Wireless access point not connecting to NPS server

As part of my migration from my Server 2008 R2 environment, I ended up taking my NPS server offline. The trouble is, my wireless clients were unable to connect after it was brought back online.

Nothing had changed on the operating system, or the wireless access point. The only change is that the NPS server was migrated onto a Server 2012 Hyper-V environment.

I have not looked into the root cause, but I suspect that it is to do with either the new Network Virtualization capabilities of Hyper-V 2012, or with the new virtual network card that it installs by default… Or both.

In any case, the clients would just continue to try and connect, and then fail. Normally, the Security event logs will give you a bit more information here, but in this case there was absolutely nothing logged. This originally led me to believe that the issue was with the wireless access point configuration, because the request did not even appear to be reaching the NPS server at all.

Checking the RADIUS accounting logs disproved this, as I could see that the connection attempts were indeed being logged. This means that NPS was receiving the connection, but for some reason wasn’t even trying to match it to a connection or network policy (as nothing was being logged in the Security event log).

Some example entries in the log were:

<Event>
<Timestamp data_type="4">12/09/2012 20:36:23.148</Timestamp>
<Computer-Name data_type="1">SVR01NPS</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<Class data_type="1">311 1 10.14.0.35 12/09/2012 10:28:56 9</Class>
<Session-Timeout data_type="0">30</Session-Timeout>
<Fully-Qualifed-User-Name data_type="1">mydomain.com/Users/Mat Mirabito</Fully-Qualifed-User-Name>
<Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>
<Client-IP-Address data_type="3">10.14.0.4</Client-IP-Address>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-Friendly-Name data_type="1">SVR01AP</Client-Friendly-Name>
<Proxy-Policy-Name data_type="1">Wireless Access Policy</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<SAM-Account-Name data_type="1">MYDOMAIN\mat</SAM-Account-Name>
<NP-Policy-Name data_type="1">Wireless Access Policy</NP-Policy-Name>
<Authentication-Type data_type="0">5</Authentication-Type>
<Packet-Type data_type="0">11</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code>
</Event>

<Event>
<Timestamp data_type="4">12/09/2012 20:36:23.164</Timestamp>
<Computer-Name data_type="1">SVR01NPS</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<NAS-IP-Address data_type="3">10.14.0.4</NAS-IP-Address>
<NAS-Port data_type="0">0</NAS-Port>
<Called-Station-Id data_type="1">64-70-02-7F-99-64:MYSSID</Called-Station-Id>
<Calling-Station-Id data_type="1">24-77-03-94-F3-90</Calling-Station-Id>
<Framed-MTU data_type="0">1400</Framed-MTU>
<NAS-Port-Type data_type="0">19</NAS-Port-Type>
<Connect-Info data_type="1">CONNECT 0Mbps 802.11</Connect-Info>
<Client-IP-Address data_type="3">10.14.0.4</Client-IP-Address>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-Friendly-Name data_type="1">SVR01AP</Client-Friendly-Name>
<User-Name data_type="1">mat</User-Name>
<Proxy-Policy-Name data_type="1">Wireless Access Policy</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<SAM-Account-Name data_type="1">MYDOMAIN\mat</SAM-Account-Name>
<Class data_type="1">311 1 10.14.0.35 12/09/2012 10:28:56 10</Class>
<Authentication-Type data_type="0">5</Authentication-Type>
<NP-Policy-Name data_type="1">Wireless Access Policy</NP-Policy-Name>
<Fully-Qualifed-User-Name data_type="1">mydomain.com/Users/Mat Mirabito</Fully-Qualifed-User-Name>
<Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>
<Packet-Type data_type="0">1</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code>
</Event>

It was the second event that got me on the right track, particularly this line:

<Framed-MTU data_type="0">1400</Framed-MTU>

In some cases, such as when network devices either do not fragment the RADIUS requests correctly or are unable to fragment them at all, NPS is unable to process the request.

In these cases, you can resolve the issue by modifying the Framed-MTU value in the network policy in question, to 1344. The following steps are taken directly from this TechNet article:

  1. Click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.
  2. Double-click Policies, click Network Policies, and then in the details pane double-click the policy that you want to configure.
  3. In the policy Properties dialog box, click the Settings tab.
  4. In Settings, in RADIUS Attributes, click Standard. In the details pane, click Add. The Add Standard RADIUS Attribute dialog box opens.
  5. In Attributes, scroll down to and click Framed-MTU, and then click Add. The Attribute Information dialog box opens.
  6. In Attribute Value, type a value equal to or less than 1344. Click OK, click Close, and then click OK.

After making this change, my wireless clients were immediately able to connect to my secure wireless network as they had before the NPS server moved on to Hyper-V 2012… Now to investigate the root cause further!
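
The log check described above, as an added example (not part of the original post, and not Microsoft code): a Python script that reads NPS XML accounting log text and lists the sessions that send a Framed-MTU above 1344 and never reach an Access-Accept or Access-Reject. The sample log is constructed (the two events quoted above, trimmed, plus a hypothetical user "alice"), and grouping events by Client-Friendly-Name and SAM-Account-Name is an assumption made for this example.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

MAX_FRAMED_MTU = 1344  # ceiling the post sets in the network policy
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}

# Constructed sample: the two events from the post, trimmed, plus a
# hypothetical user "alice" whose session completes with an Access-Accept.
SAMPLE_LOG = r"""
<Event><Client-Friendly-Name data_type="1">SVR01AP</Client-Friendly-Name><SAM-Account-Name data_type="1">MYDOMAIN\mat</SAM-Account-Name><Packet-Type data_type="0">11</Packet-Type></Event>
<Event><Framed-MTU data_type="0">1400</Framed-MTU><Client-Friendly-Name data_type="1">SVR01AP</Client-Friendly-Name><SAM-Account-Name data_type="1">MYDOMAIN\mat</SAM-Account-Name><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Framed-MTU data_type="0">1400</Framed-MTU><Client-Friendly-Name data_type="1">SVR01AP</Client-Friendly-Name><SAM-Account-Name data_type="1">MYDOMAIN\alice</SAM-Account-Name><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Client-Friendly-Name data_type="1">SVR01AP</Client-Friendly-Name><SAM-Account-Name data_type="1">MYDOMAIN\alice</SAM-Account-Name><Packet-Type data_type="0">2</Packet-Type></Event>
"""


def parse_events(text):
    """Yield one dict per <Event>; the log is a run of elements with no root."""
    for raw in re.findall(r"<Event>.*?</Event>", text, flags=re.DOTALL):
        yield {child.tag: (child.text or "") for child in ET.fromstring(raw)}


def stalled_sessions(text, limit=MAX_FRAMED_MTU):
    """List (access point, user) pairs that sent an oversized Framed-MTU
    and never received an Access-Accept or Access-Reject."""
    seen = defaultdict(lambda: {"types": set(), "mtus": set()})
    for ev in parse_events(text):
        key = (ev.get("Client-Friendly-Name", "?"), ev.get("SAM-Account-Name", "?"))
        seen[key]["types"].add(int(ev.get("Packet-Type", 0)))
        if "Framed-MTU" in ev:
            seen[key]["mtus"].add(int(ev["Framed-MTU"]))
    report = []
    for (ap, user), info in sorted(seen.items()):
        finished = info["types"] & {2, 3}  # Accept or Reject was logged
        oversized = sorted(m for m in info["mtus"] if m > limit)
        if oversized and not finished:
            names = sorted(PACKET_TYPES.get(t, str(t)) for t in info["types"])
            report.append({"ap": ap, "user": user,
                           "framed_mtu": oversized, "packets": names})
    return report


if __name__ == "__main__":
    for row in stalled_sessions(SAMPLE_LOG):
        print(row)
```
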

Windows Server 2012 freezes when starting a Hyper-V guest

I’m going through a process at the moment of upgrading my Server 2008 R2 lab environment to Server 2012. This week I decided I would do a fresh install of Server 2012 on one of my Hyper-V hosts. I backed up all of my VMs to an eSATA drive, and then performed a clean install of Server 2012.

When the operating system was installed, I added the Hyper-V role and re-created one of my machines in System Center Virtual Machine Manager, then attached the original VHDs.

Unfortunately, when I tried to power up the first “imported” machine, the Hyper-V host completely froze. No caps or num lock response. I had to hard reset it to bring it back online, after which my first step was to try to start the VM again. Same deal.

I then created a fresh machine, with no OS installed and tried to boot that. Yet again, the Hyper-V host locked up. Even a blank VM with no drives at all caused the Hyper-V host to freeze or lock up as soon as it was powered up.

Given the nature of the problem (no BSOD), there was no crash dump to analyse, and no Windows Event Logs to look through.

At this stage, I was almost certain I had a hardware issue, but this was working fine on Server 2008 R2. Although this server is a white box server build, I have previously found that the Dell diagnostics software that came with Dell equipment that I have previously bought tends to work pretty well in diagnosing generic hardware issues. I created a bootable USB stick using the Dell diagnostic software, and then ran through all the tests. Everything passed. A burn-in test with BurnInTest from Passmark also succeeded with everything set to maximum load.

I then started doing some research into the particular hardware combination I had, with regard to Hyper-V and Server 2012. The system is a Gigabyte GA-970A-D3 Motherboard, AMD Phenom II X2 555 and 32GB DDR3 G.Skill RAM.

My initial research seemed to indicate that USB 3.0 on Gigabyte motherboards has been causing issues for people when running Windows 8 and Server 2012. I checked my settings, and it was enabled. I disabled it, again certain this would resolve the issue.

No dice!

The solution in the end, for me, was actually pretty simple (as it normally is when you spend hours troubleshooting an issue like this). I just needed to disable C1E support in the BIOS. For good measure, I also performed a BIOS update and disabled the Cool & Quiet power options in the BIOS as well.

My VMs now start perfectly, and I can continue migrating the rest of them onto my new Server 2012 environment.