locked
help: config NAP support for Switch

  • Question

  • Our test environment contains:
    DC1:Win2003 Enterprise AD    (IP:10.153.128.57)
    NPS1:Longhorn build 5384     (IP:10.153.128.18)
    Client1:Vista Ultimate       (IP:10.153.128.100)
    Switch:H3C S3502             (IP:10.153.128.36)

    The configuration process, according to NAP_802.1X_StepByStep.doc, does not show any error. But our test user cannot pass the authentication.
    By checking some log files, we found some internal error information in NPS1's OS event log. I put the log file and a related network packet file
    (readable by Ethereal version 0.99.0) into the attachment. Please help us solve the problem. Thanks.

    Event ID:      3
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      NPS1
    Description:
    Access request for user CONTOSO\user1 was discarded.
     Fully-Qualified-User-Name = <undetermined>
    ...
    Reason-Code = 1
     Reason = An internal error occurred. Check the system event log for additional information.
    ...

    Log Name:      System
    Source:        IAS
    Date:          4/7/2007 1:04:17 AM
    Event ID:      3
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      NPS1
    Description:
    Access request for user CONTOSO\user1 was discarded.
     Fully-Qualified-User-Name = <undetermined>
     Machine-Name = <not present>
    ...
    Reason-Code = 96
     Reason = The authentication request was not processed because the session timed out.
    Event Xml:
    ...
    Wednesday, April 11, 2007 5:45 AM

Answers

  • It seems this was an issue with incompatible versions of Longhorn Beta Server and Vista RTM clients.

    Be sure to use the latest versions in your NAP environments!

    -Chris

    Chris.Edson@online.microsoft.com *
    SDET, Network Access Protection
    * Remove the "online" to make the address valid.
    ** This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, June 6, 2007 10:42 PM

All replies

  • The first place I would check would be your certificate configuration at the NPS Server.

    One way to perhaps remove this from consideration is to ensure that the client side configuration has the box for 'validate server certificate' unchecked.

    Another way to rule this out is to ensure that the client has the proper Trusted Root Certificate Authority certificate installed into the trusted root store - the client must be able to establish the chain (from end to root) of the certificate used by the NPS server when starting the PEAP negotiation.

    I note that in trimming down your post, the authentication method is not shown - can you re-post with the complete event texts?  (this posting box >should< be able to handle it)  The complete events should give us a little bit more information to work with.

    -Chris

    Chris.Edson@online.microsoft.com *
    SDET, Network Access Protection
    * Remove the "online" to make the address valid.
    ** This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, April 11, 2007 6:08 PM
  • Hi Chris. Thanks for your response.

    I've tried many times to post just one complete event. But it always failed.

    I'll send them to you by email.

    Thursday, April 12, 2007 2:59 AM
  • Hi Chris. We've checked the client side configuration. We made sure that the box for 'validate server certificate' was kept unchecked.

    Thursday, April 12, 2007 11:19 AM
  • I will post results of discussion with Zhijian when we come to a conclusion...

    -Chris

    Chris.Edson@online.microsoft.com *
    SDET, Network Access Protection
    * Remove the "online" to make the address valid.
    ** This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, April 12, 2007 9:05 PM
  • Sorry, I completely overlooked something from your initial posting.

    I notice that you are using a Beta 2 Longhorn Server and a Vista Released client machine.

    In order for you to use released Vista as your client, you will need a Longhorn Server with a more recent build than Beta 2.

    -Chris

    Chris.Edson@online.microsoft.com *
    SDET, Network Access Protection
    * Remove the "online" to make the address valid.
    ** This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, April 13, 2007 12:49 AM
  • The problem is still there when using Longhorn build 6001. Here is one event:

    Log Name:      System
    Source:        NPS
    Date:          4/18/2007 7:16:57 PM
    Event ID:      3
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      NPS1.contoso.com
    Description:
    Access request for user CONTOSO\user1 was discarded.
     Fully-Qualified-User-Name = CONTOSO\user1
     Machine-Name = <not present>
     OS-Version = <not present>
     NAS-IP-Address = 10.153.128.36
     NAS-IPv6-Address = <not present>
     NAS-Identifier = s3502
     Called-Station-Identifier = <not present>
     Calling-Station-Identifier = 0011-113b-8322
     Client-Friendly-Name = 802.1x switch
     Client-IP-Address = 10.153.128.36
     Client-IPv6-Address = <not present>
     NAS-Port-Type = Ethernet
     NAS-Port = 8193
     Connection-Request-Policy-Name = Require Protected EAP
     Policy-Name = <undetermined>
     Authentication-Provider = Windows
     Authentication-Server = NPS1.contoso.com
     Account-Session-Identifier=<not present>
     Reason-Code = 1
     Reason = An internal error occurred. Check the system event log for additional information.

    Thursday, April 19, 2007 3:02 AM
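A small parser for the event text pasted in this thread, added here as an example (not code from the thread, from Microsoft, or from NPS itself): it splits an event like the one above into header fields and Description attributes, turns the <not present> / <undetermined> placeholders into None, and maps the two reason codes seen in this thread (1 and 96) to the checks the replies suggest. The sample event is constructed from the post above with a few attributes dropped.

```python
import re

# Constructed sample in the shape of the event posted above (a few attributes dropped), not the real log file.
SAMPLE_EVENT = """Log Name:      System
Source:        NPS
Date:          4/18/2007 7:16:57 PM
Event ID:      3
Level:         Error
Computer:      NPS1.contoso.com
Description:
Access request for user CONTOSO\\user1 was discarded.
 Fully-Qualified-User-Name = CONTOSO\\user1
 Machine-Name = <not present>
 NAS-IP-Address = 10.153.128.36
 NAS-Identifier = s3502
 Connection-Request-Policy-Name = Require Protected EAP
 Policy-Name = <undetermined>
 Account-Session-Identifier=<not present>
 Reason-Code = 1
 Reason = An internal error occurred. Check the system event log for additional information.
"""

# Only the two reason codes that occur in this thread; the hints summarise the checks the replies suggest.
REASON_HINTS = {
    1: "server-side internal error: start from the NPS server's System log, not the client",
    96: "session timed out before the EAP exchange finished: re-check PEAP settings, shared secret, firewall",
}

ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*)$")   # " Reason-Code = 1", "Account-Session-Identifier=<not present>"
HEADER_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")           # "Event ID:      3"

def parse_nps_event(text):
    """Return the header fields and the Description attributes as one dict.
    Placeholder values such as <not present> / <undetermined> become None."""
    fields = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line) or HEADER_RE.match(line)
        if not m:
            continue  # blank lines and the free-text 'Access request ... was discarded.' sentence
        value = m.group(2).strip()
        fields[m.group(1)] = None if value.startswith("<") and value.endswith(">") else value
    return fields

def triage(fields):
    """The reason code, and whether any policy name was recorded, decide where to look next."""
    code = int(fields.get("Reason-Code") or -1)
    return {"reason_code": code, "nas": fields.get("NAS-IP-Address"),
            "policy_recorded": fields.get("Policy-Name") is not None,
            "hint": REASON_HINTS.get(code, "reason code not seen in this thread; check the NPS reason-code reference")}
```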
  • Hi,

    On the client, make sure that in the Protected EAP Properties dialog box, you have checked Enable Quarantine checks.

    Depending on the build of Longhorn server, you may also be encountering a problem with the Windows Firewall, so I want you to turn this off temporarily and retry your connection attempt.

    Also please verify that you have the same shared secret entered on your switch and the Longhorn server.

    Please let me know if this helps.

    Thursday, April 19, 2007 10:18 PM
  • Hi Greg,

    1. Yes. We really checked that box.

    2. We've tried turning off the Firewall, but the problem is still there.

    3. We really set the same shared secrets on the switch and LH server.

    Friday, April 20, 2007 7:18 AM
  • Please provide the results of the following procedure:

    • On the client, open an administrator command prompt (click start, click all programs, click accessories, right-click command prompt, click run as administrator).
    • Open Event Viewer on the client and navigate to Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational
    • Also open Event Viewer on the NPS server and navigate to Windows Logs\System
    • In the administrator command prompt, type: net stop napagent && net start napagent

    What new events are generated on the client and server?

    Friday, April 20, 2007 2:41 PM
  • We are also pursuing this issue offline with Zhijian.

    I will post a summary when we have more results.

    -Chris

    Chris.Edson@online.microsoft.com *
    SDET, Network Access Protection
    * Remove the "online" to make the address valid.
    ** This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, April 20, 2007 11:38 PM
  • Chris is right. With the newest Longhorn version (Longhorn Service Pack 1, V1.26), we have gotten through the test on our switch working with NAP. Thanks a lot.

    Please close this thread.

    Thursday, June 7, 2007 12:46 AM