802.1x Authentication fails, Reason Code 23

  • Question

  • Hi,

    we are currently trying to implement 802.1x for a wired network (NAP will be the next step) and I have done this several times before, but this time it really sucks. NPS logs the following event: Event ID 6273, Reason Code 23, Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log file for EAP errors. (Authentication Method is PEAP)

    I have sniffed the authentication process:

    1. Switch sends "Radius Access Request" to NPS
    2. NPS answers with "Radius Access Challenge"
    3. Switch sends "Request Identity" and "Request PEAP" to Client
    4. Client sends "Client Hello"
    5. Switch sends "Server Hello, Server Certificate, Server Hello Done"
    6. Client sends "Client Certificate, Client Key Exchange etc."
    7. Switch returns "Failure - EAP Code 4, ID 3"

    In the meantime, NPS sends a "Radius Access Challenge" to the switch but it never receives an answer from the switch. The switch even resends the Radius Access Request for two more times. Finally, the NPS seems to give up and sends a "Reject".

    Questions:
    * Is it possible that the switch causes the problem? (we have re-checked client and server config, certificates etc. twice)
    * I always thought PEAP would establish a TLS tunnel before authentication? I cannot see it.
    * I can see that the client and the switch do exchange certificates. But the certificate is coming from the server, not from the switch. Sounds too much like magic for me.

    I know that there are some postings on this forum covering the same error message, but no one was able to resolve his problem.

    Thank you for your help!

    Saturday, December 11, 2010 12:42 PM
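As an added illustration (not code from this thread), here is a small Python decoder for the RADIUS/EAP packets in the sniffed sequence above. It shows that the "Failure - EAP Code 4, ID 3" the switch reports is an EAP Failure carried inside the EAP-Message attribute of the Access-Reject sent by NPS, which is why the switch drops the port even though the TLS handshake itself completed. The packets, identifiers and the all-zero authenticator are constructed for the example.

```python
import struct

# RADIUS codes (RFC 2865) and EAP codes (RFC 3748) seen in an 802.1X/PEAP exchange
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_MESSAGE_ATTR = 79  # RADIUS attribute carrying EAP packets between switch and NPS (RFC 3579)

def parse_radius(packet: bytes) -> dict:
    """Decode the RADIUS header and, if present, the EAP packet carried in EAP-Message attributes."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    result = {"radius": RADIUS_CODES.get(code, f"code {code}"), "radius_id": ident, "eap": None}
    eap_payload = b""
    offset = 20  # 4 header bytes + 16-byte authenticator
    while offset < length:
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2:
            raise ValueError("malformed RADIUS attribute")
        if attr_type == EAP_MESSAGE_ATTR:
            eap_payload += packet[offset + 2:offset + attr_len]  # fragments are concatenated
        offset += attr_len
    if eap_payload:
        eap_code, eap_id, _ = struct.unpack("!BBH", eap_payload[:4])
        result["eap"] = {"code": EAP_CODES.get(eap_code, f"code {eap_code}"), "id": eap_id}
    return result

def build_radius(code: int, ident: int, eap: bytes = b"") -> bytes:
    """Constructed test packet: all-zero authenticator and one optional EAP-Message attribute."""
    attrs = bytes([EAP_MESSAGE_ATTR, 2 + len(eap)]) + eap if eap else b""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs

def exchange_outcome(packets: list) -> str:
    """Summarise a sniffed conversation from the last RADIUS packet NPS sent."""
    last = parse_radius(packets[-1])
    if last["radius"] == "Access-Reject":
        eap = last["eap"]
        return f"rejected with EAP {eap['code']} id {eap['id']}" if eap else "rejected without EAP"
    return "accepted" if last["radius"] == "Access-Accept" else "incomplete"

# Constructed replay of the capture in the post: Access-Challenges carrying EAP Requests of
# type 25 (PEAP), then the Access-Reject carrying EAP Failure (code 4, id 3) the switch reported.
CAPTURE = [
    build_radius(1, 10),                                       # Access-Request (EAP omitted)
    build_radius(11, 10, struct.pack("!BBHB", 1, 1, 5, 25)),   # Challenge: EAP Request/PEAP
    build_radius(1, 11, struct.pack("!BBHB", 2, 1, 5, 25)),    # Request: EAP Response/PEAP
    build_radius(11, 11, struct.pack("!BBHB", 1, 2, 5, 25)),
    build_radius(3, 12, struct.pack("!BBH", 4, 3, 4)),         # Access-Reject + EAP Failure
]
```

Running the decoder over a real capture (one packet per RADIUS datagram) tells you whether the reject came with an EAP Failure, which points at the EAP/schannel layer on NPS rather than at the switch.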

Answers

  • No, unfortunately not yet. Which kind of switches are you using?
    Tuesday, December 28, 2010 9:40 PM
  • Hi,

    I finally solved the problem. Although the SSL Tunnel was established and the authentication of the client was completed the NPS finally sent a RADIUS error number 4 which was interpreted as RADIUS reject by the switch. All CAPI2 (client + NPS) did not show any crypto API related problems.

    After a reboot I found ONE schannel error in the NPS's eventlog. I reissued the NPS's certificate (the old one looked perfectly o.k.) and that's it. It is now working perfectly.

    Regards,

    Dagmar

    @Qunshu Zhang: You have offered to review my log files and I anonymized them and uploaded them to the link you posted here. After that I have not heard from you again. It is perfectly ok for me if you do have time for stuff like this, but I did wait for your reply.

    Saturday, February 12, 2011 10:08 AM

All replies

  • Hi,

    after having done some more research I still have not solved the problem. At least I now know where the problem appears:

    Client sends computer certificate --> switch sends RADIUS ACCESS REQUEST to NPS
    NPS sends RADIUS ACCESS CHALLENGE to switch --> to client
    .... several RADIUS ACCESS REQUEST/CHALLENGE packets are required to complete authentication

    Finally, NPS sends a RADIUS Failure (Code 4). In this moment it also writes Event ID 6273, Reason Code 23, Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log file for EAP errors. (Authentication Method is PEAP) to the Eventlog.

    The NPS Log does not contain any errors. Certificates seem to be all right (no red entries in CAPI2 Log). We configured computer-only authentication, Client runs Windows 7 Enterprise x86.

    Any suggestions?

    Sunday, December 12, 2010 8:40 AM
  • Hi Dagmar,

    Thanks for posting here.

    I noticed that the switch returned a failure after the client sent “Client Certificate, Client Key Exchange etc.”, so I suspect that this issue may relate to an incorrect certificate on the client. Could you try re-enrolling a new certificate from the server and try again?

    Meanwhile, could you upload the captured traffic data and the event logs on the clients which relate to this issue to the link below for further investigation?

    https://sftus.one.microsoft.com/choosetransfer.aspx?key=0d0fd4f4-5de2-4520-8415-5d59c3d8224a

    Password: Gpl[ImhNTQC

    Thanks.

    Tiger Li

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, December 13, 2010 7:27 AM
  • Thank you for your answer. I will re-check the client certificate.

    If something was wrong with the client's certificate, shouldn't there be an entry in the NPS Eventlog? Or in the CAPI2 Eventlog on the client or on the server?

    I will submit the network traces tomorrow.

    Thanks.

    Dagmar

    Monday, December 13, 2010 11:04 PM
  • I have uploaded the requested files. I have also added the IASSAM.LOG from the NPS Server which says that the client is authenticated correctly.

    Regards,

    Dagmar

    Tuesday, December 14, 2010 8:21 AM
  • Hi Dagmar,

    Thanks for uploading. I will try to analyze it and check if I can give you some suggestions.

    Thanks.

    Tiger Li
    Tuesday, December 14, 2010 8:36 AM
  • Hi Dagmar,

    Could you tell us the address or host name of the client, the NPS server and the switch device, and the model of the switch?

    Thanks.

    Tiger Li
    Tuesday, December 14, 2010 9:15 AM
  • Hi,

    sorry, I forgot to add that type of information.

    The hardware devices used are a switch and a NAC device from Enterasys. I will post the model information tomorrow. The NAC device is working as a Radius proxy (and nothing else at this stage of the project). Unfortunately it does not make any difference if the connection is tested with or without the NAC device. Switch is Enterasys B5K125-24P, NAC is NAC V20 (the same as NAC A20).

    Client: 10.1.0.99, TEST.x.x.x

    NPS: 10.1.100.200

    NAC: 10.20.100.2

    I have also uploaded the client's svchost_RASTLS.log.

    Kind regards,

    Dagmar

    Tuesday, December 14, 2010 8:59 PM
  • Hi Dagmar,

    Thank you for your update.

    I am currently looking into this issue and will give you an update as soon as possible.

    Thank you for your understanding and support.

    Tiger Li
    Wednesday, December 15, 2010 9:40 AM
  • Hi Dagmar,

    We may need more information for troubleshooting.

    Could you please enable tracing on the NPS and on the client by running “netsh ras set tracing rastls enabled” and then try to authenticate again?

    Meanwhile, please also upload the RASTLS log located under “%SystemRoot%\Tracing” on both sides to the path that I posted in my previous reply.

    Thanks

    Tiger Li
    Saturday, December 18, 2010 8:36 AM
  • Hi,

    I have uploaded the files required.

    Thank you for your help,

    Dagmar

    Saturday, December 18, 2010 9:18 AM
  • I have a question: is your NPS server Windows Server 2008 R2 or Windows Server 2008 R2 SP1 beta/RC? Thanks.
    Clarification: Microsoft doesn't own any liability & responsibility for any of my posting.
    Tuesday, December 21, 2010 6:12 AM
  • It is Windows Server 2008 R2 SP1.

    Thanks!

    Tuesday, December 21, 2010 8:06 PM
  • Can you see this issue after uninstalling SP1? Thanks.
    Tuesday, December 21, 2010 10:34 PM
  • And also, is that SP1 RC or beta? Thanks.
    Tuesday, December 21, 2010 10:41 PM
  • Sorry, I confused servers when I typed "winver" (we installed SP1 for testing purposes on a Hyper-V machine). But the NPS is running on VMware and it is Version 6.1 (Build 7600).

    Regards, Dagmar

    Wednesday, December 22, 2010 5:34 AM
  • Hi,

    is there something new going on?

    Kind regards,

    Dagmar

    Monday, December 27, 2010 1:17 PM
  • Did you get this fixed? I have a similar issue.
    Tuesday, December 28, 2010 3:44 PM