ZSam
Frequent Visitor
Topic Author
Posts: 61
Joined: Tue May 10, 2016 6:40 pm

Firewall blocking Radius Authentication

Mon Jun 17, 2019 11:48 pm

Hello all

I have the following message in my log:

"user example@example authentication failed - radius timeout"

Only if a client router disconnects and tries to reconnect while the rule below is enabled:

add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes

Radius export:

/radius
add address=192.168.88.2 service=ppp,login
/radius incoming
set accept=yes port=1700

Accept rules:

add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
    src-address-list=support
add action=accept chain=input comment=\
    "Accept all connections from local network" in-interface=bridge
add action=accept chain=input comment="Accept WinBox Access from Local" \
    dst-port=81 protocol=tcp src-address=192.168.88.0/24
add action=accept chain=input comment="Accept WebFig Access from Local" \
    dst-port=80 in-interface=bridge protocol=tcp src-address=192.168.88.0/24
add action=accept chain=forward comment="Accept Radius" connection-nat-state=\
    srcnat,dstnat connection-state=related,new dst-address=192.168.88.2 \
    dst-port=1812,1813 log=yes protocol=udp src-address=192.168.88.0/24 \
    src-address-list=internal_nets
add chain=forward comment="Allow Radius Traffic" dst-address=192.168.88.2 \
    dst-port=1812,1813 in-interface=bridge protocol=udp

Either I am missing an accept rule or I am doing something wrong.

Your help would be appreciated.

Thanks!
 
Cvan
Member Candidate
Posts: 129
Joined: Sat Jun 09, 2018 3:32 am

Re: Firewall blocking Radius Authentication

Tue Jun 18, 2019 12:31 am

Add ports 1812 and 1813?

Turn on radius logging?

Monitor log for firewall rule that is blocking radius coms?

Turn on verbose in win AD auth log?
 
ZSam
Frequent Visitor
Topic Author

Re: Firewall blocking Radius Authentication

Tue Jun 18, 2019 1:42 am

Thanks for the response.
Add ports 1812 and 1813?
Already done.
Turn on radius logging?
I'm not sure which information I would use here?
Monitor log for firewall rule that is blocking radius coms?
As mentioned, it is the "drop all" rule.
Turn on verbose in win AD auth log?
Is this on ROS?
 
Cvan
Member Candidate

Re: Firewall blocking Radius Authentication

Tue Jun 18, 2019 4:45 am

Turn on Radius debug on the MT Ros radius server to see more details about the radius 'client' timing out during authentication attempts to the radius server.
Perhaps you are using the wrong auth protocols between client and server...?

In PPP/Secrets/PPP Authentication&Accounting you have turned on 'Use Radius'?

Ignore the 'AD Turn on verbose in win AD auth log?' comment from previous post.
 
ZSam
Frequent Visitor
Topic Author

Re: Firewall blocking Radius Authentication

Wed Jun 19, 2019 1:07 am

The PPPoE connections don’t have a problem authenticating when the “drop all” rule is disabled. However, if I don’t enable this, external connections are eating bandwidth and causing slow internet.

If “drop all” is enabled, external connections are dropped and current PPPoE connections remain active until a client router disconnects perhaps due to loss of power. The new authentication request then gets rejected.

Could this be due to incorrect protocols?

I believe perhaps I need an accept rule to allow the authentication and my current ones are incorrect?
 
Cvan
Member Candidate

Re: Firewall blocking Radius Authentication

Wed Jun 19, 2019 3:33 am

If you are saying that when you disable the drop-all firewall rule the radius server authentication is working against your radius clients, then do this:

Add a firewall rule to accept input before your drop-all rule in the firewall chain for protocol UDP and ports 1812,1813; or whatever ports you have configured on your radius server.

It reads like your firewall rules are not setup correctly.
 
Cvan
Member Candidate

Re: Firewall blocking Radius Authentication

Wed Jun 19, 2019 7:01 am

Oh... this rule you have should be on the input chain, not on the forward chain.

input chain = MT router
radius server = MT router
forward chain = everything else connected to the MT router

add chain=forward comment="Allow Radius Traffic" dst-address=192.168.88.2 \
dst-port=1812,1813 in-interface=bridge protocol=udp
 
ZSam
Frequent Visitor
Topic Author

Re: Firewall blocking Radius Authentication

Wed Jun 19, 2019 11:13 am

I made this change and still the same :?
 
Cvan
Member Candidate

Re: Firewall blocking Radius Authentication

Thu Jun 20, 2019 3:06 am

Add port 1700 and put these two rules before any input drop rules. Do not specify dst or src address, or in/out interface:
chain=input action=accept protocol=udp dst-port=1700,1812,1813 log=yes log-prefix="Radius UDP"
chain=input action=accept protocol=tcp dst-port=1700,1812,1813 log=yes log-prefix="Radius TCP"
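To see why the posted chain dropped the request and what the accepted fix changes, here is an added example that is not from the thread and not MikroTik code: a small Python simulation of RouterOS first-match filtering on the input chain, run over the rules quoted in the posts above. It follows Cvan's reading that the RADIUS server is the router itself (User Manager answering on 192.168.88.2), so the Access-Request is locally generated, reaches the input chain with no in-interface, and is still the first packet of its connection (state new); that is why neither the in-interface=bridge rule nor the established rule catches it and the drop-all rule does. The WAN address 198.51.100.1 on ether1, the probe source 203.0.113.10 and the contents of the support and internal_nets address lists are constructed. The simulation also checks a tightened variant of the fix that limits the accept to the RADIUS server's address, because the rules as accepted in the thread open ports 1700, 1812 and 1813 to every source the router can hear from.

```python
"""Added example (not RouterOS code, not from the thread): first-match
simulation of a RouterOS /ip firewall filter input chain, to check rule order
offline.  Rule text is copied from the posts; packets, the WAN address, the
probe source and the address-list contents are constructed."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed: the thread never shows what these address lists contain.
ADDRESS_LISTS = {"support": ["203.0.113.50/32"], "internal_nets": ["192.168.88.0/24"]}


@dataclass
class Packet:
    proto: str                 # "udp" or "tcp"
    src: str
    dst: str
    dport: int
    in_iface: Optional[str]    # None for packets the router sends to itself
    state: str = "new"         # conntrack state: new / established / related
    sport: int = 0             # 0 = ephemeral, never equals a service port


def parse_rule(line: str) -> Dict[str, str]:
    """Turn one 'add key=value ...' export line into a dict of matchers."""
    tokens = shlex.split(line)
    if tokens[0] != "add":
        raise ValueError(f"not an export line: {line}")
    rule: Dict[str, str] = {}
    for tok in tokens[1:]:
        key, _, value = tok.partition("=")
        rule[key] = value
    return rule


def _in_net(addr: str, spec: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _ports(spec: str) -> set:
    return {int(p) for p in spec.split(",")}


def matches(rule: Dict[str, str], pkt: Packet) -> bool:
    """Evaluate the matchers the posted rules use; an absent key means 'any'."""
    if rule.get("disabled") == "yes":
        return False
    if "protocol" in rule and rule["protocol"] != pkt.proto:
        return False
    if "dst-port" in rule and pkt.dport not in _ports(rule["dst-port"]):
        return False
    if "port" in rule and not {pkt.dport, pkt.sport} & _ports(rule["port"]):
        return False
    if "src-address" in rule and not _in_net(pkt.src, rule["src-address"]):
        return False
    if "dst-address" in rule and not _in_net(pkt.dst, rule["dst-address"]):
        return False
    if "in-interface" in rule and rule["in-interface"] != pkt.in_iface:
        return False
    if "connection-state" in rule and pkt.state not in rule["connection-state"].split(","):
        return False
    if "src-address-list" in rule and not any(
        _in_net(pkt.src, n) for n in ADDRESS_LISTS.get(rule["src-address-list"], [])
    ):
        return False
    return True


def filter_input(rules: List[str], pkt: Packet) -> Tuple[str, str]:
    """First matching input-chain rule wins; RouterOS accepts when none matches."""
    for line in rules:
        rule = parse_rule(line)
        if rule.get("chain") == "input" and matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "(default policy)"


# Input-chain accept rules as posted, in the posted order.
POSTED_INPUT = [
    'add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp',
    'add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp',
    'add action=accept chain=input comment="Accept to established connections" connection-state=established',
    'add action=accept chain=input comment="Accept to related connections" connection-state=related',
    'add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support',
    'add action=accept chain=input comment="Accept all connections from local network" in-interface=bridge',
    'add action=accept chain=input comment="Accept WinBox Access from Local" dst-port=81 protocol=tcp src-address=192.168.88.0/24',
    'add action=accept chain=input comment="Accept WebFig Access from Local" dst-port=80 in-interface=bridge protocol=tcp src-address=192.168.88.0/24',
]
DROP_ALL = 'add action=drop chain=input comment="Drop anything else!"'   # enabled: the failing case
# The fix as given in the thread: no source, destination or interface restriction.
THREAD_FIX = [
    'add action=accept chain=input comment="Radius UDP" dst-port=1700,1812,1813 protocol=udp',
    'add action=accept chain=input comment="Radius TCP" dst-port=1700,1812,1813 protocol=tcp',
]
# Tightened variant (added here): only the RADIUS server address may reach those ports.
TIGHT_FIX = [
    'add action=accept chain=input comment="Radius UDP from server only" dst-port=1700,1812,1813 protocol=udp src-address=192.168.88.2',
]
CHAINS = {
    "posted": POSTED_INPUT + [DROP_ALL],
    "thread_fix": POSTED_INPUT + THREAD_FIX + [DROP_ALL],
    "tight_fix": POSTED_INPUT + TIGHT_FIX + [DROP_ALL],
}
PACKETS = {
    # Access-Request from the router to User Manager on the same box (assumed):
    # locally generated, so no in-interface, and still conntrack state "new".
    "radius_to_self": Packet("udp", "192.168.88.2", "192.168.88.2", 1812, None),
    # Constructed: an internet host probing the assumed WAN address on ether1.
    "wan_probe": Packet("udp", "203.0.113.10", "198.51.100.1", 1812, "ether1"),
    # A LAN host reaching the router over the bridge.
    "lan_client": Packet("udp", "192.168.88.50", "192.168.88.2", 1812, "bridge"),
}


def run_scenarios() -> Dict[str, Dict[str, str]]:
    """Verdict of each chain variant for each packet, e.g. {"posted": {"wan_probe": "drop"}}."""
    return {name: {pname: filter_input(chain, pkt)[0] for pname, pkt in PACKETS.items()}
            for name, chain in CHAINS.items()}


if __name__ == "__main__":
    for name, chain in CHAINS.items():
        for pname, pkt in PACKETS.items():
            action, comment = filter_input(chain, pkt)
            print(f"{name:10} {pname:15} {action:6} by {comment!r}")
```

Both fixes let the locally generated request through; only the tightened one keeps an internet host from reaching the RADIUS ports, which is the check worth making before leaving an unrestricted accept in front of a drop-all rule. Had the RADIUS server been a separate host on the bridge, its replies would have carried source port 1812/1813 and been matched by the established or in-interface=bridge rules, so the symptom in the first post is itself a hint that the server is local. RADIUS as used here is UDP (the /radius incoming port 1700 is UDP as well), so the TCP rule in the thread's fix does nothing for this problem and the tightened variant leaves it out.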
 
ZSam
Frequent Visitor
Topic Author

Re: Firewall blocking Radius Authentication

Thu Jun 20, 2019 10:46 am

This has worked! Thank you!!