Computers having issues reauthenticating

  • Question

  • I am having issues with NPS when computers are trying to re-authenticate. Before diving into my issue I'll post my setup. 

    Workstations are connected to two different switches that have 802.1x enabled by port. 

    I have two Server 2012 domain controllers with NPS role installed. One switch is an Extreme Networks x450a-48T and the other is a x150-48T. Both are running ExtremeXOS version 12.6.3.2.

    The issue I am having is that according to the switch, it is having issues talking to my NPS servers. If this happens when a computer is trying to re-authenticate, the authentication fails disconnecting them from the network for either a few seconds or a couple of minutes. Looking at the time stamp in the logs between the NPS servers and the switch, the errors are within seconds of each other so I cannot tell which one was actually first.

    On the server, I get this in the event viewer (identifiable information changed):

    Time: 4/22/2014 10:50:37 AM

    Network Policy Server discarded the request for a user. Contact the Network Policy Server administrator for more information.

    User:
      Security ID: domain\computername$
      Account Name: host/computername.domain.local
      Account Domain: domain
      Fully Qualified Account Name: domain\computername$

    Client Machine:
      Security ID: NULL SID
      Account Name: -
      Fully Qualified Account Name: -
      OS-Version: -
      Called Station Identifier: -
      Calling Station Identifier: <mac address>

    NAS:
      NAS IPv4 Address: <switch ip>
      NAS IPv6 Address: -
      NAS Identifier: -
      NAS Port-Type: Ethernet
      NAS Port: 1015

    RADIUS Client:
      Client Friendly Name: <switch name>
      Client IP Address: <switch ip>

    Authentication Details:
      Connection Request Policy Name: wired
      Network Policy Name: user-office port-based
      Authentication Provider: Windows
      Authentication Server: NPS1.domain.local
      Authentication Type: EAP
      EAP Type: -
      Account Session Identifier: -
      Reason Code: 1
      Reason: An internal error occurred. Check the system event log for additional information.


    And then when I look at the switch, it has: 

    04/22/2014 11:52:02.72 <Info:nl.ClientAuthenticated> Network Login 802.1x user host/computername.domain.local logged in MAC <mac address> port 15 VLAN(s) "user-office", authentication Radius
    04/22/2014 11:50:46.58 <Info:nl.ClientReAuth> Network Login user host/computername.domain.local unauthenticated as reauthentication failed, Mac <mac address> port 15 VLAN(s) "user-office"
    04/22/2014 11:50:46.57 <Warn:AAA.RADIUS.noRespForDot1xReq> No response from RADIUS server (NPS1 address) for 802.1x request sent from switch.
    04/22/2014 11:50:46.57 <Warn:AAA.RADIUS.serverSwitch> Switch to server (NPS2 address)
    04/22/2014 11:50:43.56 <Warn:AAA.RADIUS.resendPkt> Resend packet to Authentication Server address (NPS1 address) current packet count is 2
    04/22/2014 11:50:40.56 <Warn:AAA.RADIUS.resendPkt> Resend packet to Authentication Server address (NPS1 address) current packet count is 1
    

    I see that the NPS server says the reason code is 1 which means it was an internal error which leads me to believe that the switch cannot contact the NPS server during the time when the server is having an error. I have found the logging failures can lead to not allowing a client to authenticate but I have logging enabled locally only and within the logging settings, I have "If logging fails, discard connection requests." so even if it was a logging failure, that should not prevent the client from authenticating.

    Any guidance as to what is causing this problem for me and how to fix it?

    Tuesday, April 22, 2014 5:24 PM
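    The two log sources in the question tell different halves of one story: the switch only sees "no response" and fails over, while NPS records that it received the request and deliberately discarded it (an NPS discard sends nothing back, so to the NAS it is indistinguishable from packet loss). The script below is an added example, not code from this thread or from Microsoft/Extreme, that parses ExtremeXOS netlogin/RADIUS lines, reconstructs the retry timeline for each failed reauthentication, and checks whether a matching NPS "discarded the request" event (Security log Event ID 6274) falls inside that window. The log lines and NPS records are constructed from the excerpts above with invented hostnames, MACs and addresses; the one-hour clock offset applied to the NPS timestamps is an assumption about time zones that the thread does not confirm.

```python
"""Correlate ExtremeXOS RADIUS/netlogin messages with NPS 6274 'discarded' events.
Added example for this thread (not from the original posts); all sample data
below is constructed from the question's excerpts with invented identifiers."""
import re
from datetime import datetime, timedelta

# Constructed switch log, same message formats as the excerpt in the question.
SWITCH_LOG = """\
04/22/2014 11:52:02.72 <Info:nl.ClientAuthenticated> Network Login 802.1x user host/ws17.corp.local logged in MAC 00:11:22:33:44:55 port 15 VLAN(s) "user-office", authentication Radius
04/22/2014 11:50:46.58 <Info:nl.ClientReAuth> Network Login user host/ws17.corp.local unauthenticated as reauthentication failed, Mac 00:11:22:33:44:55 port 15 VLAN(s) "user-office"
04/22/2014 11:50:46.57 <Warn:AAA.RADIUS.noRespForDot1xReq> No response from RADIUS server 10.0.0.11 for 802.1x request sent from switch.
04/22/2014 11:50:46.57 <Warn:AAA.RADIUS.serverSwitch> Switch to server 10.0.0.12
04/22/2014 11:50:43.56 <Warn:AAA.RADIUS.resendPkt> Resend packet to Authentication Server address 10.0.0.11 current packet count is 2
04/22/2014 11:50:40.56 <Warn:AAA.RADIUS.resendPkt> Resend packet to Authentication Server address 10.0.0.11 current packet count is 1
"""

# Constructed NPS records: Security-log Event ID 6274 ("Network Policy Server
# discarded the request for a user"), reduced to the fields used here. NPS
# timestamps have one-second resolution; the switch logs hundredths.
NPS_EVENTS = [
    {"time": datetime(2014, 4, 22, 10, 50, 37), "event_id": 6274, "reason_code": 1,
     "calling_station": "00-11-22-33-44-55", "nas_port": 1015},
]

LINE_RE = re.compile(r"^(\S+ \S+) <(\w+):([\w.]+)> (.*)$")
MAC_RE = re.compile(r"\b(?:Mac|MAC) ([0-9A-Fa-f:]{17})")
RESEND_RE = re.compile(r"Authentication Server address (\S+) current packet count is (\d+)")


def norm_mac(s):
    """NAS and NPS write MACs with different separators; compare hex digits only."""
    return re.sub(r"[^0-9a-f]", "", s.lower())


def parse_switch_log(text):
    """Parse '<date> <time> <Level:Component> message' lines, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not an XOS log entry
        events.append({"time": datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S.%f"),
                       "level": m.group(2), "id": m.group(3), "msg": m.group(4)})
    return sorted(events, key=lambda e: e["time"])


def radius_exchanges(events, window_s=60):
    """For each failed reauth, reconstruct the RADIUS retries that led to it.

    XOS logs only the *resends*, so the original Access-Request time is
    estimated as first resend minus the retry interval (second minus first).
    seconds_to_fail is how long the client waited before being dropped."""
    out = []
    for i, ev in enumerate(events):
        if ev["id"] != "nl.ClientReAuth" or "reauthentication failed" not in ev["msg"]:
            continue
        since = ev["time"] - timedelta(seconds=window_s)
        prior = [e for e in events[:i] if since <= e["time"] <= ev["time"]]
        resends = [e for e in prior if e["id"] == "AAA.RADIUS.resendPkt"]
        failover = any(e["id"] == "AAA.RADIUS.serverSwitch" for e in prior)
        if len(resends) >= 2:
            interval = (resends[1]["time"] - resends[0]["time"]).total_seconds()
            first_send = resends[0]["time"] - timedelta(seconds=interval)
            server = RESEND_RE.search(resends[0]["msg"]).group(1)
        else:  # too little data to estimate; fall back to the failure time
            interval, first_send, server = None, ev["time"], None
        out.append({"mac": norm_mac(MAC_RE.search(ev["msg"]).group(1)), "server": server,
                    "retries": len(resends), "retry_interval_s": interval,
                    "failover": failover, "first_send": first_send, "failed_at": ev["time"],
                    "seconds_to_fail": round((ev["time"] - first_send).total_seconds(), 2)})
    return out


def classify(exchange, nps_events, clock_offset_s=0.0, slack_s=2.0):
    """Did NPS see the request the switch gave up on?

    clock_offset_s is added to NPS timestamps to put them on the switch's
    clock (assumed time-zone difference). A 6274 for the same Calling-Station-Id
    inside the retry window means the packet arrived and NPS answered nothing,
    which the NAS can only report as a timeout."""
    lo = exchange["first_send"] - timedelta(seconds=slack_s)
    hi = exchange["failed_at"] + timedelta(seconds=slack_s)
    for n in nps_events:
        t = n["time"] + timedelta(seconds=clock_offset_s)
        if (n["event_id"] == 6274 and norm_mac(n["calling_station"]) == exchange["mac"]
                and lo <= t <= hi):
            return "discarded_by_nps", n["reason_code"]
    return "no_nps_record", None


def analyse(switch_log, nps_events, clock_offset_s=0.0):
    report = []
    for ex in radius_exchanges(parse_switch_log(switch_log)):
        verdict, reason = classify(ex, nps_events, clock_offset_s)
        report.append({**ex, "verdict": verdict, "nps_reason_code": reason})
    return report


if __name__ == "__main__":
    for r in analyse(SWITCH_LOG, NPS_EVENTS, clock_offset_s=3600):
        print(f"{r['mac']}: {r['retries']} resends every {r['retry_interval_s']}s to "
              f"{r['server']}, failover={r['failover']}, dropped after "
              f"{r['seconds_to_fail']}s, verdict={r['verdict']} (reason {r['nps_reason_code']})")
```

    On the constructed data the switch retransmits twice at a 3 s interval and drops the client about 9 s after the estimated original request, and the NPS discard (once shifted by the assumed offset) lands inside that window, so the verdict is "discarded_by_nps" with reason code 1: the packet reached NPS, and the switch-side "no response" is a consequence of the server-side error rather than a network problem. Run it with clock_offset_s=0 and the same failure is reported as "no_nps_record", which is what the thread's apparent contradiction between the two logs looks like before the clocks are reconciled. Real events can be exported from the Security log (for example with Get-WinEvent filtered on ID 6274) and fed in with the same field names.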

Answers

  • I have disabled reauthentication and have not had any issues since then. Not sure if I really need reauthentication anyway. Any device that connects will either pass if it's a legit device or fail if it is not. I don't see the need to reauthenticate a device that has already passed. I don't have any worries about a device being accepted and then me removing it from the approved list and worrying that it still remains authenticated on my network. If that was the case, I would just disable the port on the switch it is connected to. 

    Marking this as answer since it got rid of the issue but not sure if everyone will see removing the reauthentication as a solution. 

    • Edited by dom8925 Monday, July 14, 2014 4:38 PM
    • Marked as answer by dom8925 Monday, July 14, 2014 4:38 PM
    Friday, July 11, 2014 9:07 PM

All replies

  • Hi,

    First, troubleshoot the issue by following article.

    Access Request Was Discarded

    http://technet.microsoft.com/en-us/library/dd348465.aspx

    Since error code 1 indicates NPS server error, please verify the configuration:

    Configure a Wireless Access Point as an NPS RADIUS Client

    http://technet.microsoft.com/en-us/library/dd283005(WS.10).aspx

    NPS RADIUS Client

    http://technet.microsoft.com/en-us/library/cc735367(v=ws.10).aspx

    Checklist: Configure NPS for Secure Wireless Access

    http://technet.microsoft.com/en-us/library/cc771696.aspx

    802.1X Authenticated Wireless Deployment Guide

    http://technet.microsoft.com/en-us/library/dd283093(v=ws.10).aspx

    Hope this helps.

    Thursday, April 24, 2014 6:30 AM
  • Thanks but none of those articles help. I do not use SQL logging and my configs are working except for the switches having timeouts to the server.

    Anyone else?

    Thursday, April 24, 2014 2:36 PM
  • bump
    Monday, May 5, 2014 8:29 PM
  • bump again. Anyone have any clues?
    Tuesday, May 20, 2014 2:19 PM
  • Just a wild guess:

    Is the NPS' server certificate still valid? This discussion implies that an expired cert. could cause an "internal error". Or has the certificate been renewed recently?

    Though I have never seen issues with renewed certificates myself this post says you might need to switch to the new certificate manually. I would try to explicitly select the new certificate in the NPS config.

    In any case, I'd check certificate validation (including CRLs) at the server by running

    certutil -verify -urlfetch [servercert].crt

    at the NPS, probably with CAPI2 logging enabled (in eventviewer, among the MS-specific logging options) and check for any cert. errors. This is to check if NPS can validate its own certificate correctly.

    How has the certificate been generated?

    With web servers I had also seen very weird "internal" SChannel errors if the wrong crypto provider has been picked.

    Elke

    Friday, May 23, 2014 6:37 AM
  • Certificate is valid. I deployed NPS about a year ago and had those issues before. My original cert had expired already but I renewed it about a month ago following the steps above. 

    Computers are able to authenticate so the certificate is valid. It's just that it fails to re-authenticate sometimes. Sometimes I can go a day with no computer failing, other days computers fail multiple times in the day. 


    • Edited by dom8925 Tuesday, June 17, 2014 2:19 PM
    Friday, May 23, 2014 8:48 PM
  • Still need help if anyone has any insights. 
    Tuesday, June 17, 2014 2:20 PM
  • I do not really have more insights - I guess more debugging is required. If possible, I would try to compare working versus failing authentication.

    Just wanted to add more information on logging options though these logs might not be easy to read:

    EAPHost Tracing

    netsh ras tracing

    I guess the challenge is to reproduce the failing request though.

    Elke
    (Sorry, accidentally deleted my post before instead of editing. this is the edited replacement.)

    Tuesday, June 17, 2014 9:48 PM
  • Re your question "Not sure if I really need reauthentication anyway."

    It is often used to achieve something as close as possible to "two-factor" authentication by both machine and user accounts. When the machine boots first the computer account is authenticated; when the user logs on the computer account is logged off; when the user logs off the computer logs on again.

    However, NPS does not really track if it sees computer authentication "plus" user authentication "coming from the same machine", and you need to control the related GPO / registry setting on a machine in order to really enforce "machine plus user" authentication. If a user configures a private PC for user authentication only and types in domain credentials he would be allowed to logon - so re-authentication could be considered less secure than computer-only authentication if the goal is to block non-managed machines.

    Details depend on your policy and conditions - this argument was for using mainly computer and/or machine groups.

    Monday, July 14, 2014 4:24 PM
  • Re your question "Not sure if I really need reauthentication anyway."

    It is often used to achieve something as close as possible to "two-factor" authentication by both machine and user accounts. When the machine boots first the computer account is authenticated; when the user logs on the computer account is logged off; when the user logs off the computer logs on again.

    However, NPS does not really track if it sees computer authentication "plus" user authentication "coming from the same machine", and you need to control the related GPO / registry setting on a machine in order to really enforce "machine plus user" authentication. If a user configures a private PC for user authentication only and types in domain credentials he would be allowed to logon - so re-authentication could be considered less secure than computer-only authentication if the goal is to block non-managed machines.

    Details depend on your policy and conditions - this argument was for using mainly computer and/or machine groups.

    I am using computer-only authentication. 
    Monday, July 14, 2014 4:32 PM
  • I am using computer-only authentication.

    Yes - I understood your previous reply in this way. I just wanted to explain what arguments are commonly used for reauthentication ... it was meant as a support for your argument against re-authentication.

    Monday, July 14, 2014 4:36 PM
  • I am using computer-only authentication.

    Yes - I understood your previous reply in this way. I just wanted to explain what arguments are commonly used for reauthentication ... it was meant as a support for your argument against re-authentication.

    Oh ok.
    Monday, July 14, 2014 4:37 PM