Hello.
We have a couple of different wireless networks in our company - the main one uses an Aruba Controller and thin Access Points but we also have a couple of Cisco thick APs.
Both of them use a pair of 2008 R2 NPS servers to do the authentication for wireless clients using PEAP and EAP-TLS.
There are separate Network Policies for the two types of AP, but most of the conditions and settings are the same.
I want to replace the NPS servers with 2012 R2 versions so I've exported the config from one of the servers and imported it into a new machine. It all looks correct - the RADIUS clients are all there and so are the policies - but not all of the wireless devices are able to authenticate against the new NPS server.
We get entries in the log for IAS_AUTH_FAILURE on the 2012 R2 machine but the same client devices work ok on the 2008 R2. It's a mixture of user and computer accounts that are failing, and in the windows event log we see
Log Name: System
Source: NPS
Date: 4/24/2015 11:41:24 AM
Event ID: 18
Description:
An Access-Request message was received from RADIUS client 10.2.4.50 with a Message-Authenticator attribute that is not valid.
The client devices are Dell laptops with Intel wireless cards. There are several different types and no obvious commonality between problem devices.
Any suggestions?
Thanks