Why would NPS suddenly stop authenticating users?


Solution 1

The domain controller certificate had expired.

That prevented connections that required the Protected EAP authentication method. Re-issuing the domain controller certificate immediately allowed RADIUS requests to authenticate normally.

Solution 2

This error can also occur if the Domain Certificate auto-renews. NPS doesn't handle it well.

According to http://digitaljive.wordpress.com/2012/04/02/windows-nps-stops-authenticating-wireless-users/, you have to switch to a different certificate, apply it, and then switch back to the auto-renewed certificate.

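Before re-issuing or re-selecting a certificate, it helps to confirm which Server Authentication certificates on the NPS server are expired (or about to be) and whether NPS is actually logging Event ID 6274 with Reason Code 1 for the failing requests. The following is an added PowerShell check, not code from either answer; it assumes PowerShell 3.0 or later in an elevated session on the NPS server, NPS audit events in the Security log, and a 30-day warning window that is an arbitrary choice.

```powershell
# Added check (not from the original answers): list Server Authentication
# certificates in the machine store, flag expired or soon-to-expire ones, and
# count recent NPS "request discarded" events (ID 6274) with Reason Code 1.
# Assumes PowerShell 3.0+, an elevated session, and NPS audit events in the
# Security log. The 30-day threshold is an arbitrary choice.
param(
    [int]$WarnDays = 30,
    [int]$LookBackHours = 24
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (used by PEAP)
$now = Get-Date

Write-Host "Server Authentication certificates in Cert:\LocalMachine\My"
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        # Certificates with no EKU at all are not listed here.
        ($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $serverAuthOid
    } |
    ForEach-Object {
        $daysLeft = [int]($_.NotAfter - $now).TotalDays
        $state = if ($daysLeft -lt 0) { 'EXPIRED' }
                 elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                 else { 'ok' }
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            DaysLeft   = $daysLeft
            State      = $state
        }
    } | Sort-Object NotAfter | Format-Table -AutoSize

# NPS logs 6274 (request discarded) to the Security log. Reason Code 1 is the
# "internal error" seen in the question when the PEAP certificate had expired.
$since = $now.AddHours(-$LookBackHours)
$discards = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6274; StartTime = $since } -ErrorAction SilentlyContinue)
$internalErrors = @($discards | Where-Object { $_.Message -match 'Reason Code:\s+1\b' })
Write-Host ("Event 6274 in last {0}h: {1} total, {2} with Reason Code 1" -f $LookBackHours, $discards.Count, $internalErrors.Count)

if ($internalErrors.Count -gt 0) {
    Write-Host "Most recent discards with Reason Code 1 (time, NAS IPv4 address):"
    $internalErrors | Select-Object -First 5 | ForEach-Object {
        $nas = if ($_.Message -match 'NAS IPv4 Address:\s+(\S+)') { $Matches[1] } else { '-' }
        '{0}  NAS {1}' -f $_.TimeCreated, $nas
    }
}
```

An EXPIRED or EXPIRING certificate alongside a stream of Reason Code 1 discards is the pattern both answers describe; after renewing or re-selecting the certificate in the network policy, re-run the script and the Reason Code 1 count should stop growing.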


Author: Nic

Updated on September 18, 2022

Comments

  • Nic (almost 2 years ago)

    We use a computer running Windows Server 2008 (32-bit) with the RRAS and NPS roles to authenticate users for VPN and wireless access over RADIUS.

    This configuration has been working great for more than a year, but starting this morning the server has started denying all requests. As far as I know, the only change was installing Windows Updates last night.

    • It isn't a connectivity or firewall problem. The server is replying to all RADIUS requests with Access-Reject.
    • There is only one connection request policy, and it processes all requests on this server 24/7.
    • For testing purposes, I have created one network policy that should approve all requests 24/7. The log file (C:\Windows\System32\LogFiles\IN1110.log) indicates that this policy is being selected, but the server still replies with Access-Reject.
    • I have verified that all servers which send RADIUS requests are listed in the RADIUS clients, and there are no entries in the event log about invalid RADIUS clients.

    However, I am seeing a strange System event being logged each time the server responds to a RADIUS request. We don't use MGM or multicast at all, so I don't know how to track this down.

    Warning
    RasServer, 50015
    Specified interface was not present in MGM.
    

    I have already tried rebooting the server, and reinstalling RRAS/NPS. (Side note: when removing NPS, all configuration is preserved, and is still present after the reinstall.) Short of setting up a completely new server, I'm at my wits end.

    Has anybody else had problems like this with RRAS/NPS?

    2011-10-17 Update: Added the complete text of Event ID 6274

    Network Policy Server discarded the request for a user.
    
    Contact the Network Policy Server administrator for more information.
    
    User:
        Security ID:                        CFL\nic
        Account Name:                       nic
        Account Domain:                     CFL
        Fully Qualified Account Name:       cfl.local/People/Prince George/Nic Waller
    
    Client Machine:
        Security ID:                        NULL SID
        Account Name:                       -
        Fully Qualified Account Name:       -
        OS-Version:                         -
        Called Station Identifier:          00-17-9A-09-A8-1D:CFL
        Calling Station Identifier:         CC-08-E0-EE-BA-82
    
    NAS:
        NAS IPv4 Address:                   192.168.123.12
        NAS IPv6 Address:                   -
        NAS Identifier:                     D-Link Access Point
        NAS Port-Type:                      Wireless - IEEE 802.11 
        NAS Port:                           1
    
    RADIUS Client:
        Client Friendly Name:               DWL-7100AP Wireless Access Point
        Client IP Address:                  192.168.123.12
    
    Authentication Details:
        Proxy Policy Name:                  Always authenticate requests on this server
        Network Policy Name:                Permit wireless RADIUS via EAP DWL-7100AP
        Authentication Provider:            Windows 
        Authentication Server:              PG-DC2.cfl.local
        Authentication Type:                EAP
        EAP Type:                           -
        Account Session Identifier:         -
        Reason Code:                        1
        Reason:                             An internal error occurred. Check the system event log for additional information. 
    

    Update: Actually, some requests are being approved. It looks like only 802.1x requests with the EAP authentication type are failing. Upon looking at the certificate situation, it looks like the server's certificate had expired and was preventing PEAP authentication.