Migrating 2003 IAS server to 2008 NPS Wireless Authentication 301 Error

  • Question

  • I currently have wireless authentication working through Server 2003 with an IAS server and everything works properly.  However, we're experimenting with moving to NPS for NAP on the wired network, so I'm trying to migrate the wireless network to NPS so we can have the same NAP protections there as well.  I cannot get the NPS server to do a basic authentication.  The last line, the access reject, is giving code 301.  The following event shows in the event log:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          8/21/2009 8:19:47 AM
    Event ID:      6273
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      HAIL-VM-NAP02.***
    Description:
    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
     Security ID:   ***\***
     Account Name:   ***\***
     Account Domain:   ***
     Fully Qualified Account Name: ***\***

    Client Machine:
     Security ID:   NULL SID
     Account Name:   -
     Fully Qualified Account Name: -
     OS-Version:   -
     Called Station Identifier:  000B860970A0
     Calling Station Identifier:  001E4C13E4EA

    NAS:
     NAS IPv4 Address:  10.1.2.8
     NAS IPv6 Address:  -
     NAS Identifier:   10.1.2.7
     NAS Port-Type:   Wireless - IEEE 802.11
     NAS Port:   1

    RADIUS Client:
     Client Friendly Name:  ***
     Client IP Address:   10.1.2.7

    Authentication Details:
     Proxy Policy Name:  NAP 802.1X (Wireless)
     Network Policy Name:  802.1X (Wireless)
     Authentication Provider:  Windows
     Authentication Server:  *.*.*.*
     Authentication Type:  PEAP
     EAP Type:   -
     Account Session Identifier:  -
     Reason Code:   301
     Reason:    Received Crypto-Binding TLV is invalid.

    Here are the logged lines in the NPS log:
    "HAIL-VM-NAP02","IAS",08/21/2009,08:19:47,1,"***\***","***\***","000B860970A0","001E4C13E4EA",,,"10.1.2.7","10.1.2.8",1,0,"10.1.2.7","***",,,19,,,1,,,0,"311 1 ::1 08/21/2009 08:08:59 41",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wireless)",1,,,,
    "HAIL-VM-NAP02","IAS",08/21/2009,08:19:47,11,,"***\***",,,,,,,,0,"10.1.2.7","***",,,,,,,,,0,"311 1 ::1 08/21/2009 08:08:59 41",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wireless)",1,,,,
    "HAIL-VM-NAP02","IAS",08/21/2009,08:19:47,1,"***\***","***\***","000B860970A0","001E4C13E4EA",,,"10.1.2.7","10.1.2.8",1,0,"10.1.2.7","***",,,19,,,1,,,0,"311 1 ::1 08/21/2009 08:08:59 42",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wireless)",1,,,,
    "HAIL-VM-NAP02","IAS",08/21/2009,08:19:47,11,,"***\***",,,,,,,,0,"10.1.2.7","***",,,,,,,,,0,"311 1 ::1 08/21/2009 08:08:59 42",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wireless)",1,,,,
    "HAIL-VM-NAP02","IAS",08/21/2009,08:19:47,1,"***\***","***\***","000B860970A0","001E4C13E4EA",,,"10.1.2.7","10.1.2.8",1,0,"10.1.2.7","***",,,19,,,1,,,0,"311 1 ::1 08/21/2009 08:08:59 43",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wireless)",1,,,,
    "HAIL-VM-NAP02","IAS",08/21/2009,08:19:47,11,,"***\***",,,,,,,,0,"10.1.2.7","***",,,,,,,,,0,"311 1 ::1 08/21/2009 08:08:59 43",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wireless)",1,,,,
    "HAIL-VM-NAP02","IAS",08/21/2009,08:19:47,1,"***\***","***\***","000B860970A0","001E4C13E4EA",,,"10.1.2.7","10.1.2.8",1,0,"10.1.2.7","***",,,19,,,1,,,0,"311 1 ::1 08/21/2009 08:08:59 44",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wireless)",1,,,,
    "HAIL-VM-NAP02","IAS",08/21/2009,08:19:47,11,,"***\***",,,,,,,,0,"10.1.2.7","***",,,,,,,,,0,"311 1 ::1 08/21/2009 08:08:59 44",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wireless)",1,,,,
    "HAIL-VM-NAP02","IAS",08/21/2009,08:19:47,1,"***\***","***\***","000B860970A0","001E4C13E4EA",,,"10.1.2.7","10.1.2.8",1,0,"10.1.2.7","***",,,19,,,1,,,0,"311 1 ::1 08/21/2009 08:08:59 45",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wireless)",1,,,,
    "HAIL-VM-NAP02","IAS",08/21/2009,08:19:47,11,,"***\***",,,,,,,,0,"10.1.2.7","***",,,,,,,,,0,"311 1 ::1 08/21/2009 08:08:59 45",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wireless)",1,,,,
    "HAIL-VM-NAP02","IAS",08/21/2009,08:19:47,1,"***\***","***\***","000B860970A0","001E4C13E4EA",,,"10.1.2.7","10.1.2.8",1,0,"10.1.2.7","***",,,19,,,,5,,0,"311 1 ::1 08/21/2009 08:08:59 46",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wireless)",1,,,,
    "HAIL-VM-NAP02","IAS",08/21/2009,08:19:47,11,,"***\***",,,,,,,,0,"10.1.2.7","***",,,,,,,5,,0,"311 1 ::1 08/21/2009 08:08:59 46",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wireless)",1,,,,
    "HAIL-VM-NAP02","IAS",08/21/2009,08:19:47,1,"***\***","***\***","000B860970A0","001E4C13E4EA",,,"10.1.2.7","10.1.2.8",1,0,"10.1.2.7","***",,,19,,,1,5,,0,"311 1 ::1 08/21/2009 08:08:59 47",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wireless)",1,,,,
    "HAIL-VM-NAP02","IAS",08/21/2009,08:19:47,11,,"***\***",,,,,,,,0,"10.1.2.7","***",,,,,,,5,,0,"311 1 ::1 08/21/2009 08:08:59 47",60,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wireless)",1,,,,
    "HAIL-VM-NAP02","IAS",08/21/2009,08:19:47,1,"***\***","***\***","000B860970A0","001E4C13E4EA",,,"10.1.2.7","10.1.2.8",1,0,"10.1.2.7","***",,,19,,,1,5,,0,"311 1 ::1 08/21/2009 08:08:59 48",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wireless)",1,,,,
    "HAIL-VM-NAP02","IAS",08/21/2009,08:19:47,11,,"***\***",,,,,,,,0,"10.1.2.7","***",,,,,,,5,,0,"311 1 ::1 08/21/2009 08:08:59 48",60,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wireless)",1,,,,
    "HAIL-VM-NAP02","IAS",08/21/2009,08:19:47,1,"***\***","***\***","000B860970A0","001E4C13E4EA",,,"10.1.2.7","10.1.2.8",1,0,"10.1.2.7","***",,,19,,,1,11,"802.1X (Wireless)",0,"311 1 ::1 08/21/2009 08:08:59 49",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"0x01494E47414C4C53",,,"NAP 802.1X (Wireless)",1,,,,
    "HAIL-VM-NAP02","IAS",08/21/2009,08:19:47,11,,"***\***",,,,,,,,0,"10.1.2.7","***",,,,,,,11,"802.1X (Wireless)",0,"311 1 ::1 08/21/2009 08:08:59 49",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wireless)",1,,,,
    "HAIL-VM-NAP02","IAS",08/21/2009,08:19:47,1,"***\***","***\***","000B860970A0","001E4C13E4EA",,,"10.1.2.7","10.1.2.8",1,0,"10.1.2.7","***",,,19,,,1,11,"802.1X (Wireless)",0,"311 1 ::1 08/21/2009 08:08:59 50",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wireless)",1,,,,
    "HAIL-VM-NAP02","IAS",08/21/2009,08:19:47,3,,"***\***",,,,,,,,0,"10.1.2.7","***",,,,,,,11,"802.1X (Wireless)",301,"311 1 ::1 08/21/2009 08:08:59 50",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wireless)",1,,,,



    No settings on the wireless client are changed, so I don't believe it can be the problem.

    The only setting changed on the wireless controller is the radius server from 10.6.50.9 (IAS) to 10.6.50.11 (NPS).  So that shouldn't be a problem.

    So that leaves me having set up the NPS server incorrectly somehow.

    Please help.

    Friday, August 21, 2009 1:51 PM
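
Added example, not part of the original thread: a short Python parser for NPS log lines of the kind quoted in the question. It pairs each Access-Reject (packet type 3) with the Access-Request carrying the same Class value, so the reason code can be tied back to the client's Calling Station ID, which the reject record itself leaves blank. Column positions follow the database-compatible log format seen in those lines; the sample records, the server name `NPS01`, the user `EXAMPLE\user` and the friendly name `wlc` are constructed.

```python
import csv
import io

# Zero-based column positions in the database-compatible NPS log format,
# checked against the records quoted in the question.
COL = {"packet_type": 4, "user": 6, "calling_station": 8, "client_ip": 15,
       "auth_type": 23, "policy": 24, "reason_code": 25, "class": 26}
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "11": "Access-Challenge"}

# Constructed sample records (shortened; real lines carry more trailing columns).
SAMPLE_LOG = r'''"NPS01","IAS",08/21/2009,08:19:47,1,"EXAMPLE\user","EXAMPLE\user","000B860970A0","001E4C13E4EA",,,"10.1.2.7","10.1.2.8",1,0,"10.1.2.7","wlc",,,19,,,1,11,"802.1X (Wireless)",0,"311 1 ::1 08/21/2009 08:08:59 49"
"NPS01","IAS",08/21/2009,08:19:47,11,,"EXAMPLE\user",,,,,,,,0,"10.1.2.7","wlc",,,,,,,11,"802.1X (Wireless)",0,"311 1 ::1 08/21/2009 08:08:59 49",30
"NPS01","IAS",08/21/2009,08:19:47,1,"EXAMPLE\user","EXAMPLE\user","000B860970A0","001E4C13E4EA",,,"10.1.2.7","10.1.2.8",1,0,"10.1.2.7","wlc",,,19,,,1,11,"802.1X (Wireless)",0,"311 1 ::1 08/21/2009 08:08:59 50"
"NPS01","IAS",08/21/2009,08:19:47,3,,"EXAMPLE\user",,,,,,,,0,"10.1.2.7","wlc",,,,,,,11,"802.1X (Wireless)",301,"311 1 ::1 08/21/2009 08:08:59 50"
'''


def parse(log_text):
    """Yield one dict per log record, keeping only the columns named in COL."""
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) <= COL["class"]:
            continue  # blank or truncated line
        rec = {name: row[i] for name, i in COL.items()}
        rec["packet"] = PACKET_TYPES.get(rec["packet_type"], rec["packet_type"])
        yield rec


def rejected_requests(log_text):
    """Pair each Access-Reject with the Access-Request sharing its Class value."""
    requests, rejects = {}, []
    for rec in parse(log_text):
        if rec["packet"] == "Access-Request":
            requests[rec["class"]] = rec
        elif rec["packet"] == "Access-Reject":
            req = requests.get(rec["class"], {})
            rejects.append({"user": rec["user"], "policy": rec["policy"],
                            "reason_code": int(rec["reason_code"]),
                            "calling_station": req.get("calling_station", ""),
                            "client_ip": rec["client_ip"]})
    return rejects


if __name__ == "__main__":
    for r in rejected_requests(SAMPLE_LOG):
        print(r)
```
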

All replies

  • Hi,

    The NPS server will always send a cryptobinding TLV, and there is no option to disable this. However, it does not require cryptobinding from the client unless the option (disconnect clients without cryptobinding) is enabled. Can you check and see if this setting is enabled in the policy that your client computer is matching?

    On the Settings tab, click Authentication Methods. In EAP Types, click Microsoft: Protected EAP (PEAP), and then click Edit. One of the available options in the Edit Protected EAP Properties dialog box is to Disconnect Clients Without Cryptobinding.






    Also, did you delete the client machine information or is it showing up blank?

    Client Machine:
     Security ID:   NULL SID
     Account Name:   -
     Fully Qualified Account Name: -
     OS-Version:   -
     Called Station Identifier:  000B860970A0
     Calling Station Identifier:  001E4C13E4EA


    -Greg

    Saturday, August 22, 2009 4:47 AM
  • Disconnect Clients without Cryptobinding is unchecked.

    And the machine is coming back exactly like that; that section of the log is unedited.

    Thanks
    Jason
    Monday, August 24, 2009 1:14 PM
  • I've since tried it with both "Disconnect clients without cryptobinding" checked and unchecked.  The error message is identical in either case.
    Monday, August 31, 2009 1:40 PM
  • Hi,

    This question is still not answered but has fallen off the first page of the forum so it may not be getting the attention needed.

    Please let me know if there is any further information about this issue. I will also try to summarize the current question and get an answer if possible, or move the question to another forum if it is not appropriate for the NAP forum.

    Greg Lindsay

    Friday, March 19, 2010 8:22 PM
  • I am running into the same issue.  I have checked and unchecked Disconnect Clients Without Cryptobinding with the same result.
    Wednesday, April 21, 2010 11:27 PM
  • I am also running into the same issue.  I have checked and unchecked Disconnect Clients Without Cryptobinding with the same result. Have tried replacing Server Cert, re-doing the policies, nothing seems to change - The logs never show that EAP is ever established - thus the blank EAP Type.
    Friday, June 25, 2010 3:30 PM
  • I am currently working with Microsoft on this issue. So far no joy. I will post if they resolve this issue.
    Thursday, July 15, 2010 7:48 PM
  • Hi

    Any resolution by Microsoft?

    Monday, August 23, 2010 4:55 PM
  • The resolution in my case was to disable the DELL WLAN controller (Broadcom) and let Windows control wireless. It appears to be an issue with the Broadcom drivers. I have not been able to resolve the issue with the Broadcom as of yet.
    • Proposed as answer by craymond Wednesday, June 22, 2011 3:24 PM
    • Unproposed as answer by craymond Wednesday, June 22, 2011 3:24 PM
    Tuesday, September 14, 2010 5:50 PM
  • The solution was to update the Broadcom drivers in our case. If you download the Broadcom WLAN software and drivers, and install it, the only thing that it updated was the software. For some reason it did not install the drivers. Once the driver was removed and then the new software and driver was installed, everything worked. It may just be a driver issue.
    • Proposed as answer by craymond Wednesday, June 22, 2011 3:52 PM
    Wednesday, June 22, 2011 3:52 PM
  • What Broadcom drivers did you use? Did you get the authentication to run on Dell Wireless utility or did you have to switch over to 'Wireless Zero Configuration'? In my case, Windows Explorer crashes and restarts when I click on PEAP properties on an XP machine. We have a group policy for the Wireless Settings. It seems like there is no communication taking place if I use Windows Wireless Service. But on the Dell Wireless utility - I get the 'Crypto Binding TLV not valid' error on the NPS. So if changing the Broadcom drivers does the trick and if I can use the Dell Wireless Utility, at least I will have Wireless working for the user.

    Wednesday, August 3, 2011 3:32 PM