RADIUS Ports blocked suddenly

  • Question

  • We have been using RADIUS on Windows Server 2008 R2 for a few years to authenticate wireless access to our network. All of a sudden yesterday, it stopped working. From the NPS perspective, the connection just doesn't happen. What is happening is that in spite of an incoming rule to the contrary, port 1812 is being blocked by the "Windows Filtering Platform". I have all the standard rules enabled for NPS set to allow connections on any network type. In addition, I tried adding a manual rule to allow UDP port 1812 from anywhere, even allowing edge traversal, though that shouldn't be required. Still the packets are blocked. I get two audit failures in the security log, which I've pasted below. Since I already allow UDP port 1812 inbound and block nothing outbound, I'm not sure what to even look for...

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          9/27/2012 10:16:34 AM
    Event ID:      5152
    Task Category: Filtering Platform Packet Drop
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      GCI-DC.hq.gci.org
    Description:
    The Windows Filtering Platform has blocked a packet.

    Application Information:
    Process ID: 0
    Application Name: -

    Network Information:
    Direction: Inbound
    Source Address: 10.1.1.190
    Source Port: 62281
    Destination Address: 10.1.0.20
    Destination Port: 1812
    Protocol: 17

    Filter Information:
    Filter Run-Time ID: 77684
    Layer Name: Transport
    Layer Run-Time ID: 13
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>5152</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12809</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2012-09-27T17:16:34.606935000Z" />
        <EventRecordID>422166466</EventRecordID>
        <Correlation />
        <Execution ProcessID="4" ThreadID="68" />
        <Channel>Security</Channel>
        <Computer>GCI-DC.hq.gci.org</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="ProcessId">0</Data>
        <Data Name="Application">-</Data>
        <Data Name="Direction">%%14592</Data>
        <Data Name="SourceAddress">10.1.1.190</Data>
        <Data Name="SourcePort">62281</Data>
        <Data Name="DestAddress">10.1.0.20</Data>
        <Data Name="DestPort">1812</Data>
        <Data Name="Protocol">17</Data>
        <Data Name="FilterRTID">77684</Data>
        <Data Name="LayerName">%%14597</Data>
        <Data Name="LayerRTID">13</Data>
      </EventData>
    </Event>

    ---------------------------------

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          9/27/2012 10:16:34 AM
    Event ID:      5152
    Task Category: Filtering Platform Packet Drop
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      GCI-DC.hq.gci.org
    Description:
    The Windows Filtering Platform has blocked a packet.

    Application Information:
    Process ID: 0
    Application Name: -

    Network Information:
    Direction: Outbound
    Source Address: 10.1.0.20
    Source Port: 0
    Destination Address: 10.1.1.190
    Destination Port: 0
    Protocol: 1

    Filter Information:
    Filter Run-Time ID: 77686
    Layer Name: ICMP Error
    Layer Run-Time ID: 32
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>5152</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12809</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2012-09-27T17:16:34.606935000Z" />
        <EventRecordID>422166467</EventRecordID>
        <Correlation />
        <Execution ProcessID="4" ThreadID="68" />
        <Channel>Security</Channel>
        <Computer>GCI-DC.hq.gci.org</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="ProcessId">0</Data>
        <Data Name="Application">-</Data>
        <Data Name="Direction">%%14593</Data>
        <Data Name="SourceAddress">10.1.0.20</Data>
        <Data Name="SourcePort">0</Data>
        <Data Name="DestAddress">10.1.1.190</Data>
        <Data Name="DestPort">0</Data>
        <Data Name="Protocol">1</Data>
        <Data Name="FilterRTID">77686</Data>
        <Data Name="LayerName">%%14601</Data>
        <Data Name="LayerRTID">32</Data>
      </EventData>
    </Event>


    Thursday, September 27, 2012 5:19 PM

All replies

  • Hi,

    Thank you for the post.

    1. The NPS service requires UDP ports 1812/1813/1645/1646. Please first check that the NPS UDP port configuration is correct.
    http://technet.microsoft.com/en-us/library/cc731277.aspx
    2. Check that the Windows Firewall rules in the Network Policy Server group allow these UDP ports and are enabled.
    3. Use the following command to verify that the port is used by the Network Policy Server service when the service goes from stopped to running:
    Netstat -ano | find "1812"
    4. Try a clean boot of your server and disable your antivirus software.
    http://support.microsoft.com/kb/929135

    If there are more inquiries on this issue, please feel free to let us know.

    Regards,
    Rick Tan
    TechNet Subscriber Support
    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Rick Tan

    TechNet Community Support

    Monday, October 1, 2012 6:18 AM
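An added diagnostic, not part of this thread: the Filter Run-Time ID in the 5152 events (77684 above) names the exact WFP filter that dropped the packet, which the checks in the reply do not resolve. This PowerShell correlates recent 5152 drops on the RADIUS port with the live WFP state from `netsh wfp show state`; it assumes an elevated prompt on the NPS server, and `$RadiusPort`, `$MaxEvents` and the temp file path are my choices.

```powershell
# Added example, not from the thread: resolve the "Filter Run-Time ID" in
# Security event 5152 to the WFP filter that dropped the packet, so you can
# see whether it belongs to Windows Firewall or to some other provider.
# Assumes an elevated prompt on the NPS server; $RadiusPort is an assumption
# matching the port in the question. netsh.exe and Get-WinEvent are built in.
param(
    [int]$RadiusPort = 1812,
    [int]$MaxEvents  = 500
)

# 1. Pull recent 5152 drops aimed at the RADIUS authentication port.
$drops = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152 } -MaxEvents $MaxEvents |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ([int]$d['DestPort'] -eq $RadiusPort) {
            New-Object PSObject -Property @{
                Time       = $_.TimeCreated
                Source     = "$($d['SourceAddress']):$($d['SourcePort'])"
                FilterRTID = [int64]$d['FilterRTID']
                LayerRTID  = [int]$d['LayerRTID']   # 13 = inbound transport layer
            }
        }
    }

# 2. Snapshot the live WFP state. In this XML <filterId> equals FilterRTID and
#    <layerId> equals LayerRTID; filters removed since the drop will not resolve.
$stateFile = Join-Path $env:TEMP 'wfpstate.xml'
netsh wfp show state file="$stateFile" | Out-Null
$wfp = [xml](Get-Content $stateFile)

# 3. For each distinct filter ID, report who owns it and what it does.
$drops | Group-Object FilterRTID | ForEach-Object {
    $id    = $_.Name
    $f     = $wfp.SelectSingleNode("//filters/item[filterId='$id']")
    $prv   = if ($f) { $wfp.SelectSingleNode("//providers/item[providerKey='$($f.providerKey)']") }
    $name  = if ($f) { $f.displayData.name } else { '<not in current WFP state>' }
    $owner = if ($prv) { $prv.displayData.name } else { $f.providerKey }
    New-Object PSObject -Property @{
        FilterRTID = $id
        Drops      = $_.Count
        Filter     = $name
        Provider   = $owner
        Layer      = $f.layerKey
        Action     = $f.action.type                 # e.g. FWP_ACTION_BLOCK
        Sources    = ($_.Group | Select-Object -ExpandProperty Source -Unique) -join ', '
    }
} | Format-List
```

A blocking filter owned by a provider other than Windows Firewall sits in its own WFP sublayer, where it overrides the firewall's allow rule, which is consistent with an inbound allow rule having no visible effect.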
  • Hi,

    I would like to confirm what the current situation is. If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

    Regards,
    Rick Tan
    TechNet Subscriber Support
    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    Rick Tan

    TechNet Community Support

    Friday, October 5, 2012 1:25 AM
  • Sorry about not getting back sooner.

    1. Yes, they are configured for those ports.

    2. Yes, the firewall NPS group allows these same ports and the rules are enabled.

    I have not had time to do 3 or 4. I did configure another virtual server to work around the issue. I would do so now but I'm in the middle of updating the physical server's firmware and the virtual server environment, which is taking longer than I'd like so I likely won't get to it tonight.

    Friday, October 5, 2012 2:37 AM
  • And 3. Yes, it's listening on port 1812. It's all very strange. I will try disabling the antivirus when I have a chance, but it's running Avast, and it wouldn't report a blocked connection in the Windows Event Log if it was blocking it.
    Friday, October 5, 2012 6:24 AM
  • And with the antivirus disabled (it has no firewall anyway) still the same. Server restarts automatically every Tuesday morning, so it's never very stale.
    Thursday, October 18, 2012 9:29 PM