Event ID 6274 is recorded. The error message is as follows How do I know what is wrong with the RADIUS message? Network Policy Server discarded the request for a user Reason Code : 3 Reason : The RADIUS Request message that Network Policy Server received from the network access server was malformed. This phenomenon was observed on Windows Server 2012R2 Standard and 2022 Standard. I have performed a packet capture. I used Wireshark to compare discarded and non-discarded packets and could not identify the problem. Both packets appeared to be RFC compliant. Can I see a stack trace of the process in Windows Server? How do I know which part of the packet was determined to be malform? Below is the RADIUS portion of the packet captured by Wireshark. RADIUS Protocol Code: Access-Request (1) Packet identifier: 0x71 (113) Length: 154 Authenticator: 222e69f1d7d3e449b6fb4abd3cbf0337 [The response to this request is in frame 3176] Attribute Value Pairs AVP: t=User-Name(1) l=19 val=********** AVP: t=Chargeable-User-Identity(89) l=3 val=\000 AVP: t=Calling-Station-Id(31) l=19 val=**:**:**:**:**:** AVP: t=NAS-IP-Address(4) l=6 val=172.**.***.*** AVP: t=NAS-Identifier(32) l=15 val=******** AVP: t=NAS-Port-Type(61) l=6 val=Wireless-802.11(19) AVP: t=EAP-Message(79) l=24 Last Segment[1] AVP: t=Message-Authenticator(80) l=18 val=83c704b2b01573050e92f5ad8365ccb5 AVP: t=Proxy-State(33) l=4 val=3831 AVP: t=Operator-Name(126) l=16 val=********** AVP: t=Proxy-State(33) l=4 val=3131

Event ID 6274 NPS received from the network access server was malformed. Is there any way to know which part of the message is incorrect?

Accepted answer

Gary Nebbett 5,721

Hello techagent,

A limited amount of tracing is possible, but the trace data is difficult to interpret; judging by the limited amount of discussion of this topic that I could find on the Web, almost no-one tries this.

The command "netsh ras show tracing" (or, possibly, "netsh nps show tracing") shows trace sources that can be enabled for textual logging to \Windows\tracing (with the command "netsh ras set tracing"), but often no trace data is written unless WPP tracing is also enabled (the trace mask and level set on the WPP tracing also affects the textual tracing).

The textual log data looks like this:

User's image

If you are prepared to share the trace data, then I would be happy to help with its analysis.

Gary

techagent 25

Hello Gary

I am glad to know that tracing is possible with the command "netsh".

However, we have not been able to start tracing yet.

Specifically, I am trying to figure out what parameters to put on "netsh trace start".

Some characters are unreadable due to the Japanese environment. Sorry.

c:\>netsh nps show tracing

トレースの構成:
---------------------------------------------------------
napbase = warning
napnetsh = warning
npssvc = warning
npsacct = warning
npsds = warning
npsnetsh = warning
npssetup = warning
npspolicy = warning
npsrad = warning
npsras = warning
npssdo = warning
最大トレース ファイル サイズ = 100 (MB)

OK

c:\>netsh trace start ?

start
  トレースを開始します。

  使用法: trace start [sessionname=<セッション名>]
        [[scenario=]<シナリオ 1,シナリオ 2>]
        [[globalKeywords=]keywords] [[globalLevel=]level]
        [[capture=]yes|no] [[capturetype=]physical|vmswitch|both]
        [[report=]yes|no|disabled] [[persistent=]yes|no]
        [[traceFile=]path\filename] [[maxSize=]filemaxsize]
        [[fileMode=]single|circular|append] [[overwrite=]yes|no]
        [[correlation=]yes|no|disabled] [capturefilters]
        [[provider=]providerIdOrName] [[keywords=]keywordMaskOrSet]
        [[level=]level] [bufferSize=<バッファー サイズ>]
        [[[provider=]provider2IdOrName] [[providerFilter=]yes|no]]
        [[keywords=]keyword2MaskOrSet] [[perfMerge=]yes|no]
        [[level=]level2] ...

I have found the following documents on WPP tracing and how to use it.

[https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/wpp-software-tracing

We will add the information again if the trace is successful.

If you have further information, please let us know.

Gary Nebbett 5,721 Reputation points

2023-01-19T14:48:53.7966667+00:00

Hello techagent,

Sorry for the delayed reply - the new design of the Microsoft Q&A website concealed your response and I just noticed that there was something that could be revealed by clicking on a small icon.

You used "netsh nps show tracing" to show the traceable modules and you should use "netsh nps set tracing ?" to start tracing. "netsh trace start" is a related but different functionality - explore "netsh nps set tracing ?" first.

Gary

techagent 25

Hello Gary,

Thank you for your guidance.

I started trace and were able to see some log files.

IASSAM.LOG contained the following description. All messages are listed at the end.

[2212] 01-21 14:09:47:432: Assembled EAP-Message has invalid length.
[2212] 01-21 14:09:47:432: Caught unknown exception

Using the eapol_test command, an authentication testing tool, we sent an invalid EAP-Message, which was logged above with Event ID 6274 reason code 3.

I will focus on analyzing this EAP-Message in the future.

I have newly discovered that there is an event that is recorded in IASSAM.LOG but not in the event viewer.

I would like to post another question about it.

Thank you very much.

[2320] 01-21 14:09:44:432: Entering NTSamNames stage
[2320] 01-21 14:09:44:432: loading IASAttribute with ID 8114. (ATTRIBUTEID definition is in sdoias.h)
[2320] 01-21 14:09:44:432: loading IASAttribute with ID 8171. (ATTRIBUTEID definition is in sdoias.h)
[2320] 01-21 14:09:44:432: NT-SAM Names handler received request with user identity **username**@**realm**.
[2320] 01-21 14:09:44:432: not looking for MS_ATTRIBUTE_IDENTITY_TYPE (health check only) attribute any more. user authentication will always be performed
[2212] 01-21 14:09:47:416: Sending request to handler of current stage
[2212] 01-21 14:09:47:416: Current stage is sync, so forwarding to onSyncRequest
[2212] 01-21 14:09:47:416: Entering NTSamNames stage
[2212] 01-21 14:09:47:416: loading IASAttribute with ID 8114. (ATTRIBUTEID definition is in sdoias.h)
[2212] 01-21 14:09:47:416: loading IASAttribute with ID 8171. (ATTRIBUTEID definition is in sdoias.h)
[2212] 01-21 14:09:47:416: NT-SAM Names handler received request with user identity **username**@**realm**.
[2212] 01-21 14:09:47:416: not looking for MS_ATTRIBUTE_IDENTITY_TYPE (health check only) attribute any more. user authentication will always be performed
[2212] 01-21 14:09:47:432: Successfully cracked username.
[2212] 01-21 14:09:47:432: SAM-Account-Name is "**domainname**\**username**".
[2212] 01-21 14:09:47:432: Sending request to handler of current stage
[2212] 01-21 14:09:47:432: Current stage is sync, so forwarding to onSyncRequest
[2212] 01-21 14:09:47:432: Entering CRPBasedEAP stage
[2212] 01-21 14:09:47:432: Assembled EAP-Message has invalid length.
[2212] 01-21 14:09:47:432: Caught unknown exception
[2212] 01-21 14:09:47:432: Sending request to handler of current stage
[2212] 01-21 14:09:47:432: Current stage is sync, so forwarding to onSyncRequest
[2212] 01-21 14:09:47:432: Entering BaseCampHost stage
[2212] 01-21 14:09:47:432: No AUTHENTICATION extensions, continuing
[2212] 01-21 14:09:47:432: Sending request to handler of current stage
[2212] 01-21 14:09:47:432: Current stage is sync, so forwarding to onSyncRequest
[2212] 01-21 14:09:47:432: Entering AuthorizationHost stage
[2212] 01-21 14:09:47:432: No AUTHORIZATION extensions, continuing
[2212] 01-21 14:09:47:432: Sending request to handler of current stage
[2212] 01-21 14:09:47:432: Current stage is sync, so forwarding to onSyncRequest
[2212] 01-21 14:09:47:432: Entering EAPTerminator stage
[2212] 01-21 14:09:47:432: loading IASAttribute with ID 8105. (ATTRIBUTEID definition is in sdoias.h)
[5248] 01-21 14:09:53:416: Sending request to handler of current stage
[5248] 01-21 14:09:53:416: Current stage is sync, so forwarding to onSyncRequest
[5248] 01-21 14:09:53:416: Entering NTSamNames stage
[5248] 01-21 14:09:53:416: loading IASAttribute with ID 8114. (ATTRIBUTEID definition is in sdoias.h)
[5248] 01-21 14:09:53:416: loading IASAttribute with ID 8171. (ATTRIBUTEID definition is in sdoias.h)
[5248] 01-21 14:09:53:416: NT-SAM Names handler received request with user identity **username**@**realm**.
[5248] 01-21 14:09:53:416: not looking for MS_ATTRIBUTE_IDENTITY_TYPE (health check only) attribute any more. user authentication will always be performed
[5248] 01-21 14:09:53:416: Successfully cracked username.
[5248] 01-21 14:09:53:416: SAM-Account-Name is "**domainname**\**username**".
[5248] 01-21 14:09:53:416: Sending request to handler of current stage
[5248] 01-21 14:09:53:416: Current stage is sync, so forwarding to onSyncRequest
[5248] 01-21 14:09:53:416: Entering CRPBasedEAP stage
[5248] 01-21 14:09:53:416: Assembled EAP-Message has invalid length.
[5248] 01-21 14:09:53:416: Caught unknown exception
[5248] 01-21 14:09:53:416: Sending request to handler of current stage
[5248] 01-21 14:09:53:416: Current stage is sync, so forwarding to onSyncRequest
[5248] 01-21 14:09:53:416: Entering BaseCampHost stage
[5248] 01-21 14:09:53:416: No AUTHENTICATION extensions, continuing
[5248] 01-21 14:09:53:428: Sending request to handler of current stage
[5248] 01-21 14:09:53:428: Current stage is sync, so forwarding to onSyncRequest
[5248] 01-21 14:09:53:428: Entering AuthorizationHost stage
[5248] 01-21 14:09:53:428: No AUTHORIZATION extensions, continuing
[5248] 01-21 14:09:53:428: Sending request to handler of current stage
[5248] 01-21 14:09:53:428: Current stage is sync, so forwarding to onSyncRequest
[5248] 01-21 14:09:53:428: Entering EAPTerminator stage
[5248] 01-21 14:09:53:428: loading IASAttribute with ID 8105. (ATTRIBUTEID definition is in sdoias.h)
[2320] 01-21 14:10:03:515: Successfully cracked username.
[2320] 01-21 14:10:03:515: SAM-Account-Name is "**domainname**\**username**".
[2320] 01-21 14:10:03:515: Sending request to handler of current stage
[2320] 01-21 14:10:03:515: Current stage is sync, so forwarding to onSyncRequest
[2320] 01-21 14:10:03:515: Entering CRPBasedEAP stage
[2320] 01-21 14:10:03:515: Assembled EAP-Message has invalid length.
[2320] 01-21 14:10:03:515: Caught unknown exception
[2320] 01-21 14:10:03:515: Sending request to handler of current stage
[2320] 01-21 14:10:03:515: Current stage is sync, so forwarding to onSyncRequest
[2320] 01-21 14:10:03:515: Entering BaseCampHost stage
[2320] 01-21 14:10:03:515: No AUTHENTICATION extensions, continuing
[2320] 01-21 14:10:03:515: Sending request to handler of current stage
[2320] 01-21 14:10:03:515: Current stage is sync, so forwarding to onSyncRequest
[2320] 01-21 14:10:03:515: Entering AuthorizationHost stage
[2320] 01-21 14:10:03:515: No AUTHORIZATION extensions, continuing
[2320] 01-21 14:10:03:515: Sending request to handler of current stage
[2320] 01-21 14:10:03:515: Current stage is sync, so forwarding to onSyncRequest
[2320] 01-21 14:10:03:515: Entering EAPTerminator stage
[2320] 01-21 14:10:03:515: loading IASAttribute with ID 8105. (ATTRIBUTEID definition is in sdoias.h)
[2212] 01-21 14:10:05:425: Sending request to handler of current stage
[2212] 01-21 14:10:05:425: Current stage is sync, so forwarding to onSyncRequest
[2212] 01-21 14:10:05:425: Entering NTSamNames stage
[2212] 01-21 14:10:05:425: loading IASAttribute with ID 8114. (ATTRIBUTEID definition is in sdoias.h)
[2212] 01-21 14:10:05:425: loading IASAttribute with ID 8171. (ATTRIBUTEID definition is in sdoias.h)
[2212] 01-21 14:10:05:425: NT-SAM Names handler received request with user identity **username**@**realm**.
[2212] 01-21 14:10:05:426: not looking for MS_ATTRIBUTE_IDENTITY_TYPE (health check only) attribute any more. user authentication will always be performed
[2212] 01-21 14:10:05:427: Successfully cracked username.
[2212] 01-21 14:10:05:427: SAM-Account-Name is "**domainname**\**username**".
[2212] 01-21 14:10:05:427: Sending request to handler of current stage
[2212] 01-21 14:10:05:427: Current stage is sync, so forwarding to onSyncRequest
[2212] 01-21 14:10:05:427: Entering CRPBasedEAP stage
[2212] 01-21 14:10:05:427: Assembled EAP-Message has invalid length.
[2212] 01-21 14:10:05:427: Caught unknown exception
[2212] 01-21 14:10:05:427: Sending request to handler of current stage
[2212] 01-21 14:10:05:427: Current stage is sync, so forwarding to onSyncRequest
[2212] 01-21 14:10:05:427: Entering BaseCampHost stage
[2212] 01-21 14:10:05:427: No AUTHENTICATION extensions, continuing
[2212] 01-21 14:10:05:428: Sending request to handler of current stage
[2212] 01-21 14:10:05:428: Current stage is sync, so forwarding to onSyncRequest
[2212] 01-21 14:10:05:428: Entering AuthorizationHost stage
[2212] 01-21 14:10:05:428: No AUTHORIZATION extensions, continuing
[2212] 01-21 14:10:05:428: Sending request to handler of current stage
[2212] 01-21 14:10:05:428: Current stage is sync, so forwarding to onSyncRequest
[2212] 01-21 14:10:05:428: Entering EAPTerminator stage
[2212] 01-21 14:10:05:428: loading IASAttribute with ID 8105. (ATTRIBUTEID definition is in sdoias.h)

Event ID 6274 NPS received from the network access server was malformed. Is there any way to know which part of the message is incorrect?

0 additional answers