Radius server test connectivity fails: Error: '1812/udp' is not a valid Radius authentication port or Radius client is not configured properly in the Radius server.

We have seen cases where a policy-based route (PBR) is configured for the management IP (NSIP) pointing to a next-hop gateway.

If the ADC does not have a SNIP in the same subnet as the configured next hop, the packet may never leave the ADC, and the connectivity test fails.

Without such a SNIP, the RADIUS packet handed from the FreeBSD side to the virtual server is never sent to the actual server.
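A quick pre-check for the condition described above, written as an added example (not from the original article): given the ADC's SNIPs and the PBR next hop, report whether any SNIP shares the next hop's subnet. All addresses in SAMPLE_ADC are constructed values.

```python
import ipaddress

# Constructed sample ADC facts (not from the article): NSIP, the configured
# SNIPs with their prefix lengths, and the next hop of the PBR on the NSIP.
SAMPLE_ADC = {
    "nsip": "10.10.1.5/24",
    "snips": ["10.10.1.6/24", "192.168.50.10/24"],
    "pbr_next_hop": "172.16.9.1",
}


def snips_on_next_hop_subnet(snips, next_hop):
    """Return the SNIPs whose subnet contains next_hop.

    An empty list means the PBR has no SNIP to source traffic from on that
    subnet, which is the failure mode described in the article. Only SNIPs
    are considered; the NSIP's own subnet is deliberately not counted.
    """
    hop = ipaddress.ip_address(next_hop)
    return [s for s in snips if hop in ipaddress.ip_interface(s).network]


def pbr_verdict(adc):
    """Classify the PBR: 'ok' if a SNIP shares the next-hop subnet, else 'no-snip'."""
    matches = snips_on_next_hop_subnet(adc["snips"], adc["pbr_next_hop"])
    return "ok" if matches else "no-snip"


if __name__ == "__main__":
    # With the sample data no SNIP is on 172.16.9.0/24, so the verdict is 'no-snip'.
    print(pbr_verdict(SAMPLE_ADC))
```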


How To Configure RADIUS and TACACS servers for read-only and admin users in SD-WAN

For TACACS, the tac_plus configuration file (/etc/tac_plus.conf) should contain the following information:

1. key = testing123

2. accounting file = /var/log/tac.acct

3. acl = default {
       permit = ###
   }

4. Group definition:

   group = sdwan_admin {
       default service = permit
   }

   group = sdwan_viewer {
       default service = deny
       service = viewer {
       }
   }

5. For admin users:

   user = tac_sdwan1 {
       global = cleartext tac_sdwan1_pwd
       member = sdwan_admin
   }

6. For viewer users:

   user = tac_sdwan2 {
       global = cleartext tac_sdwan2_pwd
       member = sdwan_viewer
   }

7. Restart the TACACS process: /etc/init.d/tac_plus restart

For RADIUS

1. Configure the clients file: /etc/raddb/clients

   Add the following entry for each subnet where you want to configure RADIUS clients (<subnet> is a placeholder for the client network):

   client <subnet> {
       secret = testing123
       shortname = private-network
   }

2. Configure the users file: /etc/raddb/users. Add the following entry for each ADMIN user:

   rad_sdwan1 Cleartext-Password := "rad_sdwan1_pwd"
       Reply-Message = "ADMIN"

3. Configure the users file: /etc/raddb/users. Add the following entry for each VIEWER user:

   rad_sdwan2 Cleartext-Password := "rad_sdwan2_pwd"
       Reply-Message = "GUEST"

4. Restart RADIUS: /etc/init.d/radiusd restart

5. RADIUS and TACACS are IETF/RFC standards, so products with RADIUS/TACACS support should work.

  • In addition to ADMIN and GUEST, there are also roles for Security admin and Network admin:
    • "SECURITY_ADMIN"
      • Admin privileges for all security-related settings/configurations (all network-related settings are greyed out)
    • "NETWORK_ADMIN"
      • Admin privileges for all network-related settings/configurations (all security-related settings are greyed out)
  • The value of RADIUS attribute 18 (Reply-Message) to be set on the server for these roles is one of the following:
    • "SECURITY_ADMIN"
    • "NETWORK_ADMIN"
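Because the role is carried in Reply-Message (attribute 18), a typo or stray whitespace in the users file silently changes what a login gets. The following is an added example (not from the original article, not SD-WAN's own code): it parses users-file entries in the format shown above and resolves the role with an exact-match, fail-closed policy of its own. The sample users file is constructed.

```python
import re

# Role names the article lists for attribute 18; anything else is rejected.
KNOWN_ROLES = {"ADMIN", "GUEST", "SECURITY_ADMIN", "NETWORK_ADMIN"}

# Constructed sample /etc/raddb/users content in the format of steps 2 and 3.
# The last entry carries a role name the article does not define.
SAMPLE_USERS_FILE = """\
rad_sdwan1 Cleartext-Password := "rad_sdwan1_pwd"
    Reply-Message = "ADMIN"
rad_sdwan2 Cleartext-Password := "rad_sdwan2_pwd"
    Reply-Message = "GUEST"
rad_sdwan3 Cleartext-Password := "rad_sdwan3_pwd"
    Reply-Message = "NETWORK_ADMIN"
rad_sdwan4 Cleartext-Password := "rad_sdwan4_pwd"
    Reply-Message = "Operator"
"""

ENTRY_RE = re.compile(r'^(\S+)\s+Cleartext-Password\s*:=\s*"([^"]*)"\s*$')
REPLY_RE = re.compile(r'^\s+Reply-Message\s*=\s*"([^"]*)"\s*$')


def parse_users(text):
    """Return {username: reply_message}; an entry without Reply-Message maps to None."""
    users, current = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = m.group(1)
            users[current] = None
            continue
        m = REPLY_RE.match(line)
        if m and current:
            users[current] = m.group(1)
    return users


def role_for(reply_message):
    """Fail closed: only an exact match on a known role grants a role.

    Surrounding whitespace is tolerated (the article's own sample had a stray
    space before ADMIN); any other deviation yields None, i.e. no access.
    """
    if reply_message is None:
        return None
    value = reply_message.strip()
    return value if value in KNOWN_ROLES else None
```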


Can the management centre send a Radius “AVP” to the Radius server?


Hi,

Can the management centre send a Radius attribute ("AVP") to the Radius server, I mean in the Radius Authentication Request? Ideally, I would like the Management Centre to send the IP address of the user device supplying the username and password on the Management Centre's login page, which in turn will be sent to the Radius server.

So ideally, the MC should send the following to the Radius server: "username + password + the IP address of the device of the user trying to authenticate".

Kindly

Wasfi


Resolve Username Being Modified Before Sending to RADIUS Server Using NetScaler nFactor

The solution proposed here checks the format of the username sent by the client. If it is a UPN, the user is taken to the next factor for the actual authentication; we use NO_AUTHN to move the user to the next factor in this case. If the user enters domain\username, authentication is performed in the first factor itself.

Configuration

The configuration is best understood bottom-up: we configure the most specific factor (the last factor) first.

  1. Create the factor for authenticating users who enter a UPN
    1. Create the login schema for the second factor

      > add authentication loginSchema second_factor_schema -authenticationSchema noschema -userExpression q{http.req.user.name.after_str("@") + "\\" + http.req.user.name.before_str("@")}

      In the above login schema, we set userExpression such that "user@domain" becomes "domain\user". We also set authenticationSchema to noschema to signify that no user intervention is needed for this factor.

    2. Create the second authentication factor

      > add authentication policylabel second_factor -loginSchema second_factor_schema

      > add authentication radiusAction Radius_server -serverIP 10.217.22.20 -radKey <> -radNASid netscaler -radVendorID 311 -radAttributeType 11

      > add authentication Policy Radius_Pol -rule true -action Radius_server

      Note that the same RADIUS policy/action is used in both factors.

      > bind authentication policylabel second_factor -policy Radius_Pol -priority 100

  2. Add the first factor
    1. Create a policy that bypasses the first factor if the username is a UPN (the check looks for the URL-encoded "@", i.e. "%40", in the login field of the POST body)

      > add authentication Policy upn_no_auth -rule q{HTTP.REQ.BODY(1000).TYPECAST_NVLIST_T('=','&').VALUE("login").CONTAINS("%40")} -action NO_AUTHN
    2. Bind the bypass policy to the authentication vserver so that it navigates to the second factor

      > bind authentication vserver aaa_nfactor -policy upn_no_auth -priority 90 -nextFactor second_factor -gotoPriorityExpression END
    3. Bind the RADIUS policy to the authentication vserver for the domain\user format

      We reuse the RADIUS policy created above in the first factor as well.

      > bind authentication vserver aaa_nfactor -policy Radius_Pol -priority 100
  3. Create the nFactor flow (required only for Gateway logins)

    > add authentication vserver aaa_nfactor SSL

    > add authnProfile nfactor_prof -authnVsName aaa_nfactor

    > set vpn vserver <> -authnProfile nfactor_prof
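To sanity-check the two expressions before they go on the ADC, here is an added example (not from the original article and not NetScaler code) that models the upn_no_auth rule and the second-factor userExpression in Python and runs constructed login POST bodies through them. The function names are this example's own; AFTER_STR/BEFORE_STR are modelled as "text after/before the first @", and CONTAINS("%40") as a substring test on the raw, still URL-encoded field value.

```python
from urllib.parse import parse_qs


def body_nvlist_value(body, name):
    """Model of HTTP.REQ.BODY(n).TYPECAST_NVLIST_T('=','&').VALUE(name):
    the raw (still percent-encoded) value of the first field called name."""
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return ""


def is_upn_login(body):
    """Model of the upn_no_auth rule: CONTAINS("%40") on the raw login field.

    Edge case worth knowing: a literal '@' that the client did not
    percent-encode does not match, so that login stays in the first factor.
    """
    return "%40" in body_nvlist_value(body, "login")


def rewrite_upn(username):
    """Model of the userExpression: after_str("@") + "\\" + before_str("@")."""
    user, sep, domain = username.partition("@")
    if not sep:
        return username  # no '@': the second factor is never reached for this user
    return domain + "\\" + user


def route_login(body):
    """Return (factor that authenticates, username as presented to RADIUS)."""
    raw_login = body_nvlist_value(body, "login")
    username = parse_qs("login=" + raw_login).get("login", [""])[0]
    if is_upn_login(body):
        return ("second_factor", rewrite_upn(username))
    return ("first_factor", username)


if __name__ == "__main__":
    # Constructed sample POST bodies as a browser would send them.
    for body in ("login=jdoe%40corp.example&passwd=x", "login=corp%5Cjdoe&passwd=x"):
        print(body, "->", route_login(body))
```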

The above nFactor configuration can also be done using the nFactor Visualizer, a feature available on ADC firmware starting with 13.0. The configuration for steps 1 and 2 can be achieved as follows.

Complete Flow:

  1. Go to Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click Add.
  2. Click the + sign to add the nFactor Flow.

     https://support.citrix.com/files/public/support/article/CTX231361/images/0EM0z0000005hcN.jpeg

  3. Add Factor; this will be the name of the nFactor Flow. Click Create.
  4. Click "Add Schema" for the initial login page to be presented. Click Create, then click Add.
  5. Click "Add Policy" to create the first-factor authentication policy. If the policy is already added, select it from the drop-down list; if not, create the auth policy as in the CLI configuration above. Click OK.
  6. Click the green + icon to add the next factor, used when the user has entered a UPN in the username field. Click Create.
  7. Click "Add Schema" to add the schema for the second factor; the userExpression added is such that "user@domain" becomes "domain\user". If the schema is already added, select it from the drop-down list; if not, create the schema as in the CLI configuration above. Click Create and then click Add.
  8. Click "Add Policy" to add the authentication for the second factor. If the RADIUS server is already added, select it from the drop-down list; if not, add the RADIUS server. Click Create and then click Add.
  9. Click the blue + icon of the first factor to add the authentication policy for users who enter the username in domain\user format.
  10. In Add Policy, reuse the same RADIUS policy that was added in step 8. Click Add, then click Done.
  11. Select the nFactor flow just created and bind it to an authentication vserver.



Citrix ADC : Radius authentication failures when Accounting and Authentication are configured on the same port

Workaround: kill the AAAD process on the ADC.

Fix:

- It is recommended to use different RADIUS actions for accounting and for authentication.

- Separate the authentication and accounting connections onto two different ports, 1812 and 1813 (the RFC standard), so that the authentication action does not get blocked by the accounting action. Any two ports can be used as per the server configuration; they are not limited to 1812 and 1813.

Sample policies for the RADIUS server:

add authentication radiusAction Authserver -serverIP <x.x.x.x> -serverPort 1812 -authTimeout <x> -radKey XXX -authentication ON -accounting OFF -authServRetry <y>
add authentication radiusPolicy AuthPol ns_true Authserver

add authentication radiusAction AccountingServer -serverIP <x.x.x.x> -serverPort 1813 -authTimeout 1 -radKey XXX -authentication OFF -accounting ON -authServRetry 1
add authentication radiusPolicy AccountingPol ns_true AccountingServer

Notes:

- The 1st policy is for authentication only, the 2nd for accounting only.

- 1812 is the standard port for RADIUS authentication, and 1813 for RADIUS accounting.

Accounting in NetScaler works on a best-effort basis: success of the operation is not guaranteed. If a lot of accounting requests are generated in the environment, it is recommended to tune the following parameters to optimize accounting:

authTimeout: this can be set to 1, because for accounting NetScaler does not take any action based on the server's response anyway.

authServRetry: since accounting works on a best-effort basis, there is no need to retry many times. This can be set to 1.
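The following is an added example (not from the original article) of a small lint over "add authentication radiusAction" lines from a saved ns.conf: it flags an action that does both authentication and accounting, two actions that share one server IP:port, and an accounting-only action whose authTimeout or authServRetry is not 1. The config lines are constructed; the defaults assumed for omitted options (serverPort 1812, authentication ON, accounting OFF) are this example's assumption.

```python
import shlex

# Constructed ns.conf excerpt: the two recommended actions, then two that
# violate the article's guidance (combined auth+acct, and a shared port).
SAMPLE_CONFIG = """\
add authentication radiusAction Authserver -serverIP 192.0.2.10 -serverPort 1812 -authTimeout 3 -radKey XXX -authentication ON -accounting OFF -authServRetry 3
add authentication radiusAction AccountingServer -serverIP 192.0.2.10 -serverPort 1813 -authTimeout 1 -radKey XXX -authentication OFF -accounting ON -authServRetry 1
add authentication radiusAction Combined -serverIP 192.0.2.11 -serverPort 1812 -radKey XXX -authentication ON -accounting ON
add authentication radiusAction Acct2 -serverIP 192.0.2.11 -serverPort 1812 -radKey XXX -authentication OFF -accounting ON
"""


def parse_radius_actions(text):
    """Return {action_name: {option: value}} for every radiusAction line."""
    actions = {}
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens[:3] != ["add", "authentication", "radiusAction"]:
            continue
        # Assumed defaults for options left out of the command line.
        opts = {"serverPort": "1812", "authentication": "ON", "accounting": "OFF"}
        it = iter(tokens[4:])
        for tok in it:
            if tok.startswith("-"):
                opts[tok[1:]] = next(it, "")
        actions[tokens[3]] = opts
    return actions


def lint(actions):
    """Return (action_name, message) findings for the conditions described above."""
    findings, endpoints = [], {}
    for name, o in actions.items():
        if o["authentication"] == "ON" and o["accounting"] == "ON":
            findings.append((name, "authentication and accounting on one action"))
        key = (o.get("serverIP"), o["serverPort"])
        owner = endpoints.setdefault(key, name)
        if owner != name:
            findings.append((name, "shares %s:%s with %s" % (key[0], key[1], owner)))
        if o["accounting"] == "ON" and o["authentication"] == "OFF":
            # Only explicitly set values are checked here.
            for opt in ("authTimeout", "authServRetry"):
                if o.get(opt, "1") != "1":
                    findings.append((name, "accounting-only action: set %s 1" % opt))
    return findings


if __name__ == "__main__":
    for name, msg in lint(parse_radius_actions(SAMPLE_CONFIG)):
        print("%s: %s" % (name, msg))
```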


How to Configure EULA as an Authentication Factor in NetScaler nFactor

EULA Flow

The end-user logon flow with EULA is depicted in the picture below. In this flow, the existing 'first factor' is moved to after the EULA: the EULA becomes the first factor (vserver profile) and the previous first factor becomes the second factor.



nFactor Flow Presentation

The setup can also be created through nFactor Visualizer present in ADC version 13.0 and above.

Configuration through CLI

Step 1: Copy eula.xml to /nsconfig/loginschema on your NetScaler. The actual XML file is available in the Addendum.

Step 2: Add a login schema for the EULA

add authentication loginSchema eulaschema -authenticationSchema eula.xml
add authentication loginSchemaPolicy eula_schema -rule true -action eulaschema
bind authentication vserver auth -policy eula_schema -priority 5

Step 3: Add the authentication factor as a secondary factor

add authentication loginSchema single_auth -authenticationSchema "LoginSchema/SingleAuth.xml"
add authentication policylabel single_factor -loginSchema single_auth
bind authentication policylabel single_factor -policyName ldap-adv -priority 5

Step 4: Add a no-auth policy at the vserver cascade

add authentication Policy noauth_pol -rule q{http.req.url.contains("/nf/auth/doAuthentication.do")} -action NO_AUTHN
bind authentication vserver auth -policy noauth_pol -priority 1 -nextFactor single_factor -gotoPriorityExpression NEXT

Screenshots

Below is the screenshot of the EULA that is configured at vserver as a factor.


Below is the screenshot for the authentication factor (dual factor in this case).

Configuration through Visualizer:

1. Go to Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click Add

2. Click the + sign to add the nFactor Flow

3. Add Factor; this will be the name of the nFactor Flow

4. Add the schema for the first factor by clicking Add Schema and then Add

5. Create an EULA_Schema by selecting the eula.xml login schema

6. Choose the schema for the first factor, that is, the EULA

7. Click Add Policy and then Add to create the authentication policy for NO_AUTHN

8. By clicking the green + sign, add the next factor, that is, dual authentication (LDAP+RADIUS)

9. Again, add the schema for the second factor by clicking Add Schema and then Add

10. Create a Dual_Auth schema by selecting the DualAuth.xml login schema and then clicking Create

11. Click Add Policy and then Add to select the policy for LDAP authentication

For more information on creating LDAP authentication, see Configuring LDAP Authentication

12. Click the blue plus sign to add the second authentication

13. Click Add to select the policy for the RADIUS authentication

For more information on creating RADIUS authentication, see Configuring RADIUS Authentication

14. Click Done; this automatically saves the configuration

15. Select the nFactor Flow just created and bind it to an AAA virtual server by clicking Bind to Authentication Server and then Create

NOTE: Bind and unbind the nFactor Flow only through the option given in nFactor Flow under Show Bindings.

To unbind the nFactor Flow:

1. Select the nFactor Flow and click Show Bindings

2. Select the Authentication VServer and click Unbind

Addendum

Here is the login schema used for this example. Take care when copying text from a web browser, as certain quotes are rendered differently; copy the schema below into a text editor to normalize the quotes.

NOTE: This login schema ships with NetScaler version 13.0 and does not need to be created separately there.

<?xml version="1.0" encoding="UTF-8"?>
<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
  <Status>success</Status>
  <Result>more-info</Result>
  <StateContext></StateContext>
  <AuthenticationRequirements>
    <PostBack>/nf/auth/doAuthentication.do</PostBack>
    <CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack>
    <CancelButtonText>Cancel</CancelButtonText>
    <Requirements>
      <Requirement>
        <Credential><Type>none</Type></Credential>
        <Label><Text>End User License Agreement</Text><Type>heading</Type></Label>
        <Input />
      </Requirement>
      <Requirement>
        <Credential><Type>none</Type></Credential>
        <Label><Text>Protecting Gateway's information and information systems is the responsibility of every user of Gateway.</Text><Type>plain</Type></Label>
        <Input />
      </Requirement>
      <Requirement>
        <Credential><Type>none</Type></Credential>
        <Label><Text>This computer, including any devices attached to this computer and the information systems accessed from this point contain information which is confidential to Organization. Your activities and use of these facilities are monitored and recorded. They are not private and may be reviewed at any time. Unauthorised or inappropriate use of Organization's Information Technology facilities, including but not limited to Electronic Mail and Internet services, is against company policy and can lead to disciplinary outcomes, including termination and/or legal actions. 
Use of these facilities confirms that you accept the conditions detailed in Organization's Group Information Security Policy and Organization's Code of Conduct.</Text><Type>plain</Type></Label>
        <Input />
      </Requirement>
      <Requirement>
        <Credential><Type>none</Type></Credential>
        <Label><Text>Use of these facilities confirms that you accept the conditions detailed in Organization's Group Information Security Policy and Organization's Code of Conduct.</Text><Type>plain</Type></Label>
        <Input />
      </Requirement>
      <Requirement>
        <Credential><ID>loginBtn</ID><Type>none</Type></Credential>
        <Label><Type>none</Type></Label>
        <Input><Button>Continue</Button></Input>
      </Requirement>
    </Requirements>
  </AuthenticationRequirements>
</AuthenticateResponse>

What is “LDAP no such user xxx” and “RADIUS IP attribute missing, packet dropped”


Hi,

I just wonder what the meaning of these logs is, because they are generated almost every day and there are too many of them. I cannot find any KB or article about these logs. Is there a way to stop these logs?

Note: This is ProxyASG S400-30 Version 6.7.3.14

2019-07-26 15:29:13+07:00ICT  "LDAP: no such user xxx"  5 250023:1  realm_ldap.cpp:3688
2019-07-26 15:29:08+07:00ICT  "Session Monitor: RADIUS IP attribute missing, packet dropped."  0 32000A:96  radius_session_notification_monitor.cpp:582

Any help would be appreciated.
