We use a computer running Windows Server 2008 (32-bit) with the RRAS and NPS roles to authenticate users for VPN and wireless access over RADIUS.
This configuration has been working great for more than a year, but starting this morning the server has started denying all requests. As far as I know, the only change was installing Windows Updates last night.
- It isn't a connectivity or firewall problem. The server replying to all RADIUS requests with Access-Reject.
- There is only one connection request policy, and it processes all requests on this server 24/7.
- For testing purposes, I have created one network policy that should approve all requests 24/7. The log file (
C:\Windows\System32\LogFiles\IN1110.log) indicates that this policy is being selected, but the server still replies with Access-Reject. - I have verified that all servers which send RADIUS requests are listed in the RADIUS clients, and there are no entries in the event log about invalid RADIUS clients.
However, I am seeing a strange System event being logged each time the server responds to a RADIUS request. We don't use MGM or multicast at all, so I don't know how to track this down.
Warning
RasServer, 50015
Specified interface was not present in MGM.
I have already tried rebooting the server, and reinstalling RRAS/NPS. (Side note: when removing NPS, all configuration is preserved, and is still present after the reinstall.) Short of setting up a completely new server, I'm at my wits end.
Has anybody else had problems like this with RRAS/NPS?
2011-10-17 Update: Added the complete text of Event ID 6274
Network Policy Server discarded the request for a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: CFL\nic
Account Name: nic
Account Domain: CFL
Fully Qualified Account Name: cfl.local/People/Prince George/Nic Waller
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 00-17-9A-09-A8-1D:CFL
Calling Station Identifier: CC-08-E0-EE-BA-82
NAS:
NAS IPv4 Address: 192.168.123.12
NAS IPv6 Address: -
NAS Identifier: D-Link Access Point
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 1
RADIUS Client:
Client Friendly Name: DWL-7100AP Wireless Access Point
Client IP Address: 192.168.123.12
Authentication Details:
Proxy Policy Name: Always authenticate requests on this server
Network Policy Name: Permit wireless RADIUS via EAP DWL-7100AP
Authentication Provider: Windows
Authentication Server: PG-DC2.cfl.local
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Reason Code: 1
Reason: An internal error occurred. Check the system event log for additional information.
Update: Actually, some requests are being approved. It looks only only 802.1x requests with the EAP authentication type are failing. Upon looking at the certificate situation, it looks like the server's certificate had expired and was preventing PEAP authentication.
Best Answer
The domain controller certificate had expired.
That prevented connections that required the
Protected EAPauthentication method. Re-issuing the domain controller certificate immediately allowed RADIUS requests to authenticate normally.