Authentication failed for long time Off PCs

  • Question

  • All long-time off (1 week-1 month) PCs after start end with "Authentication failed" and the 802.1x managed port must be set to normal mode "without 802.1x".

    The NAPSTAT window is empty; manually unplugging/plugging the network cable -> authentication failed.
    In the NPS log there are no items about these computers.

    Other PCs, used day by day, are working fine.

    OS Windows Vista w/SP1 (PC Dell Optiplex 755, 960, Fujitsu Siemens Esprimo P5916)

    Catalyst C2960 with the last IOS and correct dot1x setup


    Affected PCs (1 week or more off) -> the Catalyst does not understand the answer from NPS, authentication times out, and the port status is notconnect.

    Is this a known problem?
    Tuesday, June 30, 2009 12:44 PM

All replies

  • Hi,

    If I understand the problem correctly, some computers are failing 802.1X authentication. Other computers are fine.

    This appears to be a client side problem. What is the authentication method (PEAP-MSCHAPv2 or PEAP-EAP-TLS)? How many computers are affected? Have you checked the computer certificate on these clients?

    -Greg
    Friday, July 3, 2009 5:26 AM
  • Hi Greg,

    all computers have the same configuration (many with identical hardware); some (not used for a long time) are failing 802.1X (the NPS server sends a response that the C2960 does not understand, and authentication times out).

    Auth. method -> PEAP-MSCHAPv2
    Affected: 10 computers - 2 weeks off (in this week I disabled Windows Defender via GPO and Microsoft Update sent http://support.microsoft.com/default.aspx/kb/971026)

    How do I check the computer certificate?

    Thanks
    L.
    Friday, July 3, 2009 6:05 AM
  • Hi,

    I am guessing that you don't see failed authentication attempts on NPS because the network interface is shut down after failed computer authentication. You can see this on the switch as line protocol down for that port.

    To verify the client has a domain certificate:

    1. Click Start and click Run.
    2. Type mmc, and then press ENTER.
    3. On the File menu, click Add/Remove Snap-in.
    4. Click Certificates, click Add, select Computer account, and then click Next.
    5. Verify that Local computer: (the computer this console is running on) is selected, click Finish, and then click OK.
    6. In the console tree, double-click Certificates (Local Computer), double-click Personal, and then click Certificates.

    On a domain joined client, you should see a certificate here with Intended Purposes of Client Authentication. Make sure this certificate is not expired. If it is expired, you will need to regain connection to your CA to request a new one.

    If that is not the problem, you might get some helpful information from event viewer on the client under Applications and Services Logs\Microsoft\Windows\Wired-Autoconfig\Operational, but sometimes the events here don't say much about why authentication failed.

    You mentioned that you disabled Windows Defender via GPO and these computers were turned off for 2 weeks. Are you saying that you think these computers are noncompliant? What normally happens to noncompliant computers? Do you put them into a different VLAN?

    -Greg

    Friday, July 3, 2009 6:46 AM
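
The MMC check described in the reply above, scripted in PowerShell so it can be repeated on each affected client. This is an added example, not part of the original reply; the function name and the 30-day warning threshold are assumptions.

```powershell
# Added example: list certificates in the computer's Personal store that can be
# used for Client Authentication and report whether each one is still valid.
# Run from an elevated PowerShell prompt on the client.
function Get-ClientAuthCertStatus {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',  # Certificates (Local Computer)\Personal
        [int]$WarnDays = 30                            # assumed warning threshold
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU OID for Client Authentication
    $now = Get-Date

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Locate the Enhanced Key Usage extension, if the certificate has one.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if ($eku) {
            $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
            if ($oids -notcontains $clientAuthOid) { continue }   # other purposes only
            $purpose = 'Client Authentication'
        } else {
            # No EKU extension: not restricted to specific purposes (MMC shows <All>).
            $purpose = '<All>'
        }

        $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
        if     ($cert.NotBefore -gt $now) { $status = 'NotYetValid' }
        elseif ($cert.NotAfter  -lt $now) { $status = 'Expired' }
        elseif ($daysLeft -le $WarnDays)  { $status = 'ExpiringSoon' }
        else                              { $status = 'Valid' }

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Purpose       = $purpose
            NotAfter      = $cert.NotAfter
            DaysLeft      = $daysLeft
            HasPrivateKey = $cert.HasPrivateKey   # a certificate without its key cannot authenticate
            Status        = $status
        } | Select-Object Subject, Issuer, Purpose, NotAfter, DaysLeft, HasPrivateKey, Status
    }
}

Get-ClientAuthCertStatus | Format-Table -AutoSize
```

An empty result means the Personal store holds no certificate usable for client authentication.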

  • Hi,
    the certificates are OK

    In the logs there is sometimes this error:

    Wired 802.1X Authentication failed.

    Network Adapter: Realtek RTL8169/8110 Family PCI Gigabit Ethernet NIC (NDIS 6.0)

    Interface GUID: {eb612c21-a126-4ca1-b749-8b9764fe275b}

    Peer Address: 001C0F9A5622

    Local Address: 003005A260DB

    Connection ID: 0x1

    Identity: -

    User: -

    Domain: -

    Reason: 0x50006

    Reason Text: The authenticator is no longer present

    Error Code: 0x0
    xxxxxxxxxxxxxxxxxxxxxxx


    but the same error appears in the working state.


    In the NAP agent log:

    Log Name:      Microsoft-Windows-NetworkAccessProtection/Operational
    Source:        Microsoft-Windows-SystemHealthAgent
    Date:          1.7.2009 14:17:57
    Event ID:      1020
    Task Category: None
    Level:         Error
    Keywords:     
    User:          NETWORK SERVICE
    Computer:      PCUVT5.faf.cuni.cz
    Description:
    Automatic remediation for antispyware failed. Windows could not turn on Windows Defender.
    Failure Code: 0x800704ec
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-SystemHealthAgent" Guid="{B1BEBB9A-24AA-4B83-9E4A-38C2A9A44377}" />
        <EventID>1020</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x4000000000000000</Keywords>
        <TimeCreated SystemTime="2009-07-01T12:17:57.088816700Z" />
        <EventRecordID>596</EventRecordID>
        <Correlation />
        <Execution ProcessID="1288" ThreadID="3416" />
        <Channel>Microsoft-Windows-NetworkAccessProtection/Operational</Channel>
        <Computer>PCUVT5.faf.cuni.cz</Computer>
        <Security UserID="S-1-5-20" />
      </System>
      <EventData>
        <Data Name="FailureCode">0x800704ec</Data>
        <Data Name="FailureString">
        </Data>
      </EventData>
    </Event>

     Log Name:      Microsoft-Windows-NetworkAccessProtection/Operational
    Source:        Microsoft-Windows-NetworkAccessProtection
    Date:          1.7.2009 14:24:37
    Event ID:      30
    Task Category: None
    Level:         Error
    Keywords:     
    User:          NETWORK SERVICE
    Computer:      PCUVT5.faf.cuni.cz
    Description:
    The System Health Agent 79745 has returned an error code 3.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-NetworkAccessProtection" Guid="{4EF850D8-BF30-4E64-A917-EE21B9BE1F0A}" />
        <EventID>30</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2009-07-01T12:24:37.058346300Z" />
        <EventRecordID>610</EventRecordID>
        <Correlation />
        <Execution ProcessID="1288" ThreadID="3716" />
        <Channel>Microsoft-Windows-NetworkAccessProtection/Operational</Channel>
        <Computer>PCUVT5.faf.cuni.cz</Computer>
        <Security UserID="S-1-5-20" />
      </System>
      <UserData>
        <NapEvent xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="myNs">
          <SHAId>3</SHAId>
          <Error>3</Error>
        </NapEvent>
      </UserData>
    </Event>

    After two weeks off - yes, NONCOMPLIANT, but authentication failed. After five NIC restarts, PC restart ....
    Yes, I use a separate VLAN for the noncompliant network.

    L.

    Friday, July 3, 2009 7:49 AM
  • That's a new message in the Wired-AutoConfig log, after this problem started:

    Log Name:      Microsoft-Windows-Wired-AutoConfig/Operational
    Source:        Microsoft-Windows-Wired-AutoConfig
    Date:          29.6.2009 8:50:03
    Event ID:      15514
    Task Category: None
    Level:         Error
    Keywords:     
    User:          SYSTEM
    Computer:      PCKFCHKL6.faf.cuni.cz
    Description:
    Wired 802.1X Authentication failed.

     Network Adapter: Intel(R) 82566DM-2 Gigabit Network Connection
     Interface GUID: {e7423c21-b37b-49a4-b928-0f1b6a80f544}
     Peer Address: 001CF640ED99
     Local Address: 00219B53353A
     Connection ID: 0x1
     Identity: -
     User: -
     Domain: -
     Reason: 0x70004
     Reason Text: Netwik not respond for authentication requests.
     Error Code: 0x0
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Wired-AutoConfig" Guid="{b92cf7fd-dc10-4c6b-a72d-1613bf25e597}" />
        <EventID>15514</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2009-06-29T06:50:03.513Z" />
        <EventRecordID>3454</EventRecordID>
        <Correlation />
        <Execution ProcessID="1112" ThreadID="1744" />
        <Channel>Microsoft-Windows-Wired-AutoConfig/Operational</Channel>
        <Computer>PCKFCHKL6.faf.cuni.cz</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="InterfaceGuid">{E7423C21-B37B-49A4-B928-0F1B6A80F544}</Data>
        <Data Name="InterfaceDescription">Intel(R) 82566DM-2 Gigabit Network Connection</Data>
        <Data Name="SwitchMAC">001CF640ED99</Data>
        <Data Name="LocalMAC">00219B53353A</Data>
        <Data Name="ConnectionID">0x1</Data>
        <Data Name="Identity">-</Data>
        <Data Name="User">-</Data>
        <Data Name="Domain">-</Data>
        <Data Name="ReasonCode">0x70004</Data>
        <Data Name="ReasonText">Netwik not respond for authentication requests.</Data>
        <Data Name="ErrorCode">0x0</Data>
      </EventData>
    </Event>

     
    and from NetworkAccessProtection log:

    Log Name:      Microsoft-Windows-NetworkAccessProtection/Operational
    Source:        Microsoft-Windows-NetworkAccessProtection
    Date:          29.6.2009 8:49:23
    Event ID:      30
    Task Category: None
    Level:         Error
    Keywords:     
    User:          NETWORK SERVICE
    Computer:      PCKFCHKL6.faf.cuni.cz
    Description:
    The System Health Agent 79745 has returned an error code 2.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-NetworkAccessProtection" Guid="{4ef850d8-bf30-4e64-a917-ee21b9be1f0a}" />
        <EventID>30</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2009-06-29T06:49:23.700Z" />
        <EventRecordID>15462</EventRecordID>
        <Correlation />
        <Execution ProcessID="1464" ThreadID="4064" />
        <Channel>Microsoft-Windows-NetworkAccessProtection/Operational</Channel>
        <Computer>PCKFCHKL6.faf.cuni.cz</Computer>
        <Security UserID="S-1-5-20" />
      </System>
      <UserData>
        <NapEvent xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="myNs">
          <SHAId>2</SHAId>
          <Error>2</Error>
        </NapEvent>
      </UserData>
    </Event>

     

    Log Name:      Microsoft-Windows-NetworkAccessProtection/Operational
    Source:        Microsoft-Windows-SystemHealthAgent
    Date:          29.6.2009 8:50:03
    Event ID:      1020
    Task Category: None
    Level:         Error
    Keywords:     
    User:          NETWORK SERVICE
    Computer:      PCKFCHKL6.faf.cuni.cz
    Description:
    Automatic remediation for antispyware failed. Windows could not turn on Windows Defender.
    Failure Code: 0x800705b4
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-SystemHealthAgent" Guid="{b1bebb9a-24aa-4b83-9e4a-38c2a9a44377}" />
        <EventID>1020</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x4000000000000000</Keywords>
        <TimeCreated SystemTime="2009-06-29T06:50:03.481Z" />
        <EventRecordID>15485</EventRecordID>
        <Correlation />
        <Execution ProcessID="1464" ThreadID="804" />
        <Channel>Microsoft-Windows-NetworkAccessProtection/Operational</Channel>
        <Computer>PCKFCHKL6.faf.cuni.cz</Computer>
        <Security UserID="S-1-5-20" />
      </System>
      <EventData>
        <Data Name="FailureCode">0x800705b4</Data>
        <Data Name="FailureString">
        </Data>
      </EventData>
    </Event>

     

     

     

     

    Friday, July 3, 2009 8:34 AM
  • Hi,

    If you have disabled Windows Defender in GPO, you must remove this requirement from the WSHV. I'm a little confused about why all computers are not reporting a problem if you have used a GPO to disable a health requirement.

    What happens if you turn off a health requirement for one of the computers on your network that is working fine? Does it move to the noncompliant VLAN, remediate, and then move back to the compliant VLAN?

    I am wondering if there is a problem with your remediation network in general, or if the problem is only with the 10 computers.

    -Greg

    Friday, July 3, 2009 5:30 PM
  • Hi,
    I use FCS (another antispyware solution). WSHV does not use only Defender antispyware.

    Other computers are working OK; on these computers there is actually Forefront antispyware/definitions.

    Only 10 computers were off for one week (in this week ....).

    L.
    Friday, July 3, 2009 7:17 PM
  • Hi Rudi,

    Has the password expired on the computers that fail to authenticate?

    -Greg
    Saturday, August 22, 2009 6:40 PM
  • Hi Greg,
    No, the password is not expired.
    This is a random problem, and in this case the Cisco does not understand the answer from the NPS/RADIUS server. I am preparing a debug of this from the Cisco Catalyst.

    Thanks,
    Ladislav
    Monday, August 24, 2009 2:13 PM
  • Hi Ladislav,

    Have you tried updating Cisco IOS to the most recent version? I have found some cases where older IOS does not work 100% with NPS.

    -Greg
    Monday, August 24, 2009 11:44 PM
  • Hi Greg,
    I use two series of Cisco switches:

    series C2950 with IOS 12.1(22)EA13
    series C2960 with IOS 12.2(50)SE

    Ladislav
    Tuesday, August 25, 2009 9:36 AM
  • Hi Ladislav,

    Those should be recent enough versions of IOS. I have found you need 12.1(22)EA9 on the 2950.

    In the case of the switch not understanding the response from NPS, I think you are taking the right approach to use debug.

    -Greg
    Tuesday, August 25, 2009 5:23 PM
  • Hi,

    This question is still not answered but has fallen off the first page of the forum so it may not be getting the attention needed.

    Please let me know if there is any further information about this issue. I will also try to summarize the current question and get an answer if possible, or move the question to another forum if it is not appropriate for the NAP forum.

    Greg Lindsay

    Friday, March 19, 2010 8:21 PM
  • Greg,

    You asked Rudi the following:

    Has the password expired on the computers that fail to authenticate?

    I have systems that are off the network longer than 30 days, and they cannot authenticate using machine credentials anymore.  NPS appears to be rejecting them.  However, I did some searches and it appears the machine account passwords are changed by the client, and the AD side doesn't expire.  So why is NPS rejecting them if they try to login with their machine account and NPS is saying the password is invalid?  Does the client send the machine account with the password age, and NPS sees it's expired from the client and supersedes AD?  Is there a solution for this, or do I need to set a GPO for these systems increasing their password age, or a solution inside of NPS to force it to authenticate NPS to check AD. This is causing lots of problems for our students.

    Derek O'Flynn

    LSUHSC


    Derek
    Tuesday, July 27, 2010 7:25 PM
  • Maybe this helps? http://support.microsoft.com/kb/904943
    Friday, July 30, 2010 1:07 PM