message-authenticator attribute that is not valid - NPS/Cisco ACS

    Question

  • Hi Team, we have some Wi-Fi APs authenticating AD users through Cisco ACS 5.3, and ACS points to IAS on Win2003 servers for RADIUS proxy; this works well. One of the sites needs to set up an NPS on Win2008, so I was planning to turn the previous IAS into the backup server and make the new NPS the primary. After I applied the same settings on the NPS as on the old IAS and changed the order on ACS, which points to NPS as the primary RADIUS proxy, I got the error "message-authenticator attribute that is not valid" in the event log and user authentication was discarded. And it didn't go to the secondary IAS for authentication either. The settings are almost the same; the only thing is I couldn't find "Ignore-User-Dialin-Properties" in the NPS while it exists in IAS. Is this setting a must? (Where is it on NPS?) I also tried to re-type the shared secret, same issue. Any advice please? And why did the IAS not take effect when the authentication didn't work on the primary NPS? Thanks!


    Thanks and best regards, -- KF

    Monday, January 21, 2013 3:38 PM

Answers

  • Hi,

    There may be some problem with the pre-shared key if you directly export the settings from 2003 IAS and import them into 2008 NPS. I suggest that you try to thoroughly remove all the settings on the NPS server. Uninstall and reinstall the NPS server role if possible. Then reconfigure everything manually to see the result.

    Best Regards

    Scott Xie



    Friday, February 01, 2013 8:21 AM
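
Added example, not part of the original thread and not NPS or ACS code: a sketch of the Message-Authenticator check defined in RFC 3579 section 3.2 (HMAC-MD5 over the whole packet, keyed with the shared secret, with the attribute value zeroed). It shows why a secret that differs between the RADIUS client and the server makes the attribute fail validation. The function names, secret and user name are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 3579 section 3.2

def build_access_request(secret, username, ident=1):
    """Build a minimal Access-Request that carries a Message-Authenticator."""
    attrs = bytes([1, 2 + len(username)]) + username         # User-Name
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed placeholder
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))  # code 1 = Access-Request
    packet = header + os.urandom(16) + attrs                 # Request Authenticator
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the placeholder is the last 16 bytes

def check_message_authenticator(secret, packet):
    """Return True if valid, False if not valid, None if the attribute is absent."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18:
                return False
            received = packet[pos + 2:pos + 18]
            # Recompute over the packet with the attribute value set to zero.
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return None

# Constructed sample values (not taken from the thread).
CLIENT_SECRET = b"constructed-secret-1"
REQUEST = build_access_request(CLIENT_SECRET, b"kf@example.test")

if __name__ == "__main__":
    print("same secret:     ", check_message_authenticator(CLIENT_SECRET, REQUEST))
    print("trailing space:  ", check_message_authenticator(CLIENT_SECRET + b" ", REQUEST))
```

A single differing byte in the secret, such as a trailing space or a value altered by an import, is enough for the check to return False.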

All replies

  • Hi,

    Thank you for your question.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Best Regards,

    Aiden



    Aiden Cao
    TechNet Community Support

    Thursday, January 24, 2013 6:00 AM
  • Hi,

    When you add the Cisco switch as the RADIUS client, please ensure that the Client-Vendor type is "RADIUS Standard", enter a shared secret, and ensure that "Request must contain the Message Authenticator attribute" is unchecked.

    Best Regards

    Scott Xie



    Friday, January 25, 2013 2:52 AM
  • Hi Scott, yes, I did as you mentioned, and in fact I copied the same settings from the IAS on the Win2003 server, which work on the IAS but do not work on the Win2008 NPS. Any advice please? Thanks

    Thanks and best regards, -- KF

    Friday, January 25, 2013 3:52 AM