Radius Authentication not working - Remote access VPN

abccisco2011
Level 1

We changed ISP and our IP address range also changed. Remote Access VPN is working with local authentication but not with RADIUS authentication. I really do not have experience with remote access VPN, but I did run "debug radius all" and here is what I got:

alloc_rip 0x71dba610
new request 0xe43 --> 75 (0x71dba610)
got user 'sgupta'
got password
add_req 0x71dba610 session 0xe43 id 75
RADIUS_REQUEST
radius.c: rad_mkpkt
rad_mkpkt: ip:source-ip=166.170.30.20

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 142).....
01 4b 00 8e 52 23 20 d9 9e 7f 4c 95 aa 9b 38 11 | .K..R# .L...8.
76 77 e4 4d 01 08 73 67 75 70 74 61 02 12 fa b8 | vw.M..sgupta....
51 1a 43 65 9f 41 f0 27 a1 3c 39 96 45 0d 05 06 | Q.Ce.A.'.<9.E...
00 61 70 00 1e 0e 37 30 2e 31 39 31 2e 35 38 2e | .ap...70.191.58.
36 38 1f 0f 31 36 36 2e 31 37 30 2e 33 30 2e 32 | 68..166.170.30.2
30 3d 06 00 00 00 05 42 0f 31 36 36 2e 31 37 30 | 0=.....B.166.170
2e 33 30 2e 32 30 04 06 0a 01 08 05 1a 22 00 00 | .30.20......."..
00 09 01 1c 69 70 3a 73 6f 75 72 63 65 2d 69 70 | ....ip:source-ip
3d 31 36 36 2e 31 37 30 2e 33 30 2e 32 30 | =166.170.30.20

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 75 (0x4B)
Radius: Length = 142 (0x008E)
Radius: Vector: 522320D99E7F4C95AA9B38117677E44D
Radius: Type = 1 (0x01) User-Name
Radius: Length = 8 (0x08)
Radius: Value (String) =
73 67 75 70 74 61 | sgupta
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
fa b8 51 1a 43 65 9f 41 f0 27 a1 3c 39 96 45 0d | ..Q.Ce.A.'.<9.E.
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x617000
Radius: Type = 30 (0x1E) Called-Station-Id
Radius: Length = 14 (0x0E)
Radius: Value (String) =
37 30 2e 31 39 31 2e 35 38 2e 36 38 | 70.191.58.68
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 15 (0x0F)
Radius: Value (String) =
31 36 36 2e 31 37 30 2e 33 30 2e 32 30 | 166.170.30.20
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 66 (0x42) Tunnel-Client-Endpoint
Radius: Length = 15 (0x0F)
Radius: Value (String) =
31 36 36 2e 31 37 30 2e 33 30 2e 32 30 | 166.170.30.20
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.1.8.5 (0x0A010805)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 34 (0x22)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 28 (0x1C)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 36 36 | ip:source-ip=166
2e 31 37 30 2e 33 30 2e 32 30 | .170.30.20
send pkt 10.54.1.78/1645
rip 0x71dba610 state 7 id 75
rad_vrfy() : bad req auth
rad_procpkt: radvrfy fail
radius mkreq: 0xe44
alloc_rip 0x71db9b10
new request 0xe44 --> 76 (0x71db9b10)
got user 'sgupta'
got password
add_req 0x71db9b10 session 0xe44 id 76
RADIUS_DELETE
remove_req 0x71dba610 session 0xe43 id 75
free_rip 0x71dba610
RADIUS_REQUEST
radius.c: rad_mkpkt
rad_mkpkt: ip:source-ip=166.170.30.20

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 142).....
01 4c 00 8e c2 d3 10 09 0e 2f 3c c5 1a 4b 28 41 | .L......./<..K(A
e6 27 d4 7d 01 08 73 67 75 70 74 61 02 12 c9 99 | .'.}..sgupta....
1d 2d df f5 82 19 f0 f6 e3 7c 12 d4 0c f0 05 06 | .-.......|......
00 61 70 00 1e 0e 37 30 2e 31 39 31 2e 35 38 2e | .ap...70.191.58.
36 38 1f 0f 31 36 36 2e 31 37 30 2e 33 30 2e 32 | 68..166.170.30.2
30 3d 06 00 00 00 05 42 0f 31 36 36 2e 31 37 30 | 0=.....B.166.170
2e 33 30 2e 32 30 04 06 0a 01 08 05 1a 22 00 00 | .30.20......."..
00 09 01 1c 69 70 3a 73 6f 75 72 63 65 2d 69 70 | ....ip:source-ip
3d 31 36 36 2e 31 37 30 2e 33 30 2e 32 30 | =166.170.30.20

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 76 (0x4C)
Radius: Length = 142 (0x008E)
Radius: Vector: C2D310090E2F3CC51A4B2841E627D47D
Radius: Type = 1 (0x01) User-Name
Radius: Length = 8 (0x08)
Radius: Value (String) =
73 67 75 70 74 61 | sgupta
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
c9 99 1d 2d df f5 82 19 f0 f6 e3 7c 12 d4 0c f0 | ...-.......|....
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x617000
Radius: Type = 30 (0x1E) Called-Station-Id
Radius: Length = 14 (0x0E)
Radius: Value (String) =
37 30 2e 31 39 31 2e 35 38 2e 36 38 | 70.191.58.68
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 15 (0x0F)
Radius: Value (String) =
31 36 36 2e 31 37 30 2e 33 30 2e 32 30 | 166.170.30.20
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 66 (0x42) Tunnel-Client-Endpoint
Radius: Length = 15 (0x0F)
Radius: Value (String) =
31 36 36 2e 31 37 30 2e 33 30 2e 32 30 | 166.170.30.20
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.1.8.5 (0x0A010805)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 34 (0x22)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 28 (0x1C)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 36 36 | ip:source-ip=166
2e 31 37 30 2e 33 30 2e 32 30 | .170.30.20
send pkt 10.54.1.78/1645
rip 0x71db9b10 state 7 id 76
rad_vrfy() : bad req auth
rad_procpkt: radvrfy fail
radius mkreq: 0xe45
alloc_rip 0x71dba610
new request 0xe45 --> 77 (0x71dba610)
got user 'sgupta'
got password
add_req 0x71dba610 session 0xe45 id 77
RADIUS_DELETE
remove_req 0x71db9b10 session 0xe44 id 76
free_rip 0x71db9b10
RADIUS_REQUEST
radius.c: rad_mkpkt
rad_mkpkt: ip:source-ip=166.170.30.20

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 142).....
01 4d 00 8e 64 cd 82 93 d0 c9 ce ef fc 85 da 0b | .M..d...........
e8 01 a6 e7 01 08 73 67 75 70 74 61 02 12 14 ca | ......sgupta....
00 2b 4c 64 f1 f7 ab ea ba 76 a0 95 62 da 05 06 | .+Ld.....v..b...
00 61 70 00 1e 0e 37 30 2e 31 39 31 2e 35 38 2e | .ap...70.191.58.
36 38 1f 0f 31 36 36 2e 31 37 30 2e 33 30 2e 32 | 68..166.170.30.2
30 3d 06 00 00 00 05 42 0f 31 36 36 2e 31 37 30 | 0=.....B.166.170
2e 33 30 2e 32 30 04 06 0a 01 08 05 1a 22 00 00 | .30.20......."..
00 09 01 1c 69 70 3a 73 6f 75 72 63 65 2d 69 70 | ....ip:source-ip
3d 31 36 36 2e 31 37 30 2e 33 30 2e 32 30 | =166.170.30.20

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 77 (0x4D)
Radius: Length = 142 (0x008E)
Radius: Vector: 64CD8293D0C9CEEFFC85DA0BE801A6E7
Radius: Type = 1 (0x01) User-Name
Radius: Length = 8 (0x08)
Radius: Value (String) =
73 67 75 70 74 61 | sgupta
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
14 ca 00 2b 4c 64 f1 f7 ab ea ba 76 a0 95 62 da | ...+Ld.....v..b.
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x617000
Radius: Type = 30 (0x1E) Called-Station-Id
Radius: Length = 14 (0x0E)
Radius: Value (String) =
37 30 2e 31 39 31 2e 35 38 2e 36 38 | 70.191.58.68
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 15 (0x0F)
Radius: Value (String) =
31 36 36 2e 31 37 30 2e 33 30 2e 32 30 | 166.170.30.20
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 66 (0x42) Tunnel-Client-Endpoint
Radius: Length = 15 (0x0F)
Radius: Value (String) =
31 36 36 2e 31 37 30 2e 33 30 2e 32 30 | 166.170.30.20
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.1.8.5 (0x0A010805)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 34 (0x22)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 28 (0x1C)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 36 36 | ip:source-ip=166
2e 31 37 30 2e 33 30 2e 32 30 | .170.30.20
send pkt 10.54.1.78/1645
rip 0x71dba610 state 7 id 77
rad_vrfy() : bad req auth
rad_procpkt: radvrfy fail
RADIUS_DELETE
remove_req 0x71dba610 session 0xe45 id 77
free_rip 0x71dba610
radius: send queue empty

Any suggestions on what is wrong here?

7 Replies

Look at your RADIUS server to see if your rules include your public IP as a condition. As it changed when you went to a different ISP, it is likely that your authentication rules don't match any more.

I checked inside my RADIUS server settings; all I see is my internal IP address.

This is the config of the RADIUS client, which most likely didn't change. You have to look at your authentication rules, which you find under:

  • Policies -> Network-Policies
  • Policies -> Connection Request Policies

Karsten,

I looked at these policies but did not find any entry for public IP address.

Thanks,

Do you see the requests in the log of your RADIUS server? Perhaps you will find an indication of the problem there.

Karsten,

I just checked the security logs of the RADIUS server and I got an Audit Failure. Here is the detail for that error:

- System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
EventID 6273
Version 1
Level 0
Task 12552
Opcode 0
Keywords 0x8010000000000000
- TimeCreated
[ SystemTime] 2015-12-17T14:00:30.010198100Z
EventRecordID 725076
Correlation
- Execution
[ ProcessID] 560
[ ThreadID] 8160
Channel Security
Computer SVM-MGT1RAD1.ABCIMAGING.NET
Security
- EventData
SubjectUserSid S-1-0-0
SubjectUserName sgupta
SubjectDomainName ABC
FullyQualifiedSubjectUserName ABC\sgupta
SubjectMachineSID S-1-0-0
SubjectMachineName -
FullyQualifiedSubjectMachineName -
MachineInventory -
CalledStationID 70.191.58.68
CallingStationID 166.170.30.20
NASIPv4Address 10.1.8.5
NASIPv6Address -
NASIdentifier -
NASPortType Virtual
NASPort 6385664
ClientName ABCHQFW10
ClientIPAddress 10.1.8.5
ProxyPolicyName ABCVPNAccess
NetworkPolicyName -
AuthenticationProvider Windows
AuthenticationServer SVM-MGT1RAD1.ABCIMAGING.NET
AuthenticationType PAP
EAPType -
AccountSessionIdentifier -
ReasonCode 16
Reason Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
LoggingResult Accounting information was not written to any data store.

Any suggestions based on this?
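Added example, not from the thread and not Cisco or Microsoft code: a small Python parser for the Access-Request bytes the ASA printed under "debug radius all" (id 75 above), together with the two RFC 2865 computations that depend on the RADIUS shared secret. The first is the User-Password hiding (MD5 keystream XOR) that the server reverses before it compares credentials for PAP; the second is the Response Authenticator, MD5(Code + ID + Length + RequestAuth + Attributes + Secret), that the NAS checks on every Access-Accept/Reject, which is the rad_vrfy() step the ASA debug shows failing. The shared secrets, the password and the reply are constructed for the demonstration; the thread does not state the real values. The simulate() function shows what the protocol implies when the two sides hold different secrets: the server decodes a wrong password (so it would only ever see a credentials mismatch) and the NAS cannot verify the reply it gets back. Whether that is the cause here is for the poster to check against the ASA and NPS configuration.

```python
"""Added example (not from the thread, Cisco or Microsoft): parse the Access-Request
the ASA printed under "debug radius all" and show the two RFC 2865 computations
that depend on the RADIUS shared secret. Secrets and password below are made up."""
import hashlib
import hmac
import struct

ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
              26: "Vendor-Specific", 30: "Called-Station-Id", 31: "Calling-Station-Id",
              61: "NAS-Port-Type", 66: "Tunnel-Client-Endpoint"}

# Access-Request id 75 exactly as dumped by the ASA on this page (142 bytes).
ACCESS_REQUEST = bytes.fromhex(
    "014b008e522320d99e7f4c95aa9b3811" "7677e44d01087367757074610212fab8"
    "511a43659f41f027a13c3996450d0506" "006170001e0e37302e3139312e35382e"
    "36381f0f3136362e3137302e33302e32" "303d0600000005420f3136362e313730"
    "2e33302e323004060a0108051a220000" "0009011c69703a736f757263652d6970"
    "3d3136362e3137302e33302e3230")


def parse_packet(raw: bytes):
    """Split a RADIUS packet into (code, id, authenticator, [(type, value), ...]).
    Vendor-Specific (26) values are returned as (vendor_id, sub_type, sub_value)."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw) or length < 20:
        raise ValueError("RADIUS length field does not match the packet")
    authenticator = raw[4:20]
    attrs, pos = [], 20
    while pos < length:
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = raw[pos + 2:pos + alen]
        if atype == 26:  # vendor id (4 bytes) followed by one sub-TLV
            vendor = struct.unpack("!I", value[:4])[0]
            sub_type, sub_len = value[4], value[5]
            value = (vendor, sub_type, value[6:4 + sub_len])
        attrs.append((atype, value))
        pos += alen
    return code, ident, authenticator, attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ k for h, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_reply(code: int, ident: int, request_auth: bytes, secret: bytes,
                attrs: bytes = b"") -> bytes:
    """Access-Accept (2) / Access-Reject (3) carrying the RFC 2865 Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The NAS-side check; this is what fails when the ASA logs 'bad req auth'."""
    header, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def simulate(nas_secret: bytes, server_secret: bytes, password: bytes = b"example-password"):
    """One request/reply round trip with constructed secrets, reusing the real
    Request Authenticator from the dump. Returns (server_saw_correct_password,
    nas_verified_reply)."""
    _, ident, request_auth, _ = parse_packet(ACCESS_REQUEST)
    hidden = hide_password(password, nas_secret, request_auth)
    seen = reveal_password(hidden, server_secret, request_auth)
    credentials_ok = seen == password
    reply = build_reply(2 if credentials_ok else 3, ident, request_auth, server_secret)
    return credentials_ok, verify_reply(reply, request_auth, nas_secret)


if __name__ == "__main__":
    code, ident, auth, attrs = parse_packet(ACCESS_REQUEST)
    print("code=%d id=%d authenticator=%s" % (code, ident, auth.hex()))
    for atype, value in attrs:
        print("  %-22s %r" % (ATTR_NAMES.get(atype, atype), value))
    print("matching secrets:  ", simulate(b"s3cret", b"s3cret"))
    print("mismatched secrets:", simulate(b"s3cret", b"S3cret"))
```

Run as-is, the parser reproduces the attribute list the ASA decoded (User-Name sgupta, NAS-IP-Address 10.1.8.5, the Cisco-AV-pair ip:source-ip=166.170.30.20). The User-Password attribute from the dump cannot be recovered without the real secret, so the round trip uses a constructed password. Note that a secret mismatch never produces a protocol error on either side: the server simply checks the wrong password, and the NAS simply discards the reply, which is why the two logs on this page each look like a different problem.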