No AUTHORIZATION extensions, NPS Radius Server

  • Question

  • Hi All

    I have an issue setting up Radius Server to authenticate users for Wireless Network Access. The NPS server is installed on our DC (Windows 2008 R2 SP1). I'm using a Windows 7 client to connect to the Server. The errors I have in the IAS logs are:

    [2528] 11-29 10:32:41:110: NT-SAM Names handler received request with user identity ad\testradius.
    [2528] 11-29 10:32:41:110: Username is already an NT4 account name.
    [2528] 11-29 10:32:41:110: SAM-Account-Name is "AD\testradius".
    [2528] 11-29 10:32:41:110: Successfully created new RAP Based EAP session for user AD\testradius.
    [2528] 11-29 10:32:41:110: No AUTHENTICATION extensions, continuing
    [2528] 11-29 10:32:41:110: NT-SAM Authentication handler received request for AD\testradius.
    [2528] 11-29 10:32:41:110: Validating windows user account AD\testradius
    [2528] 11-29 10:32:41:110: Sending LDAP search to DC2.
    [2528] 11-29 10:32:41:110: Successfully validated windows account AD\testradius.
    [2528] 11-29 10:32:41:110: Allowed EAP type: 25
    [2528] 11-29 10:32:41:110: Succesfully created EAP Host session with session id 35
    [2528] 11-29 10:32:41:110: Processing output from EAP: action:1
    [2528] 11-29 10:32:41:110: Inserting outbound EAP-Message of length 6.
    [2528] 11-29 10:32:41:110: Issuing Access-Challenge.
    [2528] 11-29 10:32:41:110: No AUTHORIZATION extensions, continuing

    I followed the article on TechNet on setting up an extension DLL.

    I get the following errors after I completed the registry edit:

    System\CurrentControlSet\Services\AuthSrv\Parameters doesn't exist; no extensions loaded.
     No Authentication extensions!
    Initializing LDAP.
    The registry value BackendServerTimeout does not exist. Using default 2
    Loading AuthorizationDLLs
    System\CurrentControlSet\Services\AuthSrv\Parameters doesn't exist; no extensions loaded.
    No Authorization extensions!

    I have removed the NPS role (including the isa.xml file) and reinstalled it; exactly the same issue.

    Thanks for reading and assisting me.

    Thursday, November 28, 2013 11:44 PM

All replies

  • 

    Hi,

    This might be a certificate issue.

    1. Ensure the root CA certificates are installed correctly on the NPS server and wireless client computers.

    2. Ensure the server certificate is installed correctly on the NPS server.

    Another reason could be the AP was configured to use .4 as the addr. NPS responded with .6 because that was his primary addr.

    Resolution

    Added the .4 addr to the NPS properties as its default addr.

    If this does not help, please provide more information. You can check logs such as IASSAM.log, IASLOG.LOG and the client-side event log.

    Hope this helps.

    Friday, November 29, 2013 9:50 AM
  • Hi,

    How is everything going? Is the issue resolved?

    If there is any problem, please feel free to let us know.

    Thank you.

    Monday, December 2, 2013 1:00 AM
  • Hi Daniel

    Thanks for the reply.

    I have checked the certificates on the Servers, and registered the root certificate on the client. However it's still not working.

    I tried the (EAP-MSCHAP v2) method, just in case it's something wrong with the certificates. I got very similar errors:

    [5448] 12-02 12:43:45:630: Successfully created new RAP Based EAP session for user AD\user1.
    [5448] 12-02 12:43:45:630: No AUTHENTICATION extensions, continuing
    [5448] 12-02 12:43:45:630: NT-SAM Authentication handler received request for AD\user1.
    [5448] 12-02 12:43:45:630: Validating windows user account AD\user1
    [5448] 12-02 12:43:45:630: Sending LDAP search to DC2.
    [5448] 12-02 12:43:45:630: Successfully validated windows account AD\user1
    [5448] 12-02 12:43:45:630: Allowed EAP type: 26
    [5448] 12-02 12:43:45:630: Succesfully created EAP Host session with session id 59
    [5448] 12-02 12:43:45:646: Processing output from EAP: action:1
    [5448] 12-02 12:43:45:646: Inserting outbound EAP-Message of length 29.
    [5448] 12-02 12:43:45:646: Issuing Access-Challenge.
    [5448] 12-02 12:43:45:646: No AUTHORIZATION extensions, continuing

    Is it possible there's something wrong with the NPS installation? I don't understand why there are no authorization extensions. I have done a fresh installation of NPS before the post, and deleted the existing isa.xml file.

    Thanks for your help.

    Monday, December 2, 2013 2:00 AM
  • Hi,

    Follow the guide below, including the subdirectory, and try again.

    http://msdn.microsoft.com/en-us/library/windows/desktop/bb891985(v=vs.85).aspx

    As the error indicates that the registry key doesn’t exist, just create it.

    Hope this helps.

    Wednesday, December 4, 2013 2:22 AM
  • Hi Daniel

    I have followed the link and set up the keys ExtensionDLLs & AuthorizationDLLs with the type REG_MULTI_SZ. I have restarted NPS, but I am still getting the same issue:

    [1956] 12-04 15:22:50:129: Successfully validated windows account AD\user1
    [1956] 12-04 15:22:50:129: Allowed EAP type: 26
    [1956] 12-04 15:22:50:129: Succesfully created EAP Host session with session id 171
    [1956] 12-04 15:22:50:129: Processing output from EAP: action:1
    [1956] 12-04 15:22:50:129: Inserting outbound EAP-Message of length 29.
    [1956] 12-04 15:22:50:129: Issuing Access-Challenge.
    [1956] 12-04 15:22:50:129: No AUTHORIZATION extensions, continuing

    Do I need to enter additional data values to these keys?

    Thanks

    Wednesday, December 4, 2013 5:30 AM
  • Hi,

    Could you provide the entire log about the authentication process?

    Thank you.

    Wednesday, December 4, 2013 9:28 AM
  • From IASSAM

    [7544] 12-04 15:40:25:846: NT-SAM Names handler received request with user identity user1
    [7544] 12-04 15:40:25:846: Prepending default domain.
    [7544] 12-04 15:40:25:846: NameMapper::prependDefaultDomain
    [7544] 12-04 15:40:25:846: SAM-Account-Name is "AD\user1".
    [7544] 12-04 15:40:25:846: Successfully created new RAP Based EAP session for user AD\user1
    [7544] 12-04 15:40:25:846: No AUTHENTICATION extensions, continuing
    [7544] 12-04 15:40:25:846: NT-SAM Authentication handler received request for AD\user1.
    [7544] 12-04 15:40:25:846: Validating windows user account AD\user1
    [7544] 12-04 15:40:25:846: Sending LDAP search to DC2.ad
    [7544] 12-04 15:40:25:846: Successfully validated windows account AD\user1
    [7544] 12-04 15:40:25:846: Allowed EAP type: 26
    [7544] 12-04 15:40:25:846: Succesfully created EAP Host session with session id 227
    [7544] 12-04 15:40:25:846: Processing output from EAP: action:1
    [7544] 12-04 15:40:25:846: Inserting outbound EAP-Message of length 29.
    [7544] 12-04 15:40:25:846: Issuing Access-Challenge.
    [7544] 12-04 15:40:25:846: No AUTHORIZATION extensions, continuing

    From svchost_RASCHAP

    [7544] 12-04 15:40:25:846: EapChapBeginMSChapV2
    [7544] 12-04 15:40:25:846: ReadConnectionData
    [7544] 12-04 15:40:25:846: EapChapBeginCommon
    [7544] 12-04 15:40:25:846: ChapBegin(fS=1,bA=0x81)
    [7544] 12-04 15:40:25:846: ChapBegin done.
    [7544] 12-04 15:40:25:846: EapMSChapv2MakeMessage
    [7544] 12-04 15:40:25:846: EapMSChapv2SMakeMessage
    [7544] 12-04 15:40:25:846: EMV2_Initial
    [7544] 12-04 15:40:25:846: ChapMakeMessage,RBuf=0000000000000000
    [7544] 12-04 15:40:25:846: ChapSMakeMessage
    [7544] 12-04 15:40:25:846: CS_Initial...
    [7544] 12-04 15:40:25:846: MakeChallengeMessage...
    [7544] 12-04 15:40:25:846: GetChallenge.
    [7544] 12-04 15:40:25:846: GetChallenge: LsaCallAuthenticationPackage succeeded
    [7544] 12-04 15:40:25:846: GetChallenge.
    [7544] 12-04 15:40:25:846: GetChallenge: LsaCallAuthenticationPackage succeeded
    01 03 00 18 10 3F 6D 27 84 53 58 FB 84 0E D8 D8 |.....?m'.SX.....|
    CC 75 C6 7F 16 44 43 32 00 00 00 00 00 00 00 00 |.u..DC2........|

    From IASNAP

    [7544] 12-04 15:39:48:577: The request comes from NAS type 0
    [7544] 12-04 15:39:48:577: Applying CRP policy:Wireless EAP
    [7544] 12-04 15:39:48:577: Response type is 2, so disable Quarantine State
    [7544] 12-04 15:39:48:577: WARNING: No SHV Session Handle
    [7544] 12-04 15:39:48:577: The request is given quarantine state 3
    [7392] 12-04 15:39:50:574: The request comes from NAS type 0
    [7392] 12-04 15:39:50:574: Applying CRP policy:Wireless EAP
    [7392] 12-04 15:39:50:574: Response type is 2, so disable Quarantine State
    [7392] 12-04 15:39:50:574: WARNING: No SHV Session Handle
    [7392] 12-04 15:39:50:574: The request is given quarantine state 3
    [7544] 12-04 15:39:52:586: The request comes from NAS type 0
    [7544] 12-04 15:39:52:586: Applying CRP policy:Wireless EAP
    [7544] 12-04 15:39:52:586: Response type is 2, so disable Quarantine State
    [7544] 12-04 15:39:52:586: WARNING: No SHV Session Handle
    [7544] 12-04 15:39:52:586: The request is given quarantine state 3
    [7392] 12-04 15:39:54:583: The request comes from NAS type 0
    [7392] 12-04 15:39:54:583: Applying CRP policy:Wireless EAP
    [7392] 12-04 15:39:54:583: Response type is 2, so disable Quarantine State
    [7392] 12-04 15:39:54:583: WARNING: No SHV Session Handle
    [7392] 12-04 15:39:54:583: The request is given quarantine state 3
    [7544] 12-04 15:39:56:580: The request comes from NAS type 0
    [7544] 12-04 15:39:56:580: Applying CRP policy:Wireless EAP
    [7544] 12-04 15:39:56:580: Response type is 2, so disable Quarantine State
    [7544] 12-04 15:39:56:580: WARNING: No SHV Session Handle
    [7544] 12-04 15:39:56:580: The request is given quarantine state 3
    [7392] 12-04 15:40:15:846: The request comes from NAS type 0
    [7392] 12-04 15:40:15:846: Applying CRP policy:Wireless EAP
    [7392] 12-04 15:40:15:846: The request comes from NAS type 0
    [7392] 12-04 15:40:15:846: Applying RAP policy:Wireless EAP
    [7544] 12-04 15:40:17:843: The request comes from NAS type 0
    [7544] 12-04 15:40:17:843: Applying CRP policy:Wireless EAP
    [7544] 12-04 15:40:17:843: The request comes from NAS type 0
    [7544] 12-04 15:40:17:843: Applying RAP policy:Wireless EAP
    [7392] 12-04 15:40:19:840: The request comes from NAS type 0
    [7392] 12-04 15:40:19:840: Applying CRP policy:Wireless EAP
    [7392] 12-04 15:40:19:840: The request comes from NAS type 0
    [7392] 12-04 15:40:19:840: Applying RAP policy:Wireless EAP
    [7544] 12-04 15:40:21:837: The request comes from NAS type 0
    [7544] 12-04 15:40:21:837: Applying CRP policy:Wireless EAP
    [7544] 12-04 15:40:21:852: The request comes from NAS type 0
    [7544] 12-04 15:40:21:852: Applying RAP policy:Wireless EAP
    [7392] 12-04 15:40:23:849: The request comes from NAS type 0
    [7392] 12-04 15:40:23:849: Applying CRP policy:Wireless EAP
    [7392] 12-04 15:40:23:849: The request comes from NAS type 0
    [7392] 12-04 15:40:23:849: Applying RAP policy:Wireless EAP
    [7544] 12-04 15:40:25:846: The request comes from NAS type 0
    [7544] 12-04 15:40:25:846: Applying CRP policy:Wireless EAP
    [7544] 12-04 15:40:25:846: The request comes from NAS type 0
    [7544] 12-04 15:40:25:846: Applying RAP policy:Wireless EAP

    Thanks

    Thursday, December 5, 2013 4:21 AM
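As an added example (not part of any post in this thread, and not Microsoft code): a small parser for the IASSAM trace format quoted above that reports, per user, how many EAP sessions were started and left at the first Access-Challenge, and the gap in milliseconds between them. The sample lines are constructed in the thread's format and the function names are hypothetical; the "No ... extensions, continuing" lines are skipped because the trace shows processing carrying on past them.

```python
import re

# Constructed sample in the IASSAM trace format quoted in this thread.
SAMPLE = r"""
[7544] 12-04 15:40:21:852: Successfully created new RAP Based EAP session for user AD\user1.
[7544] 12-04 15:40:21:852: No AUTHENTICATION extensions, continuing
[7544] 12-04 15:40:21:852: Allowed EAP type: 26
[7544] 12-04 15:40:21:852: Issuing Access-Challenge.
[7392] 12-04 15:40:23:849: Successfully created new RAP Based EAP session for user AD\user1
[7392] 12-04 15:40:23:849: Allowed EAP type: 26
[7392] 12-04 15:40:23:849: Issuing Access-Challenge.
[7544] 12-04 15:40:25:846: Successfully created new RAP Based EAP session for user AD\user1.
[7544] 12-04 15:40:25:846: Issuing Access-Challenge.
[7544] 12-04 15:40:25:846: No AUTHORIZATION extensions, continuing
01 02 03 04 |....|
"""

LINE = re.compile(r"\[(\d+)\] \d\d-\d\d (\d\d):(\d\d):(\d\d):(\d{3}): (.*)")
START = re.compile(r"created new RAP Based EAP session for user (\S+?)\.?$")
EAP_NAMES = {25: "PEAP", 26: "EAP-MSCHAPv2"}  # IANA EAP method type numbers

def parse_requests(text):
    """Return one dict per EAP session start, tracked per NPS thread id."""
    done, open_by_tid = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # hex dump or blank line
        tid, hh, mm, ss, ms, msg = m.groups()
        start = START.search(msg)
        if start:
            t = ((int(hh) * 60 + int(mm)) * 60 + int(ss)) * 1000 + int(ms)
            req = {"user": start.group(1), "t": t, "eap": None, "issued": None}
            open_by_tid[tid] = req
            done.append(req)
        elif tid in open_by_tid:
            req = open_by_tid[tid]
            if msg.startswith("Allowed EAP type:"):
                n = int(msg.split(":")[1])
                req["eap"] = EAP_NAMES.get(n, f"type {n}")
            elif msg.startswith("Issuing "):
                req["issued"] = msg[len("Issuing "):].rstrip(".")
    return done

def restarts_per_user(requests):
    """Per user: (sessions left at the first challenge, gaps between them in ms)."""
    out = {}
    for r in sorted(requests, key=lambda r: r["t"]):
        if r["issued"] == "Access-Challenge":
            out.setdefault(r["user"], []).append(r["t"])
    return {u: (len(ts), [b - a for a, b in zip(ts, ts[1:])]) for u, ts in out.items()}
```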
  • Hi,

    According to the error code, it seems that the Extension DLLs didn’t work at all. The authentication process just bypasses them.

    Maybe you should go to MSDN forum to confirm if your extension DLL is created correctly.

    http://social.msdn.microsoft.com/Forums/en-US/home

    Thursday, December 5, 2013 8:33 AM