempt to connect:

Enterprise SSID - overview

In the example here, the NPS server is set up for PEAP-TLS with the secured password protocol encapsulated within the PEAP request. This means that when you enter your credentials to connect to the SSID (usually your company credentials linked to your domain controllers), you will then be presented with a certificate hosted on the NPS server; once you accept that certificate you will be seamlessly logged in to the wireless network using your company credentials.

ADDS password policy and NPS

Everyone should be used to password requirements: how long the password needs to be and whether it needs to be complex or not. Many companies also require you to change your password after so many days or months, and this is where you can have a problem with this process.

802.1X and bad passwords

The Wi-Fi network really needs to fail your bad password attempt sooner than the lockout policy does. Take for example a lockout policy of 4 attempts, but a wireless network configuration that is set up to try your password 5 times before failing. In this example the lockout policy triggers before the wireless network stops retrying the password, which ultimately results in users' accounts being locked out after they change their company credentials.

🔒 Failed lockout events

The usual way of troubleshooting these lockouts is via event ID 4740. However, you will notice that the caller computer for these 802.1X requests is blank; this is down to the fact that the request traverses multiple domain controllers.

PDC not causing lockout?

The clue that this is happening in your company or lab is that the lockout will not occur on the PDC emulator role; it will occur on a random domain controller that is not always the PDC.

NPS local Lockout Disabled by default 🤨🥊

The requirement for this lockout to occur is simply summarized as: the NPS server does not handle lockout itself and passes the failed attempts on to the domain controller, which then enforces the policy. Ideally you would want the invalid password to be detected by your NPS server, which would then lock the user out locally, instead of locking them out of everything that requires their company credentials. By default NPS is not configured to do this, as with hindsight I'm now more than aware of!

Check NPS local lockout

First, let's look at the default settings for NPS. The location in the Registry we need to concentrate on is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout

AccountLockout NPS Registry Default Values

This is what you get with an OOBE (out-of-the-box experience), and is the resulting configuration if you install a server with NPS without any customization:


MaxDenials Value

This tells NPS how many "denied" logins you can get before the lockout triggers. The default value is 0 (zero), which indicates that account lockout is turned off; this is not what we want at all.

ResetTime Value

This tells NPS how long the lockout lasts before being reset. The default value is 0xb40, which is hexadecimal for 2,880 minutes (two days); ironically this is a pointless key while the lockout system is disabled.

Optimised AccountLockout NPS Values

We do not want the default values: we have a password policy that locks out after 5 attempts, so NPS lockout cannot be left disabled, as that passes every "failed attempt" to the domain controller. We need to modify both of these values as below:

MaxDenials Value

For this example this needs to be set to 2 (two) rather than 0 (zero), which is 3 attempts fewer than the lockout value in the password policy.

ResetTime Value

For this example this needs to be set to 30 (hexadecimal) rather than b40 (hexadecimal), which is a 30-minute reset time.

That should then look like this:



All you need now is to restart your NPS service with this:

Restart-Service IAS

Then you will find the new settings are active and your account lockouts due to 802.1X issues are now resolved.
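As an added example that is not part of the original post, the following PowerShell reads the two AccountLockout values, refuses to set a MaxDenials that is not below the domain lockout threshold, writes the post's numbers (2 denials, 30-minute reset) and restarts NPS. It assumes an elevated session on the NPS server and the ActiveDirectory RSAT module for Get-ADDefaultDomainPasswordPolicy.

```powershell
# Added example, not from the original post. Run elevated on the NPS server.
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'

function Get-NpsLockoutConfig {
    $p = Get-ItemProperty -Path $Path
    [pscustomobject]@{
        MaxDenials   = [int]$p.MaxDenials
        ResetTimeMin = [int]$p.ResetTime          # DWORD, stored in minutes
        Enabled      = ([int]$p.MaxDenials -gt 0)  # 0 means NPS lockout is off
    }
}

function Set-NpsLockoutConfig {
    param(
        [Parameter(Mandatory)][ValidateRange(1, 100)][int]$MaxDenials,
        [Parameter(Mandatory)][ValidateRange(1, 100000)][int]$ResetTimeMinutes,
        [int]$DomainLockoutThreshold   # the AD policy value; 0 means AD never locks out
    )
    # NPS must give up before the DC does, otherwise the DC locks the account first.
    if ($DomainLockoutThreshold -gt 0 -and $MaxDenials -ge $DomainLockoutThreshold) {
        throw "MaxDenials ($MaxDenials) must be below the domain lockout threshold ($DomainLockoutThreshold)."
    }
    # Write decimal values. Regedit shows DWORDs in hex by default, so 30 minutes
    # is 0x1e there; typing 30 into the hex field stores 0x30, which is 48 minutes.
    Set-ItemProperty -Path $Path -Name MaxDenials -Value $MaxDenials -Type DWord
    Set-ItemProperty -Path $Path -Name ResetTime  -Value $ResetTimeMinutes -Type DWord
    Restart-Service IAS   # IAS is the service name of NPS
}

# Accounts currently locked by NPS appear as subkeys named DOMAIN:user under $Path;
# deleting a subkey clears that user's NPS lockout early.
function Get-NpsLockedAccounts {
    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object { $_.PSChildName }
}

# Usage with the values from this post (assumes the ActiveDirectory module is present)
$threshold = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold
Set-NpsLockoutConfig -MaxDenials 2 -ResetTimeMinutes 30 -DomainLockoutThreshold $threshold
Get-NpsLockoutConfig
Get-NpsLockedAccounts
```

Because ResetTime is stored in minutes, check Get-NpsLockoutConfig after editing in regedit: a ResetTimeMin of 48 means the value was typed as 30 in the hexadecimal view.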
