Event ID 17 — NPS Server Communication

Applies To: Windows Server 2008 R2

Network Policy Server (NPS) must be able to communicate with configured RADIUS clients in order to receive and process connection requests.

Event Details

Product: Windows Operating System
ID: 17
Source: NPS
Version: 6.1
Message: An Access-Request message was received from RADIUS client %1 without a message authenticator attribute when a message authenticator attribute is required. Verify the configuration of the RADIUS client in the Network Policy Server snap-in (the "Client must always send the message authenticator attribute in the request" checkbox) and the configuration of the network access server.


Fix the cause of the malformed RADIUS message

This condition can occur if the server running NPS receives one of the following from a RADIUS client:

  • A response that is a malformed message.
  • A response that contains an incorrect value in the Code field.
  • An Access-Request message that does not contain a Message-Authenticator attribute.
  • A response that contains a message authenticator that is not valid.
  • An Access-Request message that contains an Extensible Authentication Protocol (EAP) message, but no Message-Authenticator attribute.
  • A response with an attribute that exceeds the maximum RADIUS attribute length.

To perform this procedure, you must be a member of Domain Admins.

To fix the cause of the malformed RADIUS message:

  1. Network corruption, latency, or other network problems unrelated to NPS might produce this condition. Wait a short while to confirm that the condition still exists. The problem might resolve itself.
  2. Make sure that the remote RADIUS server configuration, including the IP address of the RADIUS client/proxy server and the shared secret configured on the server running NPS and on the RADIUS client, is accurate. To configure a RADIUS client:
    1. Click Start, Administrative Tools, Network Policy Server. The NPS Microsoft Management Console (MMC) opens.
    2. Double-click RADIUS Clients and Servers.
    3. Click RADIUS Clients, and in the details pane, right-click the RADIUS client you want to configure.
    4. Click Properties, and then change the configuration according to your requirements.
  3. Make sure that the network access server is configured with the IP address of the server running NPS.
  4. If these actions do not resolve the problem, contact the RADIUS server vendor to see if the remote RADIUS server complies with the RADIUS protocol specification.


To verify that RADIUS messages are not malformed:

  1. On the server running NPS, start an application that is used to capture network traffic and begin a capture.
  2. On a computer that is configured according to network access policy to connect to the network, log on to the network with a valid user account and valid credentials through the RADIUS client that previously sent the malformed message.
  3. On the server running NPS, stop the network traffic capture, and then confirm that the structure of the messages presented to the RADIUS server by the RADIUS client is correct.

NPS Server Communication

Network Policy Server Infrastructure