I recently worked with a client to troubleshoot RADIUS authentication issues between their Cisco Nexus switches (the RADIUS clients) and their Microsoft Windows Server 2012 R2 NPS (Network Policy Server), which acts as the RADIUS server. After the cause was found, the client asked why I had never written a blog post on the steps I take to troubleshoot issues like these, so this post walks through that process.

The first place I look when a RADIUS client is not able to successfully authenticate against Active Directory through a Windows 2012 R2 NPS server is the directory:

C:\Windows\System32\LogFiles

This is where the IN####.log files are kept; #### is the year and month (YYMM) that the file covers:


[Screenshot: IN####.log files in C:\Windows\System32\LogFiles]

Each IN log holds a month of requests from the RADIUS clients, so when I am troubleshooting an issue that is happening right now I:

1. Open the latest log file
2. Move the cursor to the last entry of the log file
3. Use the Find feature (CTRL + F) and search for the RADIUS client's IP address
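The three steps above done from PowerShell, as an added example that is not part of the original post: it picks the newest IN*.log, matches the client address as a whole field (so 10.92.9.11 does not also match 10.92.9.110), and prints the date and time of each matching request so the last one can be used as the time range in Event Viewer. It assumes the default log folder, the monthly IN<YYMM>.log naming shown above, and NPS's IAS or database-compatible text log format, in both of which Record-Date and Record-Time are the third and fourth comma-separated fields and the date is written MM/dd/yyyy; the address 10.92.9.11 is the Nexus from this post.

```powershell
# Added example; not code from the original post. Lists a RADIUS client's entries in the
# newest NPS log file and turns the most recent one into a time window for Event Viewer.
# Assumptions: default log folder, monthly IN<YYMM>.log naming, and NPS's IAS or
# database-compatible text format (Record-Date and Record-Time are fields 3 and 4).
function Find-NpsClientRequests {
    param(
        [Parameter(Mandatory)] [string]$NasIp,
        [string]$LogDir = 'C:\Windows\System32\LogFiles'
    )

    # The newest IN*.log is the one NPS is currently writing to.
    $log = Get-ChildItem -Path $LogDir -Filter 'IN*.log' -File |
           Sort-Object LastWriteTime -Descending |
           Select-Object -First 1
    if (-not $log) { throw "No IN*.log files found in $LogDir" }

    # Match the address as a whole field: preceded by start-of-line, a quote or a comma,
    # and followed by a quote, a comma or end-of-line.
    $pattern = '(^|[",])' + [regex]::Escape($NasIp) + '([",]|$)'

    Select-String -Path $log.FullName -Pattern $pattern | ForEach-Object {
        $fields = $_.Line -split ',' | ForEach-Object { $_.Trim('"') }
        [pscustomobject]@{
            LogFile    = $log.Name
            LineNumber = $_.LineNumber
            RecordDate = $fields[2]     # Record-Date
            RecordTime = $fields[3]     # Record-Time
            Line       = $_.Line
        }
    }
}

# Usage: the Nexus from the post is 10.92.9.11.
$hits = @(Find-NpsClientRequests -NasIp '10.92.9.11')
if ($hits.Count -eq 0) {
    'No requests from this client in the current log: check that it is defined as a RADIUS client on NPS and can reach UDP 1812/1813.'
} else {
    $hits | Select-Object -Last 5 | Format-Table LogFile, LineNumber, RecordDate, RecordTime -AutoSize

    # Most recent request, parsed with the invariant culture (MM/dd/yyyy), widened by a
    # minute each way for the Security log filter.
    $last = $hits[-1]
    $at   = [datetime]::Parse("$($last.RecordDate) $($last.RecordTime)", [cultureinfo]::InvariantCulture)
    "Filter the Security log from $($at.AddMinutes(-1)) to $($at.AddMinutes(1))"
}
```

An empty result is itself a finding: if the client's address never appears, NPS is not receiving (or not accepting) the request, and the Security log will have nothing to show for it.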

The following is an example of an entry from a client with an IP address 10.92.9.11 that I am troubleshooting:


[Screenshot: IN log entry for RADIUS client 10.92.9.11]

Being able to locate the IP address of the problematic client in the log above allows me to:

1. Verify that the client is indeed reaching the NPS server with its RADIUS request
2. Determine the exact time of the request

Item #2 is important because the next step is to open Event Viewer on the NPS server and navigate to the Security log:


[Screenshot: Event Viewer, Security log on the NPS server]

Those who have ventured into this log know that a very large number of entries are written to it, especially when the NPS server is also a domain controller. The timestamp obtained from the log file above lets us jump to the section of the log where the relevant entries are. Since the error shown at the Nexus login was "invalid password or user name", I filtered the Security events on the keyword Audit Failure:


[Screenshot: Security log filtered on Keywords: Audit Failure]

Navigating to the entries with the same timestamp displays event ID 6273 and 4625 entries that explain why the logon failed. For this client there were two 6273 events, one with Reason Code 65 and one with Reason Code 16, plus the 4625 for the logon that NPS attempted against Active Directory:


[Screenshot: event IDs 6273 and 4625 at the matching timestamp]
Event ID 6273 (Reason Code 65):

Network Policy Server denied access to a user. Contact the Network Policy Server administrator for more information.

User:
    Security ID: domain\argotest
    Account Name: argotest
    Account Domain: domain
    Fully Qualified Account Name: domain.internal/domain/Users/Test Accounts/argotest

Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: -
    Calling Station Identifier: -

NAS:
    NAS IPv4 Address: 10.92.9.11
    NAS IPv6 Address: -
    NAS Identifier: -
    NAS Port-Type: Virtual
    NAS Port: 0

RADIUS Client:
    Client Friendly Name: NX-1
    Client IP Address: 10.92.9.11

Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: Connections to other access servers
    Authentication Provider: Windows
    Authentication Server: SVRARDC01.domain.internal
    Authentication Type: PAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 65
    Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.

Event ID 6273 (Reason Code 16):

Network Policy Server denied access to a user. Contact the Network Policy Server administrator for more information.

User:
    Security ID: NULL SID
    Account Name: argotest
    Account Domain: domain
    Fully Qualified Account Name: domain\argotest

Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: -
    Calling Station Identifier: -

NAS:
    NAS IPv4 Address: 10.92.9.11
    NAS IPv6 Address: -
    NAS Identifier: -
    NAS Port-Type: Virtual
    NAS Port: 0

RADIUS Client:
    Client Friendly Name: NX-1
    Client IP Address: 10.92.9.11

Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: -
    Authentication Provider: Windows
    Authentication Server: SVRARDC01.domain.internal
    Authentication Type: PAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 16
    Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

Event ID 4625:

An account failed to log on.

Subject:
    Security ID: SYSTEM
    Account Name: SVRARDC01$
    Account Domain: domain
    Logon ID: 0x3E7

Logon Type: 3

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: argotest
    Account Domain: domain

Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC000006A

Process Information:
    Caller Process ID: 0x384
    Caller Process Name: C:\Windows\System32\svchost.exe

Network Information:
    Workstation Name:
    Source Network Address: -
    Source Port: -

Detailed Authentication Information:
    Logon Process: IAS
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the
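The same Security log lookup done from PowerShell, as an added example that is not the post's own code: it queries Audit Failure events 6273 and 4625 for the time window found in the IN log, optionally keeps only the 6273 events from one RADIUS client, and reads the fields that say why the logon failed. The <Data Name="..."> element names it uses (ReasonCode, ClientIPAddress, SubStatus and so on) are the ones shown in the events' XML view in Event Viewer; the timestamp in the usage line is constructed, and reading the Security log needs an account with that right. The Sub Status table in the block is also the check to apply to the 4625 above: its text says "Unknown user name or bad password", but Sub Status 0xC000006A means the account exists and the password was wrong (0xC0000064 would mean the user name does not exist), which agrees with the Reason Code 16 6273. The Reason Code 65 6273 is a separate cause, the account's Dial-in Network Access Permission set to Deny access, and its Reason text spells out the fix.

```powershell
# Added example; not code from the original post. Pulls the Audit Failure events the post
# reads by hand (6273 from NPS, 4625 from the logon NPS attempted) for a time window and
# resolves the fields that explain the failure. <Data Name="..."> names are those in the
# events' XML view; the Sub Status meanings are the documented NTSTATUS values.
function Get-NpsDenials {
    param(
        [Parameter(Mandatory)] [datetime]$StartTime,
        [Parameter(Mandatory)] [datetime]$EndTime,
        [string]$NasIp,                              # keep only 6273 events from this RADIUS client
        [string]$ComputerName = $env:COMPUTERNAME    # the NPS server
    )

    # 4625 only says "Unknown user name or bad password"; the Sub Status tells them apart.
    $subStatusMeaning = @{
        '0xc0000064' = 'user name does not exist'
        '0xc000006a' = 'user name is correct but the password is wrong'
        '0xc0000072' = 'account is disabled'
        '0xc0000234' = 'account is locked out'
        '0xc0000071' = 'password has expired'
        '0xc0000193' = 'account has expired'
    }

    $filter = @{
        LogName   = 'Security'
        Id        = 6273, 4625
        Keywords  = 0x10000000000000     # Audit Failure
        StartTime = $StartTime
        EndTime   = $EndTime
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter |
    ForEach-Object {
        # Read every <Data Name="..."> element of the event into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }

        if ($_.Id -eq 6273) {
            if ($NasIp -and $data['ClientIPAddress'] -ne $NasIp) { return }   # another client
            [pscustomobject]@{
                Time     = $_.TimeCreated
                EventId  = $_.Id
                Account  = $data['SubjectUserName']
                ClientIp = $data['ClientIPAddress']
                AuthType = $data['AuthenticationType']      # PAP in the post
                Code     = $data['ReasonCode']
                Meaning  = $data['Reason']
            }
        } else {
            $sub     = if ($data['SubStatus']) { $data['SubStatus'].ToLower() } else { '' }
            $meaning = if ($subStatusMeaning.ContainsKey($sub)) { $subStatusMeaning[$sub] }
                       else { 'see Status / Sub Status in the event' }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                EventId  = $_.Id
                Account  = $data['TargetUserName']
                ClientIp = $data['IpAddress']               # "-" for an NPS-originated logon
                AuthType = $data['LogonProcessName']        # "IAS" when NPS requested the logon
                Code     = $sub
                Meaning  = $meaning
            }
        }
    }
}

# Usage with a constructed timestamp; take the real one from the IN log entry.
$at = Get-Date '2017-05-17 10:15:32'
Get-NpsDenials -StartTime $at.AddMinutes(-1) -EndTime $at.AddMinutes(1) -NasIp '10.92.9.11' |
    Sort-Object Time |
    Format-Table Time, EventId, Account, ClientIp, AuthType, Code, Meaning -Wrap
```

The 4625 is filtered by time rather than by client because, as the event above shows, NPS-originated logons carry no Source Network Address; pairing it with the 6273 of the same second is what ties it back to the Nexus.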

Title: Troubleshooting RADIUS authentication issues between RADIUS client and Microsoft ...
Source: http://www.codesec.net/view/522468.html