Radius authentication stopped working on Windows 2003 Server
Hello.

Recently I discovered an annoying problem which is not a critical problem at this moment but very frustrating. Radius (IAS, MS Windows Server 2003 R2 SP2) authentication does not work anymore from Procurve switches. These switches are the only devices using radius, and I can log in to them by stopping IAS from the Windows 2003 server and using switch local accounts. The only major difference between now and then (when it worked) is that one domain controller (w2k3) was removed from the domain. This server did not have anything to do with radius in its lifetime. No configuration changes were made to the switches. Switches have their latest firmware installed and the IAS server is in the Active Directory group "RAS and IAS Servers". The IAS server is also Domain Controller, DNS and DHCP. Users' Remote Access Permission is set to "Control through Remote Access Policy". In IAS, Radius Clients vendor is defined as "RADIUS Standard".

Here's what happens when I try to log on to a switch using radius (usernames and other identification info changed):

1. System Log: IAS Event ID 2

User <username> was denied access.
Fully-Qualified-User-Name = DOMAIN\<username>
NAS-IP-Address = 172.17.198.4
NAS-Identifier = nw367
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = <removed>
Client-IP-Address = <removed>
NAS-Port-Type = Virtual
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.

2. Server Security Log 10:36:58 Logon/Logoff Event ID 529

Logon Failure:
Reason: Unknown user name or bad password
User Name: <username>
Domain: <DOMAIN>
Logon Type: 3
Logon Process: IAS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:
Caller User Name: <IASSERVER$>
Caller Domain: <DOMAIN>
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 956
Transited Services: -
Source Network Address: -
Source Port: -

3. Server Security Log

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: <username>
Source Workstation:
Error Code: 0xC000006A

Here are IAS log entries. First one from today when radius authentication is not working.

Called Station Id:
Calling Station Id:
Client Friendly Name: <switch friendly name>
Client IP Address: <ipaddress>
Connect Request: IAS_AUTH_FAILURE
Connect Result: Rejected
Duration: 00:00:00
FQ User Name: DOMAIN\<username>
Input Octects
Output Octects:
NP Policy name:
Output Packets
Record Count: 2
Server IP: <switch ip>
Server Name: IASSERVER
Server NasPort:
Session Time:
Terminate Cause: AUTH_FAILURE
User IP:
User Name: <username>
Transmit Speed:
Receive Speed:
Transmit/Receive Speed:
Class: 311 1 <ias ipaddress> 05/20/2009 06:23:57 7
NAS Port Type: Virtual (VPN)
Filter Id:
Tunne Type:
Tunnel Medim Type:
Tunnel Private Group ID:
SAM Account Name: DOMAIN\<username>
Proxy Policy Name: User Windows authentication for all users
SQ User Name: DOMAIN\<username>
MS RAS ClientName:
NS Identifier: nw367
Debug Info: AutoClose=False; CalcDuration=0

Here is a log entry when it was still working.

Called Station Id:
Calling Station Id:
Client Friendly Name: <switch friendly name>
Client IP Address: <ipaddress>
Connect Request: IAS_SUCCESS
Connect Result: Unknown
Duration: 00:00:00
FQ User Name: Domain.local/CN/Doe,John
Input Octects
Output Octects:
NP Policy name: Switch Control
Output Packets
Record Count: 2
Server IP: <switch ip>
Server Name: IASSERVER
Server NasPort:
Session Time:
Terminate Cause:
User IP:
User Name: <username>
Transmit Speed:
Receive Speed:
Transmit/Receive Speed:
Class: 311 1 <ias ipaddress> 03/14/2009 06:04:47 17
NAS Port Type: Virtual (VPN)
Filter Id:
Tunne Type:
Tunnel Medim Type:
Tunnel Private Group ID:
SAM Account Name: DOMAIN\<username>
Proxy Policy Name: User Windows authentication for all users
SQ User Name: Doe, John
MS RAS ClientName:
NS Identifier: nw367
Debug Info: AutoClose=False; CalcDuration=0

The only difference I can see is in the usernames and NP Policy name attributes. For some reason FQDN is not the same in these entries. I tried to google for this and found some threads about this but was unable to find a solution.

One more thing that I noticed from the dc/ias log is that when radius authentication worked there were informational messages from IAS in the system log:

IAS Event 5050 A LDAP connection with domain controller dc.domain.local for domain DOMAINNAME is established.

Now there are no more messages like this. IAS remote access policies have not been changed between these events.

Any help would be appreciated.
June 16th, 2009 8:34am
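
The field-by-field comparison described in the post above, as an added example that is not part of the original thread: it parses two IAS log entries, reports every attribute that differs, and flags an entry whose user name was never resolved. The sample entries are constructed from values quoted in the post; the function names and the resolution heuristic are assumptions made for illustration.

```python
# Added example: field-by-field diff of two IAS log entries.
# Sample entries are constructed from values quoted in the post.
FAILING = r"""Connect Request: IAS_AUTH_FAILURE
Connect Result: Rejected
FQ User Name: DOMAIN\<username>
NP Policy name:
Terminate Cause: AUTH_FAILURE
Class: 311 1 <ias ipaddress> 05/20/2009 06:23:57 7
SAM Account Name: DOMAIN\<username>
SQ User Name: DOMAIN\<username>"""

WORKING = r"""Connect Request: IAS_SUCCESS
Connect Result: Unknown
FQ User Name: Domain.local/CN/Doe,John
NP Policy name: Switch Control
Terminate Cause:
Class: 311 1 <ias ipaddress> 03/14/2009 06:04:47 17
SAM Account Name: DOMAIN\<username>
SQ User Name: Doe, John"""

VOLATILE = {"Class"}  # embeds a per-request timestamp, so it always differs

def parse_entry(text):
    """Split 'Name: value' lines on the first colon; empty values are kept."""
    fields = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def diff_entries(a, b):
    """Return {field: (value_in_a, value_in_b)} for fields whose values differ."""
    keys = sorted((a.keys() | b.keys()) - VOLATILE)
    return {k: (a.get(k, ""), b.get(k, "")) for k in keys if a.get(k, "") != b.get(k, "")}

def unresolved_account(entry):
    """Heuristic (assumption drawn from the post's two entries): the FQ name is
    still in DOMAIN\\user form and no remote access policy name was recorded."""
    return "\\" in entry.get("FQ User Name", "") and not entry.get("NP Policy name")

if __name__ == "__main__":
    for field, pair in diff_entries(parse_entry(FAILING), parse_entry(WORKING)).items():
        print(field, pair)
```

Run over a whole IAS log, the same diff makes it easy to see whether rejected requests share the unresolved-name pattern or fail for a different reason.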

Did you ever get any response on this? Hello Microsoft Moderators. I also am having this exact same issue.
July 8th, 2009 4:07am

I started experiencing this problem within the last month, also. Turning off all authentication methods other than PAP for this IAS security policy resolved the issue. The only thing that changed on my end were Microsoft Updates I installed the last time I successfully used this security policy.
September 28th, 2009 9:38pm

Nope still no luck on this even after turning off all of the other methods
November 19th, 2009 9:11pm

Is this still an issue? If so, try to configure the switch to use a local (IAS server) username/password for authentication. If it works, then the issue is IAS not being able to reach a DC for your domain. Normally an IAS Event ID 5050 should be logged to indicate which DC is being used for authentication, and the absence of this event might be indicative of issues with DC lookup/access.
December 2nd, 2009 6:59pm

Sorry for the late reply but I have discovered a solution for this problem. Sometimes my logons were successful and sometimes they failed. Turns out the reason is in one of the domain controllers. I moved IAS to another dedicated server and noticed that if IAS authenticated against DC Alpha it always failed. When authenticating against DC Beta everything rocked. So I installed a new DC and removed DC Alpha and since then everything has worked like a charm. I still don't know what caused the problem in the first place but installing a new DC is not such a big deal if it cures things like this.
January 18th, 2010 1:59pm

That is great you got it to work with a new DC. I am sure mine would be a similar case. I would however like Microsoft to shed some light on what is wrong so I can fix the server in question. I do not want to turn up a new DC and move roles and applications. I am sure the solution is simple. I have a feeling it was due to a security patch that was released.
January 19th, 2010 6:29am

I agree with looneyM. cdenter's solution is not an answer; it is, at best, a workaround and not one that everybody can easily do. I see the 5050 events showing connectivity, but still have a slew of these issues.
November 12th, 2010 7:25pm

This topic is archived. No further replies will be accepted.
