Solved

How to create or view logs for NPS RADIUS server

Posted on 2013-11-11
6
734 Views
Last Modified: 2013-11-13
Hi,

I've set-up a RADIUS server within my network for my Cisco 877 device to point to my RADIUS server for authentication.

The problem i'm having is that when I'm connecting via the Cisco device it fails to authenticate.  To clarify what I am doing, I try a log-in and receive a cget lost message.

When I connected from a client using Radius Test it connects fine.

I know the Cisco is hitting the RADIUS server, because when I don't allow the Cisco IP to connect, the event viewer says blocked connection from the IP in question.

The event viewer isn't very helpful though when IP is allowed, in fact I have nothing posted at all.

Does anyone know how I can debug the issue with authentication.

Ben
0
Comment
Question by:benowens
  • 3
  • 3
6 Comments
 
LVL 2

Accepted Solution

by:
psychokraft earned 500 total points
Comment Utility
Without seeing your config my best advice to start is to use the exec command: test aaa group radius <username> <password> {legacy | new-code}. This will generate one of three messages:
No authoritive response, which means your not hitting the NPS
User Rejected, which means you are hitting it but being rejected
User Authenticated, which means, well, authenticated...
Setting up NPS for Cisco devices can be tricky and soemtimes invloves removing policies, items and recreating to get them to work.
Please see the attached document for a guide my coworker and I set up.
You may also find the followign helpful:
http://aaronwalrath.wordpress.com/2010/06/22/install-windows-2008-r2-nps-for-radius-authentication-for-cisco-router-logins/
And remember, NPS uses ports 1645 and 1646 for RADIUS, not 1812 and 1813.
Configuring-RADIUS-For-AAA.docx
0
 
LVL 1

Author Comment

by:benowens
Comment Utility
Okay i'll look at the exec commands and see what we get.  I am using a Windows 2013 server and set-up NPS according to this guide.

Seems to work fine on the Windows side.  As I said, used a few RADIUS testing tools and the report authentication working fine.  Note:  I have to change to the allowed IP to my client PC when I test it from my client.  

I was really looking for some sort of Windows log which shows the traffic or connection.

As said, when I allow the IP of the Cisco device to connect, it doesn't show anything on the event viewer.  However when I set the allowed IP to my client PC, then try to connect from the Cisco via telent login, it posts a message "A RADIUS message was received from the invalid RADIUS client IP address 192.168.0.239."
0
 
LVL 2

Expert Comment

by:psychokraft
Comment Utility
What is the ip address of the client pc and the router?
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 1

Author Comment

by:benowens
Comment Utility
Just had of progression I think.  We reset the shared secret but my colleague who is looking after the Cisco side submitted the shared secret using the unencrypted option.  The login now works fine from telnet.  I would still like to find out how to troubleshoot that on the Windows side.

The IP of the Cisco is 192.168.0.239 and the IP of my client is 192.168.0.152.
0
 
LVL 2

Expert Comment

by:psychokraft
Comment Utility
Yes, the only way I have found to pass the RADIUS request from a Cisco device to a Windows NPS is with the unencrypted option. The password itself is encrypted but that is all. If you do find a way to do it with encryption, please post it here, I'd love to see someone make that work:) We only use RADIUS as a backup for our Cisco devices after TACACS for just that reason. When you say you changed to unencrypted to you mean like on page 12 of the document, under configure authentication methods?
0
 
LVL 1

Author Comment

by:benowens
Comment Utility
Ah, no sorry, not there.  I mean my colleague set the shared secret as unencrypted on the Cisco device.  I think by default it was encrypted and therefore there was a shared secret mismatch.  I haven't looked at TACACS.  I'll have to chekc that out.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Suggested Solutions

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now