Event ID 26 — Remote RADIUS Server Configuration

Updated: December 16, 2008

Applies To: Windows Server 2008 R2

yellow

When you configure Network Policy Server (NPS) as a RADIUS proxy, you must configure remote RADIUS server groups on the NPS proxy. In addition, you must configure the remote RADIUS servers to communicate with the NPS proxy by adding it as a RADIUS client on the remote RADIUS server. If these configurations are not correct, connection request forwarding and processing cannot occur, and authentication will fail..

Event Details

Product: Windows Operating System
ID: 26
Source: NPS
Version: 6.1
Symbolic Name: PROXY_E_INVALID_ADDRESS
Message: The RADIUS Proxy received a response from the invalid IP address %1:%2 (IP address:port).

Diagnose

This condition can occur under the following circumstances:

  • On the NPS proxy, the configuration of a remote RADIUS server is incorrect, or the NPS proxy is not configured as a RADIUS client on the remote RADIUS server
  • A remote RADIUS server is not configured to return the Message-Authenticator attribute

NPS proxy or remote RADIUS server configuration is incorrect

  1. On the NPS proxy, check the IP address configurations of all remote RADIUS servers to make sure that they are correct. Also check the remote RADIUS servers to make sure that the NPS proxy is configured as a RADIUS client, and that the correct IP address is used in the configuration.
  2. If the configuration is incorrect, see the section titled "Correct the RADIUS proxy and RADIUS server configuration."

Remote RADIUS server is not configured to return the Message-Authenticator attribute

  1. Check the remote RADIUS server to make sure that it is configured to return the Message-Authenticator attribute.
  2. If a remote RADIUS server is not configured to return the Message-Authenticator attribute, see the section titled "Configure a RADIUS server to return the Message-Authenticator attribute."

Resolve

To resolve this issue, use the resolution that corresponds to the cause you identified in the Diagnose section. After performing the resolution, see the Verify section to confirm that the feature is operating properly

Cause

Resolution

The remote RADIUS server or RADIUS proxy configuration is incorrect

Correct the RADIUS proxy and RADIUS server configuration

A remote RADIUS server is not configured to return the Message-Authenticator attribute

Configure a RADIUS server to return the Message-Authenticator attribute

Correct the RADIUS proxy and RADIUS server configuration

To perform this procedure, you must be a member of Domain Admins.

To correct the RADIUS proxy and RADIUS server IP address configuration:

  1. On the RADIUS proxy, open the NPS Microsoft Management Console (MMC).
  2. In the console tree, double-click RADIUS Clients and Servers, and then double-click Remote RADIUS Server Groups.
  3. Open each remote RADIUS server group and examine the IP address configuration of each group member. Type the correct IP address for each remote RADIUS server.
  4. If you have more than one NPS proxy on your network, make sure that the remote RADIUS servers are configured with the correct RADIUS clients and their IP addresses.

To configure the NPS proxy as a RADIUS client on the remote RADIUS server:

  • If the remote RADIUS server is a non-Microsoft RADIUS server, use your product documentation to add the NPS proxy as a RADIUS client on the RADIUS server.

To configure the NPS proxy as a RADIUS client on the remote RADIUS server if the RADIUS server is a server running NPS:

  1. Click Start, Administrative Tools, Network Policy Server. The NPS MMC opens.
  2. Double-click RADIUS Clients and Servers.
  3. Right-click RADIUS Clients, and then click New RADIUS Client.
  4. Follow the steps in the New RADIUS Client Wizard.

Configure a RADIUS server to return the Message-Authenticator attribute

By default, NPS RADIUS servers return the Message-Authenticator attribute when Extensible Authentication Protocol (EAP) is configured as the authentication method.

To configure the Message-Authenticator attribute if you are using a RADIUS server from a vendor other than Microsoft:

  1. Log on to the remote RADIUS server.
  2. Follow the RADIUS server documentation to ensure that the RADIUS server is configured to return a Message-Authenticator attribute.

Verify

To perform this procedure, you must be a member of Domain Admins.

To verify the configuration of the remote RADIUS server:

  1. Click Start, Administrative Tools, Network Policy Server. The Network Policy Server MMC opens.
  2. In the console tree, double-click RADIUS Clients and Servers, and then double-click Remote RADIUS Server Groups.
  3. Open the appropriate remote RADIUS server group and confirm that the IP address of the remote RADIUS server is correct.
  4. On the remote RADIUS server, verify that the IP addresses of the NPS proxy and the RADIUS server are correct, and that the RADIUS server is configured to return a Message-Authenticator attribute.

Related Management Information

Remote RADIUS Server Configuration

Network Policy Server Infrastructure

Community Additions

ADD
Show: