Hello All,
I am working on setting up authentication into an Acme Packet Net-Net 3820 (SBC) via RADIUS. The accounting side of things is working just fine with no issues. The authentication side of things is another matter. I can see from a packet capture that the access-request
messages are in fact getting to the RADIUS server at which point the RADIUS server starts communicating with the domain controllers. I then see the chain of communication going back to the RADIUS and then finally back to the SBC. The problem is the response
I get back is always an access-reject message with a reason code of 16 (Authentication failed due to a user credentials mismatch. Either the user name provided does not match an existing user account or the password was incorrect). This is confirmed by looking
at the security event logs where I can see events 4625 and 6273. See the events below (Note: The names and IPs have been changed to protect the innocent):
Event ID: 6273
******************************************************************************
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID:
NULL SID
Account Name:
real_username
Account Domain:real_domain
Fully Qualified Account Name:real_domain\real_username
Client Machine:
Security ID:
NULL SID
Account Name:
-
Fully Qualified Account Name:-
OS-Version:
-
Called Station Identifier:-
Calling Station Identifier:-
NAS:
NAS IPv4 Address:10.0.0.10
NAS IPv6 Address:-
NAS Identifier:radius1.real_domain
NAS Port-Type:-
NAS Port:
101451540
RADIUS Client:
Client Friendly Name:sbc1mgmt
Client IP Address:10.0.0.10
Authentication Details:
Connection Request Policy Name:SBC Authentication
Network Policy Name:-
Authentication Provider:Windows
Authentication Server:RADIUS1.real_domain
Authentication Type:MS-CHAPv2
EAP Type:
-
Account Session Identifier:-
Logging Results:Accounting information was written to the SQL data store and the local log file.
Reason Code:
16
Reason:
Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
******************************************************************************
Event ID: 4625
******************************************************************************
An account failed to log on.
Subject:
Security ID:
SYSTEM
Account Name:
RADIUS1$
Account Domain:REAL_DOMAIN
Logon ID:
0x3E7
Logon Type:3
Account For Which Logon Failed:
Security ID:
NULL SID
Account Name:
real_username
Account Domain:REAL_DOMAIN
Failure Information:
Failure Reason:Unknown user name or bad password.
Status:
0xC000006D
Sub Status:
0xC000006A
Process Information:
Caller Process ID:0x2cc
Caller Process Name:C:\Windows\System32\svchost.exe
Network Information:
Workstation Name:
Source Network Address:-
Source Port:
-
Detailed Authentication Information:
Logon Process:IAS
Authentication Package:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services:-
Package Name (NTLM only):-
Key Length:
0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
******************************************************************************
So at first glance it would seem that the issue is merely a case of an invalid username or mismatched password. This is further confirmed in the packet capture where I can see the MSCHAPv2 response has an error code of 691 (Access denied because username or
password, or both, are not valid on the domain). The thing is I know I am using a valid username and I have tried many usernames including new ones I created just for troubleshooting. I don't know how many times I have reset the password in an attempt to ensure
it is not a mismatch password. I have even made sure to use passwords that are fairly short and contain only letters to ensure there was no terminal encoding issues (we connect to the SBC via SSH clients). I have also done this same thing with the shared secret
used during communication between the SBC and the RADIUS server. I have tried prefixing the username with the domain name at login (though I don't think that should be necessary). I have also tried using the full UPN of the user to login. I have tried several
RADIUS testing clients (NTRadPing, RadiusTest, etc.), but they either don't support MSCHAPv2 or only support EAP-MSCHAPv2. I have even created my own client using PHP's PECL RADIUS module. Still it always seems to fail with the MSCHAPv2 authentication with
an error code of 691. Does anyone have any ideas as to why I always get an invalid username or bad password response when I have done everything possible to ensure that is not the case?
Here are the specs for our RADIUS configuration:
- Windows Server 2012 R2
- SQL Server 2012 Back End Database for accounting.
- The server has been authorized on the domain and is a member of the "RAS and IAS Servers" group. For which that group does have access to the accounts we are testing with.
- The accounts we are testing with do have the "Control access through NPS Network Policy" option checked under their "Dial-in" property tab.
- RADIUS clients configured to simply match on the IP address which you can see from the events above that it is applying the client friendly name.
- Connection Request Policy: The "SBC Authenication" policy is being applied as seen above. The only condition is a regex expression that does successfully match the friendly name.
- Network Policy: As seen in events above, none are getting applied. For troubleshooting purposes I have created a Network Policy that is set to "1" for the processing order and its only condition is a Day and Time Restriction currently set to any time, any day.
- The authentication method is set to only MSCHAPv2 or MSCHAPv2 (User can change password after it has expired). I have tried adding this to just the Network Policy and I have also tried adding this to the Connection Request Policy and setting it to override the authentication method of the Network Policy.
- We do have other RADIUS servers in our domain that use PEAP to authenticate wireless clients and they all work fine. However, we need this to work with MSCHAPv2 only (No EAP).
- All other configurations are set to the defaults.
The only other things of note to consider is the fact that in the events above you can see that the Security ID is "NULL SID". Now I know this is common especially among failed logons but given that this issue is stating an invalid username or
bad password, perhaps it matters in this case. Also, this server has been rebuilt using the same computer account in Active Directory. I do not know if it would have worked before the rebuild. Essentially we built this server and only got as far as authorizing
the server to the domain and adding SQL when we decided to separate out the SQL role onto another server. Rather than uninstalling SQL we just rebuilt the machine. However, before reinstalling Windows I did do a reset on the computer account. I don't think
this should matter but thought I would point it out if there is some weird quirk where reusing the same SID of a previously authorized NPS server would cause an issue.
All in all it is a fairly basic setup and hopefully I have provided enough information for someone to get an idea of what might be going on. I hope this was the right forum to post this too, I figured there would be a higher number of RADIUS experts here than
any of the other categories. Apologies if my understanding of this seems a bit basic, after all, when it comes to RADIUS servers I guess you could say I'm the new guy here.