0 Votes
MarcusBuettemeyer asked MarcusBuettemeyer answered

No replies from RADIUS Server

I have a simple lab environment with a Win10 client, an RRAS server and a RADIUS server (both 2019) to demonstrate a PPTP VPN. I set up the RRAS server as a RADIUS client on the server and set up a network policy (translated from German) to allow access for the "Domain Users" group with MS-CHAP v2. Now I can't connect from the client (code 629 in the event log) and the RRAS server logs event IDs 20271 and 20255, along the lines of "Connection denied due to a policy configured on the RAS/VPN server".
The strange thing is that the RADIUS-Server does nothing: no event-log entries, no accounting file being created and using Wireshark I see access-request messages from the VPN-Server to the RADIUS-Server, but no replies. I triple-checked everything: RADIUS-Client configuration, Firewall and User settings, authentication protocols, the details of the access-request messages, everything seems fine.
The RADIUS server has some other roles: file server, DFS, FSRM, DeDup, DHCP, DNS, WSUS. Could this be an issue? Any other ideas?

Thanks in advance!

Tags: windows-server, windows-server-2019, windows-server-infrastructure

0 Votes
SunnyQi-MSFT answered

Hi,

Thanks for your update.

By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 for both Internet Protocol version 6 (IPv6) and IPv4 for all installed network adapters.

The port values of 1812 for authentication and 1813 for accounting are RADIUS standard ports. However, by default, many access servers use ports 1645 for authentication requests and 1646 for accounting requests. No matter which port numbers you decide to use, make sure that NPS and your access server are configured to use the same ones.

Please check that these ports are allowed in Windows Firewall on the RADIUS server side.

[attached screenshot: image-1.png]

For more details, please refer to the following articles:

Configure NPS UDP Port Information

Configure Firewalls for RADIUS Traffic

Best Regards,
Sunny


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


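The answer above says to check that the NPS ports are allowed through Windows Firewall on the RADIUS server. The following PowerShell is an added example, not part of the original thread or of any Microsoft documentation: run elevated on the NPS server, it lists every inbound UDP rule that covers a RADIUS port together with the scoping fields that decide whether a packet actually matches (profile, program or service binding, remote address), shows which process really holds the RADIUS sockets, and switches on logging of dropped packets so the firewall can stay enabled while you test. The function names, the `$RadiusPorts` list and the default `pfirewall.log` path are assumptions of this example.

```powershell
# Added example (not from the original thread). Run in an elevated PowerShell
# session on the NPS (RADIUS) server.

# NPS default listening ports: 1812/1813 (standard) and 1645/1646 (legacy).
$RadiusPorts = 1812, 1813, 1645, 1646

function Get-RadiusFirewallRuleReport {
    # Every inbound rule whose UDP port filter names a RADIUS port, with the
    # scoping that decides whether a packet matches. A rule bound to a Program
    # or Service only matches traffic for that image/service, whatever the port.
    Get-NetFirewallPortFilter -Protocol UDP |
        Where-Object { $p = @($_.LocalPort); @($RadiusPorts | Where-Object { $p -contains "$_" }).Count -gt 0 } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' } |
        ForEach-Object {
            $rule = $_
            [pscustomobject]@{
                Name          = $rule.DisplayName
                Enabled       = $rule.Enabled
                Action        = $rule.Action
                Profile       = $rule.Profile        # must include the profile the NIC is in
                Program       = ($rule | Get-NetFirewallApplicationFilter).Program
                Service       = ($rule | Get-NetFirewallServiceFilter).Service
                RemoteAddress = (($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
                LocalPort     = (($rule | Get-NetFirewallPortFilter).LocalPort -join ',')
            }
        }
}

function Get-RadiusListenerReport {
    # Which process owns the RADIUS UDP sockets. No listener means the firewall
    # is not the problem; a different image than the rule's Program means a
    # program-scoped rule will never match.
    Get-NetUDPEndpoint -LocalPort $RadiusPorts -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Pid          = $_.OwningProcess
                Process      = $proc.ProcessName
                Path         = $proc.Path
            }
        }
}

function Enable-FirewallDropLogging {
    # Log dropped packets on all profiles instead of turning the firewall off.
    Set-NetFirewallProfile -All -LogBlocked True -LogMaxSizeKilobytes 16384
    Get-NetFirewallProfile | Select-Object Name, Enabled, LogBlocked, LogFileName
}

function Get-RadiusDrops {
    param([string]$LogFile = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
    # pfirewall.log fields: date time action protocol src-ip dst-ip src-port dst-port ...
    if (-not (Test-Path $LogFile)) { return }
    Get-Content $LogFile |
        Where-Object { $_ -match '^\S+ \S+ DROP UDP ' } |
        ForEach-Object {
            $f = $_ -split ' '
            if ($RadiusPorts -contains [int]$f[7]) {
                [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; Src = $f[4]; Dst = $f[5]; DstPort = $f[7] }
            }
        }
}

Get-RadiusFirewallRuleReport | Format-Table -AutoSize
Get-RadiusListenerReport     | Format-Table -AutoSize
Enable-FirewallDropLogging
# Reproduce the VPN connection attempt from the client, wait a moment for the
# log to be flushed, then:
Get-RadiusDrops | Select-Object -Last 10
```

Reading the output: Access-Requests that show up in Wireshark but never produce an NPS event and do appear as DROP lines for UDP 1812 are being discarded by the host firewall even though a rule for the port is enabled. In that case compare the rule's Program and Service columns with the Process and Path of the socket owner; a port-only custom rule with no program binding, which is what the poster ended up creating, is the quickest way to confirm that the scoping rather than the port is what fails to match.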

0 Votes
SunnyQi-MSFT answered SunnyQi-MSFT edited

Hi,

Welcome to Q&A platform.

Error 629 indicates that the port was disconnected by the remote machine. Please confirm the necessary ports are enabled on the remote machine. You could temporarily disable Windows Firewall on the RRAS server side to see if the issue still persists.

For Event 20271 and 20255, please refer to the following articles:

Event ID 20271 — RRAS Authentication and Accounting

Event ID 20255 — RAS Connection

If the issue still exists, I would suggest you enable NPS logs to see if there is any clue.

Open NPS > right-click NPS (Local) > Properties > General tab, and make sure both the "Successful authentication requests" and "Rejected authentication requests" boxes are checked.

Best Regards,
Sunny


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

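The answer above enables NPS authentication logging through the console. The following PowerShell is an added example, not code from the original thread or from Microsoft: run elevated on the NPS server, it turns on the same "Network Policy Server" audit subcategory that the two General-tab check boxes control, lists the registered RADIUS clients so the entry can be compared with the source address seen in Wireshark, and pulls the Security events 6272/6273/6274 and the NPS provider's System events for the last hour. The function names, the 60-minute window and the regular expressions that pick fields out of the event text are assumptions of this example.

```powershell
# Added example (not from the original thread). Run in an elevated PowerShell
# session on the NPS (RADIUS) server.

function Enable-NpsAuditing {
    # Success -> event 6272 (access granted); failure -> 6273 (denied) and
    # 6274 (request discarded). Same switch as the NPS General-tab check boxes.
    auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null
    auditpol /get /subcategory:"Network Policy Server"
}

function Get-NpsClientReport {
    # The RADIUS client entry must match the source IP of the Access-Request
    # captured on the wire; NPS discards requests from unknown clients.
    Get-NpsRadiusClient | Select-Object Name, Address, Enabled, VendorName
}

function Get-NpsAuthEvents {
    param([int]$Minutes = 60)   # assumed window
    $since = (Get-Date).AddMinutes(-$Minutes)
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273, 6274; StartTime = $since } -ErrorAction Stop |
            ForEach-Object {
                $m = $_.Message
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Id     = $_.Id
                    Client = if ($m -match 'Client IP Address:\s+(\S+)')     { $Matches[1] }        else { $null }
                    User   = if ($m -match 'Account Name:\s+(\S+)')          { $Matches[1] }        else { $null }
                    Reason = if ($m -match 'Reason Code:\s+(\d+)')           { [int]$Matches[1] }   else { $null }
                    Policy = if ($m -match 'Network Policy Name:\s+(.+)')    { $Matches[1].Trim() } else { $null }
                }
            }
    }
    catch {
        # Get-WinEvent throws when nothing matches; for this problem that is the finding:
        # either auditing is off or the Access-Requests never reached the NPS service.
        Write-Warning "No NPS authentication events in the last $Minutes minutes."
    }
}

function Get-NpsSystemEvents {
    param([int]$Minutes = 60)   # assumed window
    # NPS writes discarded requests (unknown RADIUS client, bad shared secret)
    # to the System log under the 'NPS' provider without a Security event.
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NPS'; StartTime = (Get-Date).AddMinutes(-$Minutes) } -ErrorAction Stop |
            Select-Object TimeCreated, Id, Message
    }
    catch {
        Write-Warning "No NPS system events in the last $Minutes minutes."
    }
}

Enable-NpsAuditing
Get-NpsClientReport | Format-Table -AutoSize
# Reproduce the VPN connection attempt from the client, then:
Get-NpsAuthEvents   | Format-Table -AutoSize
Get-NpsSystemEvents | Format-List
```

How to read it: a 6273 event with a Reason Code tells you NPS received the request and which policy rejected it, which is the case the RRAS events 20271/20255 describe. No 6272/6273/6274 and no NPS System events, while Wireshark shows Access-Requests arriving at the server, means the packets are being dropped before the service sees them, which points at the host firewall or at nothing listening on the port rather than at the network policy.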

0 Votes
MarcusBuettemeyer answered

Thanks for the fast reply. The problem actually was the firewall, but not on the RRAS server (then you wouldn't see correct RADIUS packets on the network). Now that I've disabled the firewall on the RADIUS server, it works.
But I don't understand why: I had checked before that the default NPS firewall rules were present and enabled. And although my RRAS server is in a different subnet, the firewall rules specify only program, protocol and port; the remote address is set to any. So why do the rules not seem to apply?


0 Votes
MarcusBuettemeyer answered

Strange: I deactivated the two default rules for UDP 1812/1813, created two custom rules and it worked. Then I deactivated the custom rules and re-activated the default rules, and now they work too. Wonders never cease :-)
But thanks a lot for pointing me in the right direction!
