NPS not forwarding Radius accounting messages

  • Question

  • Greetings,

    Preamble: I'm a network engineer so my Windows server knowledge is limited.

    I'm trying to implement identity based rules on our firewall (Fortigate). For that I need our NPS/Radius forward accounting messages to the firewall.

    The following was set up:

    • NPS –> RADIUS Client and Servers –> Remote RADIUS Server Group – New group -> add Fortigate to this group
    • NPS –> Policies Use Windows authentication for all users(Enabled) –> Settings –> accounting -  Forward accounting request to this remote RADIUS server group and add the group with Fortigate

    However, there are no accounting messages forwarded to the Fortigate. Unfortunately I currently can't run Wireshark on the Windows server. I did a packet capture on the Firewall and when I do trigger some Radius action, like sign into a switch, I can see the Radius traffic between the switch and the NPS but nothing is forwarded to the firewall.

    Any ideas what is wrong?

    Thursday, July 16, 2020 9:22 AM

All replies

  • Hi,

    Please confirm the settings below (about RADIUS proxy):

    Add RADIUS client on NPS console: 
    NPS – RADIUS Client and Servers – RADIUS Client – new RADIUS client (name, IP, etc.). Make sure the client’s state is enabled. And on the RADIUS client’s side (AP/controller/etc.), configure it to send messages to the RADIUS proxy (proxy’s IP and port number).

    Add RADIUS group on NPS console:
    NPS – RADIUS Client and Servers – Remote RADIUS Server Group – New group and add fortigate 60D to this group.

    Connection request policy on NPS console: 
    Once NPS has been installed, it is a RADIUS server by default, so we need to add a policy and configure it to forward the message to other RADIUS server.
    NPS –Policies Use Windows authentication for all users(Enabled) – Settings – accounting -  Forward accounting request to this remote RADIUS server group and add the group.

    Besides, turn off firewalls/anti-virus/protection software(if any) temporarily and confirm the result.

    This "Network Access Protection" Forum will be migrating to a new home on Microsoft Q&A, please refer to this sticky post for more details.
    Best Regards,

    Cherry


    "Network Access Protection" forum will be migrating to a new home on Microsoft Q&A!

    We invite you to post new questions in the "Network Access Protection"  forum's new home on Microsoft Q&A!

    For more information, please refer to the sticky post.


    Friday, July 17, 2020 2:23 AM
  • Yes, I followed those instructions.

    The Fortigate uses the Radius server for admin and VPN auth so I assume it's set up properly as a Radius client.

    I'm just trying to find out why the NPS/Radius is not forwarding accounting messages to the Fortigate.

    Friday, July 17, 2020 1:43 PM
  • Hi,

    Have you checked which port the accounting messages use? If the port is 1813, please ensure the Fortigate is configured to listen on port 1813.

    Best Regards,

    Cherry

    Monday, July 20, 2020 6:14 AM
  • I did a packet capture and searched the syslog. There is no traffic at all on port 1812 or 1813 from the NPS/Radius to the Fortigate. The thing is silent as a grave.
    Monday, July 20, 2020 8:15 AM
  • Hi,

    It may be caused by the shared secret not being the same on the Fortigate device and the NPS Server.

    1. Check the Fortigate device which was added as a RADIUS client. If it was not enabled, enable it.
    2. Then check the CRP authentication was done on the CRP changed it as well so that only accounting was done. 
    https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-crp-crpolicies
    3. Check the below documentation and everything is configured accordingly. 
    https://docs.fortinet.com/document/fortianalyzer/6.0.3/administration-guide/178615/radius-accounting-sources
    4. Then check the shared secret and set the shared secret again.
    https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-radius-clients-configure#add-the-network-access-server-as-a-radius-client-in-nps

    Best Regards,

    Cherry

    Monday, July 20, 2020 9:37 AM
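The two checks suggested in the replies above (is the accounting receiver listening on UDP 1813, and do both sides hold the same shared secret) can be tested from a spare host with a hand-built Accounting-Request. This is an added example, not part of the original thread; the user name, NAS IP `192.0.2.10`, session ID and secret are constructed values, and it assumes the receiver is configured to accept accounting from the sending host.

```python
import hashlib, hmac, os, socket, struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5            # RFC 2866 packet codes

def attr(type_: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", type_, len(value) + 2) + value

def build_acct_request(secret: bytes, ident: int, user: str, nas_ip: str,
                       session_id: str, status: int = 1) -> bytes:
    """Build an Accounting-Request; status 1 = Start, 2 = Stop."""
    attrs = (attr(1, user.encode())                   # User-Name
             + attr(4, socket.inet_aton(nas_ip))      # NAS-IP-Address
             + attr(40, struct.pack("!I", status))    # Acct-Status-Type
             + attr(44, session_id.encode()))         # Acct-Session-Id
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(header + 16 zero octets + attrs + secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def request_auth_ok(packet: bytes, secret: bytes) -> bool:
    """Receiver-side check: recompute the authenticator with the local secret."""
    want = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(want, packet[4:20])

def response_ok(resp: bytes, req: bytes, secret: bytes) -> bool:
    """Validate an Accounting-Response against the request it answers."""
    if len(resp) < 20 or resp[0] != ACCT_RESPONSE or resp[1] != req[1]:
        return False
    want = hashlib.md5(resp[:4] + req[4:20] + resp[20:] + secret).digest()
    return hmac.compare_digest(want, resp[4:20])

def probe(host: str, secret: bytes, port: int = 1813, timeout: float = 3.0) -> str:
    """Send one Accounting-Request (Start) and classify what comes back."""
    req = build_acct_request(secret, os.urandom(1)[0], "probe-user",
                             "192.0.2.10", "probe-0001")  # constructed values
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        try:
            resp, _ = s.recvfrom(4096)
        except (socket.timeout, ConnectionResetError):
            # A request whose authenticator fails is normally dropped without
            # a reply, so a timeout cannot separate "not listening" from
            # "wrong secret"; check the receiver's own logs as well.
            return "no reply"
    return "secret matches" if response_ok(resp, req, secret) else "reply failed authenticator check"
```

A "no reply" result from the probe host while NPS itself sends nothing on 1813 points back at the NPS forwarding configuration rather than at the receiver.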
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Cherry

    Wednesday, July 22, 2020 1:47 AM
  • Hi,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Cherry

    Friday, July 24, 2020 7:27 AM
  • Hi,

    As this thread has been quiet for a while, we will mark it as ‘Answered’ as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.

    Best Regards,

    Cherry

    Thursday, July 30, 2020 2:54 AM