none
NPS Wireless Authentication suddenly not working. reason code 16

    Question

  • This week it seems that the NPS server has decided to stop authenticating Wireless clients running windows 7.

    I have been over a similar older thread here and after trying the suggestions there still had no luck 

    https://social.technet.microsoft.com/Forums/windowsserver/en-us/76644dcc-911d-451e-b7f1-39269db43ac7/nps-event-6273-reason-code-16?prof=required

    NPS is setup to authenticate 802.11 wireless clients with PEAP

    The NPS server as a cert based on RAS/ IAS template with subject and subject alternate names filled, the clients have valid client certs and trust the domain based CA.

    The RADIUS client is working normally and the shared secret has been changed several times as in the previous post suggestions.

    Any more ideas?

    Tuesday, June 26, 2018 5:35 PM

All replies

  • Hi,

    Thanks for your question.

    Please check the following article talks about Configuring 802.1X Wired Authentication on a Windows 7 Client.

    https://documentation.meraki.com/MS/Access_Control/Configuring_802.1X_Wired_Authentication_on_a_Windows_7_Client

    Please make sure the service “Wired AutoConfig” is running on the win7 clients. And check its network adapter’s is configured correctly as below.

    If it is required to identify the authenticating clients by certificates, we also need to add and use certificate within PEAP on the client.

    Furthermore, please check the NPS server is configured correctly and use valid certificate, we can refer to the following more detailed,

    https://blogs.technet.microsoft.com/wsnetdoc/2018/02/08/get-peap-with-mschap-v2-working-with-nps-on-windows-server/

    For PEAP to work correctly, the following must be configured:

    1 The network connection on the client computer must be configured to perform PEAP authentication.

    2 The network access point must be configured to forward (aka pass-thru) authentication requests to the RADIUS server. This typically also requires that a shared secret is configured on the network access point which matches a corresponding shared secret on the RADIUS server.

    3 A certificate with the server authentication purpose and correct subject alternative name must be installed on NPS. Note: This procedure must be completed prior to configuring PEAP on NPS (step 4 below).

    4 NPS must be configured to perform PEAP authentication. The preferred method to configure NPS is using the scenario wizard in the NPS console. To use the wizard, click NPS in the console tree and then under Standard Configuration in the right-hand pane, select an item from the drop-down list that matches the type of network connection used by the client device (ex: VPN or wireless). When the configuration scenario is selected, click the corresponding Configure text that is displayed under the drop-down to launch the wizard.

    Hope above information can help you.  

    Highly appreciate your effort and time. If you have any question and concern, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Wednesday, June 27, 2018 3:39 AM
  • Michael,

    I will try to reset the configuration based on the Article on PEAP you sent though I believe the configuration is already set to those specifications.

    Also, since these clients are wireless isn't it the WLAN AutoConfig and not the Wired AutoConfig  service that should be running?

    Thanks

    Wednesday, June 27, 2018 7:46 PM
  • Hi,

    Thanks for your reply.

    I'm sorry for I'm wrong about Wired AutoConfig. It's applied to Wired Authentication. Perhaps it's unnecessary.

    We need to configure wireless network policies GPO, please check the following article,

    https://blogs.technet.microsoft.com/networking/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows/

    Hope this helps. If you have any question and concern, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, June 29, 2018 9:29 AM
  • Hi,

    How are things going on?

    Please let us know if you need further assistance.

    Best regards,

    Michael


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, July 2, 2018 7:38 AM
  • Hi ,

    Just want to confirm the current situations.

    Please feel free to let us know if you need further assistance.

    Best regards,

    Michael


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Sunday, July 8, 2018 2:58 PM
  • We noticed the same thing on a customer NPS on saturday (2018-07-07). All of a sudden PEAP with MSCHAPv2 (user/password) stopped working. They had to rollback the NPS to a backup from a couple of weeks ago to make it work again. Not sure if we will see the problem again though.

    Running an Aruba Wireless controller (MC7220) against Windows 2008 R2 NPS. No patching or reboots had been done during this period. Certificates are all valid.

    Both Ipads and PC's stopped working.

    W10 PC's gave error 

    0x40420016

    EAPHost logs this information event when the client and server aren't configured with compatible EAP types.

    Tuesday, July 10, 2018 11:51 AM