No replies from RADIUS Server

Marcus Büttemeyer 386 Reputation points
2021-06-15T12:52:12.163+00:00

I have a simple lab environment with a Win10 client, an RRAS server and a RADIUS server (both 2019) to demonstrate a PPTP VPN. I set up the RRAS server as a RADIUS client on the server and set up a network policy (translated from German) to allow access for the "Domain-Users" group with MS-CHAP-v2. Now I can't connect from the client (code 629 in the event log) and the RRAS server logs event IDs 20271 and 20255, along the lines of "Connection denied due to a policy configured on the RAS/VPN server".
The strange thing is that the RADIUS server does nothing: no event-log entries, no accounting file being created, and using Wireshark I see access-request messages from the VPN server to the RADIUS server, but no replies. I triple-checked everything: RADIUS client configuration, firewall and user settings, authentication protocols, the details of the access-request messages; everything seems fine.
The RADIUS server has some other roles: file server, DFS, FSRM, DeDup, DHCP, DNS, WSUS. Could this be an issue? Any other ideas?

Thanks in advance!


Accepted answer
  1. Sunny Qi 10,921 Reputation points Microsoft Vendor
    2021-06-17T03:08:51.06+00:00

    Hi,

    Thanks for your update.

    By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 for both Internet Protocol version 6 (IPv6) and IPv4 for all installed network adapters.

    The port values of 1812 for authentication and 1813 for accounting are RADIUS standard ports. However, by default, many access servers use ports 1645 for authentication requests and 1646 for accounting requests. No matter which port numbers you decide to use, make sure that NPS and your access server are configured to use the same ones.

    Please kindly check if these necessary ports are enabled in Windows Firewall on the RADIUS server side.

    [screenshot attached to the original answer: 106383-image-1.png]

    For more details, please refer to the following articles:

    Configure NPS UDP Port Information

    Configure Firewalls for RADIUS Traffic

    Best Regards,
    Sunny

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


3 additional answers

  1. Marcus Büttemeyer 386 Reputation points
    2021-06-17T11:04:14.267+00:00

    Strange, I deactivated the 2 default rules for UDP 1812/1813, created 2 custom rules and it worked. Then I deactivated the custom rules and re-activated the default rules; now they work too. Wonders never cease :-)
    But thanks a lot for pointing me in the right direction!

    1 person found this answer helpful.

  2. Sunny Qi 10,921 Reputation points Microsoft Vendor
    2021-06-16T05:43:07.76+00:00

    Hi,

    Welcome to Q&A platform.

    Error 629 indicates that the port was disconnected by the remote machine. Please confirm the necessary ports are enabled on the remote machine. You could temporarily disable Windows Firewall on the RRAS server side to see if the issue still persists.

    For Event 20271 and 20255, please refer to the following articles:

    Event ID 20271 — RRAS Authentication and Accounting

    Event ID 20255 — RAS Connection

    If the issue still exists, I would suggest you enable NPS logs to see if there is any clue:

    Open NPS > right-click NPS (Local) > Properties > General tab, and make sure both the "Successful authentication requests" and "Rejected authentication requests" boxes are checked.

    Best Regards,
    Sunny


  3. Marcus Büttemeyer 386 Reputation points
    2021-06-16T14:49:15.177+00:00

    Thanks for the fast reply. The problem actually was the firewall, but not on the RRAS server (then you wouldn't see correct RADIUS packets on the network). Now that I've disabled the firewall on the RADIUS server, it works.
    But I don't understand why: I had checked before that the default NPS firewall rules were present and enabled. And though my RRAS server is in a different subnet, the firewall rules specify only program, protocol and port; the remote address is set to any. So why do the rules not seem to apply?

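The accepted answer says to verify that the RADIUS UDP ports (1812/1813/1645/1646) are open in Windows Firewall on the NPS server, and the last reply asks why rules that name only program, protocol and port, with remote address "any", still did not admit the traffic. The PowerShell below is an added example, not code from the thread or from Microsoft; run it in an elevated session on the NPS server. It lists every inbound UDP rule whose port filter covers one of those ports together with the other conditions the rule carries (program, service, remote address and, importantly, the network profile the rule is scoped to), and then checks whether the NPS process is actually bound to those ports, so that a "no reply" symptom can be split into "packet dropped by the firewall" versus "nothing listening". The service name IAS is the standard name of the Network Policy Server service; the rest of the logic is generic.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): audit Windows Firewall rules and UDP listeners
# for the standard RADIUS ports on an NPS server.

$RadiusPorts = 1812, 1813, 1645, 1646   # authentication/accounting defaults named in the accepted answer

function Test-PortCovered {
    # Does a rule's LocalPort value ('Any', '1812', '1812-1813', keyword, or an array) cover one of $Ports?
    param([string[]]$LocalPort, [int[]]$Ports)
    foreach ($p in $LocalPort) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
            if ($Ports | Where-Object { $_ -ge $lo -and $_ -le $hi }) { return $true }
        } elseif ($p -match '^\d+$' -and $Ports -contains [int]$p) {
            return $true
        }
        # keyword values such as 'RPC' or 'Teredo' never match a numeric RADIUS port
    }
    return $false
}

function Get-RadiusFirewallRules {
    # Every inbound UDP rule that covers a RADIUS port, joined with its program,
    # service, address and profile filters. A rule with RemoteAddress 'Any' still
    # applies only to adapters whose active profile (Domain/Private/Public) is listed
    # in Profile, and only if Enabled is True and Action is Allow.
    param([int[]]$Ports = $RadiusPorts)

    Get-NetFirewallPortFilter -Protocol UDP | ForEach-Object {
        $port = $_
        $localPorts = @($port.LocalPort)
        if (-not (Test-PortCovered -LocalPort $localPorts -Ports $Ports)) { return }

        $rule = $port | Get-NetFirewallRule
        if ($rule.Direction -ne 'Inbound') { return }

        $app  = $rule | Get-NetFirewallApplicationFilter
        $svc  = $rule | Get-NetFirewallServiceFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $rule.DisplayName
            Group         = $rule.DisplayGroup
            Enabled       = $rule.Enabled
            Action        = $rule.Action
            Profile       = $rule.Profile
            LocalPort     = ($localPorts -join ',')
            Program       = $app.Program
            Service       = $svc.Service
            RemoteAddress = (@($addr.RemoteAddress) -join ',')
        }
    }
}

function Get-RadiusListeners {
    # Which process owns the UDP sockets on the RADIUS ports? NPS runs in the IAS
    # service (hosted by svchost.exe). No endpoint here means the firewall is not the
    # reason for the missing replies: nothing is listening in the first place.
    param([int[]]$Ports = $RadiusPorts)
    Get-NetUDPEndpoint -LocalPort $Ports -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            ProcessId    = $_.OwningProcess
            ProcessName  = $proc.ProcessName
        }
    }
}

Write-Host "== NPS service =="
Get-Service -Name IAS | Select-Object Name, Status, StartType | Format-Table -AutoSize

Write-Host "== Active network profile per adapter (must match a rule's Profile) =="
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory | Format-Table -AutoSize

Write-Host "== Firewall profiles (DefaultInboundAction Block means an allow rule must match) =="
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, LogBlocked, LogFileName | Format-Table -AutoSize

Write-Host "== Inbound UDP rules covering RADIUS ports =="
Get-RadiusFirewallRules | Format-Table -AutoSize

Write-Host "== UDP listeners on RADIUS ports =="
Get-RadiusListeners | Format-Table -AutoSize
```

If the rules look right but access-requests still get no reply, the next step a defender would take is to turn on dropped-packet logging for the profile in use (`Set-NetFirewallProfile -Name Domain -LogBlocked True`) and watch the log file shown in the LogFileName column while sending a request from the RRAS server: a DROP line for UDP 1812 from the RRAS address proves the firewall is discarding the packet, whereas no DROP line with no listener in the last table points at the NPS service itself.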