NPS Reason code 23

  • Question

  • Hello,

    I'm trying to get a 2nd NPS server working on our trusted forests.  One server works, but the 2nd one gives me errors like this (I've xxx'ed out company-specific information):


    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
    Security ID: xxx
    Account Name: xxx
    Account Domain: xxx
    Fully Qualified Account Name: xxx
    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 000B86B7A15F
    Calling Station Identifier: F02475AF11E8

    NAS:
    NAS IPv4 Address: 10.208.0.20
    NAS IPv6 Address: -
    NAS Identifier: 10.208.0.21
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 0

    RADIUS Client:
    Client Friendly Name: xxx
    Client IP Address: 10.208.0.2

    Authentication Details:
    Connection Request Policy Name: Secure Wireless Connections
    Network Policy Name: Secure Wireless Connections
    Authentication Provider: Windows
    Authentication Server: xxx
    Authentication Type: EAP
    EAP Type: Microsoft: Smart Card or other certificate
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 23
    Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

    I have mirrored the configuration from the working server to the non-working server and re-issued all the certs for the non-working server.  I'm not finding anything particularly useful in the In* logs.  Would anyone be willing and able to shed some light on this for me please?

    Thank you in advance.

    Figured it out...I highly recommend using the IAS log viewer from DeepSoftware.com.  Turns out some machines were authenticating and others were not which changed the whole troubleshooting process.  We ended up re-requesting certificates for the machines that were not authenticating and all is working now.  The IAS gives you a realtime READABLE view of the IAS logs.  Cannot recommend it enough.

    Friday, July 20, 2018 5:35 PM
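The finding above (some machines authenticated while others never did) can be read straight out of the denial events. The following is an added example, not code from the thread: it parses event text in the layout quoted in the question and lists the clients that were denied with reason code 23 and never granted access. The sample events are constructed, the wording of the "granted" header line is an assumption, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the layout of the event quoted in the question; names
# and MACs are made up, and the "granted" header wording is an assumption.
SAMPLE = """\
Network Policy Server denied access to a user.
User:
    Account Name: host/LAPTOP-A.example.test
    Fully Qualified Account Name: EXAMPLE\\LAPTOP-A$
Client Machine:
    Account Name: -
    Calling Station Identifier: 02AA00000001
    Reason Code: 23
Network Policy Server granted access to a user.
    Account Name: host/LAPTOP-B.example.test
    Calling Station Identifier: 02AA00000002
Network Policy Server denied access to a user.
    Account Name: host/LAPTOP-B.example.test
    Calling Station Identifier: 02AA00000002
    Reason Code: 23
Network Policy Server denied access to a user.
    Account Name: host/LAPTOP-A.example.test
    Calling Station Identifier: 02AA00000001
    Reason Code: 23
"""

def parse_events(text):
    """Split exported NPS event text into one dict per event."""
    events = []
    # Element 0 is whatever precedes the first event header (possibly empty).
    for chunk in re.split(r"(?m)^(?=[ \t]*Network Policy Server (?:denied|granted) )", text)[1:]:
        head = re.match(r"[ \t]*Network Policy Server (denied|granted) ", chunk)
        def field(name):  # first line of this event that starts with "name:"
            m = re.search(rf"^[ \t]*{name}:(.*)$", chunk, re.M)
            return m.group(1).strip() if m else None
        events.append({"outcome": head.group(1), "account": field("Account Name"),
                       "station": field("Calling Station Identifier"),
                       "reason": field("Reason Code")})
    return events

def never_authenticated(events, reason="23"):
    """Count denials with `reason` for clients that were never granted access."""
    granted = {e["station"] for e in events if e["outcome"] == "granted"}
    return dict(Counter((e["station"], e["account"]) for e in events
                        if e["outcome"] == "denied" and e["reason"] == reason
                        and e["station"] not in granted))

if __name__ == "__main__":
    print(never_authenticated(parse_events(SAMPLE)))
```

A client that shows both denials and a grant is left out, so the remaining entries are the machines whose certificates are worth inspecting first.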

All replies

  • Hi,

    Thanks for your question.

    According to the error code 23 and the error message, the problem may have occurred during authentication with EAP.

    There are some basic requirements for the client certificates and server certificates. First, check to see if the certificates (the Details tab of the certificate’s properties will display the information) meet the minimum requirements. Reference link:

    Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS

    http://support.microsoft.com/kb/814394/en-us

    Delete the certificates which are out of use. Besides, try to reissue the certificate and then delete the old one. Check to see if it will be helpful.

    Best regards,

    Travis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, July 23, 2018 8:30 AM
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Travis



    Thursday, July 26, 2018 9:42 AM
  • Hello and thank you for the response, your suggestions did not solve the problem.  I have been through the link you sent to verify the NPS server certs do meet the requirements and they do.  I did re-issue the certs on one of the Windows 08 machines and made sure old certs were deleted.  I also created two new win16 servers for NPS and issued certs to no avail...still getting the reason code 23.  Any other ideas on what I could check?

    Thursday, July 26, 2018 1:38 PM
  • Do you have any command line tricks I could use to get better diagnostics?  Can you tell me where the EAP logs are?  I see the NPS logs and the event logs, but I have never seen any EAP logs.  
    Thursday, July 26, 2018 2:40 PM
  • Hi,

    Thanks for your reply.

    You can check the entries in the EAP log, which is located under “%windir%\System32\Logfiles”.

    Best regards,

    Travis



    Friday, July 27, 2018 7:04 AM