
NTRadPing gets rejected by Win2016 NPS

jay26cee
Occasional Visitor

Hi all,

 

I am trying to fathom NPS (RADIUS) in Windows Server 2016, but all efforts are failing. I have peeled back to just a basic client (Win10) to server connection on the same LAN and using NTRadPing to test an authentication request ... but all efforts fail.

 

The latest is "response: Access-Reject". There is nothing logged in the event viewer.

 

The intention is to use RADIUS authentication for some appliance VPN connections (not RRAS).

 

My test NPS configuration is as follows:

 

> NPS enabled and registered

> RADIUS client is created and defined as IP address of 'my_laptop'

> Shared Secret is same as defined on client and server side

> Vendor name is "RADIUS Standard"

> Connection Request Policy: Enabled; Type of network access server is Unspecified, Condition defined is Access Client IPv4 Address is 'my_laptop' IP, Settings is set to Authentication requests on this server

> Network Policy: Enabled; Grant access if connection request matches this policy; Ignore user accounts dial-in properties; Type of network access server is Unspecified; Windows Groups defined where user authenticating is a member of the security group; Machine Groups defined where client machine 'my_laptop' connecting is a member of the security group; Authentication Methods has all "less secure" methods selected, except the last one; RADIUS Attributes has Standard defined as Framed-Protocol as PPP and Service-Type as Framed

> everything else is default

 

If I change the NTRadPing request type to Status Server, then I get an event logged on the NPS server ... A RADIUS message with the Code field set to 12, which is not valid, was received on port 1812 from RADIUS client <my_laptop>. Valid values of the RADIUS Code field are documented in RFC 2865.

Is this because NTRadPing is old and no longer complies? If so, how else can I do basic RADIUS testing?

 

I have tried to find some very basic setup for RADIUS (NPS) in Windows but all attempts to get this working fail.

 

I have the necessary ports open on the firewall too ... 1812, 1813, 1645 & 1646.

 

Thanks.

 

Jason
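
As an added example (not part of the original post, and not NTRadPing or NPS code), a minimal RFC 2865 PAP test client: it builds an Access-Request with a Message-Authenticator and checks the reply's Response Authenticator, which only verifies if the server signed the reply with the same shared secret. All function names and sample values are constructed for illustration, and only PAP is covered.

```python
import hashlib, hmac, os, socket, struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def attr(type_: int, value: bytes) -> bytes:
    return struct.pack("!BB", type_, len(value) + 2) + value

def build_access_request(user, password, secret, identifier, authenticator=None):
    """PAP Access-Request (code 1) ending in a Message-Authenticator (type 80)."""
    authenticator = authenticator or os.urandom(16)
    attrs = attr(1, user.encode())
    attrs += attr(2, hide_password(password.encode(), secret, authenticator))
    attrs += attr(80, b"\x00" * 16)  # zeroed while the HMAC is computed
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def check_response(response: bytes, request: bytes, secret: bytes):
    """Return (code name, True if the Response Authenticator matches the secret)."""
    if len(response) < 20:
        return ("malformed-or-unmatched", False)
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return ("malformed-or-unmatched", False)
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return (CODES.get(code, f"code-{code}"), hmac.compare_digest(expected, response[4:20]))

def send(packet: bytes, server: str, port: int = 1812, timeout: float = 3.0) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, port))
        return s.recvfrom(4096)[0]

if __name__ == "__main__":
    secret = b"constructed-secret"            # constructed sample values
    req = build_access_request("testuser", "testpass", secret, 1)
    reject = struct.pack("!BBH", 3, 1, 20)    # constructed Access-Reject, no attributes
    reject = reject[:4] + hashlib.md5(reject + req[4:20] + secret).digest()
    print(check_response(reject, req, secret), check_response(reject, req, b"wrong"))
```

Against a live server, pass the bytes returned by `send(req, "<server address>")` to `check_response`; an Access-Reject that verifies points at policy or credentials rather than the shared secret.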
