11-21-2016 11:32 AM - edited 03-03-2019 08:24 AM
I had to move the NPS server to a new network (just an IP change) and after the move the NPS server stopped responding.
Nothing is blocked on the firewall, and the Cisco switches can see the NPS server as UP, but there is no traffic leaving the switch:
RADIUS: id 2, priority 1, host 10.33.38.54, auth-port 1645, acct-port 1646
     State: current UP, duration 2442s, previous duration 0s
     Dead: total time 0s, count 0
     Quarantined: No
     Authen: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Author: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Account: request 0, timeouts 0, failover 0, retransmission 0
             Request: start 0, interim 0, stop 0
             Response: start 0, interim 0, stop 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Elapsed time since counters last cleared: 40m
     Estimated Outstanding Access Transactions: 0
     Estimated Outstanding Accounting Transactions: 0
     Estimated Throttled Access Transactions: 0
     Estimated Throttled Accounting Transactions: 0
     Maximum Throttled Transactions: access 0, accounting 0
     Requests per minute past 24 hours:
             high - 0 hours, 41 minutes ago: 0
             low - 0 hours, 41 minutes ago: 0
             average: 0
On the NPS server the ports are listening, but in the Event Viewer I don't see any new entries after the IP change.
I started Wireshark and I don't see any packets. I have reconfigured the switch from scratch but it's still not working.
I would appreciate it if someone could point me in the right direction as to where I should look for the problem.
11-21-2016 02:49 PM
Can you actually ping the NPS from the switch?
11-22-2016 02:16 AM
Yes, I can ping it, and if I do
test aaa group radius server gnl-nps001 auth-port 1645 acct-port 1646 username password
then I can see logs in the Event Viewer.
This config was working fine for years and all I did was change the IP of the RADIUS server.
My config looks like:
aaa new-model
aaa group server radius GNL-NPS
server name gnl-nps001
aaa authentication login default local
aaa authentication dot1x default group GNL-NPS
aaa authorization network default group GNL-NPS
aaa session-id common
radius-server attribute 32 include-in-access-req format cisco_device
radius-server retry method reorder
radius-server transaction max-tries 3
radius-server timeout 10
radius-server load-balance method least-outstanding
radius server gnl-nps001
address ipv4 10.33.38.54 auth-port 1645 acct-port 1646
timeout 10
key 7 ********
and the port configuration:
description test 802.1x
switchport mode access
switchport voice vlan 104
authentication event fail action authorize vlan 101
authentication event server dead action authorize vlan 101
authentication event no-response action authorize vlan 101
authentication host-mode multi-host
authentication order dot1x
authentication port-control auto
authentication violation protect
snmp trap mac-notification change added
snmp trap mac-notification change removed
no snmp trap link-status
dot1x pae authenticator
storm-control broadcast level pps 200
storm-control action shutdown
no vtp
spanning-tree portfast
11-22-2016 07:36 AM
I have found something interesting and confusing at the same time.
I have built two new machines (two different domains, same forest).
Both run perfectly if I use Wi-Fi 802.1X, which means the NPS server is fine.
If I connect both of them to previously working switch ports:
One works:
The second one doesn't work:
gnl-acswt05#show authentication sessions int gi0/36
Interface: GigabitEthernet0/36
MAC Address: 7446.a039.d5c2
IP Address: Unknown
Status: Running
Domain: UNKNOWN
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-host
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A2126D70000005139FE088D
Acct Session ID: 0x00000066
Handle: 0x7C000052
Runnable methods list:
Method State
dot1x Running
07-15-2019 05:19 PM
If that's an NPS server, the ports should be
auth-port 1812, acct-port 1813
instead of
auth-port 1645, acct-port 1646
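When the switch counters stay at zero, it helps to take the switch out of the picture and send an Access-Request to the NPS from an ordinary host, on whichever auth-port convention is in question (the thread mentions 1645 and 1812; by default NPS listens on both pairs). The following is an added example, not code from the thread or from Cisco or Microsoft: a minimal RFC 2865/3579 RADIUS client in Python that hides the password the PAP way, adds a Message-Authenticator, and validates the Response Authenticator of whatever comes back, so that a silent timeout (port not listening, filtered, or the probing host not registered as a RADIUS client in NPS) can be told apart from a shared-secret mismatch. The host, shared secret, username, password, NAS-IP-Address and the NAS-Identifier "probe" are all assumptions passed in by the caller; the server-side functions build_reply and message_authenticator_ok are included so the exchange can be exercised offline.

```python
"""Minimal RADIUS (RFC 2865/3579) Access-Request probe for testing an NPS from a host."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 2, 4, 32, 80


def attr(atype, value):
    """One TLV attribute: Type(1) Length(1, includes the 2-byte header) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(packet):
    """Attributes after the 20-byte header as a list of (type, value); rejects bad lengths."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_decrypt(hidden, secret, authenticator):
    """Inverse of pap_encrypt (what the server does before checking the password)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, authenticator, username, password, secret, nas_ip, nas_id):
    """Client side: PAP password, NAS-IP-Address, NAS-Identifier (attribute 32, as in the
    posted switch config) and an RFC 3579 Message-Authenticator over the whole packet."""
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + 18) + authenticator
    # HMAC-MD5 keyed with the shared secret, computed with the Message-Authenticator zeroed
    zeroed = header + attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)


def message_authenticator_ok(request, secret):
    """Server-side check of a request: exactly one 16-byte Message-Authenticator, HMAC matches."""
    attrs = parse_attrs(request)
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    zeroed = request[:20] + b"".join(
        attr(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), macs[0])


def build_reply(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def response_authenticator_ok(reply, request_authenticator, secret):
    """Client-side check: a reply that is forged or built with a different secret fails here."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def probe(host, port, secret, username, password, nas_ip, timeout=5.0):
    """Send one Access-Request over UDP and classify the outcome as a short string."""
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    req = build_access_request(ident, authenticator, username, password, secret, nas_ip, "probe")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            # A RADIUS server discards (no reply) requests from unknown clients or with a bad
            # Message-Authenticator, so a timeout can mean "not listening", "filtered" or
            # "this host is not a registered client", not only "server down".
            return "timeout"
    if reply[1] != ident:
        return "reply with wrong Identifier"
    if not response_authenticator_ok(reply, authenticator, secret):
        return "bad Response Authenticator (shared secret mismatch?)"
    return CODE_NAMES.get(reply[0], "code %d" % reply[0])


if __name__ == "__main__":
    import sys
    host, secret, user, pw, nas_ip = sys.argv[1:6]  # assumed command-line arguments
    for port in (1645, 1812):  # both auth-port conventions mentioned in the thread
        print("%s:%d -> %s" % (host, port, probe(host, port, secret.encode(), user, pw, nas_ip)))
```

Run it as `python radius_probe.py 10.33.38.54 '<shared secret>' <user> <password> <this host's IP>` from a machine that is defined as a RADIUS client in NPS with the same secret. An Access-Accept or Access-Reject on a port proves the NPS is reachable and listening there; a timeout on 1645 but a reply on 1812 (or the reverse) points at the port pair, and a timeout on both with a registered client points at the path or the NPS binding rather than at the switch configuration.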