As part of my migration from my Server 2008 R2 environment, I ended up taking my NPS server offline. The trouble is, my wireless clients were unable to connect after it was brought back online.
Nothing had changed on the operating system, or the wireless access point. The only change is that the NPS server was migrated onto a Server 2012 Hyper-V environment.
I have not looked into the root cause, but I suspect that it is to do with either the new Network Virtualization capabilities of Hyper-V 2012, or with the new virtual network card that it installs by default… Or both.
In any case, the clients would just continue to try to connect, and then fail. Normally, the Security event logs will give you a bit more information here, but in this case there was absolutely nothing logged. This originally led me to believe that the issue was with the wireless access point configuration, because the request did not even appear to be reaching the NPS server at all.
Checking the RADIUS accounting logs disproved this, as I could see that the connection attempts were indeed being logged. This means that NPS was receiving the connection, but for some reason wasn’t even trying to match it to a connection or network policy (as nothing was being logged in the Security event log).
Some example entries in the log were:
<Event>
  <Timestamp data_type="4">12/09/2012 20:36:23.148</Timestamp>
  <Computer-Name data_type="1">SVR01NPS</Computer-Name>
  <Event-Source data_type="1">IAS</Event-Source>
  <Class data_type="1">311 1 10.14.0.35 12/09/2012 10:28:56 9</Class>
  <Session-Timeout data_type="0">30</Session-Timeout>
  <Fully-Qualifed-User-Name data_type="1">mydomain.com/Users/Mat Mirabito</Fully-Qualifed-User-Name>
  <Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>
  <Client-IP-Address data_type="3">10.14.0.4</Client-IP-Address>
  <Client-Vendor data_type="0">0</Client-Vendor>
  <Client-Friendly-Name data_type="1">SVR01AP</Client-Friendly-Name>
  <Proxy-Policy-Name data_type="1">Wireless Access Policy</Proxy-Policy-Name>
  <Provider-Type data_type="0">1</Provider-Type>
  <SAM-Account-Name data_type="1">MYDOMAIN\mat</SAM-Account-Name>
  <NP-Policy-Name data_type="1">Wireless Access Policy</NP-Policy-Name>
  <Authentication-Type data_type="0">5</Authentication-Type>
  <Packet-Type data_type="0">11</Packet-Type>
  <Reason-Code data_type="0">0</Reason-Code>
</Event>
<Event>
  <Timestamp data_type="4">12/09/2012 20:36:23.164</Timestamp>
  <Computer-Name data_type="1">SVR01NPS</Computer-Name>
  <Event-Source data_type="1">IAS</Event-Source>
  <NAS-IP-Address data_type="3">10.14.0.4</NAS-IP-Address>
  <NAS-Port data_type="0">0</NAS-Port>
  <Called-Station-Id data_type="1">64-70-02-7F-99-64:MYSSID</Called-Station-Id>
  <Calling-Station-Id data_type="1">24-77-03-94-F3-90</Calling-Station-Id>
  <Framed-MTU data_type="0">1400</Framed-MTU>
  <NAS-Port-Type data_type="0">19</NAS-Port-Type>
  <Connect-Info data_type="1">CONNECT 0Mbps 802.11</Connect-Info>
  <Client-IP-Address data_type="3">10.14.0.4</Client-IP-Address>
  <Client-Vendor data_type="0">0</Client-Vendor>
  <Client-Friendly-Name data_type="1">SVR01AP</Client-Friendly-Name>
  <User-Name data_type="1">mat</User-Name>
  <Proxy-Policy-Name data_type="1">Wireless Access Policy</Proxy-Policy-Name>
  <Provider-Type data_type="0">1</Provider-Type>
  <SAM-Account-Name data_type="1">MYDOMAIN\mat</SAM-Account-Name>
  <Class data_type="1">311 1 10.14.0.35 12/09/2012 10:28:56 10</Class>
  <Authentication-Type data_type="0">5</Authentication-Type>
  <NP-Policy-Name data_type="1">Wireless Access Policy</NP-Policy-Name>
  <Fully-Qualifed-User-Name data_type="1">mydomain.com/Users/Mat Mirabito</Fully-Qualifed-User-Name>
  <Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>
  <Packet-Type data_type="0">1</Packet-Type>
  <Reason-Code data_type="0">0</Reason-Code>
</Event>
It was the second event that got me on the right track, particularly this line:
<Framed-MTU data_type="0">1400</Framed-MTU>
In some cases, such as when the network devices in the path either fragment the RADIUS requests incorrectly or are unable to fragment them at all, NPS is unable to process the request. The EAP exchange then never reaches a decision: NPS keeps answering with Access-Challenge packets, the client keeps re-sending Access-Requests, and because no policy match is ever completed, nothing appears in the Security event log.
In these cases, you can resolve the issue by adding the Framed-MTU attribute to the network policy in question with a value of 1344 or less, which keeps the EAP payloads small enough that NPS does not rely on fragmentation. The following steps are taken directly from this TechNet article:
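As an added illustration (this is not code from the original post), the following Python script parses the DTS-compliant NPS log format shown above, a bare sequence of `<Event>` elements with one event per line, and flags conversations that look exactly like the one described here: Access-Requests and Access-Challenges logged for a client, but never an Access-Accept or Access-Reject, with the NAS-reported Framed-MTU above the 1344 limit as the hint. The sample events are constructed; the first two mirror the post's entries, while the "alice" client and its Access-Accept are invented so that a healthy conversation is shown not to be flagged. Correlation is on RADIUS client name plus SAM account, because the Class value differs per packet and the NAS attributes (Calling-Station-Id, Framed-MTU) only appear on the Access-Request.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# RADIUS Packet-Type codes (RFC 2865) as NPS writes them into the Packet-Type element.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11

# Upper bound on Framed-MTU given in the TechNet steps the post follows.
FRAMED_MTU_LIMIT = 1344

# Constructed sample log (one <Event> per line, no root element, as NPS writes it).
# Events 1-2 mirror the post: Access-Challenge then Access-Request (Framed-MTU 1400)
# for MYDOMAIN\mat with no decision afterwards. Events 3-4 are an invented client,
# MYDOMAIN\alice, whose request is answered with an Access-Accept.
SAMPLE_LOG = """\
<Event><Timestamp data_type="4">12/09/2012 20:36:23.148</Timestamp><Computer-Name data_type="1">SVR01NPS</Computer-Name><Client-Friendly-Name data_type="1">SVR01AP</Client-Friendly-Name><SAM-Account-Name data_type="1">MYDOMAIN\\mat</SAM-Account-Name><NP-Policy-Name data_type="1">Wireless Access Policy</NP-Policy-Name><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">12/09/2012 20:36:23.164</Timestamp><Computer-Name data_type="1">SVR01NPS</Computer-Name><Calling-Station-Id data_type="1">24-77-03-94-F3-90</Calling-Station-Id><Framed-MTU data_type="0">1400</Framed-MTU><NAS-Port-Type data_type="0">19</NAS-Port-Type><Client-Friendly-Name data_type="1">SVR01AP</Client-Friendly-Name><User-Name data_type="1">mat</User-Name><SAM-Account-Name data_type="1">MYDOMAIN\\mat</SAM-Account-Name><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">12/09/2012 20:37:01.002</Timestamp><Computer-Name data_type="1">SVR01NPS</Computer-Name><Calling-Station-Id data_type="1">00-11-22-33-44-55</Calling-Station-Id><Framed-MTU data_type="0">1400</Framed-MTU><NAS-Port-Type data_type="0">19</NAS-Port-Type><Client-Friendly-Name data_type="1">SVR01AP</Client-Friendly-Name><User-Name data_type="1">alice</User-Name><SAM-Account-Name data_type="1">MYDOMAIN\\alice</SAM-Account-Name><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">12/09/2012 20:37:01.310</Timestamp><Computer-Name data_type="1">SVR01NPS</Computer-Name><Client-Friendly-Name data_type="1">SVR01AP</Client-Friendly-Name><SAM-Account-Name data_type="1">MYDOMAIN\\alice</SAM-Account-Name><NP-Policy-Name data_type="1">Wireless Access Policy</NP-Policy-Name><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
"""


def parse_events(log_text):
    """Parse DTS-compliant NPS log text into a list of {element-name: text} dicts.

    The file is a bare sequence of <Event> elements, so it is wrapped in a
    synthetic root before handing it to the XML parser.
    """
    root = ET.fromstring("<Log>" + log_text + "</Log>")
    return [{child.tag: (child.text or "") for child in event} for event in root.iter("Event")]


def _conversation_key(event):
    # Challenges, Accepts and Rejects do not carry NAS attributes such as
    # Calling-Station-Id, and Class changes per packet, so correlate on the
    # RADIUS client (AP) name plus the resolved account, present on every event.
    return (event.get("Client-Friendly-Name", "?"),
            event.get("SAM-Account-Name") or event.get("User-Name", "?"))


def analyse(events):
    """Return per-(client, account) packet counts, the largest Framed-MTU seen,
    and a 'stalled' verdict: requests logged but never an Accept or Reject."""
    report = defaultdict(lambda: {"requests": 0, "challenges": 0, "accepts": 0,
                                  "rejects": 0, "max_framed_mtu": None})
    counters = {ACCESS_REQUEST: "requests", ACCESS_CHALLENGE: "challenges",
                ACCESS_ACCEPT: "accepts", ACCESS_REJECT: "rejects"}
    for ev in events:
        entry = report[_conversation_key(ev)]
        field = counters.get(int(ev.get("Packet-Type", "0")))
        if field:
            entry[field] += 1
        if "Framed-MTU" in ev:
            mtu = int(ev["Framed-MTU"])
            if entry["max_framed_mtu"] is None or mtu > entry["max_framed_mtu"]:
                entry["max_framed_mtu"] = mtu
    for entry in report.values():
        entry["stalled"] = (entry["requests"] > 0
                            and entry["accepts"] == 0 and entry["rejects"] == 0)
    return dict(report)


def stalled_conversations(events):
    """List (client, account, hint) for conversations that never reached a decision."""
    findings = []
    for (client, account), entry in analyse(events).items():
        if not entry["stalled"]:
            continue
        mtu = entry["max_framed_mtu"]
        if mtu is not None and mtu > FRAMED_MTU_LIMIT:
            hint = (f"Framed-MTU {mtu} exceeds {FRAMED_MTU_LIMIT}; try setting "
                    f"Framed-MTU <= {FRAMED_MTU_LIMIT} in the network policy")
        else:
            hint = "no oversized Framed-MTU seen; the cause is elsewhere"
        findings.append((client, account, hint))
    return findings


if __name__ == "__main__":
    for client, account, hint in stalled_conversations(parse_events(SAMPLE_LOG)):
        print(f"{client} / {account}: stalled ({hint})")
```

Point `parse_events` at the contents of a real `IN*.log` file from `%SystemRoot%\System32\LogFiles` (with log format set to DTS-compliant) and the same correlation applies; on a live log you would also want to bound the analysis to a time window, since a client that authenticated successfully an hour ago will otherwise mask a stall that started later.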
- Click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.
- Double-click Policies, click Network Policies, and then in the details pane double-click the policy that you want to configure.
- In the policy Properties dialog box, click the Settings tab.
- In Settings, in RADIUS Attributes, click Standard. In the details pane, click Add. The Add Standard RADIUS Attribute dialog box opens.
- In Attributes, scroll down to and click Framed-MTU, and then click Add. The Attribute Information dialog box opens.
- In Attribute Value, type a value equal to or less than 1344. Click OK, click Close, and then click OK.
After making this change, my wireless clients were immediately able to connect to my secure wireless network as they had before the NPS server moved onto Hyper-V 2012… Now to investigate the root cause further!