RADIUS Testing
Overview
This page describes how to test RADIUS authentication. A successful RADIUS authentication should display a Swivel log message such as:
RADIUS: <87> Access-Accept(2) LEN=57 <IP address>:12004 Access-Request by <username> succeeded Successful RADIUS authentication
An incorrectly entered One Time Code for RADIUS authentication should display a Swivel log message such as:
RADIUS: <86> Access-Request(1) LEN=57 <IP address>:12004 Access-Request by <username> Failed: AccessRejectException:
For further information on RADIUS see RADIUS How To Guide
Prerequisites
RADIUS test tool such as NTRadPing
Tool built into authentication device.
nc command from the command line
Symptoms
Authentication device is not communicating with the Swivel RADIUS server.
RADIUS request is sent from Access Device, but does not reach the Swivel server.
RADIUS request is sent from Access Device, and reaches the network interface but does not reach the Swivel application.
Solution
1. Check that RADIUS is running on the Swivel server. The Swivel log should show the message "RADIUS server manager started". If it does not, look for other log messages.
2. Check network communication: can the Swivel server receive a ping from the authentication device? (Note that a firewall may be blocking ICMP but not DNS traffic.)
3. Check whether communication is possible between the authentication device and the Swivel server on the RADIUS port. Note: RADIUS uses UDP, which is a connectionless protocol, and therefore cannot be tested with tools such as Telnet. Some authentication devices have RADIUS test tools built into them. Another tool is NTRadPing (search for NTRadPing.exe), which allows testing from a Windows machine. The nc command may also be used; see below.
4. If different ports are used, check that any local firewall, such as the one on the appliance, is not blocking the newly assigned ports. If a local firewall is blocking access, the RADIUS request will be received on the Ethernet interface but will not reach the Swivel application.
RADIUS testing using nc
This command is available on many Linux-based systems, and also on the Swivel appliance command line, accessed through the CMI:
nc -vnzu <ipaddress> <port>
Example: nc -vnzu 192.168.1.120 1812
For a successful connection to a Swivel RADIUS server:
nc -vnzu 172.16.1.97 1812
(UNKNOWN) [172.16.1.97] 1812 (?) open
The Swivel log will report the following:
RADIUS: <0> Access-BadPacket(0) LEN=1 172.16.1.97:56916 PACKET DROPPED - Packet too small - 1 bytes - (minimum size 20 bytes). from unknown NAS [172.16.1.97]
For a failed connection to a Swivel RADIUS server:
nc -vnzu 172.16.1.97 1815
(UNKNOWN) [172.16.1.97] 1815 (?) : Connection refused
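The nc probe only shows that the UDP port is open, and its 1-byte payload is dropped as too small. The following added example (not part of the original page and not Swivel code) builds a well-formed RFC 2865 Access-Request, so the test exercises the RADIUS application itself, and checks the reply. The NAS identifier, user name, one-time code and shared secret are assumed placeholders.

```python
import hashlib, hmac, os, socket, struct
CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(1, -(-len(password) // 16)) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(type_: int, value: bytes) -> bytes:
    return struct.pack("!BB", type_, len(value) + 2) + value

def build_access_request(user, otc, secret, ident, authenticator, nas_id="radius-test"):
    """Code 1 packet: 20-byte header, User-Name(1), User-Password(2), NAS-Identifier(32)."""
    attrs = attr(1, user.encode()) + attr(2, hide_password(otc.encode(), secret, authenticator))
    attrs += attr(32, nas_id.encode())  # nas_id is a placeholder value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def parse_reply(reply: bytes, request: bytes, secret: bytes) -> str:
    """Validate a reply against the request and return the RADIUS code name."""
    if len(reply) < 20:
        raise ValueError("packet too small")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if not 20 <= length <= len(reply) or ident != request[1]:
        raise ValueError("bad length or identifier mismatch")
    reply = reply[:length]
    want = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(want, reply[4:20]):
        raise ValueError("bad Response Authenticator (shared secret mismatch?)")
    return CODES.get(code, f"code {code}")

def probe(host, port, user, otc, secret: bytes, timeout=3.0) -> str:
    """Send one Access-Request over a connected UDP socket and classify the outcome."""
    request = build_access_request(user, otc, secret, os.urandom(1)[0], os.urandom(16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket, so ICMP port-unreachable surfaces
        try:
            s.send(request)
            reply = s.recv(4096)
        except ConnectionRefusedError:
            return "connection refused (nothing listening on that UDP port)"
        except socket.timeout:
            return "no reply (filtered, or silently discarded by the server)"
    return parse_reply(reply, request, secret)
```

Run probe() from a host that is configured as a NAS on the Swivel server with the same shared secret, for example probe("192.168.1.120", 1812, "<username>", "<one time code>", b"<shared secret>"), then compare the returned result with the Swivel log.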
Troubleshooting
NTRadPing 1.5 does not support Challenge and Response for Two Stage Authentication