Solved

Troubleshooting local ports not open.

Posted on 2010-08-26
Last Modified: 2012-06-21
So I'm setting up a RADIUS box (2k3) and having some issues.  Ran a port checker for 1812 and 1813 from my computer, and it showed those ports as blocked.  Reran that same port checker for 1812 and 1813 on the RADIUS server, and it even said those ports were blocked.  =[

The firewall is turned off, so how in the world can those ports be turned off, when checking locally!?!?  As far as I know, everything is configured right.  Vanilla set-up...

TIA!
Question by:Delszeki
 

Expert Comment

by:SysExpert
Any Anti-virus software installed ?

Are you sure your port checker is accurate ?

I hope this helps !

Expert Comment

by:SysExpert
Also RADIUS may only respond to specific machines that need RADIUS support - IP range - so check your configuration.


Author Comment

by:Delszeki
No.  No antivirus or anything installed.  Literally, nothing installed in fact.  It is just going to be doing RADIUS.

I should note, however, that it IS a VM.  Would that matter?

As far as the configuration, I added my local machine as a "device" with no password, so that I could at least query the ports, and that didn't help.  Still showing as closed.

I can give you the local router's debug information here in a minute....

Author Comment

by:Delszeki
Here is the logging....
*Aug 26 19:18:26.575: Telnet194: 1 1 251 1
*Aug 26 19:18:26.575: TCP194: Telnet sent WILL ECHO (1)
*Aug 26 19:18:26.575: Telnet194: 2 2 251 3
*Aug 26 19:18:26.575: TCP194: Telnet sent WILL SUPPRESS-GA (3)
*Aug 26 19:18:26.575: Telnet194: 80000 80000 253 24
*Aug 26 19:18:26.575: TCP194: Telnet sent DO TTY-TYPE (24)
*Aug 26 19:18:26.575: Telnet194: 10000000 10000000 253 31
*Aug 26 19:18:26.575: TCP194: Telnet sent DO WINDOW-SIZE (31)
*Aug 26 19:18:26.575: AAA/BIND(00000003): Bind i/f
*Aug 26 19:18:26.579: AAA/AUTHEN/LOGIN (00000003): Pick method list 'default'
*Aug 26 19:18:26.579: TCP194: Telnet received DO ECHO (1)
*Aug 26 19:18:26.579: TCP194: Telnet received DO SUPPRESS-GA (3)
*Aug 26 19:18:26.579: TCP194: Telnet received WILL TTY-TYPE (24)
*Aug 26 19:18:26.579: Telnet194: Sent SB 24 1
*Aug 26 19:18:26.583: TCP194: Telnet received WILL WINDOW-SIZE (31)
*Aug 26 19:18:26.583: Telnet194: recv SB NAWS 80 49
*Aug 26 19:18:26.583: Telnet194: recv SB 24 0 ANSI
*Aug 26 19:18:35.187: AAA/AUTHEN/LOGIN (00000003): Pick method list 'default'
*Aug 26 19:18:50.155: AAA/AUTHEN/LOGIN (00000003): Pick method list 'default'

Expert Comment

by:SysExpert
I just checked my working RADIUS server ( Linux ) with Advanced LAN Scanner, and the ports 1812, 13 are closed.

But the RADIUS works fine ...

Author Comment

by:Delszeki
Just to clarify then....  When telnetting to the device, and it asks for a username and it's using RADIUS....

<username>
<domain>\<username>
<username>@<domain>

?  All those work, or....  TIA again!

Expert Comment

by:SysExpert
I do not use telnet for testing, since it is for external VPN access only via my router.
The RADIUS server is pretty tightly locked down ( linux ).

Only specific IPs can access the RADIUS server


Author Comment

by:Delszeki
True.  We are using our RADIUS just for network equipment authentication and eventually, for WiFi access.  But, for the life of me, I can't get them talking!  GAR

Accepted Solution

by:SysExpert (earned 500 total points)
Check the RADIUS related logs ( and maybe event logs )  to see if requests are even reaching the server.

Author Comment

by:Delszeki
Here is what I got.  At first, I thought it might be the server.  However, with each connection and each failure, I'm beginning to think that there might be something blocking those ports between here and there....

Snippet ...501 is the debugging output.

*Aug 26 20:45:21.123: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 26 20:45:21.123: AAA SRV(00000000): process authen req
*Aug 26 20:45:21.123: AAA SRV(00000000): Authen method=SERVER_GROUP radius
*Aug 26 20:45:42.947: AAA/ID(00000000): Cannot set connection progress = 102
*Aug 26 20:45:42.947: AAA SRV(00000000): protocol reply FAIL for Authentication
*Aug 26 20:45:42.947: AAA SRV(00000000): Authen method=NOT_SET - No methods left to try
*Aug 26 20:45:42.947: AAA SRV(00000000): Return Authentication status=FAIL
*Aug 26 20:46:40.555: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 26 20:46:40.555: AAA SRV(00000000): process authen req
*Aug 26 20:46:40.555: AAA SRV(00000000): Authen method=SERVER_GROUP radius
*Aug 26 20:47:02.187: AAA/ID(00000000): Cannot set connection progress = 102
*Aug 26 20:47:02.187: AAA SRV(00000000): protocol reply FAIL for Authentication
*Aug 26 20:47:02.187: AAA SRV(00000000): Authen method=NOT_SET - No methods left to try
*Aug 26 20:47:02.187: AAA SRV(00000000): Return Authentication status=FAIL

Author Comment

by:Delszeki
Snippet is the debugging that is enabled....
General OS:
  AAA Authentication debugging is on
  AAA Authorization debugging is on
  AAA Accounting debugging is on
  AAA Administrative debugging is on
  AAA Subsystem debugs debugging is on
  AAA Unique Id debugs debugging is on
  AAA Radius debugs debugging is on
 

Author Comment

by:Delszeki
And here is the configuration for AAA that I've done...
aaa new-model
!
!
aaa authentication login default group radius
aaa authorization exec default group radius
!
ip http server
ip http authentication aaa
!
radius-server host 10.31.2.69 auth-port 1812 acct-port 1813
radius-server key 7 105C0618011F170A08
!

Expert Comment

by:SysExpert
Don't forget that you have a preshared key, so you need a proper method at both ends.

I can't tell from the logs if they are even reaching the PSK handshake.

please note

*Aug 26 20:45:42.947: AAA SRV(00000000): protocol reply FAIL for Authentication
*Aug 26 20:45:42.947: AAA SRV(00000000): Authen method=NOT_SET - No methods left to try


Author Comment

by:Delszeki
Yea.  I don't see it either.  I cleared out all the M$ logs on the RADIUS server, tried it more than a few times, and nothing on that end.  I'm going to build a new RADIUS server, here in a VM, and see if I can't get it to communicate on the same segment, and rule out interconnected devices.  I'll keep ya posted.  =]

Expert Comment

by:ChiefIT
I like to use portqry instead of telnet to troubleshoot application ports. Telnet is sometimes blocked by IT sec admins.  On Cisco routers, telnet is not active unless you set a password on your Virtual Terminal (VTY) access ports.

Portqry is a built-in utility that can check UDP and TCP ports to see if they are listening, blocked or OFF.

The syntax is this:
portqry -n (IP address) -o port1, port2, port3 -p both

-n is name or IP
-o is the port numbers
-p is the path (could be UDP, TCP or both)

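An added illustration (not from any poster in this thread) of why a TCP port checker or telnet says "closed" while RADIUS works: RADIUS is UDP, so the only real reachability test is a well-formed Access-Request (RFC 2865) and a check of the Response Authenticator under the shared secret. Host, secret, username and password are placeholders you supply; build_response only simulates what a server returns, so the packet logic can be exercised offline.

```python
import hashlib, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def pap_encrypt(secret, req_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    password = password.ljust(((len(password) + 15) // 16) * 16 or 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(password), 16):
        prev = bytes(a ^ b for a, b in zip(password[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def build_access_request(secret, username, password, ident=1, req_auth=None):
    """Code(1) Identifier Length Authenticator(16) followed by User-Name and User-Password."""
    req_auth = req_auth or os.urandom(16)  # Request Authenticator: fresh random value per request
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username.encode()),
                             (ATTR_USER_PASSWORD, pap_encrypt(secret, req_auth, password.encode()))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth


def build_response(secret, req_auth, code, ident, attrs=b""):
    """What a server sends back (RFC 2865 section 3); used here only to simulate one offline."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def verify_response(secret, req_auth, resp):
    """Return the reply code only if its Response Authenticator checks out under our secret."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return None
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return resp[0] if expected == resp[4:20] else None


def probe(host, secret, username, password, port=1812, timeout=3.0):
    """'no reply': the datagram never reached a listening server, or the server ignores this client.
    'bad authenticator': a server answered, but the shared secrets differ at the two ends."""
    pkt, req_auth = build_access_request(secret, username, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (host, port))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply"
    code = verify_response(secret, req_auth, resp)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "bad authenticator")
```

Run probe() from the router's segment and again on the server itself: "no reply" in both places means the service is not listening or does not know this client, which separates a server problem from a filtered path.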
 

Author Closing Comment

by:Delszeki
Took me some digging around, but essentially, it was the server.  Thank you so much!