NPS not sending RADIUS accounting messages

  • Question

  • I've been going back and forth on this off and on for a few weeks. I have a SonicWALL that can do SSO based on RADIUS accounting messages. I set it up as a member in the "Remote RADIUS server groups" and set the connection request policies to enable forwarding of accounting messages to said group. No matter what I try, there is no traffic at all on UDP/1813 as set, as confirmed with Wireshark. I've looked at many guides for setting this up and they all seem to be telling me to set things up in the exact way I have (I think). I have tried on Server 2008, 2012R2 and 2016.

    Any suggestions?

    Friday, October 28, 2016 7:07 PM

All replies

  • Hi Jason,

    >> there is no traffic at all on UDP/1813 as set, as confirmed with Wireshark.

    Have you tried to catch traffic on UDP/1646?

    Did you catch traffic on NPS server?

    Please ensure NPS client could be matched with request policy.

    Have you checked for error events about the connection request on the client or the NPS server?

    Best Regards

    John


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by John Lii Monday, November 7, 2016 2:52 AM
    • Marked as answer by Leo Han Wednesday, November 9, 2016 9:30 AM
    • Unmarked as answer by Jason Van Wynsberg Friday, November 11, 2016 4:49 PM
    Monday, October 31, 2016 2:54 AM
  • Hi,

    Just want to confirm the current situations.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    John



    Monday, November 7, 2016 2:52 AM
  • Hello John,

    I have failed to mention that I do indeed have RADIUS authentication working perfectly fine. Just the accounting portion is failing.

    I have the port in the RADIUS proxying set to 1813; would it still try to send on the legacy port?

    >>Did you catch traffic on NPS server?

    No, wireshark is running on another box. Given some of the other roles of the server I do not want to attempt to do a packet capture on it locally. However, I was able to confirm that a packet manually sent with a UDP packet generator from that server does correctly reach our wireshark host.

    >>Have you tried to catch traffic on UDP/1646?

    I was listening for all UDP traffic from the NPS server. I tried manually setting the port to 1646 with no luck.

    Tuesday, November 8, 2016 6:54 PM
  • For what it's worth:

    Network Policy Server granted full access to a user because the host met the defined health policy.

    User:
        Security ID:            DOMAIN\jason.v
        Account Name:            jason.v
        Account Domain:            DOMAIN
        Fully Qualified Account Name:    DOMAIN\jason.v

    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        C0-EA-E4-D0-83-C3:CDSI-Internal-N
        Calling Station Identifier:        90-2E-1C-E2-3F-92

    NAS:
        NAS IPv4 Address:        10.3.0.232
        NAS IPv6 Address:        -
        NAS Identifier:            -
        NAS Port-Type:            Wireless - IEEE 802.11
        NAS Port:            0

    RADIUS Client:
        Client Friendly Name:        SonicWall
        Client IP Address:            10.3.0.1

    Authentication Details:
        Connection Request Policy Name:    RADIUS Wireless Connections
        Network Policy Name:        Internal Wi-Fi
        Authentication Provider:        Windows
        Authentication Server:        server.domain.local
        Authentication Type:        EAP
        EAP Type:            Microsoft: Smart Card or other certificate
        Account Session Identifier:        -

    Quarantine Information:
        Result:                Full Access
        Extended-Result:            -
        Session Identifier:            -
        Help URL:            -
        System Health Validator Result(s):    -

    Tuesday, November 8, 2016 6:58 PM
  • Sorry to be a bother but I was wondering if anyone else had any suggestions on this. Is this the correct forum for this post?
    Tuesday, November 29, 2016 6:37 PM
  • Hi Jason,

    Sorry for my mistake.

    >>I have the port set in the RADIUS proxying to 1813, would it still try to send on the legacy port?

    Yes, it will.

    UDP 1813 port is used for RADIUS Accounting message.

    According to the health policy event that you provided, the Authentication Provider is Windows and it granted full access to a user; please ensure the local policy configuration is the same as the NPS policy.

    Please change RADIUS client to be NAS address and try again.

    Please capture packets on the client to check whether the server has sent an Accounting-Request to the RADIUS server.

    Best Regards

    John



    Wednesday, November 30, 2016 3:07 AM
  • >>UDP 1813 port is used for RADIUS Accounting message.

    What I meant is will the server ignore the setting on the server and send messages to 1646 instead? I guess it does not matter as I am capturing any sort of RADIUS traffic.

    >>According to health policy that you provided, Authentication Provider is windows, and it granted full access to a user, please ensure the local policy configuration is the same with NPS policy.

    I'm not sure what you mean by this.

    >>Please change RADIUS client to be NAS address and try again.

    The way the Sonicwall and Sonicpoints (WAPs) work is a bit odd. The WAPs are centrally managed from the Sonicwall and are not exactly configured individually nor are they actually doing authentication themselves. I cannot change this behavior.

    >>Please catch the packet on client to check if server has send Accounting-request to RADIUS server.

    Below is all the RADIUS traffic I see during an authentication transaction on the NPS server.

    Thursday, December 1, 2016 1:54 PM
  • Hi Jason,

    >>What I meant is will the server ignore the setting on the server and send messages to 1646 instead?

    The default ports are 1813 and 1646; you can manually configure the port on the RADIUS client, the proxy and the RADIUS server.

    >>I set it up in as a member in the "Remote RADIUS server groups" and set the connection request policies to enable forwarding of accounting messages to said group.

    Please try disabling "Forward accounting requests to remote RADIUS server", then configure Accounting to log data on the local computer, and check whether data are saved to the text file.

    Best Regards

    John



    Friday, December 2, 2016 6:13 AM
  • It does appear it is logging to a file as expected.


    <Event><Timestamp data_type="4">12/05/2016 07:57:53.912</Timestamp><Computer-Name data_type="1">DC1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><NAS-IP-Address data_type="3">10.3.0.232</NAS-IP-Address><NAS-Port data_type="0">0</NAS-Port><Called-Station-Id data_type="1">C0-EA-E4-D0-83-CB:CDSI-Internal</Called-Station-Id><Calling-Station-Id data_type="1">D0-25-98-B3-B2-FD</Calling-Station-Id><Framed-MTU data_type="0">1400</Framed-MTU><NAS-Port-Type data_type="0">19</NAS-Port-Type><Connect-Info data_type="1">CONNECT 0Mbps 802.11b</Connect-Info><Client-IP-Address data_type="3">10.3.0.1</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">SonicWall</Client-Friendly-Name><User-Name data_type="1">david.xx</User-Name><Proxy-Policy-Name data_type="1">RADIUS Wireless Connections</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><Class data_type="1">311 1 10.2.2.249 11/27/2016 15:03:29 4124</Class><SAM-Account-Name data_type="1">DOMAIN\david.xx</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">DOMAIN\david.xx</Fully-Qualifed-User-Name><NP-Policy-Name data_type="1">Internal Wi-Fi</NP-Policy-Name><MS-Extended-Quarantine-State data_type="0">0</MS-Extended-Quarantine-State><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><MS-Quarantine-State data_type="0">0</MS-Quarantine-State><Authentication-Type data_type="0">11</Authentication-Type><MS-CHAP-Domain data_type="2">014355535444415441</MS-CHAP-Domain><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
    <Event><Timestamp data_type="4">12/05/2016 07:57:53.912</Timestamp><Computer-Name data_type="1">DC1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 10.2.2.249 11/27/2016 15:03:29 4124</Class><Session-Timeout data_type="0">30</Session-Timeout><MS-Extended-Quarantine-State data_type="0">0</MS-Extended-Quarantine-State><MS-Quarantine-State data_type="0">0</MS-Quarantine-State><Authentication-Type data_type="0">11</Authentication-Type><Client-IP-Address data_type="3">10.3.0.1</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">SonicWall</Client-Friendly-Name><Proxy-Policy-Name data_type="1">RADIUS Wireless Connections</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><SAM-Account-Name data_type="1">DOMAIN\david.xx</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">DOMAIN\david.xx</Fully-Qualifed-User-Name><NP-Policy-Name data_type="1">Internal Wi-Fi</NP-Policy-Name><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
    <Event><Timestamp data_type="4">12/05/2016 07:57:54.037</Timestamp><Computer-Name data_type="1">DC1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><NAS-IP-Address data_type="3">10.3.0.232</NAS-IP-Address><NAS-Port data_type="0">0</NAS-Port><Called-Station-Id data_type="1">C0-EA-E4-D0-83-CB:CDSI-Internal</Called-Station-Id><Calling-Station-Id data_type="1">D0-25-98-B3-B2-FD</Calling-Station-Id><Framed-MTU data_type="0">1400</Framed-MTU><NAS-Port-Type data_type="0">19</NAS-Port-Type><Connect-Info data_type="1">CONNECT 0Mbps 802.11b</Connect-Info><Client-IP-Address data_type="3">10.3.0.1</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">SonicWall</Client-Friendly-Name><User-Name data_type="1">david.xx</User-Name><Proxy-Policy-Name data_type="1">RADIUS Wireless Connections</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><Class data_type="1">311 1 10.2.2.249 11/27/2016 15:03:29 4125</Class><SAM-Account-Name data_type="1">DOMAIN\david.xx</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">DOMAIN\david.xx</Fully-Qualifed-User-Name><NP-Policy-Name data_type="1">Internal Wi-Fi</NP-Policy-Name><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><EAP-Friendly-Name data_type="1">Microsoft: Secured password (EAP-MSCHAP v2)</EAP-Friendly-Name><Authentication-Type data_type="0">11</Authentication-Type><MS-Extended-Quarantine-State data_type="0">0</MS-Extended-Quarantine-State><MS-Quarantine-State data_type="0">0</MS-Quarantine-State><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
    <Event><Timestamp data_type="4">12/05/2016 07:57:54.037</Timestamp><Computer-Name data_type="1">DC1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 10.2.2.249 11/27/2016 15:03:29 4125</Class><EAP-Friendly-Name data_type="1">Microsoft: Secured password (EAP-MSCHAP v2)</EAP-Friendly-Name><Authentication-Type data_type="0">11</Authentication-Type><PEAP-Fast-Roamed-Session data_type="0">0</PEAP-Fast-Roamed-Session><Client-IP-Address data_type="3">10.3.0.1</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">SonicWall</Client-Friendly-Name><MS-CHAP-Domain data_type="2">014355535444415441</MS-CHAP-Domain><Proxy-Policy-Name data_type="1">RADIUS Wireless Connections</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><Login-Service data_type="0">2</Login-Service><SAM-Account-Name data_type="1">DOMAIN\david.xx</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">DOMAIN\david.xx</Fully-Qualifed-User-Name><NP-Policy-Name data_type="1">Internal Wi-Fi</NP-Policy-Name><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Framed-Protocol data_type="0">1</Framed-Protocol><Service-Type data_type="0">2</Service-Type><MS-Link-Utilization-Threshold data_type="0">50</MS-Link-Utilization-Threshold><MS-Link-Drop-Time-Limit data_type="0">120</MS-Link-Drop-Time-Limit><MS-Quarantine-State data_type="0">0</MS-Quarantine-State><MS-Extended-Quarantine-State data_type="0">0</MS-Extended-Quarantine-State><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
    


    Monday, December 5, 2016 1:04 PM
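Added example, not from the thread or from NPS itself: a small Python parser for NPS XML-format log lines like the ones posted above. It counts events by RADIUS Packet-Type (codes per RFC 2865/2866) and reports whether any Accounting-Request (type 4) reached NPS at all, which is the first thing to establish before debugging forwarding, since NPS can only forward accounting it receives. The sample log is constructed and trimmed from the posted format; it is not the poster's actual file.

```python
"""Summarise an NPS/IAS XML-format log by RADIUS Packet-Type.

Each line of the NPS XML log is one <Event> element whose children are
RADIUS attributes. Packet-Type codes per RFC 2865/2866: 1 Access-Request,
2 Access-Accept, 3 Access-Reject, 4 Accounting-Request,
5 Accounting-Response, 11 Access-Challenge.
"""
from collections import Counter
import xml.etree.ElementTree as ET

PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response",
                11: "Access-Challenge"}

# Constructed sample modelled on the events in the thread, trimmed to the
# attributes this check needs; not the poster's real log.
SAMPLE_LOG = """\
<Event><Timestamp data_type="4">12/05/2016 07:57:53.912</Timestamp><Client-Friendly-Name data_type="1">SonicWall</Client-Friendly-Name><User-Name data_type="1">david.xx</User-Name><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">12/05/2016 07:57:53.912</Timestamp><Client-Friendly-Name data_type="1">SonicWall</Client-Friendly-Name><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">12/05/2016 07:57:54.037</Timestamp><Client-Friendly-Name data_type="1">SonicWall</Client-Friendly-Name><User-Name data_type="1">david.xx</User-Name><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">12/05/2016 07:57:54.037</Timestamp><Client-Friendly-Name data_type="1">SonicWall</Client-Friendly-Name><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
"""

def parse_events(text):
    """Yield one dict (attribute name -> text) per <Event> line; blank lines
    and lines that are not well-formed XML (e.g. a truncated write) are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            root = ET.fromstring(line)
        except ET.ParseError:
            continue
        yield {child.tag: (child.text or "") for child in root}

def packet_type_counts(text):
    """Count events per Packet-Type name; unknown codes are kept as 'Type-N'."""
    counts = Counter()
    for ev in parse_events(text):
        code = int(ev.get("Packet-Type") or 0)
        counts[PACKET_TYPES.get(code, f"Type-{code}")] += 1
    return counts

def accounting_seen(text):
    """True if the NAS delivered at least one Accounting-Request to this NPS.
    False alongside Access-Accepts means NPS has nothing to forward, so the
    problem lies upstream of the proxy/forwarding configuration."""
    return packet_type_counts(text)["Accounting-Request"] > 0

if __name__ == "__main__":
    for name, n in sorted(packet_type_counts(SAMPLE_LOG).items()):
        print(f"{name:20s} {n}")
    print("accounting seen:", accounting_seen(SAMPLE_LOG))
```

Run it against the real log (e.g. the file in %SystemRoot%\System32\LogFiles when local logging is enabled) by replacing SAMPLE_LOG with the file's contents.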