PowerShell: NPS Failures, No Policy Matched

I was doing some general housekeeping the other day on one of our NPS servers and noticed, with alarming regularity, that some users were failing to authenticate and were not being issued a correctly authorized EAP token.

Looking at these users more closely, I noticed that they were not hitting the correct network policy at all; instead they were falling through to the default policy, which denied the access, as shown below:


However, if we look at the event data we can see that the correct policy was not used:


If we look at the policies, the request should have matched the "Absolute - Autopilot" policy, not the default block policy:


This means the request did not meet the conditions of that policy: the user is not in the group the policy requires, so the user was never going to match it and fell through to "Connections to other access servers", the catch-all block policy in NPS. The deny is therefore expected behaviour rather than an NPS fault, and the fix is group membership, not the policy.

The question is: how many other users are being blocked in the same way and denied an EAP token?

Let's investigate with a script that remotely queries the Security event log of each NPS server for event ID 6273 (Network Policy Server denied access to a user), keeps only the denials that hit the default policy, and reports each affected username once, so a user with hundreds of failed attempts appears a single time. Update the $NPSServers variable with valid server names before running it; Get-WinEvent -ComputerName needs remote event log read access on those servers.

Script : NPS-NoGroupChecker.ps1

# Define the array of NPS servers
$NPSServers = @("nps1.bear.local", "nps2.bear.local") # Replace with your server names

# Get the current script directory for log file output
$scriptPath = Split-Path -Parent $MyInvocation.MyCommand.Path
$logFile = Join-Path $scriptPath "NPSPolicyUsers.log"

# Clear or create the log file
"" | Set-Content $logFile

# Hash table to track unique account names (one entry per user, however many denials they have)
$uniqueUsers = @{}

foreach ($server in $NPSServers) {
    Write-Host "Processing server: $server"
    
    try {
        # Get events with ID 6273 from the Security log
        $events = Get-WinEvent -ComputerName $server -FilterHashtable @{
            LogName = 'Security'
            ID = 6273
        } -ErrorAction Stop

        foreach ($event in $events) {
            # The event message body carries the policy name and account name as text
            $eventMessage = $event.Message

            # Keep only denials that fell through to the default catch-all network policy
            if ($eventMessage -match "Network Policy Name:\s+Connections to other access servers") {
                # Extract the username from the event
                if ($eventMessage -match "Account Name:\s+(.+?)[\r\n]") {
                    $username = $Matches[1].Trim()
                    
                    # Only log each account name once
                    if (-not $uniqueUsers.ContainsKey($username)) {
                        $uniqueUsers[$username] = $true
                        
                        # Create log entry with timestamp
                        $logEntry = "{0} - Server: {1}, User: {2}" -f (Get-Date), $server, $username
                        
                        # Append to log file
                        Add-Content -Path $logFile -Value $logEntry
                        Write-Host "Logged event for new user: $username"
                    } else {
                        Write-Verbose "Skipping duplicate user: $username"
                    }
                }
            }
        }
    }
    catch {
        Write-Error "Error processing server $server`: $_"
        Add-Content -Path $logFile -Value "$(Get-Date) - Error processing server $server`: $_"
    }
}

Write-Host "Processing complete. Log file saved to: $logFile"
Write-Host "Total unique users found: $($uniqueUsers.Count)"

When the script is run, the report lists the usernames of the people who, in this instance, have not been added to the group that controls access, so it might be a good idea to add them so that authentication succeeds. Check each name against the intended membership first: a user who is supposed to be excluded shows up in the same list, and for them the deny is the correct outcome.
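As an added example, not the author's NPS-NoGroupChecker.ps1 above or anything shipped with NPS, the script below generalises the same idea: instead of matching one policy name with one regex, it parses the whole 6273 message into fields (qualified by section, because "Account Name" appears under both User and Client Machine) and summarises denials by network policy and reason code, so you can see which users fell through to the catch-all policy and which were denied by a different policy for a different reason. The event messages are constructed samples with the same layout as the real event, trimmed to the sections the parser reads; nps1.bear.local, the account names and the helper function names are placeholders. The commented Get-WinEvent line at the end shows how to feed it real events.

```powershell
# Added example, not part of the original post. Parses the message text of NPS
# event 6273 into objects so denials can be grouped by policy, reason and user.
# Sample messages below are constructed; server and account names are placeholders.

function ConvertFrom-NpsDenyMessage {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $Message,
        [string] $Server = $env:COMPUTERNAME
    )
    process {
        $fields  = @{}
        $section = ''
        foreach ($line in ($Message -split "`r?`n")) {
            if ($line -match '^\S.*:\s*$') {
                # An unindented line ending in ':' starts a section, e.g. "User:"
                $section = $line.Trim().TrimEnd(':')
            }
            elseif ($line -match '^\s+([^:]+):\s*(.*)$') {
                # Keys repeat across sections ("Account Name" is under both User
                # and Client Machine), so qualify each key with its section name.
                $fields["$section/$($Matches[1].Trim())"] = $Matches[2].Trim()
            }
        }
        $code = $fields['Authentication Details/Reason Code']
        $reasonCode = if ($code -match '^\d+$') { [int]$code } else { $null }
        [pscustomobject]@{
            Server       = $Server
            Account      = $fields['User/Account Name']
            Domain       = $fields['User/Account Domain']
            RadiusClient = $fields['RADIUS Client/Client Friendly Name']
            PolicyName   = $fields['Authentication Details/Network Policy Name']
            ReasonCode   = $reasonCode
            Reason       = $fields['Authentication Details/Reason']
        }
    }
}

function Get-NpsDenySummary {
    # One row per (policy, reason code) with the distinct accounts behind it.
    param([Parameter(Mandatory)] [object[]] $Denial)
    $Denial | Group-Object PolicyName, ReasonCode | ForEach-Object {
        [pscustomobject]@{
            PolicyName  = $_.Group[0].PolicyName
            ReasonCode  = $_.Group[0].ReasonCode
            Attempts    = $_.Count
            UniqueUsers = ($_.Group.Account | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object Attempts -Descending
}

function New-SampleDenyMessage {
    # Builds a constructed 6273-style message (same layout as the real event,
    # trimmed to the sections the parser needs). Placeholder data only.
    param($Account, $Policy, $ReasonCode, $Reason, $Client = 'AP01')
    @"
Network Policy Server denied access to a user.

User:
	Security ID:			BEAR\$Account
	Account Name:			$Account
	Account Domain:			BEAR

RADIUS Client:
	Client Friendly Name:		$Client
	Client IP Address:			10.0.0.5

Authentication Details:
	Network Policy Name:		$Policy
	Reason Code:			$ReasonCode
	Reason:				$Reason
"@
}

$catchAll = 'Connections to other access servers'
$noMatch  = 'The connection request did not match any configured network policy.'
$badCreds = 'Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.'
$sampleMessages = @(
    (New-SampleDenyMessage -Account jsmith -Policy $catchAll -ReasonCode 48 -Reason $noMatch),
    (New-SampleDenyMessage -Account jsmith -Policy $catchAll -ReasonCode 48 -Reason $noMatch),
    (New-SampleDenyMessage -Account asmith -Policy $catchAll -ReasonCode 48 -Reason $noMatch),
    (New-SampleDenyMessage -Account bjones -Policy 'Absolute - Autopilot' -ReasonCode 16 -Reason $badCreds)
)

$denials = $sampleMessages | ConvertFrom-NpsDenyMessage -Server 'nps1.bear.local'
Get-NpsDenySummary -Denial $denials | Format-Table -AutoSize

# Accounts that fell through to the catch-all policy, listed once each:
$denials | Where-Object PolicyName -eq $catchAll |
    Select-Object -ExpandProperty Account | Sort-Object -Unique

# Against live servers, replace $sampleMessages with the real event text, e.g.:
# Get-WinEvent -ComputerName nps1.bear.local -FilterHashtable @{ LogName = 'Security'; Id = 6273 } |
#     ForEach-Object Message | ConvertFrom-NpsDenyMessage -Server nps1.bear.local
```

Run against the constructed samples, the summary shows three attempts on "Connections to other access servers" with reason code 48 from two distinct accounts (asmith, jsmith) and one attempt on "Absolute - Autopilot" with reason code 16 for bjones. Only the first group is the missing-membership case this post is about, so only those two names are worth checking against the group; bjones matched the right policy and was denied for a different reason, and adding that account to the group would not help.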
