I have been in the process of setting up a BYOD solution at my school for the past few months (more on this to follow!) and have set up an NPS / RADIUS Server as the core authentication server for this solution. All was going well and the launch was publicised to everyone for the start of the January term.
I returned after the Christmas break to perform some final tests and document the system, ready to let our students start connecting their own devices, when I found that Apple and Android devices would connect fine but I could not get any Windows laptops to connect at all!
After a lot of hunting around on the web and searching through SQL access logs for the NPS server and Error Logs, I finally found the solution to our problem. I thought I would post it up here in case anyone else runs into it and also in case I need it again!
Inspecting the NPS SQL Logs revealed that when a Windows device tried to connect it was sent a reject packet. We then cross-referenced this with the Windows Security Log for the NPS server and found an Event with ID “6273 – Reason: The message received was unexpected or badly formatted.”
In the server’s System event log I also found lots of Schannel errors with ID 36887 and warnings with ID 36885.
This led me to these two pages from Microsoft: http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/9171b4aa-ba71-430b-935f-b27513debda4/ and http://support.microsoft.com/kb/2464556
It appears as if Microsoft’s December Root Certificates Update has increased the list of trusted certificate authorities to a length which is greater than a Windows client can accept… This is what causes the unexpected format return message to the NPS server, which then issues the reject packet.
Microsoft present three solutions on their page: http://support.microsoft.com/kb/2464556. We followed the regedit solution and are happy to say that Windows clients are now authenticating with our NPS / RADIUS server again.
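To check whether an NPS server shows the same pattern, the following PowerShell sketch pairs the 6273 rejections with nearby Schannel 36887/36885 events and estimates the size of the trusted issuer list built from the machine's root store. It is an added example, not part of the original post or Microsoft's guidance; the parameter names, the 5-second pairing window and the size estimate are assumptions of this example, and it assumes PowerShell 3.0 or later run elevated.

```powershell
# Added example (not from the original post). Run elevated on the NPS server.
# $Hours and $WindowSeconds are illustrative parameters chosen for this example.
param(
    [int]$Hours = 24,          # how far back to search
    [int]$WindowSeconds = 5    # max gap between an NPS reject and a Schannel event
)
$since = (Get-Date).AddHours(-$Hours)

# Security log: NPS denials (6273) carrying the reason text quoted in the post.
$rejects = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'unexpected or badly formatted' })

# System log: the Schannel error (36887) and warning (36885) from the post.
$schannel = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 36887, 36885; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Schannel*' })

# Pair each reject with Schannel events logged within the time window.
$pairs = foreach ($r in $rejects) {
    $near = @($schannel | Where-Object {
        [math]::Abs(($_.TimeCreated - $r.TimeCreated).TotalSeconds) -le $WindowSeconds
    })
    if ($near.Count -gt 0) {
        [pscustomobject]@{
            RejectTime  = $r.TimeCreated
            SchannelIds = (($near | ForEach-Object { $_.Id } | Sort-Object -Unique) -join ',')
        }
    }
}

# Rough size of the trusted issuer list: each root's DER-encoded subject name
# plus the 2-byte length prefix TLS puts in front of every name. Schannel may
# filter or de-duplicate entries, so treat this as an estimate only.
$roots = @(Get-ChildItem Cert:\LocalMachine\Root)
$issuerBytes = ($roots | ForEach-Object { $_.SubjectName.RawData.Length + 2 } |
    Measure-Object -Sum).Sum

"NPS rejects with the quoted reason : $($rejects.Count)"
"Schannel 36887/36885 events        : $($schannel.Count)"
"Rejects with a Schannel event near : $(@($pairs).Count)"
"Trusted roots / est. issuer bytes  : $($roots.Count) / $issuerBytes"
$pairs | Format-Table -AutoSize
```

Running it before and after a root certificate update shows whether the issuer list grew at the point the rejections started.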
Now on with the BYOD roll-out!