NPS Server Sizing - Millions of Connections
Hello --
I am looking for server sizing requirements for the NPS server which could potentially serve millions of devices.
I've seen the previous post related to sizing found here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/a4b21739-1416-416f-80d1-434e03e86434/sizing-reccomendations-for-nps
Any recommendations or documents you can provide would be helpful.
Thank You!
Hi,
Based on your description, you would like to find related documents about how many clients one NPS server can serve or how many authentication requests one NPS server can process.
As far as I know, there is no similar document from Microsoft about this.
Greg’s post gave detailed information about this issue, and the article which Greg provided, Best Practices for NPS (http://technet.microsoft.com/en-us/library/cc771746(v=WS.10).aspx), is a good reference about NPS.
In this article, it mentions some best practices about using NPS in large organizations, such as: if the NPS server receives a very large number of authentication requests per second, we can improve performance by increasing the number of concurrent authentications between NPS and the DC.
Best Regards,
Tina
Similar Messages
Need for NPS server certificate with PEAP-MS-CHAPv2
Hi,
I have a question about a small setup I'm currently testing. For wireless access with 802.1X authentication based on PEAP/MS-CHAPv2 and an NPS server (MS Server 2012 R2), I've noted, reading the TechNet documentation, that the NPS server or other RADIUS server must have a certificate (issued by a 3rd-party CA or by an AD CS environment).
However, there remains a point I would like to clarify (sorry, I surely have a bad understanding of the documentation). If my client is configured not to "validate server certificate", do I still need to have a certificate on the NPS server?
Well, I know it is not secure, but this will permit me to test without configuring AD CS and without buying a certificate.
Many thanks in advance for your answer.
Regards,
Fabrice
You also need a server certificate in this case, as the protection in Protected EAP is due to the encryption of the TLS session.
Not validating the server certificate just means that no additional check of the name is done, so the client would be able to connect to any RADIUS server, given that its certificate chain is valid. But the certificate chain as such is checked, as in every SSL handshake.
You don't need a certificate issued by a commercial CA though; you could use an in-house PKI. For tests you could use a self-signed certificate as well.
Edit: If you want to test self-signed certificates, the easiest way is probably to install the web server role and use its built-in option to create a self-signed certificate.
Elke
RADIUS Authentication Problems with NPS Server Eventid 6274
Hi,
We have struggled for a while with RADIUS auth for some clients against an NPS server. When the user or computer tries to connect to the wireless network, the following error can be seen on the NPS server:
Network Policy Server discarded the request for a user
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: host/hostname.domainname.com
Account Domain: -
Fully Qualified Account Name: -
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 40-20-B1-F4-BB-15:Wireless-SSID
Calling Station Identifier: C1-18-85-08-10-E1
NAS:
NAS IPv4 Address: 192.168.10.10
NAS IPv6 Address: -
NAS Identifier: AP name
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0
RADIUS Client:
Client Friendly Name: name
Client IP Address: 192.168.10.10
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: NPS servername
Authentication Type: -
EAP Type: -
Account Session Identifier: -
Reason Code: 3
Reason: The RADIUS Request message that Network Policy Server received from the network access server was malformed.
Network Policy Server discarded the request for a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: domainname\username
Account Domain: -
Fully Qualified Account Name: -
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 20-18-B1-F4-BB-15:Wireless-SSID
Calling Station Identifier: 09-3E-8E-3E-5A-C9
NAS:
NAS IPv4 Address: 192.168.10.10
NAS IPv6 Address: -
NAS Identifier: AP name
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0
RADIUS Client:
Client Friendly Name: name
Client IP Address: 192.168.10.10
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: NPS server name
Authentication Type: -
EAP Type: -
Account Session Identifier: -
Reason Code: 3
Reason: The RADIUS Request message that Network Policy Server received from the network access server was malformed.
Message seen from the AP's logs:
(317)IEEE802.1X auth is starting (at if=wifi0.2)
(318)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=157 length=162, User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1
(319)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=157 length=90
(320)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=158 length=286, User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1
(321)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=161 length=162, User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1
(322)Receive message from RADIUSServer: code=11 (Access-Challenge) identifier=161 length=90 BASIC
Output omitted
(330)Sta(at if=wifi0.2) is de-authenticated because of notification of driver
We have other NPS servers with corresponding policy settings which are working, so I am having trouble understanding why this error occurs.
Initially the problem seemed to be related to the cert on the NPS server, because it used the cert generated from the Computer template. Now it uses the template for Domain Controller, just as the other NPS servers do, so this should not be the issue (not sure if this matters?).
Please guide me on how to take this further.
Thank you :)
//Cris
Hi,
NPS Event ID: 6274.
This condition occurs when the NPS discards accounting requests because the structure of the accounting request message that was sent by a RADIUS client does not comply with the RADIUS protocol. You should reconfigure, upgrade, or replace the RADIUS client.
Detailed information reference:
Event ID 6274 — NPS Accounting Request Message Processing
https://technet.microsoft.com/en-us/library/cc735339(v=WS.10).aspx
Best Regards,
Eve Wang
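The reply above points at the RADIUS client as the source of reason code 3. The following script is an added example (not from this thread or from Microsoft) that performs the RFC 2865 framing checks a RADIUS server has to make before it can evaluate any policy, so a finding from it is the kind of defect that produces event 6274 rather than a credential or policy mismatch; the packets are constructed here with attribute values modelled on the AP log in the post.

```python
"""Structural validator for RADIUS packets (RFC 2865 framing).

Added example, not code from the thread. It checks exactly the kind of
framing errors behind NPS event 6274 / reason code 3 ("the RADIUS Request
message ... was malformed"): a bad Length field, an attribute whose Length
is below the 2-byte minimum, or an attribute that runs past the packet end.
All packet bytes below are constructed, not captured.
"""
import struct

# RADIUS packet codes used here (RFC 2865)
ACCESS_REQUEST = 1
ACCESS_CHALLENGE = 11

# Attribute types that appear in the poster's AP log
USER_NAME = 1
NAS_IP_ADDRESS = 4
CALLED_STATION_ID = 30
CALLING_STATION_ID = 31

HEADER_LEN = 20        # code(1) + identifier(1) + length(2) + authenticator(16)
MAX_PACKET_LEN = 4096  # RFC 2865 section 3


def build_packet(code, identifier, attrs, authenticator=b"\x00" * 16):
    """Assemble a RADIUS packet from (type, value) attribute pairs."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    length = HEADER_LEN + len(body)
    return struct.pack("!BBH", code, identifier, length) + authenticator + body


def check_packet(data):
    """Return a list of framing problems; an empty list means well-formed.

    These are the checks a server must pass before it can even look at the
    attributes, so a finding here is a plausible cause of reason code 3.
    """
    problems = []
    if len(data) < HEADER_LEN:
        return ["packet shorter than the 20-byte header"]
    _code, _ident, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > MAX_PACKET_LEN:
        problems.append(f"Length field {length} outside 20..4096")
    if length > len(data):
        problems.append(f"Length field {length} exceeds received {len(data)} bytes")
    # Octets beyond Length are padding and must be ignored (RFC 2865 s.3).
    end = min(length, len(data))
    pos = HEADER_LEN
    while pos < end:
        if end - pos < 2:
            problems.append(f"truncated attribute header at offset {pos}")
            break
        atype, alen = data[pos], data[pos + 1]
        if alen < 2:
            problems.append(f"attribute type {atype} at offset {pos} has length {alen} (< 2)")
            break
        if pos + alen > end:
            problems.append(f"attribute type {atype} at offset {pos} runs past packet end")
            break
        pos += alen
    return problems


def parse_attributes(data):
    """Return [(type, value)] for a packet that check_packet() accepted."""
    if check_packet(data):
        raise ValueError("malformed packet")
    length = struct.unpack("!H", data[2:4])[0]
    out, pos = [], HEADER_LEN
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        out.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return out


# --- constructed samples (values modelled on the AP log in the thread) ---
GOOD_REQUEST = build_packet(ACCESS_REQUEST, 157, [
    (USER_NAME, b"domain\\username"),
    (NAS_IP_ADDRESS, bytes([192, 168, 10, 10])),
    (CALLED_STATION_ID, b"40-18-B1-F4-BB-15:Wireless-SSID"),
    (CALLING_STATION_ID, b"C0-18-85-08-10-E1"),
])

# Same request, but the NAS advertises a Length larger than what it sent.
BAD_LENGTH_REQUEST = (GOOD_REQUEST[:2]
                      + struct.pack("!H", len(GOOD_REQUEST) + 8)
                      + GOOD_REQUEST[4:])

# Same request, but the User-Name attribute claims a length of 1 byte.
BAD_ATTR_REQUEST = (GOOD_REQUEST[:HEADER_LEN + 1] + b"\x01"
                    + GOOD_REQUEST[HEADER_LEN + 2:])


if __name__ == "__main__":
    for name, pkt in [("good", GOOD_REQUEST),
                      ("bad length", BAD_LENGTH_REQUEST),
                      ("bad attribute", BAD_ATTR_REQUEST)]:
        print(name, check_packet(pkt) or "well-formed")
```

Running it against a capture taken on the NPS server's UDP/1812 listener shows whether the access point's requests fail these checks before NPS ever applies a connection request policy.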
Config RADIUS on WLC 5508 - Problems communicating with NPS Server
Hi,
I'm facing some problems when configuring RADIUS auth with an NPS Windows Server.
My WLAN interface is in a different VLAN than the management interface; is that a problem?
I want this WLAN to be on a different VLAN from the management one. When I use the WLAN interface in the same VLAN, RADIUS works without problems. But with different VLANs it is not working.
The NPS server has 2 NICs, 1 for the wireless VLAN and another for the management VLAN.
The logs from the WLC show this, but I have difficulty interpreting all this data:
*apfMsConnTask_0: Dec 29 12:49:14.636: Association request from the P2P Client Process P2P Ie and Upadte CB
*apfMsConnTask_5: Dec 29 12:49:36.607: 3c:c2:43:94:3e:bc Adding mobile on LWAPP AP d4:d7:48:45:fb:20(0)
*apfMsConnTask_5: Dec 29 12:49:36.607: 3c:c2:43:94:3e:bc Association received from mobile on AP d4:d7:48:45:fb:20
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying site-specific Local Bridging override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying Local Bridging Interface Policy for station 3c:c2:43:94:3e:bc - vlan 900, interface id 16, interface 'wlan'
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying site-specific override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc STA - rates (8): 130 132 139 12 18 150 24 36 0 0 0 0 0 0 0 0
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Processing RSN IE type 48, length 20 for mobile 3c:c2:43:94:3e:bc
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Received RSN IE with 0 PMKIDs from mobile 3c:c2:43:94:3e:bc
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Setting active key cache index 8 ---> 8
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc unsetting PmkIdValidatedByAp
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) DHCP required on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8for this client
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Not Using WMM Compliance code qosCap 00
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8 flex-acl-name:
*apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfMsAssoStateInc
*apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfPemAddUser2 (apf_policy.c:270) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Idle to Associated
*apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc Sending Assoc Response to station on BSSID d4:d7:48:45:fb:20 (status 0) ApVapId 8 Slot 0
*apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfProcessAssocReq (apf_80211.c:6309) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
*dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Station 3c:c2:43:94:3e:bc setting dot1x reauth timeout = 0
*dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Stopping reauth timeout for 3c:c2:43:94:3e:bc
*dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
*dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 1)
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 2)
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Received EAPOL EAPPKT from mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Received Identity Response (count=2) from mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc EAP State update from Connecting to Authenticating for mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Authenticating state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Entering Backend Auth Response state for mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.794: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.794: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Aborting state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 4)
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Reached Max EAP-Identity Request retries (3) for STA 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Sent Deauthenticate to mobile on BSSID d4:d7:48:45:fb:20 slot 0(caller 1x_auth_pae.c:3165)
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Scheduling deletion of Mobile Station: (callerId: 6) in 10 seconds
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Disconnected state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Not sending EAP-Failure for STA 3c:c2:43:94:3e:bc
*apfMsConnTask_5: Dec 29 12:49:55.518: 3c:c2:43:94:3e:bc Association received from mobile on AP d4:d7:48:45:fb:20
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying site-specific Local Bridging override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying Local Bridging Interface Policy for station 3c:c2:43:94:3e:bc - vlan 900, interface id 16, interface 'wlan'
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying site-specific override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc STA - rates (8): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Processing RSN IE type 48, length 20 for mobile 3c:c2:43:94:3e:bc
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Received RSN IE with 0 PMKIDs from mobile 3c:c2:43:94:3e:bc
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Setting active key cache index 8 ---> 8
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc unsetting PmkIdValidatedByAp
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Initializing policy
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) DHCP required on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8for this client
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Not Using WMM Compliance code qosCap 00
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8 flex-acl-name:
*apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc apfPemAddUser2 (apf_policy.c:270) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
*apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc Sending Assoc Response to station on BSSID d4:d7:48:45:fb:20 (status 0) ApVapId 8 Slot 0
*apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc apfProcessAssocReq (apf_80211.c:6309) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
*dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Station 3c:c2:43:94:3e:bc setting dot1x reauth timeout = 0
*dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Stopping reauth timeout for 3c:c2:43:94:3e:bc
*dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
*dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 1)
*Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 2)
Yes, I thought of that. But if I use simple password authentication on the wireless, I can reach the server with the same-subnet interface. But I don't want to allow this subnet to access the management subnet of the wireless controller.
One question I have is: which subnet does the WLC use for RADIUS? Does it use the subnet of the wireless interface, or always the management interface?
Could you help me understand how RADIUS auth works with this wireless controller? Did you see anything strange in the logs that I posted above? It seems to run OK until:
dot1x - moving mobile 3c:c2:43:94:3e:bc into Authenticating state
Entering Backend Auth Response state for mobile 3c:c2:43:94:3e:bc
Received EAPOL START from mobile 3c:c2:43:94:3e:bc
dot1x - moving mobile 3c:c2:43:94:3e:bc into Aborting state
I also note this: "Applying Local Bridging Interface Policy for station "
What does this mean?
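The four lines the poster singles out are the controller waiting on RADIUS and giving up: the client enters "Backend Auth Response" at 12:49:36.761 and the next event for that MAC, about 18 seconds later, is a fresh EAPOL START and "Aborting", with no reply from the server in between. The script below is an added example (not from the thread or from Cisco) that scans a WLC trace for that pattern; the sample lines are taken from the trace above plus one constructed healthy session, and the wording it treats as a RADIUS reply ("Processing Access-...") is an assumption about WLC debug output, not something shown on this page.

```python
"""Spot 802.1X sessions in a Cisco WLC trace that stall waiting for RADIUS.

Added example, not code from the thread. A session that enters
"Entering Backend Auth Response state" (identity forwarded to RADIUS)
and is next seen "moving ... into Aborting state" without any reply in
between points at RADIUS reachability or routing, not at credentials.
"""
import re
from datetime import datetime

# Matches the WLC debug lines in the thread; lines without a client MAC
# (e.g. the P2P line at the top of the trace) are skipped.
LINE_RE = re.compile(
    r"^\*(?P<task>\S+): (?P<mon>\w{3}) (?P<day>\d+) "
    r"(?P<time>\d\d:\d\d:\d\d\.\d{3}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$"
)

WAITING = "Entering Backend Auth Response state"
ABORTED = "into Aborting state"
# ASSUMPTION: wording of a RADIUS reply in WLC debug output; adjust to
# the controller version if the strings differ.
ANSWERED = ("Processing Access-", "EAP State update from Authenticating to")


def parse_line(line):
    """Return (timestamp, mac, message) or None for lines without a MAC."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S.%f")
    return ts, m["mac"], m["msg"]


def find_stalled_sessions(lines, max_wait_s=5.0):
    """Return {mac: seconds_waited} for sessions aborted without a RADIUS reply.

    max_wait_s filters out quick client-side restarts; anything that waited
    longer than a typical RADIUS timeout before aborting is reported.
    """
    waiting = {}   # mac -> timestamp of "Backend Auth Response"
    stalled = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, mac, msg = parsed
        if WAITING in msg:
            waiting[mac] = ts
        elif mac in waiting:
            if any(a in msg for a in ANSWERED):
                del waiting[mac]              # RADIUS did answer
            elif ABORTED in msg:
                waited = (ts - waiting.pop(mac)).total_seconds()
                if waited >= max_wait_s:
                    stalled[mac] = waited
    return stalled


# Lines 2-4 and 7-9 are copied from the trace in the thread; the
# aa:bb:cc:dd:ee:01 session is constructed to show a healthy exchange.
SAMPLE_TRACE = """\
*apfMsConnTask_0: Dec 29 12:49:14.636: Association request from the P2P Client Process P2P Ie and Upadte CB
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Received Identity Response (count=2) from mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc EAP State update from Connecting to Authenticating for mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Entering Backend Auth Response state for mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_2: Dec 29 12:49:40.100: aa:bb:cc:dd:ee:01 Entering Backend Auth Response state for mobile aa:bb:cc:dd:ee:01
*Dot1x_NW_MsgTask_2: Dec 29 12:49:40.150: aa:bb:cc:dd:ee:01 Processing Access-Challenge for mobile aa:bb:cc:dd:ee:01
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.794: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.794: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Aborting state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Reached Max EAP-Identity Request retries (3) for STA 3c:c2:43:94:3e:bc
""".splitlines()


if __name__ == "__main__":
    for mac, waited in find_stalled_sessions(SAMPLE_TRACE).items():
        print(f"{mac}: aborted after {waited:.3f}s with no RADIUS reply")
```

A stall like this is worth correlating with the NPS side: if the Access-Request never shows up in the NPS event log for the same Calling-Station-Id, the packet did not reach the server (or its reply could not route back), which is what a management-interface/WLAN VLAN mismatch looks like from both ends.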
I've been working on getting 802.1X set up. I've so far gotten WinXP clients to authenticate through our HP ProCurve switch to the NPS server using PEAP/EAP-MSCHAPv2, and to put different authorized users on different VLANs based on AD groups, as well as unauthorized users onto a separate VLAN. Also, the switch is using the NPS server for securing management logons.
However, when I configure and plug in a Nortel phone, I can see the EAP packets going to the switch, which then sends the Access-Request message to the NPS server. On the NPS server, I can see that the NIC receives the Access-Request packet, but it never responds to it. When I compare the packet to an Access-Request packet from a WinXP client, the only differences I can see are User-Name (1), Port (5), Port-ID (87), Calling-Station-ID (31) and the EAP-Message (79), which to me are the fields that *should* be different. I can also see that the packet is coming in on the correct port (1812). Nothing gets logged in Event Viewer, nor in the NPS log (c:\windows\system32\logfiles\inDDMMYY.log).
It's my understanding that, at least, I should be getting an IAS_NO_POLICY_MATCH in the log, as I haven't set up a policy for it yet. Also, if I set up a dummy policy to accept all requests on all days and times, using any authentication method, I still get nothing.
The phone is set to use PEAP, but if I understand correctly, even if that was set wrong, I should at least see an Access-Challenge response packet from the server; PEAP doesn't factor in quite that early. Or do I misunderstand?
Any help would be appreciated.
Thanks for the reply.
> At the command prompt, type the following command, and then press ENTER:
> auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
I had read about that previously. I had checked whether it was enabled or not, and it only had failure enabled. So, following the recommendation on that page, I disabled both, then enabled both. So yes, it's currently enabled. And after this, I tried both the PC and phone again, and while I saw the PC's authentication succeed in the Event Log, I still see nothing for the phone.
> PEAP does not specify an authentication method, but provides additional security for other EAP authentication protocols, such as Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MS-CHAP v2), that can operate through the TLS encrypted channel provided by PEAP.
Yeah, but if I understand correctly (and I'm going to read your link right after I post this), after the switch sends the initial Access-Request message in the clear, the RADIUS server should then respond with an Access-Challenge to begin securing the connection between itself and the phone, regardless of what the phone has set for its security type. If the phone can't talk in a way that the server is set to accept, then it won't respond to the Access-Challenge packet, but the server should be sending that Access-Challenge in the first place. Or is there something I've missed in the Access-Request packet that specifies what security type(s) it can handle? I thought that happened after the Access-Challenge?
> Please also provide us the type of your Nortel IP Phone, because some types of Nortel IP Phone may only support EAP-MS-CHAP v1 which is not supported by Windows 2008. We also suggest that you might post your issue on Nortel forums to ask for some more help.
I'm using a Nortel 1120e phone for testing; we also have 1140e phones that will be used with this when it's working, but they should be the same as far as this setup is concerned. I read somewhere that perhaps the Nortel phones only support PEAP-MD5, which doesn't seem to be an option in NPS without a reghack. I'm also following up with our Nortel support locally, as the phone itself and the manual for the phone only say "PEAP" without specifying what it's using inside, but right now I'm trying to determine whether the problem lies with the phone or the server or both. So I thought I'd ask the experts here.
FWIW, I've been testing using an HP ProCurve 3400cl with the latest firmware. I've managed to get the same setup on a Cisco Catalyst 3550 switch, also on its latest firmware, and I get the same results. The PCs can authenticate, the phone can't; NPS still isn't responding.
Hi
1. How do I have to do server sizing? Are there any books or links which guide us to do the sizing?
Thanks in Advance
Actually, the things you need to consider for sizing aren't JUST the number of users, but also their mail habits.
If you're POP only, then storage size isn't so important, as POP users download and delete all their mails.
IMAP/Webmail users keep mail on the server.
You need to consider how many messages per day they send and receive, how large those messages are, and how many of your users connect at one time.
Neither Shane nor I are really expert with sizing. We're Support folks, and our experience is mostly fixing broken servers. The folks that do sizing are our sales engineers. They have access to the spreadsheets and such that we don't.
It sounds like you're one of our resellers. Just give a call to your SE, and he'll help you with sizing.
Hi All,
My project is implementing BI 7.0. Can anyone suggest me regarding server sizing?
My Problems: 1) Whether it is better to go for the same client for both the functional guys and the BW guys on the same server.
2) If that is the case, how to give a connection between R/3 and BI to go for LO Extraction.
Currently we are in the blueprint stage and I am checking all these on IDES. Presently in IDES we all (both functionals and BI) are working on the same client on the same server. Now when establishing the connection between R/3 and BI, I am facing a problem.
If any docs regarding sizing for BI 7.0, please send to [email protected]
Help me
Thanks and Regards,
Bala
Hi Balu,
You can have R/3 and BI on the same server and you can use different clients.
You can do RFC connections also between those clients.
Technically it is possible as per the NetWeaver functionality. But server sizing should be done carefully; with this, performance will be slow due to loads and running jobs.
You can have different servers also, but your client needs to invest an amount.
If it is useful please assign points.
Regards,
chandu
Will AD user login or services be affected if we add a new NPS server in an existing AD environment?
Hi
We have three domain controllers in our company on the Windows 2008 R2 platform and different RODCs. We would like to add an additional NPS server to it. Will existing AD user login or services be affected by this?
Hi,
Based on my research, if the NPS server is a member of an AD DS domain, NPS uses the directory service as its user account database and is part of a single sign-on solution. The same set of credentials is used for network access control and to log on to an AD DS domain. NPS will compare user credentials that it receives from network access servers with the credentials that are stored for the user account in AD DS to perform authentication. Furthermore, the NPS server uses network policy and checks user account dial-in properties in AD DS to authorize connection requests.
For more information, please refer to the link below:
Register the NPS Server in Active Directory Domain Services
http://technet.microsoft.com/en-us/library/cc754878.aspx
Best regards,
Susie
Wireless with PEAP Authentication not working using new NPS server
All,
We are planning to migrate from our old IAS server to a new NPS server. We are testing the new NPS server with our wireless infrastructure using WiSM. We are using PEAP with a server cert for authentication. For testing purposes we are doing user authentication, but our goal is to do machine authentication. On the client side we are using Windows XP, Windows 7 & iPads.
I believe I have configured the NPS & CA server as per the documents I found on the Cisco support forum & Microsoft’s site.
But it is not working for me. I am getting the following error messages on the NPS server.
Error # 1
=======
Cryptographic operation.
Subject:
Security ID: SYSTEM
Account Name: MADXXX
Account Domain: AD
Logon ID: 0x3e7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: XXX-Wireless-NPS
Key Type: Machine key.
Cryptographic Operation:
Operation: Decrypt.
Return Code: 0x80090010
Error # 2
======
An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
I was wondering if anyone has any insight on what is going on.
Thanks, Ds
Scott,
I have disabled MS-CHAP v1 & only MS-CHAP v2 is enabled on Network Policies > Constraints.
I disabled "validate certificate" on Windows 7 and tried to authenticate; it is still failing. Here is the output from the event viewer:
Cryptographic operation.
Subject:
Security ID: SYSTEM
Account Name: MADHFSVNPSPI01$
Account Domain: AD
Logon ID: 0x3e7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: DOT-Wireless-NPS
Key Type: Machine key.
Cryptographic Operation:
Operation: Decrypt.
Return Code: 0x80090010
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: AD\mscdzs
Account Name: AD\mscdzs
Account Domain: AD
Fully Qualified Account Name: AD\mscdzs
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 64-ae-0c-00-de-f0:DOT
Calling Station Identifier: a0-88-b4-e2-79-cc
NAS:
NAS IPv4 Address: 130.47.128.7
NAS IPv6 Address: -
NAS Identifier: WISM2B
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 29
RADIUS Client:
Client Friendly Name: WISM2B
Client IP Address: 130.47.128.7
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: Secure Wireless Connections
Authentication Provider: Windows
Authentication Server: MADHFSVNPSPI01.AD.DOT.STATE.WI.US
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 23
Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
Attached are EAP logs & debug logs from the controller.
Thanks for all the help. I really appreciate it.
LobbyAmbassador / WCS -- 4xWLC's / NPS server
Hi,
Quick run down:
* v7.0.240
* WCS managing 4x WLC's
* Lobby Ambassador account created on WCS to manage users connecting to the WCS via RADIUS and have permissions to create guest accounts
* profile for guest access is created fine
- when logging in with the LOCAL lobby account created initially (not RADIUS) the default settings remain fine
- when logging in with RADIUS the default settings created in the profile do not remain the same, they can change
RADIUS ATTRIBUTES configured on the LobbyAmbassador group and the NPS server:
Wireless-WCS:role0=LobbyAmbassador
Wireless-WCS:task0=Configure Guest Users
Wireless-WCS:task1=Lobby Ambassador User Preferences
Am I missing something? What do I need to configure (attribute-wise) to prevent the RADIUS users from being able to modify the WCS LobbyAmbassador profile configured?
Please check the link:
https://supportforums.cisco.com/discussion/11137666/wcs-lobby-ambassador-aaa-authentication
Server 2012 NPS Server not authenticating IKEv2 requests
Hello Experts,
I am having a weird problem regarding NPS Server when I upgraded my VPN servers from Server 2008 R2 to Server 2012 R2. Actually, in my infrastructure I have a Windows 2008 R2 based AD, and in its domain I have an NPS server joined as a member server. This NPS server is based on Server 2012 R2. When I upgraded my VPN servers from Server 2008 R2 to Server 2012 R2, IKEv2 stopped working; every other protocol works. On Windows 7, when I try to connect using IKEv2, it hangs at verifying username and password, and when I tested IKEv2 on Win 8 it says IKE authentication credentials are unacceptable, in spite of the fact that my server certificate is valid and EKU compatible. When I connected IKEv2 via my other server, which is a Server 2008 R2 based VPN server, IKEv2 works like a charm without any issues, successfully authenticating. The problem seems to...
Indeed the 255.255.255.255 subnet mask is expected for non-compliant clients.
But my issue is that non-compliant clients get an IP address from the entire subnet, and I want to assign only a specific range in my entire subnet/scope to non-compliant clients.
It's funny you can specify an IP address range in the DHCP policy but then it doesn't work.
On the other hand, you have a valid point there Greg about DNS/DHCP flooding.
Still hope to hear why this setup will not work and if it is supported or can work though :-)
Hi, I am trying to open and view a report that comes from another server with a different ODBC connection.
I created a Crystal Report for a MySQL database on my machine and everything works great,
but we have other reports that come from other machines with a different ODBC connection,
and this is not working: when it opens the report, it asks for credentials,
and I cannot use the remote IP for these reports that come from the other machine.
Question:
If I cannot connect to the remote IP to open the report,
do I have to create the report database on my machine for each report and then open the report?
Or is there some other way to open the report?
I am using Visual Studio 2013 and MySQL and
<add key="MYSQLODBCDRIVER" value="{MySQL ODBC 5.3 UNICODE Driver}"/>
ThanksShort:
I have a report that was created on another server with a specific DSN.
Now I am trying to open the report on my machine.
The database from the other server does not exist on my machine.
The IP of the server machine where the report was created is not accessible.
Question?
Can I open the report on my machine, or is it impossible?
Thanks -
Regarding Mountain Lion Server: clients experience intermittent service connections. The server system log has the following error: Client handshake failed (6):113: Server not accepting client connections. Any suggestions would be greatly appreciated. Thank you.
Hi Jason
I was getting the same behavior after Apple support had me delete some plist files to get Airplay going. I was also getting the following error:
the error occurred while processing a command of type 'writesettings' in the plug-in 'server vpn'
I went into ~/Library/Preferences/ and /Library/Preferences/ and deleted every plist containing the word server. I had to re-set up my server (meaning walk through some initial steps), but all of my settings were still there after that and everything started working again.
Just a thought, obviously try at your own risk but it worked for me.
Kellen -
I was using Firefox earlier in the day with no problem. About half an hour ago I tried to get on the Internet using Firefox (as always). When I did, I was greeted with a little dialog box showing that something was downloading. That's happened before.
This time, though, I was greeted by an error page that said Firefox was configured to use a proxy server that's refusing connections.
I'm not on a network. I have a desktop computer that connects to a wireless modem that I share only with my wife. I didn't change my settings on either. Neither did my wife.
My "Connection Settings" box still says "use system proxy settings." There are no entries in the manual settings boxes.
I want to emphasize that I changed *nothing.*
I need to know, please, how I can set my computer to get back onto the Internet or, failing that, how I can go back to the previous version of Firefox.
Thank you very much.
Bob MurdichYou can find the connection settings in Tools > Options > Advanced : Network : Connection
If you do not need to use a proxy to connect to internet then select "No Proxy"
See "Firefox connection settings":
* [[Firefox cannot load websites but other programs can]] -
I ran across this error starting on 6/4/2011 and have been unable to find the root of the problem. In our environment, we have a DPM 2010 server dedicated to backing up all our SQL environment (about 45 SQL Servers total). All of the SQL environment is backing up fine except for a SQL Cluster Application. This particular SQL instance is part of a 6 node failover cluster with 6 SQL instances distributed amongst them. The other 5 SQL instances in the cluster are backing up fine; only one instance is failing. The DPM Alerts section shows this error when attempting to do a SQL backup of one of the databases on this SQL instance:
Affected area: KEN-PROD-VDB001\POSREPL1\master
Occurred since: 6/11/2011 11:00:56 PM
Description: Recovery point creation jobs for SQL Server 2008 database KEN-PROD-VDB001\POSREPL1\master on SQL Server (POSREPL1) - Store Settings.ken-prod-cl004.aarons.aaronrents.com have been failing. The number of failed recovery point creation jobs = 4.
If the datasource protected is SharePoint, then click on the Error Details to view the list of databases for which recovery point creation failed. (ID 3114)
The DPM job failed for SQL Server 2008 database KEN-PROD-VDB001\POSREPL1\master on SQL Server (POSREPL1) - Store Settings.ken-prod-cl004.aarons.aaronrents.com because the SQL Server instance refused a connection to the protection agent. (ID 30172 Details: Internal error code: 0x80990F85)
More information
Recommended action: This can happen if the SQL Server process is overloaded, or running short of memory. Please ensure that you are able to successfully run transactions against the SQL database in question and then retry the failed job.
Create a recovery point...
Resolution: To dismiss the alert, click below
Inactivate alert
I have checked the cluster node this particular SQL instance is running on using Perfmon and the machine is nowhere near capacity on CPU, memory, network, or Disk I/O. I have failed this SQL Application to another node in the cluster and receive the same error (this other node has another clustered SQL application on it that is actively running as well as backing up fine). The only thing that I am aware of that has changed is that we installed SP2 for SQL 2008 about 2 weeks prior to when the failures started to occur. However, we updated all six clustered SQL Instances at the same time and only this one is having this issue, so I don't believe that caused the problem. We are running SQL 2008 SP2 (version 10.0.4000.0) on all clustered instances along with DPM 2010 (version 3.0.7696.0) on this particular DPM server that has the issue.
One last thing, I have also noticed errors in the event log pertaining to the same SQL backups that are failing (but the time stamps are not concurrent with each backup attempt):
Log Name: Application
Source: MSDPM
Date: 6/13/2011 1:09:12 AM
Event ID: 4223
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: KEN-PROD-BS002.aarons.aaronrents.com
Description:
The description for Event ID 4223 from source MSDPM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
DPM writer was unable to snapshot the replica of KEN-PROD-VDB001\POSREPL1\model. This may be due to:
1) No valid recovery points present on the replica.
2) Failure of the last express full backup job for the datasource.
3) Failure while deleting the invalid incremental recovery points on the replica.
Problem Details:
<DpmWriterEvent><__System><ID>30</ID><Seq>1833</Seq><TimeCreated>6/13/2011 5:09:12 AM</TimeCreated><Source>f:\dpmv3_rtm\private\product\tapebackup\dpswriter\vssfunctionality.cpp</Source><Line>815</Line><HasError>True</HasError></__System><DetailedCode>-2147212300</DetailedCode></DpmWriterEvent>
the message resource is present but the message is not found in the string/message table
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSDPM" />
<EventID Qualifiers="0">4223</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-06-13T05:09:12.000000000Z" />
<EventRecordID>68785</EventRecordID>
<Channel>Application</Channel>
<Computer>KEN-PROD-BS002.aarons.aaronrents.com</Computer>
<Security />
</System>
<EventData>
<Data>DPM writer was unable to snapshot the replica of KEN-PROD-VDB001\POSREPL1\model. This may be due to:
1) No valid recovery points present on the replica.
2) Failure of the last express full backup job for the datasource.
3) Failure while deleting the invalid incremental recovery points on the replica.
Problem Details:
<DpmWriterEvent><__System><ID>30</ID><Seq>1833</Seq><TimeCreated>6/13/2011 5:09:12 AM</TimeCreated><Source>f:\dpmv3_rtm\private\product\tapebackup\dpswriter\vssfunctionality.cpp</Source><Line>815</Line><HasError>True</HasError></__System><DetailedCode>-2147212300</DetailedCode></DpmWriterEvent>
</Data>
<Binary>…</Binary>
</EventData>
</Event>
Any help would be greatly appreciated!Don't know if this helps or not, but I also noticed another peculiar issue that is derived from this problem. If I go to "Modify protection group", then expand the cluster, then expand all six nodes in the cluster, five of them show "All SQL Servers" and allow me to expand the SQL Instance and show all databases; the one that is having a problem backing up, when I expand the node, doesn't even show that SQL exists on the node, when in fact, it does.
I would also like to add that the databases on this node that will not back up are running fine. They run hundreds of transactions daily, so we know SQL itself is OK. Even though it is a busy SQL Server, there are plenty of available resources, as the SQL buffer and memory counters show the node is not under duress.