Solved: Re: Windows Server RADIUS not authenticating users for cisco router

Robert28 · ‎02-02-2022

The background is the following: I'm running a Windows Server 2019 virtual machine on VMware Workstation with ADDS, DNS, DHCP, and NPS. Windows server resides in VLAN 10(192.168.10.0/24) and a laptop that is connected to VLAN 20(192.168.20.0/24) with having the respective sub-interfaces (fa0/0.10, fa0/0.20) configured on the router. On the Win Server, I configured two DHCP scopes for the two VLANs and all devices i.e. laptop managed to receive the correct address parameters and was able to ping the Win server, so no problems there. I want to authenticate two users inside a security group using the RADIUS service in NPS for accessing the router in privilege level 15. The two users should be able to log into the router using either the console or through SSH. Therefore, I promoted NPS to refer to Active Directory when authenticating users, configured the default gateway address 192.168.10.1 of VLAN 10 as the RADIUS client, in the router made the radius-server host address to be 192.168.10.2 which is the address of the Win server, etc, etc. Basically, I followed several youtube clips related to this topic and exactly configured every single step how it was presented in the videos.

The problem: When the specified users try to login through console or SSH, RADIUS fails to authenticate them with Active Directory responding with failed authentication login messages. Strangely enough, I'm able to SSH or login to the router using the configured local database despite having the RADIUS server online; almost as if RADIUS is being bypassed. What's even weirder is that the router constantly displays a message(s) regarding exactly the following: "%RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.10.2:1645,1646 is not responding." and the other one "%RADIUS-4-RADIUS_ALIVEL: RADIUS server 192.168.10.2:1645,1646 is being marked alive."

I've spent more than a week troubleshooting this issue trying every possible "solution" found on the Internet from changing to disabling VLANs, modifying DHCP scopes, reconfiguring the entire router, re-installing AD along with NPS, re-installing the entire Win Server, using different addresses for RADIUS client and for the radius-server host, enabling/disabling firewall rules, tried different ports (from 1645,1646 to 1812,1813), literally everything, but nothing...I'm still experiencing the issues mentioned earlier. I would highly appreciate it if someone could help me solve this problem or at least point me in the right direction after killing so much time and effort trying to solve this case.

Robert28 · ‎04-20-2022

Hello! @Jahan Pahlavani

It's ok, I've managed to fix the problem. There tends to be a bug that only occurs in Windows Server 2019. More precisely, the Windows Firewall refuses to pass authentication requests to the NPS server on UDP port 1812 even though everything is enabled and permitted in the NPS section of the firewall.

The solution was using a PowerShell command for altering all the NPS-related rules to "Any" instead of "ias", and that instantly allowed all authentication requests to pass.

The PowerShell command: "Get-NetFirewallRule -DisplayGroup "Network Policy Server" | where DisplayName -like "*RADIUS*" | Set-NetFirewallRule -Service Any"

For a more detailed explanation, read through this post which explains everything you need to know about this bug. https://blog.topqore.com/radius-authentication-using-nps-on-server-2019-bug/

View solution in original post

Amine ZAKARIA · ‎02-02-2022

Hello @Robert28 ,

Did you add the Router ip into NPS Radius Client with the same Pre-shared key? Can you share the show running-config of the router and the NPS Configuration you made?

Regards!

Haydn Andrews · ‎02-02-2022

NPS has some good logs it might also show what its showing.

Basically there are a few checks that are done before it will even talk to AD:

Is the device an approved NAD with the correct shared secret

Does it have a policy matching the NAD and the authentication method, to process the Auth

Then does it have a Authz policy to return (default normally access deny, which from memory the router wont mark the RADIUS server as dead if it receives anything back from the RADIUS server)

Can you share the running config of the router and the NPS config as well.

Did you have the command ip radius source-interface on the router to ensure the router is always using the NAD IP that you configured within NPS?

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

Robert28 · ‎02-03-2022

The router configuration:

nemesisR1#show running-config
Building configuration...

Current configuration : 1428 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname nemesisR1
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization console
aaa authorization exec login group radius local
!
aaa session-id common
memory-size iomem 15
ip cef
!
!
!
!
ip domain name nemesis.com
!
!
!
username admin password 0 admin123
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.10
description CONNECT TO SERVERS-LAN
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip helper-address 192.168.10.2
!
interface FastEthernet0/0.20
description CONNECT TO ROOM1-LAN
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip helper-address 192.168.10.2
!
interface FastEthernet0/0.99
description CONNECT TO MANAGEMENT
encapsulation dot1Q 99
ip address 192.168.99.1 255.255.255.0
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
!
!
!
radius-server host 192.168.10.2 auth-port 1645 acct-port 1646 key nemesis123
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
transport input ssh
!
scheduler allocate 20000 1000
end

nemesisR1#

RADIUS client configuration in NPS:

NPS Policy:

Amine ZAKARIA · ‎02-03-2022

Hello @Robert28 ,

Add "ip radius source-interface FastEthernet0/0.10" and test again.

Regards!

Robert28 · ‎02-03-2022

I tried your suggestion, however, I'm still not able to login or SSH into the router, and still getting the error messages the "%RADIUS-4-RADIUS_DEAD" and "%RADIUS-4-RADIUS_ALIVE" ones. Although I did realize something. When I type in the command "login authentication default" under "line vty 0 4" it doesn't appear in the running-config for some reason, and maybe that's the issue because in Packet Tracer without that command the router is not contacting the RADIUS server.

Thanks for your reply though! Open to more suggestions.

Amine ZAKARIA · ‎02-03-2022

Hello @Robert28,
I am assuming NPS ports aren't blocked by Windows Firewall.

On the Cisco Router issue "test aaa group radius username password legacy" what does it return ?

And check on the NPS event viewer if do you receive any logs ?

@Robert28 wrote:
When I type in the command "login authentication default" under "line vty 0 4" it doesn't appear in the running-config for some reason, and maybe that's the issue because in Packet Tracer without that command the router is not contacting the RADIUS server.

The "default" method is by default in line vty that's why not shown in show run.
BTW on the NPS conditions i suggest you to instead of using service-type login use nas-ipv4-address or client friendly name.

Regards!

Robert28 · ‎02-04-2022

@Amine ZAKARIA "On the Cisco Router issue "test aaa group radius username password legacy" what does it return ?"

I typed the command using one of the authorized user's username and password and this showed:

"Attempting authentication test to server-group radius using radius
No authoritative response from any server."

Checked the event viewer as well, but only this message was there:

Finally, I set a friendly name to the router's name "nemesisR1" in Connection Request Policies, but still can't authenticate any user credentials, and the %RADIUS-4-RADIUS_DEAD", "%RADIUS-4-RADIUS_ALIVE messages with IP of Win server 192.168.10.2 are still popping up

My last guess would be that maybe RADIUS when running in a virtual machine is not compatible with receiving requests through sub-interfaces...but hopefully, I'm wrong.

Amine ZAKARIA · ‎02-04-2022

Hello @Robert28 ,

If there's only that one log means NPS did not receive any requests.
Is the router virtual too? seems tagging problem between the router and the vmnet.
Try to change the interface tagging to vlan 1 and check if the NPS working, if it does that means vlan tag problem in WS2019 side.

interface FastEthernet0/0.10
description CONNECT TO SERVERS-LAN
encapsulation dot1Q 1

----------------------------------
Don't forget to rate helpful posts!

Robert28 · ‎04-05-2022

Hello! @Amine ZAKARIA,

Apologies for my delayed reply...I was very busy.

"Is the router virtual too?" Well, for my initial implementation, I used a physical router, a Cisco 1841 then later tried it on a virtual router in GNS3 which I will get into later.

So, I tried your suggested method of configuring the mentioned sub-interface to VLAN 1, but then I wasn't able to ping any machines on that interface and vice-versa.

However, I added three aaa related debug commands which were: "debug aaa authentication", "debug aaa authorizations", and "debug radius" then received some pretty interesting feedback as indicated by the image below:

Important to know that this feedback was displayed by the physical router, however, the same exact feedback was presented when I replicated the configuration on a virtual router inside GNS3.

My current interpretation (which could be false) is that the problem either resides on the Win server or the physical PC running the Win server, and not the interfaces of the router. For instance, my windows 10 system hasn't been re-installed for 4 years on my hardware PC so, there could be some incompatibilites or some settings have been altered - due to its long operation - preventing the desired outcomes. If that's the case, I could install the Win server on my laptop's VMware. My other idea is that maybe the participating devices need to be assigned a certificate from a certificate authority service on the Win server in order to authenticate.

I always welcome and appreciate more suggestions, so feel free to add some more if you have any!

Jahan Pahlavani · ‎04-19-2022

which interface you ssh to? is it interface FastEthernet0/0.99?

Regards.

Robert28 · ‎04-20-2022

Hello! @Jahan Pahlavani

It's ok, I've managed to fix the problem. There tends to be a bug that only occurs in Windows Server 2019. More precisely, the Windows Firewall refuses to pass authentication requests to the NPS server on UDP port 1812 even though everything is enabled and permitted in the NPS section of the firewall.

The solution was using a PowerShell command for altering all the NPS-related rules to "Any" instead of "ias", and that instantly allowed all authentication requests to pass.

The PowerShell command: "Get-NetFirewallRule -DisplayGroup "Network Policy Server" | where DisplayName -like "*RADIUS*" | Set-NetFirewallRule -Service Any"

For a more detailed explanation, read through this post which explains everything you need to know about this bug. https://blog.topqore.com/radius-authentication-using-nps-on-server-2019-bug/