During a Network Access Control (NAC) implementation project we identified a strange issue with the RADIUS Message Authenticator attribute. In our scenario, we had a Windows 2008 DC with the Network Policy Server (NPS) role installed. This server was virtualized on Citrix XenServer. In a previous configuration WPA2-Enterprise authentication had already been configured for secure wireless use, leading us to believe that the RADIUS configuration itself was solid.
What we kept finding was that wired clients would report "Authentication Failed" even though all settings appeared to be functional. In NPS we had configured the switch to not require the Message Authenticator attribute, even though the switch was sending this information (this was not configurable). NPS was reporting the following in the System event log on the NPS server:
An Access-Request message was received from RADIUS client XXX.XXX.XXX.XXX with a message authenticator attribute that is not valid.
Firing up Wireshark, it seemed as though everything was working fine, except for one thing - Wireshark was reporting the packet checksums as incorrect. After a few minutes of research, we found that the standard behavior of a RADIUS server is to validate the Message Authenticator attribute whenever it is present in an Access-Request and to reject the request if it doesn't check out - even if you haven't configured the server to require the attribute. The attribute is an HMAC-MD5 over the whole RADIUS packet keyed with the shared secret, so any byte that arrives damaged makes the check fail.
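To illustrate the check NPS was failing, here is an added example (not code from the original post, NPS, or XenServer) that builds a RADIUS Access-Request carrying a Message-Authenticator attribute and then validates it the way a server does: recompute HMAC-MD5 over the packet with the attribute's 16-byte value zeroed and compare with what was received. The shared secret, Request Authenticator, user name, NAS address, and the corrupted byte are all constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# RADIUS constants from RFC 2865 / RFC 2869
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80  # HMAC-MD5 over the packet, RFC 2869 section 5.14


def attr(atype, value):
    """Encode one RADIUS attribute: Type (1 byte), Length (1 byte, incl. header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret, identifier, request_auth, attributes):
    """Client side: assemble an Access-Request and fill in Message-Authenticator.

    attributes is a list of (type, value-bytes) pairs. The Message-Authenticator is
    appended last with a zeroed value, the HMAC is computed over the whole packet,
    and the zeroes are replaced by the digest.
    """
    body = b"".join(attr(t, v) for t, v in attributes)
    body += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = 20 + len(body)  # 20-byte header: Code, Identifier, Length, Authenticator
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_auth
    packet = header + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def find_message_authenticator(packet):
    """Walk the attribute list; return the offset of the Message-Authenticator value or None."""
    length = struct.unpack("!H", packet[2:4])[0]
    offset = 20
    while offset + 2 <= length:
        atype, alen = packet[offset], packet[offset + 1]
        if alen < 2 or offset + alen > length:
            return None  # malformed attribute list
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            return offset + 2
        offset += alen
    return None


def verify_message_authenticator(secret, packet):
    """Server side: True only if the received HMAC matches one recomputed over the packet.

    Any damaged byte anywhere in the header or attributes changes the recomputed
    digest, which is exactly the "message authenticator attribute that is not valid"
    condition a server logs.
    """
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = find_message_authenticator(packet)
    if pos is None:
        return False
    received = packet[pos:pos + 16]
    zeroed = packet[:pos] + bytes(16) + packet[pos + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def demo():
    """Constructed scenario: a good request verifies, a request with one damaged byte does not."""
    secret = b"constructed-shared-secret"          # constructed, not a real secret
    request_auth = bytes(range(16))                 # constructed; real ones are random
    attributes = [
        (ATTR_USER_NAME, b"wired-client"),          # constructed user name
        (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),  # constructed NAS address (TEST-NET-1)
    ]
    good = build_access_request(secret, 7, request_auth, attributes)
    # Flip one bit inside the User-Name value, as corrupted data in transit would.
    damaged = bytearray(good)
    damaged[22] ^= 0x01
    return verify_message_authenticator(secret, good), verify_message_authenticator(secret, bytes(damaged))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Note that the server in this scenario never consults any "require Message-Authenticator" setting: the attribute is validated because it is present. That is why turning the requirement off in NPS did not help while the packets were arriving damaged.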
There are a few known issues with the XenServer virtual interfaces. We found the solution to this problem was to modify the XenServer VIF configuration and set "Correct TCP/UDP Checksum Value" to True. After doing this (and restarting NPS), we were able to successfully authenticate without errors.