Authentication failed for log time Off PCs

Tue, 30 Jun 2009 12:44:46 Z

All logtime off (1weeks-1month) PCs after start ending "Authentication failed" and 802.1x managed port must be set to normal mode "without 802.1x".

NAPSTAT windows is empty,manually unplug/plug network cable -> authentication failed.
IN NPS log is not any items about this computers.

Others - day by day used PCs working fine.

OS Windows Vista w/SP1 (PC Dell Optiplex 755, 960, Fujutsu Siemens Esprimo P5916)

Catalyst C2960 with last IOS and corect setup dot1x

Affected PCs (1week or more off) -> Catalyst not understand anwer from NPS and authentication timeouted and port status notconnect.

Is this known problem ?

Authentication failed for log time Off PCs

Fri, 03 Jul 2009 05:26:33 Z

Hi,

If I understand the problem correctly, some computers are failing 802.1X authentication. Other computers are fine.

This appears to be a client side problem. What is the authentication method (PEAP-MSCHAPv2 or PEAP-EAP-TLS)? How many computers are affected? Have you checked the computer certificate on these clients?

-Greg

Authentication failed for log time Off PCs

Fri, 03 Jul 2009 06:05:50 Z

Hi Greg,

all computers the same configuration (many hardware identicaly), some (long time not used) failing 802.1X (NPS server send not understand response to C2960, authentication timeouted).

Auth. method -> PEAP-MSCHAPv2
Affected 10 computes - 2 weeks Off (in this week I disable Windows Defender via GPO and Microsoft Update send http://support.microsoft.com/default.aspx/kb/971026)

How I check computer certificate ?

Thanks
L.

Authentication failed for log time Off PCs

Fri, 03 Jul 2009 06:46:14 Z

Hi,

I am guessing that you don't see failed authentication attempts on NPS because the network interface is shut down after failed computer authentication. You can see this on the switch as line protocol down for that port.

To verify the client has a domain certificate:

1. Click Start and click Run.
2. Type mmc, and then press ENTER.
3. On the File menu, click Add/Remove Snap-in.
4. Click Certificates, click Add, select Computer account, and then click Next.
5. Verify that Local computer: (the computer this console is running on) is selected, click Finish, and then click OK.
6. In the console tree, double-click Certificates (Local Computer), double-click Personal, and then click Certificates.

On a domain joined client, you should see a certificate here with Intended Purposes of Client Authentication. Make sure this certificate is not expired. If it is expired, you will need to regain connection to your CA to request a new one.

If that is not the problem, you might get some helpful information from event viewer on the client under Applications and Services Logs\Microsoft\Windows\Wired-Autoconfig\Operational, but sometimes the events here don't say much about why authentication failed.

You mentioned that you disabled Windows Defender via GPO and these computers were turned off for 2 weeks. Are you saying that you think these computers are noncompliant? What normally happens to noncompliant computers? Do you put them into a different VLAN?

-Greg

Authentication failed for log time Off PCs

Fri, 03 Jul 2009 07:49:25 Z

Hi,
certificates is OK

In logs sometimes error:

Wired 802.1X Authentication failed.

Network Adapter: Realtek RTL8169/8110 Family PCI Gigabit Ethernet NIC (NDIS 6.0)

Interface GUID: {eb612c21-a126-4ca1-b749-8b9764fe275b}

Peer Address: 001C0F9A5622

Local Address: 003005A260DB

Connection ID: 0x1

Identity: -

User: -

Domain: -

Reason: 0x50006

Reason Text: The authenticator is no longer present

Error Code: 0x0
xxxxxxxxxxxxxxxxxxxxxxx

but the same error in working state.

In NAP agent log:

Log Name:      Microsoft-Windows-NetworkAccessProtection/Operational
Source:        Microsoft-Windows-SystemHealthAgent
Date:          1.7.2009 14:17:57
Event ID:      1020
Task Category: None
Level:         Error
Keywords:
User:          NETWORK SERVICE
Computer:      PCUVT5.faf.cuni.cz
Description:
Automatic remediation for antispyware failed. Windows could not turn on Windows Defender.
Failure Code: 0x800704ec
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Microsoft-Windows-SystemHealthAgent" Guid="{B1BEBB9A-24AA-4B83-9E4A-38C2A9A44377}" />
    <EventID>1020</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2009-07-01T12:17:57.088816700Z" />
    <EventRecordID>596</EventRecordID>
    <Correlation />
    <Execution ProcessID="1288" ThreadID="3416" />
    <Channel>Microsoft-Windows-NetworkAccessProtection/Operational</Channel>
    <Computer>PCUVT5.faf.cuni.cz</Computer>
    <Security UserID="S-1-5-20" />
</System>
<EventData>
    <Data Name="FailureCode">0x800704ec</Data>
    <Data Name="FailureString">
    </Data>
</EventData>
</Event>

Log Name:      Microsoft-Windows-NetworkAccessProtection/Operational
Source:        Microsoft-Windows-NetworkAccessProtection
Date:          1.7.2009 14:24:37
Event ID:      30
Task Category: None
Level:         Error
Keywords:
User:          NETWORK SERVICE
Computer:      PCUVT5.faf.cuni.cz
Description:
The System Health Agent 79745 has returned an error code 3.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Microsoft-Windows-NetworkAccessProtection" Guid="{4EF850D8-BF30-4E64-A917-EE21B9BE1F0A}" />
    <EventID>30</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2009-07-01T12:24:37.058346300Z" />
    <EventRecordID>610</EventRecordID>
    <Correlation />
    <Execution ProcessID="1288" ThreadID="3716" />
    <Channel>Microsoft-Windows-NetworkAccessProtection/Operational</Channel>
    <Computer>PCUVT5.faf.cuni.cz</Computer>
    <Security UserID="S-1-5-20" />
</System>
<UserData>
    <NapEvent xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="myNs">
      <SHAId>3</SHAId>
      <Error>3</Error>
    </NapEvent>
</UserData>
</Event>

After two weeks off - yes NONCOMPLIANT, but authentication failed. After five restart NIC, restart PC ....
Yes I use separate VLAN for Noncomplant network.

L.

Authentication failed for log time Off PCs

Fri, 03 Jul 2009 08:34:27 Z

Thats new message in Wired_autocinfig log, after start this problem:

Log Name:      Microsoft-Windows-Wired-AutoConfig/Operational
Source:        Microsoft-Windows-Wired-AutoConfig
Date:          29.6.2009 8:50:03
Event ID:      15514
Task Category: None
Level:         Error
Keywords:
User:          SYSTEM
Computer:      PCKFCHKL6.faf.cuni.cz
Description:
Wired 802.1X Authentication failed.

Network Adapter: Intel(R) 82566DM-2 Gigabit Network Connection
Interface GUID: {e7423c21-b37b-49a4-b928-0f1b6a80f544}
Peer Address: 001CF640ED99
Local Address: 00219B53353A
Connection ID: 0x1
Identity: -
User: -
Domain: -
Reason: 0x70004
Reason Text: Netwik not respond for authentication requests.
Error Code: 0x0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Microsoft-Windows-Wired-AutoConfig" Guid="{b92cf7fd-dc10-4c6b-a72d-1613bf25e597}" />
    <EventID>15514</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2009-06-29T06:50:03.513Z" />
    <EventRecordID>3454</EventRecordID>
    <Correlation />
    <Execution ProcessID="1112" ThreadID="1744" />
    <Channel>Microsoft-Windows-Wired-AutoConfig/Operational</Channel>
    <Computer>PCKFCHKL6.faf.cuni.cz</Computer>
    <Security UserID="S-1-5-18" />
</System>
<EventData>
    <Data Name="InterfaceGuid">{E7423C21-B37B-49A4-B928-0F1B6A80F544}</Data>
    <Data Name="InterfaceDescription">Intel(R) 82566DM-2 Gigabit Network Connection</Data>
    <Data Name="SwitchMAC">001CF640ED99</Data>
    <Data Name="LocalMAC">00219B53353A</Data>
    <Data Name="ConnectionID">0x1</Data>
    <Data Name="Identity">-</Data>
    <Data Name="User">-</Data>
    <Data Name="Domain">-</Data>
    <Data Name="ReasonCode">0x70004</Data>
    <Data Name="ReasonText">Netwik not respond for authentication requests.</Data>
    <Data Name="ErrorCode">0x0</Data>
</EventData>
</Event>

and from NetworkAccessProtection log:

Log Name:      Microsoft-Windows-NetworkAccessProtection/Operational
Source:        Microsoft-Windows-NetworkAccessProtection
Date:          29.6.2009 8:49:23
Event ID:      30
Task Category: None
Level:         Error
Keywords:
User:          NETWORK SERVICE
Computer:      PCKFCHKL6.faf.cuni.cz
Description:
The System Health Agent 79745 has returned an error code 2.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Microsoft-Windows-NetworkAccessProtection" Guid="{4ef850d8-bf30-4e64-a917-ee21b9be1f0a}" />
    <EventID>30</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2009-06-29T06:49:23.700Z" />
    <EventRecordID>15462</EventRecordID>
    <Correlation />
    <Execution ProcessID="1464" ThreadID="4064" />
    <Channel>Microsoft-Windows-NetworkAccessProtection/Operational</Channel>
    <Computer>PCKFCHKL6.faf.cuni.cz</Computer>
    <Security UserID="S-1-5-20" />
</System>
<UserData>
    <NapEvent xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="myNs">
      <SHAId>2</SHAId>
      <Error>2</Error>
    </NapEvent>
</UserData>
</Event>

Log Name:      Microsoft-Windows-NetworkAccessProtection/Operational
Source:        Microsoft-Windows-SystemHealthAgent
Date:          29.6.2009 8:50:03
Event ID:      1020
Task Category: None
Level:         Error
Keywords:
User:          NETWORK SERVICE
Computer:      PCKFCHKL6.faf.cuni.cz
Description:
Automatic remediation for antispyware failed. Windows could not turn on Windows Defender.
Failure Code: 0x800705b4
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Microsoft-Windows-SystemHealthAgent" Guid="{b1bebb9a-24aa-4b83-9e4a-38c2a9a44377}" />
    <EventID>1020</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2009-06-29T06:50:03.481Z" />
    <EventRecordID>15485</EventRecordID>
    <Correlation />
    <Execution ProcessID="1464" ThreadID="804" />
    <Channel>Microsoft-Windows-NetworkAccessProtection/Operational</Channel>
    <Computer>PCKFCHKL6.faf.cuni.cz</Computer>
    <Security UserID="S-1-5-20" />
</System>
<EventData>
    <Data Name="FailureCode">0x800705b4</Data>
    <Data Name="FailureString">
    </Data>
</EventData>
</Event>

Authentication failed for log time Off PCs

Fri, 03 Jul 2009 17:30:03 Z

Hi,

If you have disabled Windows Defender in GPO, you must remove this requirement from the WSHV. I'm a little confused about why all computers are not reporting a problem if you have used a GPO to disable a health requirement.

What happens if you turn off a health requirement for one of the computers on your network that is working fine? Does it move to the noncompliant VLAN, remediate, and then move back to the compliant VLAN?

I am wondering if there is a problem with your remediation network in general, or if the problem is only with the 10 computers.

-Greg

Authentication failed for log time Off PCs

Fri, 03 Jul 2009 19:17:11 Z

Hi,
I use FCS (another antispyware solutions). WSHV not use only Defender antispyware.

Another computer working OK, on this computers is actually forefront antispyware antipyware/definitions.

Only 10 computers is one week off (in this week ....).

L.

Authentication failed for log time Off PCs

Sat, 22 Aug 2009 18:40:28 Z

Hi Rudi,

Has the password expired on the computers that fail to authenticate?

-Greg

Authentication failed for log time Off PCs

Mon, 24 Aug 2009 14:13:57 Z

Hi Greg,
No password is not expired.
This is randmomly problem and in this case cisco not understand answer from NPS/Radius server. I prepare debug of this from cicco catalyst.

Thanks,
Ladislav

Authentication failed for log time Off PCs

Mon, 24 Aug 2009 23:44:28 Z

Hi Ladislav,

Have you tried updating Cisco IOS to the most recent version? I have found some cases where older IOS does not work 100% with NPS.

-Greg

Authentication failed for log time Off PCs

Tue, 25 Aug 2009 09:36:32 Z

Hi Greg,
I use two series cisco switch:

series C2950 with IOS 12.1(22)EA13
series C2960 with IOS 12.2(50)SE

Ladislav

Authentication failed for log time Off PCs

Tue, 25 Aug 2009 17:23:53 Z

Hi Ladislav,

Those should be recent enough versions of IOS. I have found you need 12.1(22)EA9 on the 2950.

In the case of the switch not understanding the response from NPS, I think you are taking the right approach to use debug.

-Greg