Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
Hi Everyone,
I firstly want to thank to whomever takes their time to read this post, and provide me with some further insight.
To get into it.
I am attempting to configure RADIUS for Admins on my VM running 10.0.7, in which is pointing towards a Windows 2016 AD in a DMZ.
I have configured a service route to point RADIUS down this route.
I also have LDAP which works fine with User-ID.
I have followed these two videos, and the KB for RADIUS (going down the respective routes for config):
https://www.youtube.com/watch?v=1J9ZfwckUbE
https://www.youtube.com/watch?v=qloRn0ObQ0I
However, for some strange reason every time I try to access with my RADIUS account. I am receiving the following error in the system logs
What I can confirm is that the shared secret password is the same both sides, I have input this about three times. this also includes the tested admin user.
I have conducted a PCAP which appears to shows my PA sending the Radius request on port 1812 to the Server (telling me the config for PA is fine). However, it comes back with the 'Radius-Reject' response. Which would tell me there is something occurring in my AD.
I am hoping someone can point me in the right direction to look at what potential config I have missed on the AD. I really really hope it is not something soo obvious.
To add, I am only testing with PAP until I can this up and running, in which I will then increase the security of the exchange.
Please see images below with my configuration:
Service route
RADIUS Server Details
RADIUS Auth Profile
RADIUS Admin Test Prof
Auth Settings Under MGT Settings
Windows 2016 AD Details (I have registered the NPS to my see my AD users - which I see RAS - IAS Servers in the AD domain group for users)
RADIUS Client Settings
RADIUS Policy Part 1
RADIUS Policy Part 2
Vendor Attributes (Using VSA 1)
User 'Radius'
Dial In Properties for user 'Radius'
Also I have run the less mp-log authd.log:
Troubleshooting:
- I've tried to remove the User from all other domain groups and use one domain group for that user.
- Tried reinstalling server details in PA.
- For my authentication profile, I have tried to associate to the specific domains the user is a member of, rather than 'all'. Including adding the domain name for my AD to the profile details.
- Tried to use MGT interface rather than a Service route, in which I also amended on the NPS RADIUS settings for the IP.
- I have tried adding VSA (1 and 2) for the vendor attributes.
- I attempted to add the user in the RAS-IAS sec group.
- I finally created a brand new user (just to make sure that I did not input the generic password which I use incorrectly).
Is there any further logs, that I can investigate on the AD.
Thank you once again.
Callum
Hi Tom,
That's great, I am just testing this right now. The security logs have provided something interesting:
What it looks like to me (I am going to double check the NPS Polices) is that it appears to be hitting the wrong Network Policy. As I do know both sides for the configured policy should be using PAP.
If I can hopefully drill this down, I will update here.
Thanks for the message again.
Callum
