NPS not working after migrating from 2008R2 to 2012R2

  • Question

  •      We have a 2008R2 domain that is being upgraded to 2012R2. We use NPS as a RADIUS server for our wireless, and it runs on a few of our domain controllers. I know that might not be best practice, and we will probably change that next summer, but it has always worked fine.  I have migrated the NPS database before from 2008R2 to 2008R2 DCs and not had any problems. 

         I migrated the NPS database from a 2008R2 DC to a new 2012 DC and it looks like everything came across fine. I can see my policies, certificates, and RADIUS clients there, but it is failing. The NPS server role filter on the event logs shows event ID 6272 showing it is granting access, but I am not getting the 6278 event ID that I normally also get. I am not seeing any errors. I look through the IAS log and it is hard to decipher. Does anyone have any ideas or can point me to a good troubleshooting site for this?

         <Event><Timestamp data_type="4">07/29/2016 10:52:45.101</Timestamp><Computer-Name data_type="1">DC-ALPHA</Computer-Name><Event-Source data_type="1">IAS</Event-Source><NAS-IP-Address data_type="3">10.124.30.50</NAS-IP-Address><NAS-Port data_type="0">0</NAS-Port><NAS-Identifier data_type="1">10.122.50.50</NAS-Identifier><NAS-Port-Type data_type="0">19</NAS-Port-Type><Calling-Station-Id data_type="1">34028684D672</Calling-Station-Id><Called-Station-Id data_type="1">000B86B7354F</Called-Station-Id><Service-Type data_type="0">2</Service-Type><Framed-MTU data_type="0">1100</Framed-MTU><Vendor-Specific data_type="2">000039E70507475245454E</Vendor-Specific><Vendor-Specific data_type="2">000039E706104141412D477265656E2D54657374</Vendor-Specific><Vendor-Specific data_type="2">000039E70A0C41646D696E2D54657374</Vendor-Specific><Vendor-Specific data_type="2">000039E70C0957696E646F7773</Vendor-Specific><Client-IP-Address data_type="3">10.122.50.50</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">Dallas-7205</Client-Friendly-Name><User-Name data_type="1">host/LT-150431.contoso.com</User-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">CONTOSO_DOMAIN\LT-150431$</SAM-Account-Name><Class data_type="1">311 1 10.124.66.4 07/26/2016 02:22:19 23644</Class><NP-Policy-Name data_type="1">Authenticate Computers (computer role)</NP-Policy-Name><Authentication-Type data_type="0">11</Authentication-Type><Class data_type="1">computer</Class><Fully-Qualifed-User-Name data_type="1">contoso.com/Workstations/Wireless Laptops/LT-150431</Fully-Qualifed-User-Name><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>

    Thanks,


    Dave






    • Edited by DaveBryan37 Thursday, August 18, 2016 5:55 PM
    Thursday, August 18, 2016 5:53 PM
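
Added example, not part of the original post: PowerShell that decodes one IAS XML-format record like the one above into readable names, including the Vendor-Specific hex values. The sample record is constructed from fields in the post, and the function and variable names are hypothetical.

```powershell
# Constructed sample: a shortened record built from fields and values in the post above.
$record = '<Event><Timestamp data_type="4">07/29/2016 10:52:45.101</Timestamp>' +
  '<NAS-Port-Type data_type="0">19</NAS-Port-Type>' +
  '<Vendor-Specific data_type="2">000039E70507475245454E</Vendor-Specific>' +
  '<Vendor-Specific data_type="2">000039E706104141412D477265656E2D54657374</Vendor-Specific>' +
  '<User-Name data_type="1">host/LT-150431.contoso.com</User-Name>' +
  '<Authentication-Type data_type="0">11</Authentication-Type>' +
  '<Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>'

# Code-to-name maps. Packet and port types are RADIUS values (RFC 2865);
# Authentication-Type and Reason-Code values are the ones NPS writes to its log.
$Names = @{
  'Packet-Type'         = @{ 1 = 'Access-Request'; 2 = 'Access-Accept'; 3 = 'Access-Reject'; 11 = 'Access-Challenge' }
  'Authentication-Type' = @{ 1 = 'PAP'; 2 = 'CHAP'; 3 = 'MS-CHAP'; 4 = 'MS-CHAP v2'; 5 = 'EAP'; 11 = 'PEAP' }
  'NAS-Port-Type'       = @{ 5 = 'Virtual'; 15 = 'Ethernet'; 19 = 'Wireless - IEEE 802.11' }
  'Reason-Code'         = @{ 0 = 'IAS_SUCCESS' }
}

function ConvertFrom-VsaHex {
  param([Parameter(Mandatory)][string]$Hex)
  # Layout: 4-byte vendor ID, 1-byte vendor type, 1-byte length (type + length + value), value.
  if (($Hex.Length -lt 12) -or ($Hex.Length % 2 -ne 0)) { return "undecoded: $Hex" }
  $vendor = [Convert]::ToUInt32($Hex.Substring(0, 8), 16)   # 14823 (0x39E7) is Aruba's IANA enterprise number
  $type   = [Convert]::ToInt32($Hex.Substring(8, 2), 16)
  $len    = [Convert]::ToInt32($Hex.Substring(10, 2), 16)
  $value  = $Hex.Substring(12)
  if (($len -lt 2) -or ($value.Length -ne ($len - 2) * 2)) { return "vendor=$vendor type=$type length mismatch" }
  # Assumption: the value is ASCII text, as it is for the attributes in the post.
  [byte[]]$bytes = @(for ($i = 0; $i -lt $value.Length; $i += 2) { [Convert]::ToByte($value.Substring($i, 2), 16) })
  "vendor=$vendor type=$type value='" + [Text.Encoding]::ASCII.GetString($bytes) + "'"
}

function ConvertFrom-IasRecord {
  param([Parameter(Mandatory)][string]$Xml)
  # Walk the child elements in order; repeated names (Vendor-Specific, Class) each get a row.
  foreach ($node in ([xml]$Xml).DocumentElement.ChildNodes) {
    $meaning = if ($node.Name -eq 'Vendor-Specific') {
      ConvertFrom-VsaHex $node.InnerText
    } elseif ($Names.ContainsKey($node.Name)) {
      $Names[$node.Name][[int]$node.InnerText]
    }
    [pscustomobject]@{ Attribute = $node.Name; Raw = $node.InnerText; Meaning = $meaning }
  }
}

ConvertFrom-IasRecord $record | Format-Table -AutoSize
```

Run against each line of the log file, this makes it easy to see which packet types were logged for a given `User-Name`.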

Answers

  • The problem ended up being that it selected the incorrect certificate for RADIUS that did not have the FQDN for subject. I went into the properties for that policy and selected a different internal certificate that worked.

    Dave



    • Marked as answer by DaveBryan37 Tuesday, September 27, 2016 9:38 PM
    • Edited by DaveBryan37 Tuesday, September 27, 2016 10:09 PM
    Tuesday, September 27, 2016 9:38 PM
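
Added example, not part of the original answer: a PowerShell check, run on the NPS server, that lists the certificates in the computer store and shows which ones carry the server's FQDN in the subject. It assumes PowerShell 4.0 or later (for the `DnsNameList` and `EnhancedKeyUsageList` properties); the `Candidate` column is this example's own summary, not an NPS setting.

```powershell
# FQDN of this server, built from the local host name and primary DNS domain.
$ip   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn = ('{0}.{1}' -f $ip.HostName, $ip.DomainName).TrimEnd('.')

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$simpleName    = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
  $cert = $_
  # Subject common name; empty when the certificate was issued with a blank subject.
  $cn = $cert.GetNameInfo($simpleName, $false)
  # DNS names the certificate provider exposes for this certificate.
  $dns = @($cert.DnsNameList | ForEach-Object { $_.Unicode } | Where-Object { $_ })
  $eku = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

  $cnIsFqdn   = ($cn -eq $fqdn)               # -eq is case-insensitive for strings
  $serverAuth = ($eku -contains $serverAuthOid)
  $notExpired = ($cert.NotAfter -gt (Get-Date))

  [pscustomobject]@{
    Thumbprint  = $cert.Thumbprint
    SubjectCN   = $cn
    CnIsFqdn    = $cnIsFqdn
    FqdnInDns   = ($dns -contains $fqdn)
    ServerAuth  = $serverAuth
    PrivateKey  = $cert.HasPrivateKey
    NotAfter    = $cert.NotAfter
    Candidate   = ($cnIsFqdn -and $serverAuth -and $cert.HasPrivateKey -and $notExpired)
  }
} | Sort-Object Candidate -Descending | Format-Table -AutoSize
```

Compare the thumbprints with the certificate selected in the policy's properties; a row with `CnIsFqdn` false matches the situation described in the answer.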

All replies

  • Hi,

    >>Does anyone have any ideas or can point me to a good troubleshooting site for this?

    Please follow this link to verify the NPS migration:

    https://technet.microsoft.com/en-us/library/dn530780(v=ws.11).aspx

    Since the log shows no errors, we suggest you follow the official migration guide and test again:

    Migrate Network Policy Server to Windows Server 2012 R2

    https://technet.microsoft.com/en-us/library/dn530778(v=ws.11).aspx

    If this issue still occurs, you might want to post your query in the Migration forum for further assistance:

    https://social.technet.microsoft.com/Forums/office/en-US/home?forum=winserverMigration

    ________________________________________
    Best Regards,
    Cartman
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact
    tnmff@microsoft.com.


    Friday, August 19, 2016 7:25 AM
  • Hi,

    I am checking to see if the problem has been resolved. If there's anything you'd like to know, don't hesitate to ask.

    ________________________________________
    Best Regards,
    Cartman

    Tuesday, August 23, 2016 8:14 AM
  • No - Same issue, but trying different server.  Copied the same config to a different new 2012R2 server using the correct steps and it also has issues, but it is giving me errors which I can troubleshoot. 

    Dave



    • Edited by DaveBryan37 Wednesday, September 7, 2016 5:05 PM
    Wednesday, September 7, 2016 4:56 PM
  • Hi,

    OK, if you need help, feel free to ask here.


    ________________________________________
    Best Regards,
    Cartman

    Thursday, September 8, 2016 3:00 AM