
We use a computer running Windows Server 2008 (32-bit) with the RRAS and NPS roles to authenticate users for VPN and wireless access over RADIUS.

This configuration has been working great for more than a year, but starting this morning the server has started denying all requests. As far as I know, the only change was installing Windows Updates last night.

  • It isn't a connectivity or firewall problem. The server is replying to all RADIUS requests with Access-Reject.
  • There is only one connection request policy, and it processes all requests on this server 24/7.
  • For testing purposes, I have created one network policy that should approve all requests 24/7. The log file (C:\Windows\System32\LogFiles\IN1110.log) indicates that this policy is being selected, but the server still replies with Access-Reject.
  • I have verified that all servers which send RADIUS requests are listed in the RADIUS clients, and there are no entries in the event log about invalid RADIUS clients.

However, I am seeing a strange System event being logged each time the server responds to a RADIUS request. We don't use MGM or multicast at all, so I don't know how to track this down.

Warning
RasServer, 50015
Specified interface was not present in MGM.

I have already tried rebooting the server, and reinstalling RRAS/NPS. (Side note: when removing NPS, all configuration is preserved, and is still present after the reinstall.) Short of setting up a completely new server, I'm at my wits' end.

Has anybody else had problems like this with RRAS/NPS?

2011-10-17 Update: Added the complete text of Event ID 6274

Network Policy Server discarded the request for a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:                        CFL\nic
    Account Name:                       nic
    Account Domain:                     CFL
    Fully Qualified Account Name:       cfl.local/People/Prince George/Nic Waller

Client Machine:
    Security ID:                        NULL SID
    Account Name:                       -
    Fully Qualified Account Name:       -
    OS-Version:                         -
    Called Station Identifier:          00-17-9A-09-A8-1D:CFL
    Calling Station Identifier:         CC-08-E0-EE-BA-82

NAS:
    NAS IPv4 Address:                   192.168.123.12
    NAS IPv6 Address:                   -
    NAS Identifier:                     D-Link Access Point
    NAS Port-Type:                      Wireless - IEEE 802.11 
    NAS Port:                           1

RADIUS Client:
    Client Friendly Name:               DWL-7100AP Wireless Access Point
    Client IP Address:                  192.168.123.12

Authentication Details:
    Proxy Policy Name:                  Always authenticate requests on this server
    Network Policy Name:                Permit wireless RADIUS via EAP DWL-7100AP
    Authentication Provider:            Windows 
    Authentication Server:              PG-DC2.cfl.local
    Authentication Type:                EAP
    EAP Type:                           -
    Account Session Identifier:         -
    Reason Code:                        1
    Reason:                             An internal error occurred. Check the system event log for additional information. 

Update: Actually, some requests are being approved. It looks like only 802.1X requests with the EAP authentication type are failing. Upon looking at the certificate situation, it looks like the server's certificate had expired and was preventing PEAP authentication.


2 Answers


The domain controller certificate had expired.

That prevented connections that required the Protected EAP authentication method. Re-issuing the domain controller certificate immediately allowed RADIUS requests to authenticate normally.

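As an added check that is not part of the original answer, the following PowerShell (run on the NPS server) lists the machine certificates carrying the Server Authentication EKU that PEAP depends on, flags expired or soon-expiring ones, and counts recent Event 6274 discards with the EAP/Reason Code 1 signature shown in the question. The 30-day warning window is an assumed value.

```powershell
# Added example, not from the original post. Inspect PEAP server certificates and
# correlate with NPS "request discarded" audit events (Security log, Event ID 6274).
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU used by PEAP
$WarnDays      = 30                     # assumed warning threshold

# Certificates with no EKU extension are valid for any purpose, so include them too.
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $oids = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    ($oids.Count -eq 0) -or ($oids -contains $ServerAuthOid)
}

if (-not $certs) {
    Write-Warning 'No certificate usable for Server Authentication found; PEAP cannot succeed.'
}

foreach ($cert in $certs) {
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $state = if ($daysLeft -lt 0)         { 'EXPIRED'  }
             elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' }
             else                         { 'OK'       }
    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        State      = $state
    }
}

# Event 6274 = NPS discarded the request. Reason Code 1 ("internal error") with
# Authentication Type EAP is the pattern the expired certificate produced above.
$since    = (Get-Date).AddHours(-24)
$discards = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6274; StartTime = $since } `
              -ErrorAction SilentlyContinue)
$eapInternal = @($discards | Where-Object {
    $_.Message -match 'Authentication Type:\s+EAP' -and $_.Message -match 'Reason Code:\s+1\b'
})
"Event 6274 in last 24h: $($discards.Count); EAP with Reason Code 1: $($eapInternal.Count)"
```

If a certificate shows EXPIRED alongside a non-zero EAP/Reason Code 1 count, renewing the certificate and re-selecting it in the PEAP settings of the network policy is the fix described in the answer.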

This error can also occur if the domain certificate auto-renews. NPS doesn't handle it well.

According to http://digitaljive.wordpress.com/2012/04/02/windows-nps-stops-authenticating-wireless-users/, you have to switch to a different certificate, apply it, and then switch back to the auto-renewed certificate.
