topic Re: Issue with WLC Radius request to NPS Server in General Topics

Issue with WLC Radius request to NPS Server

willem.degroot — Fri, 22 Feb 2019 12:44:18 GMT

Hi all,

I have an issue with the radius request through the firewall,

The radius request come from an cisco 1852-ME WLC and goes to an Windows 2016 NPS Server, both in different zones.

An simular setup with an firewall works fine.

The NPS Server does not react on the requests. With Wireshark I can see the request and Answer from the NPS.

I suspect that the Certificate (used for auth) have changed at the firewall.

AFAIK certificate inspection is disabled (where I can check this?)

Does somebody else has an simular setup? What do I have to check for?

As I'm new on Palo, I could have missed something here.

Thanks for your feedback

Willem

Re: Issue with WLC Radius request to NPS Server

Chacko42 — Fri, 22 Feb 2019 13:12:47 GMT

Hi @willem.degroot ,

you can see which TLS Interception Policy is defined by looking at Policy > Decryption Policy.

If there is a policy which does SSL Forward Proxy (MitM), then certificates are exchanged.

But: Radius runs with UDP, so there is no TLS support - I guess the problem is somewhere else.

Do you see the request in the NPS log?

Re: Issue with WLC Radius request to NPS Server

reaper — Fri, 22 Feb 2019 13:24:45 GMT

Hi Willem

Unless your implementation uses radius over ssl, the certificates should not be touched by the firewall

ssl decryption policies can be found under the policies tab

you can set up packetcapture on the firewall as well and set it so you capture ingres and egress, that way you can compare what goes into and what comes out

you can match your captures to global counters, to verify if anything additional of interest pops up:

https://paloaltonetworks.my.salesforce.com/kA10g000000ClTJ?srPos=0&srKp=ka1&lang=en_US

i'd probably look at NAT, routing and possibly timestamps on the radius/certificates

Re: Issue with WLC Radius request to NPS Server

willem.degroot — Fri, 22 Feb 2019 14:03:00 GMT

Hi Chacko42

Thanks for your reply. I agree on the UDP traffic.

In the Eventviewer there is no message BUT in the file found here C:\Windows\System32\LogFiles There are messages like:

"EEMDC10","IAS",02/22/2019,14:44:01,1,"host/CHW7X576.sscgr.contoso.com","sscgr.contoso.com/chgr/zgi/Group_IT/resources/CHW7X576","b0-8b-cf-dc-e8-c0:V2ZDEWBC","88-b1-11-80-a8-b8",,,"CHGR-PAF-Office","172.16.129.20",1,0,"172.16.129.20","Test-AP-CHGR",,,19,,,2,5,"WLAN Office",0,"311 1 172.29.24.10 02/22/2019 10:25:00 514",,,,,,,,,"5c6fee90/88:b1:11:80:a8:b8/30",,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,


"EEMDC10","IAS",02/22/2019,14:44:01,11,,"sscgr.contoso.com/chgr/zgi/Group_IT/resources/CHW7X576",,,,,,,,0,"172.16.129.20","Test-AP-CHGR",,,,,,,5,"WLAN Office",0,"311 1 172.29.24.10 02/22/2019 10:25:00 514",30,,,,,,,,"5c6fee90/88:b1:11:80:a8:b8/30",,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,

I can also do a test from the WLC to the NPS with user credentials, this is working fine.

I'll keep on trying 🙂

Re: Issue with WLC Radius request to NPS Server

willem.degroot — Fri, 22 Feb 2019 14:07:45 GMT

Hi Reaper,

I will try the packet capture, to see what happens.

NAT and routing can be ignored.

Both ZONEs are internals without NAT

An test from the WLC to the NPS with user-credentials will be answered correct.

Re: Issue with WLC Radius request to NPS Server

willem.degroot — Fri, 22 Feb 2019 15:25:29 GMT

Hi Reaper,

I just could sniff and found an interesting difference between Firewall RX and TX.

Besides that I have duplicates in the trace, I see the following:

on the outgoing interface, there are packages missing, packages that are on the incomming interface with MTU of 1514, are not sendout the outgoing interface anymore.

Where do I have to check the Firewall settigns for this?

Incomming:

Outgoing, note that request/response ID 5 is missing.

Re: Issue with WLC Radius request to NPS Server

reaper — Fri, 22 Feb 2019 15:32:45 GMT

Interesting
Are all your interfaces set to "normal" MTU? It may be worth looking into enabling jumbo frames and increasing the mtu on internal interfaces

Re: Issue with WLC Radius request to NPS Server

Chacko42 — Fri, 22 Feb 2019 16:41:58 GMT

After changing the radius configuration to use certificate based authentication - do you see eventlogs with the mmc > event manager? I assume it's a config thing on the nps server - there should be event ids for the requests - if there aren't, it has to do something with the network/firewall

Re: Issue with WLC Radius request to NPS Server

willem.degroot — Mon, 25 Feb 2019 10:29:52 GMT

Hi Reaper,

I increased the MTU on the (sub) Interfaces but without an positiv result.

I don't think that this will solve the issue anyway because I see in the Capture that the packet is Fragmented ( I try to capture nearer to the source.
What I have found is an Issue ID PAN-93609 but I do not have the right (yet) to access the reports.
May this be the issue?

I'm running PAN-OS 8.0.4

Re: Issue with WLC Radius request to NPS Server

reaper — Mon, 25 Feb 2019 12:19:14 GMT

PAN-93609 is when an initial packet arrives that is fragmented it could be dropped, usually but not limited to udp (this was fixed in 8.0.11)

it might be worth looking into upgrading

the currently recommended release in your code train is 8.0.15