Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

How to create or view logs for NPS RADIUS server

Posted on 2013-11-11
6
Medium Priority
?
1,014 Views
Last Modified: 2013-11-13
Hi,

I've set-up a RADIUS server within my network for my Cisco 877 device to point to my RADIUS server for authentication.

The problem i'm having is that when I'm connecting via the Cisco device it fails to authenticate.  To clarify what I am doing, I try a log-in and receive a cget lost message.

When I connected from a client using Radius Test it connects fine.

I know the Cisco is hitting the RADIUS server, because when I don't allow the Cisco IP to connect, the event viewer says blocked connection from the IP in question.

The event viewer isn't very helpful though when IP is allowed, in fact I have nothing posted at all.

Does anyone know how I can debug the issue with authentication.

Ben
0
Comment
Question by:benowens
  • 3
  • 3
6 Comments
 
LVL 2

Accepted Solution

by:
psychokraft earned 1500 total points
ID: 39638881
Without seeing your config my best advice to start is to use the exec command: test aaa group radius <username> <password> {legacy | new-code}. This will generate one of three messages:
No authoritive response, which means your not hitting the NPS
User Rejected, which means you are hitting it but being rejected
User Authenticated, which means, well, authenticated...
Setting up NPS for Cisco devices can be tricky and soemtimes invloves removing policies, items and recreating to get them to work.
Please see the attached document for a guide my coworker and I set up.
You may also find the followign helpful:
http://aaronwalrath.wordpress.com/2010/06/22/install-windows-2008-r2-nps-for-radius-authentication-for-cisco-router-logins/
And remember, NPS uses ports 1645 and 1646 for RADIUS, not 1812 and 1813.
Configuring-RADIUS-For-AAA.docx
0
 
LVL 1

Author Comment

by:benowens
ID: 39638911
Okay i'll look at the exec commands and see what we get.  I am using a Windows 2013 server and set-up NPS according to this guide.

Seems to work fine on the Windows side.  As I said, used a few RADIUS testing tools and the report authentication working fine.  Note:  I have to change to the allowed IP to my client PC when I test it from my client.  

I was really looking for some sort of Windows log which shows the traffic or connection.

As said, when I allow the IP of the Cisco device to connect, it doesn't show anything on the event viewer.  However when I set the allowed IP to my client PC, then try to connect from the Cisco via telent login, it posts a message "A RADIUS message was received from the invalid RADIUS client IP address 192.168.0.239."
0
 
LVL 2

Expert Comment

by:psychokraft
ID: 39638932
What is the ip address of the client pc and the router?
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 1

Author Comment

by:benowens
ID: 39638978
Just had of progression I think.  We reset the shared secret but my colleague who is looking after the Cisco side submitted the shared secret using the unencrypted option.  The login now works fine from telnet.  I would still like to find out how to troubleshoot that on the Windows side.

The IP of the Cisco is 192.168.0.239 and the IP of my client is 192.168.0.152.
0
 
LVL 2

Expert Comment

by:psychokraft
ID: 39639040
Yes, the only way I have found to pass the RADIUS request from a Cisco device to a Windows NPS is with the unencrypted option. The password itself is encrypted but that is all. If you do find a way to do it with encryption, please post it here, I'd love to see someone make that work:) We only use RADIUS as a backup for our Cisco devices after TACACS for just that reason. When you say you changed to unencrypted to you mean like on page 12 of the document, under configure authentication methods?
0
 
LVL 1

Author Comment

by:benowens
ID: 39639229
Ah, no sorry, not there.  I mean my colleague set the shared secret as unencrypted on the Cisco device.  I think by default it was encrypted and therefore there was a shared secret mismatch.  I haven't looked at TACACS.  I'll have to chekc that out.
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Considering cloud tradeoffs and determining the right mix for your organization.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

782 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question