check_radius_ih - always gets access denied from 2008 Network Policy Server

sdbrehm
check_radius_ih - always gets access denied from 2008 Network Policy Server

I've created a test account called radiustest in my 2003 based Active Directory and created a 2008 based Network Policy Server. Here is the service test I'm trying:

check_radius_ih -r $HOSTADDRESS$ -c 1812 -s secret -u radiustest -p ABCd123!

All attempts return:

RETURN CODE: 2 (CRITICAL) OUTPUT: CRITICAL: Access DENIED. (code = 3) | rtt=0.0046 rttms=4.6429

I've logged in as that user to a workstation to confirm it is active.

For each attempt two errors are logged in the Security Event log on the NPS/RADIUS server. First a 4625 (0x6000006a and 6d), then a 6273 (reason code 16). Both are associated with an incorrect password.

We have used several RADIUS test clients with this server and verified that it will authenticate correctly.

matthew.kelley
Re: check_radius_ih - always gets access denied from 2008 ...

Your password contains special characters so it is not being read correctly.  You need to escape the exclamation point.

check_radius_ih -r $HOSTADDRESS$ -c 1812 -s secret -u radiustest -p ABCd123\!

You may attempt to enclose your password in quotes as well to correct this.

sdbrehm
Re: check_radius_ih - always gets access denied from 2008 ...

Still getting a bad username or password error. I reset the password to remove the ! and still get the same error. I am seeing one potential issue - the Network Policy Name is not being reported in the event log. This RADIUS server is providing authentication for my wireless network. I am able to successfully log in to the wireless network using this test account.

Opsview cannot log in using the Connection Request Policy and Network Policy that are used for the wireless network because there are conditions Opsview cannot meet, so I've created a set of policies where the only conditions are that the request come from the Opsview server (by IP address).

Here is the event log from the NPS security log:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/10/2014 1:39:19 PM
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      radius3.mydomain.com
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID: NULL SID
    Account Name: radiustest
    Account Domain: mydomain
    Fully Qualified Account Name: mydomain\radiustest

Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: -
    Calling Station Identifier: -

NAS:
    NAS IPv4 Address: -
    NAS IPv6 Address: -
    NAS Identifier: -
    NAS Port-Type: -
    NAS Port: -

RADIUS Client:
    Client Friendly Name: Opsview
    Client IP Address: 172.20.8.62

Authentication Details:
    Connection Request Policy Name: Opsview
    Network Policy Name: -
    Authentication Provider: Windows
    Authentication Server: radius3.intra.kyocera-wireless.com
    Authentication Type: PAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 16
    Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

matthew.kelley
Re: check_radius_ih - always gets access denied from 2008 ...

Can you include what your new command line argument looks like?  I am looking at the plugin help and the example includes single quotes around the password and shared secret.  I still think that this might have something to do with how these strings are being passed to the plugin.  You also may want to include a timeout value for authentication, perhaps this is just taking too long.

sdbrehm
Re: check_radius_ih - always gets access denied from 2008 ...

I've tried these from Test Service Check with same denied results:

-r $HOSTADDRESS$ -c 1812 -s 'secret' -u radiustest -p 'Abcd1231'

-r $HOSTADDRESS$ -c 1812 -s secret -u radiustest -p Abcd1231

I've tried adding -t 5 and -t 15 to the quoted command with no success. I also tried adding the example Attributes list.

I've also opened an SSH session and run the command directly with the quoted parameters. I also tried it with no parameters and it prompted for entry of the username, password, secret, and RADIUS server. Again nothing.

 

md_1
Re: check_radius_ih - always gets access denied from 2008 ...

Old thread, hoping someone has a solution by now. I'm attempting to test this from the command line; here is what I've been using:

./check_radius_ih -r X.X.X.X -c 1812 -s 'secret' -u 'radiustest' -p 'OpsviewPass222'

I'm also experiencing this issue. Every attempt has a password mismatch on the RADIUS server (2008 R2 NPS). When using Wireshark to view the RADIUS Access-Request, the password does not match. The password appears as:

AVP: l=18 t=User-Password(2): Decrypted: \317>>2\017%\316\032eM\254\377F\337\254\207

I've tested using another type of RADIUS client with the same attributes (same username, password, RADIUS secret) and the password is decrypted correctly.

AVP: l=18 t=User-Password(2): Decrypted: OpsviewPass222

 

If anyone has any suggestions that would be great. From what I can tell this plugin is not functional on Opsview Core 3.20131016.0
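
Added example, not part of the thread and not the plugin's code: RADIUS PAP hides User-Password per RFC 2865 section 5.2 by XORing it with MD5(shared secret + Request Authenticator), so a capture decodes to readable text only when the sender and the decoder used the same secret and the same authenticator. The secret, authenticator and function names below are constructed for illustration; the 14-character password pads to 16 bytes, which gives the AVP length of 18 seen in the captures above.

```python
import hashlib

def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        # The chain always continues from the hidden (on-the-wire) block.
        prev = block if hiding else data[i:i + 16]
        out += block
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("need a 1..128 byte password and a 16-byte authenticator")
    padded = password + b"\x00" * (-len(password) % 16)  # null-pad to 16n bytes
    return _xor_chain(padded, secret, authenticator, hiding=True)

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    if not hidden or len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    return _xor_chain(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def user_password_avp(hidden: bytes) -> bytes:
    """Attribute type 2, length = 2 header bytes + value."""
    return bytes([2, len(hidden) + 2]) + hidden

# Constructed sample values (the authenticator is random per request in practice).
AUTHENTICATOR = bytes(range(16))
SECRET = b"secret"
PASSWORD = b"OpsviewPass222"

def demo() -> dict:
    hidden = hide_password(PASSWORD, SECRET, AUTHENTICATOR)
    return {
        "avp_length": user_password_avp(hidden)[1],
        "same_secret": unhide_password(hidden, SECRET, AUTHENTICATOR),
        # A secret that differs only by literal quote characters gives a different key.
        "quoted_secret": unhide_password(hidden, b"'secret'", AUTHENTICATOR),
        # Hashing with a different authenticator than the one carried in the packet.
        "other_authenticator": unhide_password(hidden, SECRET, bytes(16)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Only the `same_secret` case returns the original password; the other two print unreadable bytes of the kind shown in the first capture.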