NPS not forwarding Radius Start/Stop notifications

  • Question

  • Hi all,

    I am trying to get RADIUS working in our network. I have Server 2008 R2 running NPS. My wireless access points are Aruba 105s and they are set up to use 802.1X. This part is working. When a user logs on to the 802.1X Wi-Fi, they are prompted for their network username and password. Then they are assigned to the correct VLAN based on their group membership. The part that is not working is with the firewall. I have a Fortigate, and all it needs in order to authenticate the user through RADIUS is a Start message from the RADIUS server that contains certain attributes.

    The problem is that the start messages are not reaching the Fortigate. I have verified this using packet sniffers and a RADIUS pinger.

    On the NPS server I have added the Fortigate to the remote server groups and I have configured the settings to forward the notifications to the Fortigate. I have tried with the NPS server firewall turned off. I ran Wireshark on the NPS server; no packets were sent to the Fortigate.

    It is almost as if the connection policies are being skipped entirely.

    Suggestions?

    Thursday, July 10, 2014 6:00 PM

Answers

  • Hi,

    Have you tried checking the "Record accounting information on the servers in the following remote RADIUS server group" check box in Connection Request Policies?

    Besides, is there any error or warning in event viewer of NPS server?

    Here are the NPS best practices:

    NPS Best Practices

    http://technet.microsoft.com/en-us/library/cc755120(WS.10).aspx

    Hope this helps.



    Steven Lee

    TechNet Community Support

    Friday, July 11, 2014 1:01 PM
    Moderator
  • Hi,

    Could you post the logs of NPS and events in event viewer? It is helpful for further troubleshooting.

    Besides, the Start and Stop notifications are forwarded by NPS; they are not generated by NPS. Have you found these Start or Stop notifications from the NAS in your network capture? If not, please verify your NAS configuration.

    For detailed information, please see the link below:

    RADIUS accounting

    http://tools.ietf.org/html/rfc2866#section-2

    Hope this helps.



    Steven Lee

    TechNet Community Support

    Wednesday, July 16, 2014 6:45 AM
    Moderator

All replies

  • Hi,

    Have you tried checking the "Record accounting information on the servers in the following remote RADIUS server group" check box in Connection Request Policies?

    Besides, is there any error or warning in event viewer of NPS server?

    Here are the NPS best practices:

    NPS Best Practices

    Hope this helps.



    Steven Lee

    TechNet Community Support


    Yes, I have done that, but nothing is being sent. Logs are being generated on the NPS server, but nothing is being forwarded to the remote group.
    Tuesday, July 15, 2014 4:27 PM
  • There are no logs indicating Start/Stop notifications. I didn't realize that those would be generated by the wireless access points acting as the NAS. I will work on it with that vendor.

    Thanks!

    Thursday, July 24, 2014 3:59 PM
  • Hi,

    Have you got it working? I am implementing a similar scenario with Aruba 105 APs and Fortigate 600C firewall.

    Please help.

    Monday, September 15, 2014 1:44 AM
  • I do have it working... sort of. On the Aruba, select the SSID that you are using 802.1X on and edit it. On the Security tab, enable the option for Accounting. This will send the Accounting Start/Stop packets to the RADIUS server.

    On the 2008 R2 server, add the FortiGate as a Remote RADIUS Group and check the box to forward NAS Start/Stop notifications. This is how the FortiGate becomes aware of the sign-on/sign-off.

    I also had to create a connection request policy where I used a day and time condition of 24/7 so it is always true. In the same policy, on the Settings tab, select Accounting in the left pane menu and then select the FortiGate in the drop-down on the right. Be sure to check the box to forward accounting.

    On the same screen, select Standard from the left menu and create a Class attribute and a Framed-IP-Address attribute. I used the IP of my RADIUS server for the Framed-IP-Address. The Class attribute is what the RADIUS server will send to the FortiGate and what you will build your policies on there. So you are basically creating a new group here that is not related to any real Active Directory groups (this is the "...sort of" part).

    The problem I ran into is this. I want the accounting packet from the RADIUS server to send the REAL Active Directory group to the FortiGate. What I have found is that when the Aruba sends the Start packet there is no Class attribute in it. So, by creating the Class attribute, as above, you will then send this attribute to the FortiGate. It isn't what I want, but it ends up working because when the users authenticate via 802.1X they are separated into VLANs which are on separate interfaces on my FortiGate. I then apply the policies I want per interface rather than per group. I am using FortiOS 5.2, which allows this type of policy.

    One more piece of the puzzle was getting the FortiGate to read the Class attribute instead of the Calling-Station-Id, which turned out to be a MAC address. There is a CLI command to set this:

    config user radius
        edit RSSO_Agent
            set rsso-endpoint-attribute User-Name
        next
    end

    (Type ? in place of the attribute name to see all the attributes available.)

    Let me know if you have more questions. I have an open ticket with Aruba on the Class attribute problem.

    Tuesday, September 16, 2014 7:50 PM
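
    Added example (not from the original thread or from Microsoft, Aruba or Fortinet): the two points raised above, that the Start/Stop packets come from the NAS and NPS only forwards them (RFC 2866), and that the Start packet the AP sends carries no Class attribute, are easiest to confirm by decoding the Accounting-Request yourself. The script below builds an Accounting-Request Start the way a NAS would, computes the RFC 2866 Request Authenticator, then verifies and decodes it. The shared secret, user name, MAC, addresses and the list of attributes a firewall policy wants are assumed values constructed for the example. The parser also shows the failure mode that looks like "nothing arrives": a packet whose authenticator does not match the receiver's shared secret must be silently discarded, so a secret mismatch on any hop produces no response and no log entry on the far side.

```python
"""Build, verify and decode RADIUS Accounting-Request packets (RFC 2866).

Added example for this thread; all values are constructed, not a real capture.
"""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4          # RADIUS Code for Accounting-Request
ACCT_STATUS_START = 1           # Acct-Status-Type values
ACCT_STATUS_STOP = 2

# Attribute type numbers from RFC 2865 / RFC 2866.
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 8: "Framed-IP-Address",
              25: "Class", 31: "Calling-Station-Id", 40: "Acct-Status-Type",
              44: "Acct-Session-Id"}
ATTR_TYPES = {name: num for num, name in ATTR_NAMES.items()}
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def _encode_value(name, value):
    if name in ("NAS-IP-Address", "Framed-IP-Address"):
        return ipaddress.IPv4Address(value).packed
    if name == "Acct-Status-Type":
        return struct.pack("!I", value)
    return value.encode("utf-8") if isinstance(value, str) else bytes(value)


def _decode_value(name, raw):
    if name in ("NAS-IP-Address", "Framed-IP-Address") and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    if name == "Acct-Status-Type" and len(raw) == 4:
        return STATUS_NAMES.get(struct.unpack("!I", raw)[0], "Unknown")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.hex()


def build_accounting_request(identifier, secret, attrs):
    """Return an Accounting-Request as a NAS would put it on the wire.

    attrs: list of (attribute-name, value) pairs, emitted in that order.
    """
    body = b""
    for name, value in attrs:
        raw = _encode_value(name, value)
        if not 1 <= len(raw) <= 253:
            raise ValueError(f"{name}: bad value length {len(raw)}")
        body += struct.pack("!BB", ATTR_TYPES[name], 2 + len(raw)) + raw
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # RFC 2866 s.3: Request Authenticator =
    #   MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_accounting_request(packet, secret):
    """Verify the Request Authenticator, then decode the attributes.

    Returns (ok, attributes). ok is False for a malformed packet or for an
    authenticator that does not match `secret`; RFC 2866 requires a server
    to silently discard such packets, so a shared-secret mismatch on a
    forwarding hop shows up as "nothing arrives" rather than as an error.
    """
    if len(packet) < 20:
        return False, {}
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False, {}
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, {}
    attributes, offset = {}, 0
    while offset < len(body):
        if offset + 2 > len(body):
            return False, {}
        attr_type, attr_len = body[offset], body[offset + 1]
        if attr_len < 3 or offset + attr_len > len(body):
            return False, {}
        name = ATTR_NAMES.get(attr_type, f"Attribute-{attr_type}")
        attributes[name] = _decode_value(name, body[offset + 2:offset + attr_len])
        offset += attr_len
    return True, attributes


def missing_for_rsso(attributes):
    """Attributes a firewall keyed on Class / Framed-IP-Address needs but did not get.

    The wanted list is an assumption for this example, not a vendor requirement.
    """
    wanted = ("Acct-Status-Type", "User-Name", "Class", "Framed-IP-Address")
    return [name for name in wanted if name not in attributes]


# Constructed sample (assumed values, not the poster's network): a Start as an
# access point might send it, carrying the user and MAC but no Class attribute.
SHARED_SECRET = b"example-shared-secret"
AP_START = build_accounting_request(7, SHARED_SECRET, [
    ("Acct-Status-Type", ACCT_STATUS_START),
    ("User-Name", "CONTOSO\\jdoe"),
    ("NAS-IP-Address", "10.0.0.5"),
    ("Calling-Station-Id", "00-1B-44-11-3A-B7"),
    ("Acct-Session-Id", "5abc0001"),
])

if __name__ == "__main__":
    ok, attrs = parse_accounting_request(AP_START, SHARED_SECRET)
    print("authenticator ok:", ok)
    for name, value in attrs.items():
        print(f"  {name} = {value}")
    print("missing for firewall policy:", missing_for_rsso(attrs))
    print("wrong secret accepted:", parse_accounting_request(AP_START, b"other")[0])
```

    Run it as-is to see the AP-style Start decode with Class and Framed-IP-Address reported missing, which is the situation described in the post above; pass a capture's raw UDP payload and the receiver's shared secret to parse_accounting_request to check whether a packet seen on the wire would actually be accepted by NPS or the FortiGate rather than dropped for an authenticator mismatch.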