
RADIUS not authenticating?!

MulLa

Golden Member
Hi all

Sorry it's me and my questions again 😕.

Recently had a little bit of time on me hands so I was playing around with setting up a RADIUS to authenticate dial-up users. Hey, where else am I supposed to learn this sort of thing if I don't play with it myself?

The setup is a W2K DC with IAS (internet authentication server) installed. Then another server running W2k3 Eval with a modem configured through RRAS to be the NAS (network access server).

What happens whenever I dial in is a message saying that I have either a wrong user name or bad password.

I have configured only one remote access policy and that's set to allow based on group membership. I made sure that my test user account is a member of this group. Also tried setting this user account's dial in profile to 'allow' and 'determined through policy'.

On both the IAS and NAS I've enabled allowing remote PPP without authentication Method and still no go.

Authentication methods were set to MS-CHAP, MS-CHAP2 on the IAS, NAS and the connecting client which is running w2k pro.

According to the log files there seemed to be 2 requests for connection, and through decrypting those code numbers in the IAS logs I managed to find out that the first request was accepted, followed immediately by a deny. Posted part of the log file here; as you can see, the '0' at the end represents an accept, and the '16' on the following line means a deny. Yes I know, it took me a long time reading the help file, trying to understand the log.

192.168.0.2,PFI\leungs,09/03/2003,19:09:35,IAS,DOMCON,44,5,4,192.168.0.2,6,2,7,1,5,12,61,0,77,CONNECT 21600/ARQ,26,0x00000137230C4D5352415356352E3030,26,0x00000137220F4D535241532D312D4A4F595043,4108,192.168.0.2,4116,0,4128,nassrv,4147,311,4148,MSRASV5.20,4129,PFI\leungs,4130,PFI\leungs,4127,4,25,311 1 192.168.0.1 09/03/2003 08:06:25 1,4136,1,4142,0
192.168.0.2,PFI\leungs,09/03/2003,19:09:35,IAS,DOMCON,25,311 1 192.168.0.1 09/03/2003 08:06:25 1,4121,0x00453D36393120523D3020563D33,4127,4,4130,PFI\leungs,4129,PFI\leungs,4128,nassrv,4116,0,4108,192.168.0.2,4136,3,4142,16


Not sure if I've missed any important info since I could write a book on what I've tried. I'm still reading through the white paper on IAS at the moment hoping to pick something up from there.

If anyone has any hints that'd be much appreciated.
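Reading the two quoted log lines by hand is error-prone, so here is a small decoder for the IAS database-compatible log format. This is an added example, not code from the thread or from Microsoft; the fixed header fields and the attribute-ID table (Packet-Type is attribute 4136, Reason-Code is 4142, Vendor-Specific is 26) are taken from my reading of the IAS log format reference and are assumptions as far as this post is concerned. The sample input is a constructed copy of the two lines quoted above.

```python
"""Decode IAS-formatted (database-compatible) RADIUS log records.

Each record starts with six fixed fields, then repeats attribute-id,value pairs.
Binary values are logged as 0x-prefixed hex. (Added example; field layout and
attribute names assumed from the IAS log reference, not from the forum post.)
"""
import csv

# Constructed sample: the two lines quoted in the post (raw string keeps the domain\user backslash).
SAMPLE_LOG = r"""192.168.0.2,PFI\leungs,09/03/2003,19:09:35,IAS,DOMCON,44,5,4,192.168.0.2,6,2,7,1,5,12,61,0,77,CONNECT 21600/ARQ,26,0x00000137230C4D5352415356352E3030,26,0x00000137220F4D535241532D312D4A4F595043,4108,192.168.0.2,4116,0,4128,nassrv,4147,311,4148,MSRASV5.20,4129,PFI\leungs,4130,PFI\leungs,4127,4,25,311 1 192.168.0.1 09/03/2003 08:06:25 1,4136,1,4142,0
192.168.0.2,PFI\leungs,09/03/2003,19:09:35,IAS,DOMCON,25,311 1 192.168.0.1 09/03/2003 08:06:25 1,4121,0x00453D36393120523D3020563D33,4127,4,4130,PFI\leungs,4129,PFI\leungs,4128,nassrv,4116,0,4108,192.168.0.2,4136,3,4142,16
"""

# Leading fixed fields of an IAS-formatted record (assumed layout).
HEADER = ("NAS-IP-Address", "User-Name", "Record-Date", "Record-Time",
          "Service-Name", "Computer-Name")

# RADIUS packet codes logged in Packet-Type (4136); values are the RFC 2865 codes.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 11: "Access-Challenge"}

# Reason-Code (4142): 0 is "success" in the sense "request processed without error";
# 16 is IAS_AUTH_FAILURE, i.e. the user name or password did not match.
REASON_CODES = {0: "IAS_SUCCESS (request processed)",
                16: "IAS_AUTH_FAILURE (user name or password mismatch)"}


def parse_record(line):
    """Split one log line into the fixed header dict plus a list of (id, value) pairs."""
    fields = next(csv.reader([line]))
    rec = dict(zip(HEADER, fields[:6]))
    rest = fields[6:]
    rec["attrs"] = [(rest[i], rest[i + 1]) for i in range(0, len(rest) - 1, 2)]
    return rec


def attr_values(rec, attr_id):
    """All values logged for one attribute id (Vendor-Specific may repeat)."""
    return [v for k, v in rec["attrs"] if k == attr_id]


def decode_hex(value):
    """IAS writes binary attribute values as 0x-prefixed hex."""
    return bytes.fromhex(value[2:])


def decode_vsa(value):
    """Vendor-Specific (26) payload: 4-byte vendor id, then vendor type, length, data."""
    data = decode_hex(value)
    vendor = int.from_bytes(data[:4], "big")
    vtype, vlen = data[4], data[5]
    return vendor, vtype, data[6:4 + vlen]


def summarize(line):
    """Return the fields a defender looks at first when a logon is rejected."""
    rec = parse_record(line)
    packet_type = int(attr_values(rec, "4136")[0])
    reason = int(attr_values(rec, "4142")[0])
    return {
        "user": rec["User-Name"],
        "nas": rec["NAS-IP-Address"],
        "packet_type": packet_type,
        "packet_name": PACKET_TYPES.get(packet_type, "unknown"),
        "reason_code": reason,
        "reason": REASON_CODES.get(reason, "see the IAS reason-code table"),
        "vsa": [decode_vsa(v) for v in attr_values(rec, "26")],
        # 4121 carries an MS-CHAP error string ("E=<code> R=<retry> V=<version>");
        # RAS error 691 is "user name and/or password invalid on the domain".
        "error_text": [decode_hex(v).strip(b"\x00").decode("ascii", "replace")
                       for v in attr_values(rec, "4121")],
    }


if __name__ == "__main__":
    for line in SAMPLE_LOG.strip().splitlines():
        s = summarize(line)
        print(f"{s['user']} from {s['nas']}: {s['packet_name']} "
              f"reason {s['reason_code']} ({s['reason']})")
        for vendor, vtype, data in s["vsa"]:
            print(f"  VSA vendor={vendor} type={vtype} value={data!r}")
        for text in s["error_text"]:
            print(f"  MS-CHAP error: {text}")
```

The value after 4136 is what separates a logged request from the server's verdict: the first line is a Packet-Type 1 record and the second a Packet-Type 3 record, so the reason code of the second line is the one to act on. The vendor-specific values decode to the RAS version and client name that the NAS reported, which is useful for confirming which machine actually sent the request.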
 
The most common mistake is the Radius password. Make sure there are no leading/trailing/embedded spaces or control characters, and that it matches exactly.
Check that "Allow Dial-In Access" is enabled in the AD user profile and in RAS.
Check that the RADIUS port is correct on the NAS: I believe the current versions use 1812, older versions use 16-something (... maybe 1645?)
Make sure the firewall / proxy will permit 1812 (if there's one in the path)
Check to see if there's a software firewall on the client that may be blocking.

Try another RADIUS. You can download Cisco ACS from CCO (www.cisco.com) on a 30 day trial, and it's very easy to set up (and can use the AD / NT domain user base)

That's it for me this round....

Good Luck

Scott
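Scott's first point (the shared secret must match byte for byte) is worth seeing mechanically, because a wrong secret does not produce a "bad secret" error on the NAS: the server's reply simply fails verification and is silently discarded, which the dial-in user experiences as a failed logon. The added example below (mine, not from the thread or from any RADIUS implementation) builds an Access-Accept the way RFC 2865 section 3 specifies the Response Authenticator, MD5(Code + ID + Length + RequestAuth + Attributes + Secret), then checks it with the correct secret and with a secret that has a trailing space; the secret values and the whitespace check are constructed for illustration.

```python
"""Why a mistyped RADIUS shared secret looks like a bad password.

Added example; implements the RFC 2865 Response Authenticator and a simple
lint for the shared secret. Secrets and packet contents are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
RADIUS_AUTH_PORT = 1812       # RFC 2865 port; some older gear still uses 1645
SERVICE_TYPE_FRAMED = 6       # Service-Type attribute (6), value 2 = Framed


def build_attribute(attr_type, value):
    """RADIUS attribute TLV: type, total length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_response(code, identifier, request_auth, attrs, secret):
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """NAS side: recompute the authenticator with *its* copy of the secret."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    received = packet[4:20]
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, received)


def nas_outcome(nas_secret, server_secret):
    """Simulate one exchange; returns what the NAS does with the server's reply."""
    request_auth = os.urandom(16)                      # NAS picks a random Request Authenticator
    attrs = build_attribute(SERVICE_TYPE_FRAMED, struct.pack("!I", 2))
    reply = build_response(ACCESS_ACCEPT, identifier=7, request_auth=request_auth,
                           attrs=attrs, secret=server_secret)
    if verify_response(reply, request_auth, nas_secret):
        return "accept"
    return "discard"   # RFC 2865: a reply with a bad authenticator is silently dropped


def check_secret(secret):
    """Lint a shared secret for the mistakes Scott lists: stray whitespace or control chars."""
    problems = []
    if secret != secret.strip():
        problems.append("leading/trailing whitespace")
    core = secret.strip()
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in core):
        problems.append("embedded control character")
    if " " in core:
        problems.append("embedded space")
    return problems


if __name__ == "__main__":
    print("matching secrets:", nas_outcome(b"s3cret", b"s3cret"))
    print("trailing space on server:", nas_outcome(b"s3cret", b"s3cret "))
    print("lint 's3cret ':", check_secret("s3cret "))
```

`nas_outcome` never inspects the user's credentials at all, which is the point: with a secret mismatch the Access-Accept the server sends is dropped before the NAS can act on it, so the end user sees a logon failure even though IAS authenticated the account. Running `check_secret` over the value pasted into both the NAS and IAS configuration catches the whitespace case before any packets are sent.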

 
Thanks, Scott, for the reply.

When you say RADIUS password you are saying the user's password for the W2K Domain? Since it 'should' authenticate against the DC. If that's the case then yes I'm sure it's a valid password.

I've tried both enabling dial-in access and determined through policy. Both no good.

Checking ports eh? I'll give that a shot.

There are no firewalls involved. Now I've taken an old machine and hooked that up with the NAS via the parallel port. Saves me dialing up, and it's giving me the same error message. There is a firewall, but that's between the net and the LAN. Since I'm not going via that connection I would assume that it should have no bearing on this project.

Last night I've tried playing around with authentication methods. Tried specifying a single method on the client but that didn't work out.

Will keep reading through the white paper and 'hopefully' work something out.

Although I have made some changes in GPO requesting digitally signed communication (when possible) at the DC OU. That shouldn't cause any problems right?
 
The password is the "secret" password that the RADIUS server uses to authenticate/authorize the NAS to use its services.

I don't know the location off the top of my head, but it should be on the same page where you enter the RADIUS IP address.

I don't think the digital signature thing is going to matter one way or the other.

Good Luck

Scott
 
Oh... that 'secret' you're talking about! Yer I've made sure 3 times that they are the same. The 'shared secret' or something like that.

Didn't really try it today since it's Saturday over here. Will give it another shot on Monday if I find the time.

Thanks for the help. I wish myself luck as well!
 