Wireless Access

Occasional Contributor II

Re: Server 2008 NPS Radius Timeouts..

I was able to narrow down my issue to iPhones/iPads with outdated cached Active Directory credentials. Here is how I was able to reproduce the issue:

 

  1. Join iWhatever to the wireless network using valid AD credentials.
  2. Change the AD password.
  3. Turn off the iWhatever (or just turn off the WiFi) and then turn it back on.
  4. If you let it sit at the home screen, it will try to connect with the outdated AD credentials over and over. For some reason instead of REJECTING the connection attempt, NPS decides to discard it.
  5. The Aruba controller rightfully doesn't see a response from NPS so it marks it as down.

Now if you try to use any data on the device at step #4 (for instance you load Safari or the Mail app) you *are* prompted for new credentials. One of my users incorrectly assumed it would be her Apple ID credentials and did not notify anyone when it didn't take her password so she gave up using data on my wireless network. Unfortunately the device would try to join the wireless network over and over every morning when she brought it in.

 

I am still confused as to why NPS is just discarding the request instead of answering one way or another. I do not know if the finger should be pointed at Apple or Microsoft. If the iWhatever actually prompted for credentials after it failed to join a network x number of times I think I wouldn't be having this issue...

Contributor I

Re: Server 2008 NPS Radius Timeouts..

How can EAP termination be done on the controller?

Guru Elite

Re: Server 2008 NPS Radius Timeouts..


@mahesh_shirke wrote:

How can EAP termination be done on the controller?


Mahesh_Shirke,

 

Please search the knowledgebase here: http://support.arubanetworks.com/KNOWLEDGEBASE/tabid/133/Default.aspx before posting in the forum. It will save you a great deal of time.

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide
Contributor II

Re: Server 2008 NPS Radius Timeouts..

I have the same situation where the NPS is discarding EAP silently and causing the controller to mark the server as down when there has been no 3x10 reply. Has anyone found out why no reply is given? I have Googled this one to exhaustion.


Re: Server 2008 NPS Radius Timeouts..

Was just wondering if anyone got a resolution to this issue? Seeing something similar...


Cheers
James
----------------------------------------------------------------------
--------------------------@whereisjrw--------------------------
---------------------------------blog-------------------------------
ACCX #540 | ACMX #353 | ACDX #216 | AMFX #11
----------------------------------------------------------------------
----------------------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
Contributor II

Re: Server 2008 NPS Radius Timeouts..

We have found in our environment that it is due to NPS 2008 silently discarding non-PEAP authentication requests. The logs of the NPS server show:

Authentication Details:
    Connection Request Policy Name:  1-Secure Wireless Connections Aruba
    Network Policy Name:             Secure Wireless Connections Aruba London
    Authentication Provider:         Windows
    Authentication Server:           MISRAD1.xxxx.domain-name.com
    Authentication Type:             EAP
    EAP Type:                        -
    Account Session Identifier:      -
    Reason Code:                     1
    Reason:                          An internal error occurred. Check the system event log for additional information.

 

A PEAP request shows:

Authentication Details:
    Connection Request Policy Name:  1-Secure Wireless Connections Aruba
    Network Policy Name:             Secure Wireless Connections Aruba London
    Authentication Provider:         Windows
    Authentication Server:           MISRAD1.xxxx.domain-name.com
    Authentication Type:             PEAP
    EAP Type:                        Microsoft: Secured password (EAP-MSCHAP v2)
    Account Session Identifier:      -

Quarantine Information:
    Result:                          Full Access
    Extended-Result:                 -
    Session Identifier:              -
    Help URL:                        -
    System Health Validator Result(s):
        -

 

The server admins are still working with Microsoft to ascertain why it is not rejecting the request as opposed to just discarding the request. A WS capture on the controller will show the 3x10 rules and timeout. This is mainly caused by BYOD clients that are not policy enforced. I have also had lengthy conversations with an Aruba TAC engineer about this. The controller will mark any server down on a 3x10 rule *even* if there is other radius traffic passing (request/challenge/approve/reject), which to me does not make sense. Apparently this has been the source of some debate within Aruba.

 

What has made matters worse is that in 6.3.1.5 SNMP has been updated to send these traps out. I have since disabled them:

wlsxAuthServerReqTimedOut    Yes    Disabled
wlsxNAuthServerTimedOut      Yes    Disabled

...and also set my dead timers to 0:

Global User idle timeout = 15300 seconds
Auth Server dead time = 0 minutes
Logon user lifetime = 5 minutes
User Interim stats frequency = 300 seconds

 

It's not ideal, but stops the reporting and automatic ticket generation.

 

The RADIUS RFC states:

http://www.ietf.org/rfc/rfc3579.txt

“On receiving a valid Access-Request packet containing EAP-Message attribute(s), a RADIUS server compliant with this specification and wishing to authenticate with EAP MUST respond with an Access-Challenge packet containing EAP-Message attribute(s). If the RADIUS server does not support EAP or does not wish to authenticate with EAP, it MUST respond with an Access-Reject.”

 

We continue to work with Microsoft.
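The two log excerpts in the post above differ in a way that is easy to sort on automatically: the dropped request carries Authentication Type EAP with no EAP Type and Reason Code 1, while the answered PEAP request has an EAP Type and no Reason Code. The script below is an added example written for this thread (not code from Microsoft, Aruba or the poster). It parses NPS "Authentication Details" text in the form quoted above, labels each event as discarded, answered or rejected, and reports the longest streak of consecutive discards, which is the quantity a NAS retry counter reacts to. The sample log is constructed from the two blocks in the post; the fourth block, a rejected PEAP attempt, and the event order are my own additions.

```python
"""Classify NPS authentication events by outcome from their text export.

Added example for this forum thread, not Microsoft's, Aruba's or the poster's
code. Outcomes: "discarded" (Authentication Type EAP, EAP Type "-", Reason
Code 1: the request NPS dropped without an Access-Reject), "answered" (no
Reason Code or Reason Code 0) and "rejected" (any other Reason Code).
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# "Key: value" rows; the key stops at the first colon so a value such as
# "Microsoft: Secured password (EAP-MSCHAP v2)" keeps its own colon.
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")

# Constructed sample, modelled on the two blocks quoted in the thread.
COMMON = """\
Authentication Details:
    Connection Request Policy Name: 1-Secure Wireless Connections Aruba
    Network Policy Name: Secure Wireless Connections Aruba London
    Authentication Provider: Windows
    Authentication Server: MISRAD1.xxxx.domain-name.com
"""
DISCARDED = COMMON + """\
    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: -
    Reason Code: 1
    Reason: An internal error occurred. Check the system event log for additional information.

"""
ACCEPTED = COMMON + """\
    Authentication Type: PEAP
    EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
    Account Session Identifier: -

Quarantine Information:
    Result: Full Access
    System Health Validator Result(s):
          -

"""
REJECTED = COMMON + """\
    Authentication Type: PEAP
    EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
    Reason Code: 16
    Reason: Authentication failed due to a user credentials mismatch.

"""
# Two dropped requests, one accept, one explicit reject (constructed order).
SAMPLE_LOG = DISCARDED + DISCARDED + ACCEPTED + REJECTED


def parse_events(text: str) -> List[Dict[str, str]]:
    """Return one dict per 'Authentication Details:' block, keyed by field name."""
    events: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue                      # blank lines and the bare "-" rows
        key, value = m.group(1).strip(), m.group(2)
        if key == "Authentication Details":
            events.append({})             # a new event starts here
        elif value and events:
            events[-1][key] = value       # sub-headers carry no value and are skipped
    return events


def classify(event: Dict[str, str]) -> str:
    """Map one event to 'discarded', 'answered' or 'rejected'."""
    reason = event.get("Reason Code")
    if (event.get("Authentication Type") == "EAP"
            and event.get("EAP Type", "-") == "-"
            and reason == "1"):
        return "discarded"
    if reason in (None, "0"):
        return "answered"
    return "rejected"


def longest_discard_run(outcomes: List[str]) -> int:
    """Longest streak of consecutive discards: what a NAS retry counter sees."""
    best = run = 0
    for outcome in outcomes:
        run = run + 1 if outcome == "discarded" else 0
        best = max(best, run)
    return best


def summarize(text: str) -> Tuple[Counter, int]:
    outcomes = [classify(e) for e in parse_events(text)]
    return Counter(outcomes), longest_discard_run(outcomes)


if __name__ == "__main__":
    counts, run = summarize(SAMPLE_LOG)
    for outcome, n in sorted(counts.items()):
        print(f"{outcome:10s} {n}")
    print(f"longest run of unanswered requests: {run}")
```

Run against a real export, the discard count per hour and the longest run are the two numbers worth putting next to the controller's server-down events: a controller that counts timeouts regardless of other traffic, as described above, will trip whenever a single misbehaving client produces a run long enough, even while every other user is being accepted.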



Re: Server 2008 NPS Radius Timeouts..

Thanks for the detailed update!

 

Keep us posted. :)


Cheers
James
Contributor II

Re: Server 2008 NPS Radius Timeouts..

More often than not, it is also a Blackberry that does it.

Contributor II

Re: Server 2008 NPS Radius Timeouts..

We're seeing the same issues, and some time has passed on this ticket. Were you ever able to come up with a better resolution?

 

Great thread, good details.

 

Just FYI, we're using Server 2012 NPS and seeing the same thing.

All-Decade MVP 2020

Re: Server 2008 NPS Radius Timeouts..

Is this causing your users AD accounts to be locked out or is the request discarded before it's processed to the domain?

 

I remember with older NPS servers we had this issue and could resolve this by using NPS lockout method described here:

http://technet.microsoft.com/en-us/library/dd197529(v=ws.10).aspx

 

With reset timers etc. timed correctly with regards to your GPO of failed authentication attempts and lockout policy you'll achieve a state where the accounts can get "NPS locked out" but not domain locked. This is useful in some situations, for example if you're wired or machine authenticated with your primary workstation and only use PEAP with user accounts with BYOD devices.

 

Not sure if this applies to your problems but might be worth a shot.

Christoffer Jacobsson | Aranya AB
Aruba Partner Ambassador
Aruba: ACMX #537 ACCP ACDP | CWNP: CWNE #306
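The "NPS locked out but not domain locked" state the post above describes comes down to two counters racing: the remote access account lockout feature in the linked article (its registry settings are MaxDenials and ResetTime (mins)) makes NPS answer Access-Reject itself once an account has failed a set number of times, so later attempts never reach the domain controller and never raise the domain's bad-password count. The model below is an added example written for this thread, not Microsoft's code; it replays a burst of failed logons through both counters so the timing relationship can be checked before the values are rolled out. The attempt schedule and all policy values are constructed, and the reset semantics (NPS counter resets a fixed time after its first denial; AD count resets when the observation window passes without a bad password) are my reading of the two features, stated here as assumptions.

```python
"""Model NPS remote-access account lockout against the domain lockout policy.

Added example for this forum thread, not Microsoft's code. Two counters:
NPS's denial counter (denials before NPS rejects locally, plus a reset time)
and the domain's bad-password count (threshold plus observation window). A
failed attempt raises the domain counter only if NPS still forwards it, so
for a burst that fits inside both windows NPS locks first whenever its
denial limit is below the domain threshold. All values are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Policy:
    nps_max_denials: int     # NPS: denials before it stops forwarding to the DC
    nps_reset_minutes: int   # NPS: minutes after which its denial counter resets
    ad_threshold: int        # AD: "Account lockout threshold"
    ad_window_minutes: int   # AD: "Reset account lockout counter after"


@dataclass
class Result:
    nps_locked_at: Optional[int] = None   # minute NPS began rejecting locally
    ad_locked_at: Optional[int] = None    # minute the domain locked the account
    forwarded: List[int] = field(default_factory=list)  # attempts the DC saw


def simulate(failed_at: List[int], p: Policy) -> Result:
    """Replay failed logons (minute offsets, ascending) through both counters."""
    r = Result()
    nps_count, nps_since = 0, None   # NPS denials and start of its current window
    ad_count, ad_last = 0, None      # domain bad-password count and last bad attempt
    for t in failed_at:
        if nps_since is not None and t - nps_since >= p.nps_reset_minutes:
            nps_count, nps_since = 0, None      # NPS window expired; forward again
        if nps_count >= p.nps_max_denials:
            continue                            # NPS rejects locally; DC never sees it
        r.forwarded.append(t)
        if ad_last is not None and t - ad_last >= p.ad_window_minutes:
            ad_count = 0                        # AD observation window expired
        ad_count, ad_last = ad_count + 1, t
        if ad_count >= p.ad_threshold and r.ad_locked_at is None:
            r.ad_locked_at = t
        nps_count += 1
        nps_since = t if nps_since is None else nps_since
        if nps_count >= p.nps_max_denials and r.nps_locked_at is None:
            r.nps_locked_at = t
    return r


def nps_shields_domain(p: Policy) -> bool:
    """True when a burst of failures locks the account in NPS but not in AD."""
    return p.nps_max_denials < p.ad_threshold


if __name__ == "__main__":
    burst = list(range(7))   # a device retrying once a minute (constructed)
    tuned = Policy(nps_max_denials=3, nps_reset_minutes=60, ad_threshold=5, ad_window_minutes=30)
    untuned = Policy(nps_max_denials=5, nps_reset_minutes=60, ad_threshold=3, ad_window_minutes=30)
    for name, pol in (("tuned", tuned), ("untuned", untuned)):
        print(name, simulate(burst, pol), "shields domain:", nps_shields_domain(pol))
```

With the tuned values a device that keeps retrying a stale password is shut out by NPS after three attempts and the domain controller counts only those three, well under its threshold of five; with the untuned values the domain locks the account first and the NPS lockout adds nothing. The NPS reset time should be at least as long as the domain observation window, otherwise a slow retry cadence can slip forwarded attempts through faster than the domain count decays.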