Solved

How to create or view logs for NPS RADIUS server

Posted on 2013-11-11
6
884 Views
Last Modified: 2013-11-13
Hi,

I've set-up a RADIUS server within my network for my Cisco 877 device to point to my RADIUS server for authentication.

The problem I'm having is that when I'm connecting via the Cisco device it fails to authenticate. To clarify what I am doing, I try a log-in and receive a cget lost message.

When I connected from a client using Radius Test it connects fine.

I know the Cisco is hitting the RADIUS server, because when I don't allow the Cisco IP to connect, the event viewer says blocked connection from the IP in question.

The event viewer isn't very helpful though when IP is allowed, in fact I have nothing posted at all.

Does anyone know how I can debug the issue with authentication.

Ben
0
Comment
Question by:benowens
6 Comments
 
LVL 2

Accepted Solution

by:
psychokraft earned 500 total points
ID: 39638881
Without seeing your config my best advice to start is to use the exec command: test aaa group radius <username> <password> {legacy | new-code}. This will generate one of three messages:
No authoritative response, which means you're not hitting the NPS
User Rejected, which means you are hitting it but being rejected
User Authenticated, which means, well, authenticated...
Setting up NPS for Cisco devices can be tricky and sometimes involves removing policies, items and recreating to get them to work.
Please see the attached document for a guide my coworker and I set up.
You may also find the following helpful:
http://aaronwalrath.wordpress.com/2010/06/22/install-windows-2008-r2-nps-for-radius-authentication-for-cisco-router-logins/
And remember, NPS uses ports 1645 and 1646 for RADIUS, not 1812 and 1813.
Configuring-RADIUS-For-AAA.docx
0
 
LVL 1

Author Comment

by:benowens
ID: 39638911
Okay, I'll look at the exec commands and see what we get. I am using a Windows 2013 server and set-up NPS according to this guide.

Seems to work fine on the Windows side. As I said, I used a few RADIUS testing tools and they report authentication working fine. Note: I have to change the allowed IP to my client PC when I test it from my client.

I was really looking for some sort of Windows log which shows the traffic or connection.

As said, when I allow the IP of the Cisco device to connect, it doesn't show anything on the event viewer. However, when I set the allowed IP to my client PC, then try to connect from the Cisco via telnet login, it posts a message "A RADIUS message was received from the invalid RADIUS client IP address 192.168.0.239."
0
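The accepted answer covers the Cisco side (test aaa group radius) and the author is asking for the Windows side: NPS writes its authentication results to the Security log, but only when the "Network Policy Server" audit subcategory is enabled, which is why Event Viewer can stay empty even though the router is clearly reaching the server. The script below is an added example written for this thread, not code from the original posts or from Microsoft; it assumes it is run as Administrator on the NPS server (Windows Server 2008 R2 or later), that the Cisco's address is the 192.168.0.239 quoted above, and that the EventData field names used (ClientIPAddress, SubjectUserName, ReasonCode, Reason) are the ones carried by events 6272/6273/6274, which is the case on current NPS versions. It enables auditing, checks which RADIUS UDP ports NPS is actually listening on (relevant to the 1645/1812 point in the answer), and then lists granted, denied and discarded requests with the reason NPS recorded.

```powershell
# Added example for this thread, not from the original posts.
# Assumes: run as Administrator on the NPS server; $RadiusClientIp is the
# Cisco 877 address quoted in the thread (constructed/assumed value).
$RadiusClientIp = '192.168.0.239'
$Hours          = 24

# 1. NPS logs to the Security log under the "Network Policy Server" audit
#    subcategory. Without it enabled nothing appears in Event Viewer at all.
Write-Host '--- Current NPS audit setting ---'
auditpol /get /subcategory:"Network Policy Server"

# Enable both success and failure so granted AND denied requests are recorded.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null

# 2. Confirm which RADIUS UDP ports NPS is bound to. Authentication uses 1645
#    or 1812, accounting 1646 or 1813; the Cisco must be sending to one of them.
Write-Host '--- UDP listeners on RADIUS ports ---'
Get-NetUDPEndpoint -LocalPort 1645, 1646, 1812, 1813 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

# 3. Pull NPS results from the Security log:
#    6272 = access granted, 6273 = access denied, 6274 = request discarded.
#    A discarded request is what a shared-secret mismatch or an unknown client
#    produces, so it is the one to look for in the situation described above.
$resultName = @{ 6272 = 'GRANTED'; 6273 = 'DENIED'; 6274 = 'DISCARDED' }

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id           = 6272, 6273, 6274
    StartTime    = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

Write-Host "--- NPS events in the last $Hours h ---"
$events | ForEach-Object {
    $e    = $_
    $xml  = [xml]$e.ToXml()
    $data = @{}
    # Flatten <Data Name="...">value</Data> into a name->value table.
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Id         = $e.Id
        Result     = $resultName[[int]$e.Id]
        Client     = $data['ClientIPAddress']
        User       = $data['SubjectUserName']
        ReasonCode = $data['ReasonCode']
        Reason     = $data['Reason']
    }
} |
    Where-Object { -not $RadiusClientIp -or $_.Client -eq $RadiusClientIp } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize -Wrap
```

Set $RadiusClientIp to an empty string to see requests from every RADIUS client. If the port table shows NPS listening only on 1812/1813 while the router is configured for 1645/1646 (or the reverse), no event will ever be logged because the datagram never reaches NPS; if events 6274 appear with a shared-secret reason, the fix is on the router, as the thread eventually found.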
 
LVL 2

Expert Comment

by:psychokraft
ID: 39638932
What is the ip address of the client pc and the router?
0
 
LVL 1

Author Comment

by:benowens
ID: 39638978
Just had some progression, I think. We reset the shared secret but my colleague who is looking after the Cisco side submitted the shared secret using the unencrypted option. The login now works fine from telnet. I would still like to find out how to troubleshoot that on the Windows side.

The IP of the Cisco is 192.168.0.239 and the IP of my client is 192.168.0.152.
0
 
LVL 2

Expert Comment

by:psychokraft
ID: 39639040
Yes, the only way I have found to pass the RADIUS request from a Cisco device to a Windows NPS is with the unencrypted option. The password itself is encrypted but that is all. If you do find a way to do it with encryption, please post it here, I'd love to see someone make that work :) We only use RADIUS as a backup for our Cisco devices after TACACS for just that reason. When you say you changed to unencrypted, do you mean like on page 12 of the document, under configure authentication methods?
0
 
LVL 1

Author Comment

by:benowens
ID: 39639229
Ah, no sorry, not there. I mean my colleague set the shared secret as unencrypted on the Cisco device. I think by default it was encrypted and therefore there was a shared secret mismatch. I haven't looked at TACACS. I'll have to check that out.
0