Radius - Issue Invalid Username/Password


Hi Everyone,

 

I first want to thank whoever takes the time to read this post and provide me with some further insight.

 

To get into it.

 

I am attempting to configure RADIUS for admins on my VM running 10.0.7, which is pointing towards a Windows 2016 AD in a DMZ.

 

I have configured a service route to point RADIUS down this route.

 

I also have LDAP which works fine with User-ID.

 

I have followed these two videos and the KB article for RADIUS (going down the respective routes for config):

https://www.youtube.com/watch?v=1J9ZfwckUbE
https://www.youtube.com/watch?v=qloRn0ObQ0I

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/authentication/configure-radius-authentic...

 

However, for some strange reason, every time I try to log in with my RADIUS account I receive the following error in the system logs:

(screenshot of the system log error)

 

What I can confirm is that the shared secret is the same on both sides; I have input it about three times. This also applies to the tested admin user.

 

I have taken a PCAP which appears to show my PA sending the RADIUS request on port 1812 to the server (telling me the config on the PA is fine). However, it comes back with the 'Radius-Reject' response, which would tell me there is something occurring in my AD.

 

I am hoping someone can point me in the right direction to look at what potential config I have missed on the AD. I really, really hope it is not something so obvious.

 

To add, I am only testing with PAP until I can get this up and running, after which I will increase the security of the exchange.

 

Please see the screenshots below with my configuration:

Service route (screenshot: service route to my AD)

RADIUS Server Details (screenshot)

RADIUS Auth Profile (screenshot)

RADIUS Admin Test Profile (screenshot)

Auth Settings under MGT Settings (screenshot)

Windows 2016 AD details (I have registered the NPS to see my AD users; I see RAS and IAS Servers in the AD domain group for users):

RADIUS Client Settings (screenshot)

RADIUS Policy Part 1 (screenshot)

RADIUS Policy Part 2 (screenshot)

Vendor Attributes, using VSA 1 (screenshot)

User 'Radius' (screenshot)

Dial-In Properties for user 'Radius' (screenshot)

I have also run 'less mp-log authd.log':

(screenshot of the authd.log output)


Troubleshooting:

- I've tried removing the user from all other domain groups and using a single domain group for that user.

- Tried re-entering the server details in the PA.

- For my authentication profile, I have tried associating it with the specific domains the user is a member of rather than 'all', including adding the domain name for my AD to the profile details.

- Tried using the MGT interface rather than a service route, for which I also amended the IP in the NPS RADIUS client settings.

- I have tried adding VSAs 1 and 2 for the vendor attributes.

- I attempted to add the user to the RAS and IAS Servers security group.

- I finally created a brand new user (just to make sure that I did not input the generic password which I use incorrectly).

 

Are there any further logs that I can investigate on the AD?

 

Thank you once again.

 

Callum

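The exchange described above (a PAP Access-Request from the firewall, an Access-Reject from NPS), as an added example that is not part of the original post and is not Palo Alto Networks or Microsoft code. Both sides are simulated in one script so it runs offline: the RFC 2865 User-Password hiding, the Response Authenticator that the firewall can check, and the PaloAlto-Admin-Role VSA (vendor ID 25461, VSA 1, which the post refers to as "VSA 1") that an Access-Accept would carry. The shared secrets, the username, the password, the NAS IP and the user database are made up for the example.

```python
"""RFC 2865 PAP Access-Request / Access-Accept / Access-Reject exchange, simulated offline.

Added example (not from the original post, Palo Alto Networks or Microsoft).
Secrets, user names, passwords and the NAS IP are constructed for illustration.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_VENDOR_SPECIFIC = 1, 2, 4, 26
PAN_VENDOR_ID = 25461      # Palo Alto Networks IANA enterprise number
PAN_ADMIN_ROLE = 1         # VSA 1: PaloAlto-Admin-Role


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the chaining input is the received (still hidden) block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")   # padding removal; a password with trailing NULs would lose them


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vendor_attribute(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Attribute 26 wrapping one vendor sub-attribute (type, length, value)."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def parse_attributes(data: bytes):
    attrs, i = [], 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """What the firewall (the NAS) sends to NPS when an admin logs in with PAP."""
    authenticator = authenticator or os.urandom(16)    # Request Authenticator: 16 random bytes
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response, request, secret) -> bool:
    """Client-side check that the reply was produced with the same shared secret and for this request."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])


def simulated_nps(request, secret, users):
    """Toy stand-in for NPS: unhide the PAP password, then Accept (with the PAN role VSA) or Reject."""
    attrs = dict(parse_attributes(request[20:]))
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request[4:20])
    if password and users.get(username, "").encode() == password:
        return build_response(ACCESS_ACCEPT, request, secret,
                              vendor_attribute(PAN_VENDOR_ID, PAN_ADMIN_ROLE, b"superuser"))
    return build_response(ACCESS_REJECT, request, secret)


def admin_role(response):
    """Return the PaloAlto-Admin-Role value from an Access-Accept, or None."""
    if response[0] != ACCESS_ACCEPT:
        return None
    for attr_type, value in parse_attributes(response[20:]):
        if attr_type == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == PAN_VENDOR_ID:
            vendor_type, vendor_length = value[4], value[5]
            if vendor_type == PAN_ADMIN_ROLE:
                return value[6:4 + vendor_length].decode()
    return None


def run_exchange(nas_secret, nps_secret, users, username="Radius", password="Correct-Horse-Battery-Staple"):
    """Drive one login; return (response code, admin role, Response Authenticator verified)."""
    request = build_access_request(0x2A, nas_secret, username, password, "10.0.0.1")
    response = simulated_nps(request, nps_secret, users)
    return response[0], admin_role(response), verify_response(response, request, nas_secret)


if __name__ == "__main__":
    users = {"Radius": "Correct-Horse-Battery-Staple"}   # constructed user database
    print("matching secrets, right password:", run_exchange(b"s3cret", b"s3cret", users))
    print("matching secrets, wrong password:", run_exchange(b"s3cret", b"s3cret", users, password="nope"))
    print("secret mismatch, right password: ", run_exchange(b"s3cret", b"S3CRET", users))
```

The third case is the one worth keeping in mind while troubleshooting: with PAP there is no Message-Authenticator, so if the two shared secrets differ the server simply unhides the password to garbage and answers with an ordinary Access-Reject, which on the wire looks exactly like a wrong password. The only difference the client can see is that the Response Authenticator no longer verifies under its own secret. On the NPS side, denied requests are recorded in the Windows Security event log as Event ID 6273, whose Reason Code separates a credential mismatch from a policy or dial-in-permission problem.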