I have Cisco WLC 5508’s running code 8.0.100.0 (Just completed upgrade a couple 
of hours ago) and am testing, but seems fine thus far.    Users came back 
online with no reported or observed issues thus far.


I use NPS on a  Server 2008 R2 (2 servers, no other functions roles assigned)
They are not DC’s.
I’m running 802.1x, WPA2 (PEAP)
NAC enforcement on wifi.
Still using Cisco WCS  (Grrr.  Expect to be upgrading soon to Prime.)
AP count- about 1000

With regard to the question you asked, I do receive quite a few Event ID 6274, 
but largely I get to ignore them.  The reason code is usually “3” and the 
Reason is “The RADIUS message that Network Policy Server received from the 
network access server was malformed.”  I don’t see the specific reason code you 
mention, however.  Most of the errors I see are from clients improperly 
configured.  Otherwise, I was running IAS on 2003 which I migrated to NPS a few 
years back and ever since we started they’ve been rock solid.  I rarely have to 
look at them.


So far this morning I’ve tested the following devices below and they all seem 
fine so far.  Also, all my clients are back online and appear to have the same 
level of connectivity they had prior from the system overview point of view.
13” Macbook Pro Retina (Mac OS Yosemite with latest update)
15” Older Macbook Pro running Lion
Android 4.4
Various pcs including Microsoft Surface Pro (1st gen)
Ipad (2nd generation)
Chromebook (Acer c720p)
Iphone 4S
Motorola Moto X
Galaxy Tab 3

I also noticed prior to the update that my pings were having a bit of latency 
and 1-4% packet loss to the controller and that’s gone since I updated.  Prior 
to this I was running controller code 7.3.101.0 .

Hope this helps.  I know it’s more info than you were asking for, but figured 
it could be useful for others with questions about 8.0.100.0 code.  I’ll be 
watching it closely in the coming days and before xmas break.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Thomas Klimek
Sent: Friday, November 21, 2014 5:39 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco WLC & Microsoft NPS for .1x

We currently utilize Cisco for wireless and Microsoft NPS servers for wireless 
authentication and I am interested in comparing notes with anyone else doing 
the same.

A few questions:

- Size of environment (# of AP's)?
- Number of NPS servers ?
- OS version?
- Are they domain controllers?
- Controller Code?
- Experienced similar issues as described below ?

In our environment we have three Microsoft NPS servers running 2008 R2 that are 
not domain controllers and are VMs
Cisco 5508 WLC running 7.6.120.12
Cisco APs (about 2500)

The issue we are experiencing is as follows:

User account is valid and the device\account are authenticated at other times
When the error occurs for a specific device\account the WLC fails over to 
secondary and tertiary servers and the same errors continue for secondary and 
tertiary NPS servers.


Access request arrives at NPS server and the server does not respond.  This is 
the packet capture and the resulting NPS event log.  Packets before and after 
this packet 3638 are processed and responded to.  Has anyone seen a scenario in 
which MS NPS generates this internal error?

Packet capture from the NPS server.
***********************************************
3638  2014-11-18 13:47:42.890  172.20.255.11  172.19.10.10  RADIUS  519  Access-Request(1) (id=236, l=477)
Frame 3638: 519 bytes on wire (4152 bits), 519 bytes captured (4152 bits) on interface 0
Ethernet II, Src: Cisco_44:f1:c1 (6c:9c:ed:44:f1:c1), Dst: Vmware_a1:16:10 (00:50:56:a1:16:10)
Internet Protocol Version 4, Src: 172.20.255.11 (172.20.255.11), Dst: 172.19.10.10 (172.19.10.10)
User Datagram Protocol, Src Port: 32769 (32769), Dst Port: 1812 (1812)
Radius Protocol
    Code: Access-Request (1)
    Packet identifier: 0xec (236)
    Length: 477
    Authenticator: 42bd7bf829bd863e730398109b3027e1
    Attribute Value Pairs
        AVP: l=7 t=User-Name(1): testuser
        AVP: l=3 t=Chargeable-User-Identity(89): \000
        AVP: l=6 t=Location-Capable(131): Civix-Location(1)
        AVP: l=19 t=Calling-Station-Id(31): f4-09-d8-b4-bb-0c
        AVP: l=29 t=Called-Station-Id(30): 08-17-35-63-92-50:ND-secure
        AVP: l=6 t=NAS-Port(5): 13
        AVP: l=49 t=Vendor-Specific(26) v=ciscoSystems(9)
        AVP: l=6 t=NAS-IP-Address(4): 172.20.255.11
        AVP: l=15 t=NAS-Identifier(32): res-wlc5508-b
        AVP: l=12 t=Vendor-Specific(26) v=Airespace, Inc (formerly Black Storm Networks)(14179)
        AVP: l=6 t=Service-Type(6): Framed(2)
        AVP: l=6 t=Framed-MTU(12): 1300
        AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19)
        AVP: l=6 t=Tunnel-Type(64) Tag=0x00: VLAN(13)
        AVP: l=6 t=Tunnel-Medium-Type(65) Tag=0x00: IEEE-802(6)
        AVP: l=6 t=Tunnel-Private-Group-Id(81): 2065
        AVP: l=213 t=EAP-Message(79) Last Segment[1]
        AVP: l=38 t=State(24): 2ce303fc00000137000117002002814a0a0a000000000000...
        AVP: l=18 t=Message-Authenticator(80): 55368a5520b291f18687d5cf7d60eb1b

Event log from NPS
***********************************************
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          11/18/2014 1:47:42 PM
Event ID:      6274
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      NPS1-prod.VM.ND.EDU
Description:
Network Policy Server discarded the request for a user.

Contact the Network Policy Server administrator for more information.

User:
     Security ID:  ADND\testuser
     Account Name:  testuser
     Account Domain:  ADND
     Fully Qualified Account Name:  ND.EDU/Accounts/testuser

Client Machine:
     Security ID:  NULL SID
     Account Name:  -
     Fully Qualified Account Name:  -
     OS-Version:  -
     Called Station Identifier:  08-17-35-63-92-50:ND-secure
     Calling Station Identifier:  f4-09-d8-b4-bb-0c

NAS:
     NAS IPv4 Address:  172.20.255.11
     NAS IPv6 Address:  -
     NAS Identifier:  res-wlc5508-b
     NAS Port-Type:  Wireless - IEEE 802.11
     NAS Port:  13

RADIUS Client:
     Client Friendly Name:  ND-Wireless-AP-Controller
     Client IP Address:  172.20.255.11

Authentication Details:
     Connection Request Policy Name:  Use Windows authentication for all users
     Network Policy Name:  Wireless Fac/Staff Policy
     Authentication Provider:  Windows
     Authentication Server:  NPS1-prod.VM.ND.EDU
     Authentication Type:  EAP
     EAP Type:  -
     Account Session Identifier:  -
     Reason Code:  1
     Reason:  An internal error occurred. Check the system event log for additional information.



Sorry for the long message.

Thanks for any responses/advice.

Tom Klimek
University of Notre Dame
********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.
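
Added example (not from either poster, and not NPS's own logic): a Python version of the structural checks a RADIUS server can apply to an Access-Request like the one captured above, namely the RFC 2865 length rules and the RFC 3579 Message-Authenticator HMAC-MD5. The sample packet, the helper names and the shared secret passed in are constructed for illustration.

```python
import hashlib
import hmac
import struct

def avp(atype: int, value: bytes) -> bytes:
    """Encode one attribute: type, length (2-byte header included), value."""
    return bytes([atype, len(value) + 2]) + value

def build_sample(secret: bytes) -> bytes:
    """Constructed Access-Request (not the capture from the thread)."""
    attrs = avp(1, b"testuser") + avp(79, b"\x02\x01\x00\x05\x01") + avp(80, bytes(16))
    pkt = bytearray(struct.pack("!BBH", 1, 236, 20 + len(attrs)) + bytes(range(16)) + attrs)
    # Message-Authenticator is computed with its own 16 value octets zeroed.
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def check_access_request(pkt: bytes, secret: bytes) -> list:
    """Return the structural problems found; an empty list means well-formed."""
    if len(pkt) < 20:
        return ["shorter than the 20-byte RADIUS header"]
    length = struct.unpack("!H", pkt[2:4])[0]
    if not 20 <= length <= 4096:
        return [f"header Length {length} outside 20..4096"]
    if length > len(pkt):
        return [f"header Length {length} exceeds the {len(pkt)} bytes received"]
    pkt = pkt[:length]  # octets past Length are padding (RFC 2865)
    pos, has_eap, ma_at = 20, False, None
    while pos < length:
        if pos + 2 > length:
            return [f"truncated attribute header at offset {pos}"]
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            return [f"attribute {atype} at offset {pos} has bad length {alen}"]
        if atype == 79:      # EAP-Message
            has_eap = True
        elif atype == 80:    # Message-Authenticator
            if alen != 18:
                return [f"Message-Authenticator length {alen}, expected 18"]
            ma_at = pos + 2
        pos += alen
    if ma_at is None:
        # RFC 3579: a request carrying EAP-Message must also carry attribute 80.
        return ["EAP-Message without Message-Authenticator"] if has_eap else []
    zeroed = pkt[:ma_at] + bytes(16) + pkt[ma_at + 16:]
    good = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(good, pkt[ma_at:ma_at + 16]):
        return ["Message-Authenticator HMAC-MD5 mismatch"]
    return []
```

The AVP lengths listed in the capture sum to 457, which plus the 20-byte header equals the stated Length of 477, so that request passes the length checks; verifying its Message-Authenticator would need the full packet bytes and the shared secret configured for the WLC.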
