
Internet Authentication Service -- RADIUS


bbledsoe
I currently have several Cisco switches and routers that are using RADIUS for administrative login. I also use this same RADIUS server for VPN authentication for my firewall. This works great most of the time. However, and apparently for no reason, the RADIUS server stops allowing authentication of clients. Upon checking the server, everything appears to be in order. When I examine the event logs, however, I am getting the following error: A RADIUS message was received from the invalid RADIUS client IP address {ip address}. This has happened several times and seems to be a randomly occurring thing. I have found that if I open any IAS client record and reapply the settings, the problem goes away. Any thoughts?
    Fregeus

    ..but have you tracked down what has that IP address in the message? Is it really one of your clients? If yes, it may be malfunctioning or be in need of an upgrade. If not, well, then there might be something afoot!


    TCB

    bbledsoe

    The IP address that appears in the event log is a valid client. When this anomaly occurs, I can attempt to log into any one of the clients that I have listed in the RADIUS server and the same event occurs for that client. When this happens I have to fake the thing out by editing the shared key for one of the clients. I don't have to change the key, I just retype it, hit apply, and RADIUS goes back to working.

    robo_dev

    IAS can get confused on a server restart if the clients are getting DNS from the IAS server. IAS tries to query the client before DNS is operational, and the auth fails with the "Invalid address" error. This should not stop authentication working for everybody, however.

    Also, this can happen if the shared secret is wrong in the client, so maybe somebody is trying to hack into your VPN?

    Client date/time correct?

    Local CA root cert properly installed on the client? Some XP boxes get messed up so they no longer trust the radius cert.

    Check for IAS updates.

    Juniper Steel Belted Radius? (I've had much better luck with SBR than IAS)

    The fact that it works when you reapply settings sounds more like a server service or registry issue. If you stop/restart the IAS service, does that also fix the problem?

    Enable Windows Performance Monitor...it can provide more detail on the authentication workings...
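
Added example, not part of any post in this thread: a small triage script for the event quoted in the question. It sorts each rejected source IP by whether it matches a client record entered as an IP, a record entered as a DNS name (the startup DNS case raised above), or no record at all. The client names, addresses and the stand-in DNS table are constructed sample data, and the verdict labels are this example's own.

```python
import ipaddress
import re
import socket

# Event text as quoted in the question; the trailing address is captured.
EVENT_RE = re.compile(r"invalid RADIUS client IP address\s+(\S+?)\.?\s*$")

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def dns_lookup(host):
    """Live resolver (default): IPv4 addresses the name maps to right now."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def triage(event_lines, clients, resolver=dns_lookup):
    """clients maps a friendly name to the address or DNS name in its record.
    Returns {source_ip: (verdict, client_name_or_None)}."""
    results = {}
    for line in event_lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        src = m.group(1)
        verdict = ("unknown-source", None)  # no record: find out what sent it
        for name, addr in clients.items():
            if is_ip(addr) and addr == src:
                verdict = ("configured-by-ip", name)  # record exists, still rejected
                break
            if not is_ip(addr) and src in resolver(addr):
                verdict = ("configured-by-dns-name", name)  # depends on DNS being up
                break
        results[src] = verdict
    return results

# Constructed sample data (documentation address ranges, hypothetical names).
SAMPLE_CLIENTS = {"core-sw1": "192.0.2.10", "vpn-fw": "fw1.example.net"}
SAMPLE_DNS = {"fw1.example.net": {"192.0.2.20"}}
SAMPLE_EVENTS = [
    "A RADIUS message was received from the invalid RADIUS client IP address 192.0.2.10.",
    "A RADIUS message was received from the invalid RADIUS client IP address 192.0.2.20.",
    "A RADIUS message was received from the invalid RADIUS client IP address 198.51.100.7.",
    "Some unrelated event line",
]

def demo():
    return triage(SAMPLE_EVENTS, SAMPLE_CLIENTS, lambda h: SAMPLE_DNS.get(h, set()))
```

Feed it the exported event text and the client list as entered on the server; a `configured-by-ip` hit matches the symptom described in the question, where a listed client is rejected anyway.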
