I am having issues with NPS when computers are trying to re-authenticate. Before diving into my issue I'll post my setup.
Workstations are connected to two different switches that have 802.1x enabled by port.
I have two Server 2012 domain controllers with NPS role installed. One switch is an Extreme Networks x450a-48T and the other is a x150-48T. Both are running ExtremeXOS version 12.6.3.2.
The issue I am having is that, according to the switch, it is having issues talking to my NPS servers. If this happens when a computer is trying to re-authenticate, the authentication fails, disconnecting them from the network for either a few seconds or a couple of minutes. Looking at the time stamps in the logs between the NPS servers and the switch, the errors are within seconds of each other, so I cannot tell which one was actually first.
On the server, I get this in the event viewer (identifiable information changed):
Time: 4/22/2014 10:50:37 AM
Network Policy Server discarded the request for a user. Contact the Network Policy Server administrator for more information.
User: Security ID: domain\computername$ Account Name: host/computername.domain.local Account Domain: domain Fully Qualified Account Name: domain\computername$
Client Machine: Security ID: NULL SID Account Name: - Fully Qualified Account Name: - OS-Version: - Called Station Identifier: - Calling Station Identifier: <mac address>
NAS: NAS IPv4 Address: <switch ip> NAS IPv6 Address: - NAS Identifier: - NAS Port-Type: Ethernet NAS Port: 1015
RADIUS Client: Client Friendly Name: <switch name> Client IP Address: <switch ip>
Authentication Details: Connection Request Policy Name: wired Network Policy Name: user-office port-based Authentication Provider: Windows Authentication Server: NPS1.domain.local Authentication Type: EAP EAP Type: - Account Session Identifier: - Reason Code: 1 Reason: An internal error occurred. Check the system event log for additional information.
And then when I look at the switch, it has:
04/22/2014 11:52:02.72 <Info:nl.ClientAuthenticated> Network Login 802.1x user host/computername.domain.local logged in MAC <mac address> port 15 VLAN(s) "user-office", authentication Radius
04/22/2014 11:50:46.58 <Info:nl.ClientReAuth> Network Login user host/computername.domain.local unauthenticated as reauthentication failed, Mac <mac address> port 15 VLAN(s) "user-office"
04/22/2014 11:50:46.57 <Warn:AAA.RADIUS.noRespForDot1xReq> No response from RADIUS server (NPS1 address) for 802.1x request sent from switch.
04/22/2014 11:50:46.57 <Warn:AAA.RADIUS.serverSwitch> Switch to server (NPS2 address)
04/22/2014 11:50:43.56 <Warn:AAA.RADIUS.resendPkt> Resend packet to Authentication Server address (NPS1 address) current packet count is 2
04/22/2014 11:50:40.56 <Warn:AAA.RADIUS.resendPkt> Resend packet to Authentication Server address (NPS1 address) current packet count is 1
I see that the NPS server says the reason code is 1, which means it was an internal error, which leads me to believe that the switch cannot contact the NPS server during the time when the server is having an error. I have found that logging failures can lead to not allowing a client to authenticate, but I have logging enabled locally only, and within the logging settings I have "If logging fails, discard connection requests." selected, so even if it was a logging failure, that should not prevent the client from authenticating.
Any guidance as to what is causing this problem for me and how to fix it?
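One way to take the guesswork out of "which side failed first" is to parse the switch log and the NPS event times together and line them up. The script below is an added example, not code from the poster or from Extreme Networks or Microsoft. It parses ExtremeXOS log lines of the shape shown above (constructed sample lines with placeholder addresses 192.0.2.10 and 192.0.2.11 standing in for NPS1 and NPS2), groups each `resendPkt` / `noRespForDot1xReq` sequence into a RADIUS timeout window per server, measures the retry interval and how long the switch waited before giving up, and checks whether an NPS "discarded" event falls inside that window once an assumed clock offset between switch and server is applied (the post's timestamps differ by roughly one hour, so a one-hour offset is assumed here; the real offset would be whatever the two clocks actually show).

```python
import re
from datetime import datetime, timedelta

# Constructed sample of ExtremeXOS log lines, modelled on the format in the post.
# Addresses are documentation placeholders, not real servers.
SWITCH_LOG = """\
04/22/2014 11:52:02.72 <Info:nl.ClientAuthenticated> Network Login 802.1x user host/pc1.domain.local logged in MAC 00:11:22:33:44:55 port 15 VLAN(s) "user-office", authentication Radius
04/22/2014 11:50:46.58 <Info:nl.ClientReAuth> Network Login user host/pc1.domain.local unauthenticated as reauthentication failed, Mac 00:11:22:33:44:55 port 15 VLAN(s) "user-office"
04/22/2014 11:50:46.57 <Warn:AAA.RADIUS.noRespForDot1xReq> No response from RADIUS server 192.0.2.10 for 802.1x request sent from switch.
04/22/2014 11:50:46.57 <Warn:AAA.RADIUS.serverSwitch> Switch to server 192.0.2.11
04/22/2014 11:50:43.56 <Warn:AAA.RADIUS.resendPkt> Resend packet to Authentication Server address 192.0.2.10 current packet count is 2
04/22/2014 11:50:40.56 <Warn:AAA.RADIUS.resendPkt> Resend packet to Authentication Server address 192.0.2.10 current packet count is 1
"""

# Constructed NPS event times (server clock) with their Reason Code, as in the post.
NPS_EVENTS = [(datetime(2014, 4, 22, 10, 50, 37), 1)]

# "MM/DD/YYYY HH:MM:SS.ss <Level:Component> message"
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2}) <(\w+):([\w.]+)> (.*)$")


def parse_switch_log(text):
    """Parse log lines into dicts and return them oldest-first (the switch prints newest-first)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a log entry
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S.%f")
        events.append({"time": ts, "level": m.group(2), "component": m.group(3), "msg": m.group(4)})
    events.sort(key=lambda e: e["time"])  # stable sort keeps file order for equal timestamps
    return events


def find_radius_timeouts(events):
    """Group resendPkt lines followed by noRespForDot1xReq into one timeout window per server."""
    windows, pending = [], {}
    for e in events:
        comp = e["component"]
        if comp == "AAA.RADIUS.resendPkt":
            m = re.search(r"address (\S+) current packet count is (\d+)", e["msg"])
            server = m.group(1)
            w = pending.setdefault(server, {"server": server, "resend_times": [], "resends": 0})
            w["resend_times"].append(e["time"])
            w["resends"] = max(w["resends"], int(m.group(2)))
        elif comp == "AAA.RADIUS.noRespForDot1xReq":
            server = re.search(r"RADIUS server (\S+)", e["msg"]).group(1)
            w = pending.pop(server, {"server": server, "resend_times": [e["time"]], "resends": 0})
            w["gave_up"] = e["time"]
            w["first_resend"] = w["resend_times"][0]
            # Time from the first retransmit until the switch declared the server unresponsive.
            w["retry_window_s"] = (w["gave_up"] - w["first_resend"]).total_seconds()
            # Spacing between consecutive retransmits (the switch's RADIUS timeout setting).
            gaps = [(b - a).total_seconds() for a, b in zip(w["resend_times"], w["resend_times"][1:])]
            w["retry_interval_s"] = gaps[0] if gaps else None
            windows.append(w)
    return windows


def reauth_failures(events):
    """Return (time, user, mac, port) for every 802.1x re-authentication that the switch failed."""
    out = []
    for e in events:
        if e["component"] == "nl.ClientReAuth":
            m = re.search(r"user (\S+) unauthenticated as reauthentication failed, Mac (\S+) port (\d+)", e["msg"])
            if m:
                out.append((e["time"], m.group(1), m.group(2), m.group(3)))
    return out


def correlate_with_nps(windows, nps_events, clock_offset, tolerance=timedelta(seconds=5)):
    """Match NPS events (shifted by the assumed clock offset) to switch timeout windows."""
    matches = []
    for w in windows:
        for t, reason in nps_events:
            t_on_switch_clock = t + clock_offset
            if w["first_resend"] - tolerance <= t_on_switch_clock <= w["gave_up"] + tolerance:
                matches.append({"server": w["server"], "nps_time": t, "reason_code": reason})
    return matches


if __name__ == "__main__":
    evs = parse_switch_log(SWITCH_LOG)
    wins = find_radius_timeouts(evs)
    for w in wins:
        print(f"{w['server']}: {w['resends']} resends, {w['retry_interval_s']}s apart, "
              f"gave up after {w['retry_window_s']}s")
    for t, user, mac, port in reauth_failures(evs):
        print(f"reauth failed at {t} for {user} ({mac}) on port {port}")
    for m in correlate_with_nps(wins, NPS_EVENTS, timedelta(hours=1)):
        print(f"NPS event at {m['nps_time']} (reason {m['reason_code']}) falls inside the {m['server']} timeout")
```

On the constructed sample this reports two resends three seconds apart and a window of about six seconds before the switch gave up on the first server, and the NPS event, shifted by the assumed offset, lands inside that window. Feed it the real log export and real event times, and if the NPS "discarded" event consistently precedes the first `resendPkt` the server dropped the request, whereas if the switch is already retransmitting before NPS logs anything the request never arrived or the server answered too late.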