bysard
Member Candidate
Topic Author
Posts: 295
Joined: Thu Apr 22, 2010 2:53 pm

Problem with IAS and routerOS on different subnet

Sat Nov 27, 2010 8:54 pm

Hi,

Here is my situation:

I have an IAS server set up and running on a Windows 2003 domain member server. The MikroTik that is in the same subnet as this server has no problem authenticating over it. The problem starts when I try to use the same RADIUS server with a MikroTik that is in a different subnet. All devices can access and ping all of them.

Error:

<pptp-0>: waiting for call
----terminating....- user XX authentication failed - radius timeout

Any clues appreciated.
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Problem with IAS and routerOS on different subnet

Sat Nov 27, 2010 9:54 pm

Run Wireshark on the RADIUS server and check that the IP addresses it sees requests as coming from match what you're expecting. NAT can change IP addresses.
Also verify all network and host firewalls to ensure you're not dropping traffic somewhere. Just because ICMP goes through doesn't mean UDP/1812 and 1813 are.
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Problem with IAS and routerOS on different subnet

Sat Nov 27, 2010 11:26 pm

Just to add to fewi's reply, you will need to enter another client with that IP:
http://support.microsoft.com/kb/317588
Look for this in that doc:
Configure IAS Client Computers
 
bysard
Member Candidate
Topic Author
Posts: 295
Joined: Thu Apr 22, 2010 2:53 pm

Re: Problem with IAS and routerOS on different subnet

Sun Nov 28, 2010 1:07 pm

The client is already inserted. The ports 1212,1213,1645,1646 (udp and tcp) are open!
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Problem with IAS and routerOS on different subnet

Sun Nov 28, 2010 1:14 pm

In the router, the radius ports are 1812 and 1813.
/radius print detail

To change the ports
/radius
set X authentication-port=1812 accounting-port=1813
Use the new ports, of course.

ADD: If that is a typo, which it probably is, then you should check "/ip firewall nat" for any masquerade rules that might affect either interface. That would be one without "out-interface=ether1" or some other interface.
 
bysard
Member Candidate
Topic Author
Posts: 295
Joined: Thu Apr 22, 2010 2:53 pm

Re: Problem with IAS and routerOS on different subnet

Sun Nov 28, 2010 1:38 pm

Double checked everything. Ports opened are 1812,1813 udp and tcp and NO masquerading rules without an output interface are running. :(
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Problem with IAS and routerOS on different subnet

Sun Nov 28, 2010 1:44 pm

I am down to the small stuff now. You did change the radius server ip in "/radius" to the new localnet ip of the ISA server?
Nothing to block connections in "/ip firewall filter"?

ADD: If you have not enabled logging for radius,
/system logging
add topics=radius action=memory
Then try the login again and check the log.
 
bysard
Member Candidate
Topic Author
Posts: 295
Joined: Thu Apr 22, 2010 2:53 pm

Re: Problem with IAS and routerOS on different subnet

Sun Nov 28, 2010 1:54 pm

I have changed the client IP on the Windows 2003 ISA server to the IP from the new subnet and retyped the secret. I have also disabled all firewall filter rules and restarted both server and client. No luck.
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Problem with IAS and routerOS on different subnet

Sun Nov 28, 2010 1:58 pm

If you are not getting a response from the IAS server, and you can ping it, it seems to me to be an issue with the IAS server settings. It is either blocking or ignoring your radius requests. Check these:
http://technet.microsoft.com/en-us/libr ... spx#BKMK_1
 
bysard
Member Candidate
Topic Author
Posts: 295
Joined: Thu Apr 22, 2010 2:53 pm

Re: Problem with IAS and routerOS on different subnet

Sun Nov 28, 2010 2:00 pm

OK, will do. Thank you for the replies. Will post the solution if I get to it.
 
duvi
Frequent Visitor
Posts: 70
Joined: Fri Jun 05, 2009 12:32 pm

Re: Problem with IAS and routerOS on different subnet

Sun Nov 28, 2010 2:34 pm

I have an issue something like this. The IAS times out.

The problem is that logging on IAS can't handle the NAS Port values sent by Mikrotik, since they are too large (though they are as defined in the corresponding RFC). If logging is disabled, there is no more timeout, authentication is successful. Unfortunately, disabled logging is not an option in production.

Maybe you should try this and post the results please.
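
An added example (not part of any post in this thread): Python that reads the fields worth checking out of a RADIUS Access-Request captured on the server, covering fewi's check that the datagram's source address matches a configured client and decoding the NAS-Port value duvi mentions. The addresses, the NAS-Port value and the function names are constructed for illustration; a RADIUS server sends no reply to a client it does not know, which the router reports as a timeout.

```python
import ipaddress
import struct

USER_NAME, NAS_IP_ADDRESS, NAS_PORT = 1, 4, 5  # attribute types, RFC 2865

def parse_access_request(payload: bytes) -> dict:
    """Decode the RADIUS header plus User-Name, NAS-IP-Address and NAS-Port."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("length field does not match the datagram")
    out = {"code": code, "id": ident, "user": None, "nas_ip": None, "nas_port": None}
    pos = 20  # attributes start after the 16-byte Request Authenticator
    while pos + 2 <= length:
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = payload[pos + 2:pos + alen]
        if atype == USER_NAME:
            out["user"] = value.decode("utf-8", "replace")
        elif atype == NAS_IP_ADDRESS and len(value) == 4:
            out["nas_ip"] = str(ipaddress.IPv4Address(value))
        elif atype == NAS_PORT and len(value) == 4:
            out["nas_port"] = struct.unpack("!I", value)[0]  # unsigned 32-bit
        pos += alen
    return out

def diagnose(src_ip: str, payload: bytes, clients: set) -> str:
    """Compare the datagram's source address with the server's client list."""
    req = parse_access_request(payload)
    if req["code"] != 1:
        return "not an Access-Request (code %d)" % req["code"]
    if src_ip not in clients:
        return "unknown client %s (NAS-IP-Address %s): no reply, router times out" % (src_ip, req["nas_ip"])
    return "known client %s, user %s, NAS-Port %s" % (src_ip, req["user"], req["nas_port"])

def build_sample(nas_ip: str, nas_port: int, user: bytes = b"XX") -> bytes:
    """Constructed Access-Request with a zeroed authenticator, demo input only."""
    attrs = bytes([USER_NAME, 2 + len(user)]) + user
    attrs += bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    attrs += bytes([NAS_PORT, 6]) + struct.pack("!I", nas_port)
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    clients = {"192.168.20.1"}  # constructed: address entered as the RADIUS client
    pkt = build_sample("192.168.20.1", 2164260864)  # constructed NAS-Port value
    print(diagnose("192.168.20.1", pkt, clients))
    print(diagnose("10.0.0.2", pkt, clients))  # constructed: source rewritten by NAT
```

Feed it the UDP payload and source address of a request exported from the server-side capture; a source address that differs from the NAS-IP-Address attribute points at NAT or an unexpected outgoing interface on the path.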
 
bysard
Member Candidate
Topic Author
Posts: 295
Joined: Thu Apr 22, 2010 2:53 pm

Re: Problem with IAS and routerOS on different subnet

Sun Nov 28, 2010 2:45 pm

Same problem....radius timeout. I guess that shouldn't be a problem, since it works with the MikroTik that is on the same subnet.
