NPS - RADIUS authentication works locally, but access-request identified as "malformed" when proxied over the WAN

Hi all,

We are using a pair of Microsoft 2012 NPS servers as RADIUS proxy servers, behind which are another pair of NPS servers as RADIUS authentication servers. Users on our local wireless network can authenticate via this infrastructure, using Active Directory accounts, without problems. Authentication is PEAP/EAP-MSCHAP v2.

However, the NPS infrastructure is also used when our users are at other organisations that offer the academiceduroam service, with their authentication requests being proxied back to our authentication servers. These roaming users are failing to authenticate nearly all the time, though occasionally a successful authentication is observed in the event viewer on the authentication servers. The failed authentication attempts typically generate an event viewer message:

Network Policy Server discarded the request for a user.

The reason in this event viewer message is given as:

The RADIUS Request message that Network Policy Server received from the network access server was malformed.

Because the authentication server discards the request and so does not respond to the proxy server, the proxy server also discards the request.

The problem is evident on RADIUS authentication servers running on both Windows 2008r2 and Windows 2012.

I'd be grateful for any advice on how to discover what it is that makes the authentication servers consider the access-requests as "malformed", or indeed what might be causing this for so many users when authenticating remotely over the WAN, even though local authentication is fine.

One possible problem is described in

https://technet.microsoft.com/en-us/library/cc755205(v=ws.10).aspx

We have applied the relevant configuration described in

https://technet.microsoft.com/en-us/library/cc771164(v=ws.10).aspx

but the problem remains.

There are also postings that suggest malformed requests can be related to server certificate issues, but I understand that if there were such an issue it would affect local authentication as well.

Thanks in advance for any help anyone can offer.

Stuart