RADIUS Testing

From Swivel Knowledgebase


Overview

How to test RADIUS authentication. A successful RADIUS authentication should display a Swivel log message such as:

RADIUS: <87> Access-Accept(2) LEN=57 <IP address>:12004 Access-Request by <username> succeeded Successful RADIUS authentication

An incorrectly entered One Time Code for RADIUS authentication should display a Swivel log message such as:

RADIUS: <86> Access-Request(1) LEN=57 <IP address>:12004 Access-Request by <username> Failed: AccessRejectException:

For further information on RADIUS, see the RADIUS How To Guide.


Prerequisites

RADIUS test tool such as NTRadPing

Tool built into authentication device.

nc command from the command line


Symptoms

Authentication device is not communicating with the Swivel RADIUS server.

RADIUS request is sent from Access Device, but does not reach the Swivel server.

RADIUS request is sent from Access Device, and reaches the network interface but does not reach the Swivel application.


Solution

1. Check that RADIUS is running on the Swivel server. The Swivel log should show the message "RADIUS server manager started". If not, look for other log messages.

2. Check network communication: can the Swivel server receive a ping from the authentication device? (Note that a firewall may be blocking ICMP but not DNS traffic.)

3. Check whether communication is possible between the authentication device and the Swivel server on the RADIUS port. Note: RADIUS uses UDP, which is a connectionless protocol, and therefore cannot be tested with tools such as Telnet. Some authentication devices have RADIUS test tools built into them. Another tool is NTRadPing (search for NTRadPing.exe), which allows testing from a Windows machine. The nc command may also be used; see below.

4. If different ports are used, check that any local firewall, such as the one on the appliance, is not blocking the newly assigned ports. If a local firewall is blocking access, the RADIUS request will be received on the Ethernet interface but will not reach the Swivel application.


RADIUS testing using nc

This command is available on many Linux-based systems, and also on the Swivel appliance command line, accessed through the CMI.

nc -vnzu <ipaddress> <port>

Example: nc -vnzu 192.168.1.120 1812

For a successful connection to a Swivel RADIUS server:

 nc -vnzu 172.16.1.97 1812
 (UNKNOWN) [172.16.1.97] 1812 (?) open

The Swivel log will report the following:

 RADIUS: <0> Access-BadPacket(0) LEN=1 172.16.1.97:56916 PACKET DROPPED - Packet too small - 1 bytes - (minimum size 20 bytes). from unknown NAS [172.16.1.97] 

For a failed connection to a Swivel RADIUS server:

 nc -vnzu 172.16.1.97 1815
 (UNKNOWN) [172.16.1.97] 1815 (?) : Connection refused
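
The nc probe only proves the UDP port is reachable; its 1-byte datagram is dropped because a RADIUS packet needs at least the 20-byte header. The following is an added example, not part of the original Swivel article: a minimal Python test client that sends a well-formed RFC 2865 Access-Request and validates the reply. The user name, one-time code and shared secret are constructed placeholders, and it assumes the testing host is configured as a NAS on the RADIUS server with that shared secret.

```python
import hashlib, os, socket, struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2 (MD5 keystream, 16-byte blocks)."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded, out, prev = password.ljust(size, b"\0"), b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(user, password, secret, ident=1, authenticator=None):
    """Code 1 packet: 20-byte header (code, id, length, authenticator) + attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for atype, value in ((1, user), (2, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def verify_reply(reply, request, secret):
    """Check length, identifier and Response Authenticator; return the reply type."""
    if len(reply) < 20:
        raise ValueError("reply shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        raise ValueError("length or identifier mismatch")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if expected != reply[4:20]:
        raise ValueError("bad Response Authenticator (shared secret mismatch?)")
    return CODES.get(code, f"code {code}")

def radius_test(host, port, user, password, secret, timeout=3.0):
    """Send one Access-Request and describe what came back."""
    request = build_access_request(user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(request)
            return verify_reply(s.recv(4096), request, secret)
        except socket.timeout:
            return "no reply: filtered, dropped, or wrong port"
        except ConnectionRefusedError:
            return "port closed (ICMP port unreachable received)"

if __name__ == "__main__":
    # Constructed sample values: replace with your server, test user and shared secret.
    print(radius_test("192.168.1.120", 1812, b"testuser", b"123456", b"sharedsecret"))
```

A "bad Response Authenticator" error means a reply arrived but was not computed with the same shared secret, which separates a secret mismatch from a network or firewall problem.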


Troubleshooting

NTRadPing 1.5 does not support Challenge and Response for Two Stage Authentication.