Issues when using a RADIUS server for authentication
10/14/2021
Description
This article shows how to use the RADIUS testing tool to troubleshoot RADIUS configuration issues that affect user authentication.
Resolution
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
RADIUS server troubleshooting is done from the Test tab under Manage | System Setup | Users | Settings | Configure Radius. The Test tab lets you test:
- basic connectivity with the RADIUS server (e.g., UDP 1812).
- authentication of a user by LDAP username and password.
This article discusses troubleshooting for the common errors returned in the Test tab.
Radius Server Timeout Error
The SonicWall firewall communicates with the RADIUS server using UDP 1812, unless the RADIUS server has been configured with custom ports. The basic steps in troubleshooting a server timeout involve verifying the connection parameters as summarized below.
- Verify IP address of RADIUS host and port numbers on the SonicWall firewall by navigating to Manage | System Setup | Users | Settings | Configure Radius.
- Verify the IP address of the SonicWall firewall, the RADIUS Client, and port numbers for communication as configured on the RADIUS server.
- The following examples are from a Microsoft Network Policy Server (NPS), a server role that has been set up on a Windows Server 2012R2 lab machine. The NPS control panel on a Windows server can be opened in one of three ways: Windows Key+R and nps.msc, Administrative Tools in Control Panel, or Tools in Server Manager.
- The most common cause of Server Timeout or Communication errors is an incorrect port number and/or IP address for the SonicWall firewall. The port number information can be reviewed by right-clicking and selecting Properties. The authentication port must match the port number configured on the firewall, e.g., 1812 (UDP).
- The IP address of the SonicWall firewall can be reviewed from the Properties of the RADIUS client. The IP address must match that of the firewall (EXAMPLE: 192.168.168.168). While you are in this window, it is a good idea to also check the Shared secret. This is used for encrypting communication between the RADIUS server and client.
RADIUS communication error
Please review the Shared Secret as configured on the firewall and on the RADIUS server as explained above.
RADIUS Client Authentication Failed
- The first step in troubleshooting client authentication is to test the credentials against the LDAP server. The next step is to review the Network Policy used, e.g., pluto-vpn in the following example. It is a good idea to use a Client Friendly Name in the Conditions tab. The name used here matches the one configured for the RADIUS Client, e.g., SonicWall.
- The following diagram compiles the outcomes of troubleshooting that was based on the above discussion.
How to test
- When everything above is configured correctly, run the test again. The result should be successful.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.
NOTE: In this scenario, 192.168.136.168 has been added as a RADIUS client on the RADIUS server 192.168.136.66.
To troubleshoot, navigate to the Users | Settings page, where the RADIUS testing tool is available.
- Navigate to Configure Radius | Settings | Input the IP Address, Shared Secret and Port Number of your RADIUS server.
- Click the Test tab, input the User name, Password and Authentication type | Click Test.
Server Response: Server Timeout Error
- On SonicWall, please double check the IP Address, Port number of your Radius server.
- On the RADIUS server (Windows 2008 NPS), please check the default Ports and RADIUS Client settings, and also ensure the RADIUS server is available on the firewall.
- Right-click NPS | Select Properties | Click the Ports tab to check the authentication port.
- Click RADIUS Clients and Servers | RADIUS Clients to check the client setting. 192.168.136.168 (X3 interface IP address of the SonicWall) is correct.
Server Response RADIUS Communication Error
- Please check Shared Secret settings.
Server Response Radius Client Authentication Failed
- Your User name or Password is not correct, or the authentication method is not enabled in the Network Policy on your RADIUS server.
How to test
- When everything above is configured correctly, run the test again. The result should be successful.
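To reproduce the three server responses above from a workstation instead of the firewall, the following added example (not SonicWall or Microsoft code) builds a PAP Access-Request as defined in RFC 2865 and classifies the reply. The function names, the "Authentication Succeeded" label, and the mapping of a failed Response Authenticator check to "RADIUS Communication Error" are assumptions of this example.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out

def build_access_request(user: str, password: str, secret: bytes, ident: int = 1):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    request_auth = os.urandom(16)
    hidden = hide_password(password.encode(), secret, request_auth)
    name = user.encode()
    # Attribute 1 = User-Name, attribute 2 = User-Password (type, length, value)
    attrs = bytes([1, 2 + len(name)]) + name + bytes([2, 2 + len(hidden)]) + hidden
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def classify_reply(reply: bytes, request_auth: bytes, secret: bytes, ident: int = 1) -> str:
    """Map a server reply onto the outcomes listed in this article."""
    if len(reply) < 20:
        return "RADIUS Communication Error"
    code, rid, length = struct.unpack("!BBH", reply[:4])
    # Response Authenticator = MD5(code+id+length + RequestAuth + attrs + secret)
    want = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    if rid != ident or length > len(reply) or not hmac.compare_digest(want, reply[4:20]):
        return "RADIUS Communication Error"        # typically a shared secret mismatch
    if code == ACCESS_ACCEPT:
        return "Authentication Succeeded"          # label chosen for this example
    return "RADIUS Client Authentication Failed"   # normally Access-Reject (code 3)

def probe(host, user, password, secret, port=1812, timeout=3.0):
    """Send one Access-Request; no usable reply maps to the timeout case."""
    packet, request_auth = build_access_request(user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(packet, (host, port))
            reply, _ = s.recvfrom(4096)
        except OSError:                            # timeout or ICMP unreachable
            return "Server Timeout Error"
    return classify_reply(reply, request_auth, secret)
```

The machine running `probe` must itself be added as a RADIUS client on the server with the same shared secret; otherwise expect the timeout result.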