In our latest server tutorial we'll discuss some items and settings you can review when troubleshooting RADIUS (Remote Authentication Dial-In User Service) issues on your network.
Whether you're running the server for 802.1X, VPN or other network authentication purposes, you'll discover general troubleshooting tips that apply among all Network Access Servers (NAS) and clients.
Check the Security Certificate(s)
If you're having system-wide issues you should first verify that the security certificate loaded on the RADIUS server is okay. Ensure that it is within the validity period, properly installed, and that the server is set to the correct time and date.
If you're having connectivity issues with a single client, ensure the security certificate for the certificate authority (CA) is within the validity period, properly installed on the client, and that the client is set to the correct time and date.
If you're using an authentication protocol that requires a user certificate, ensure it is within the validity period, properly installed, and that it hasn't been revoked.
Check Authentication Protocol Support
If you're having system-wide issues or running into issues with adding a new type of NAS or client you should verify that the server, NAS and client all support the authentication protocol you're trying to use and that they are configured accordingly.
Verify the NAS Configuration
If you're having issues with multiple clients connecting through a particular NAS, ensure that it's configured correctly. Double-check the IP address, port, and shared secret. If you don't use static IP addresses verify that the NAS's IP hasn't changed and that it still matches the IP listed with the RADIUS server.
Verify the Client Configuration
For single-client issues, verify the client is correctly configured with the right authentication settings and is using valid login credentials, including the username/password, security certificate, and/or assigned domain. For clients that support user and machine authentication, ensure the correct one is chosen. For clients that support server validation, ensure the correct settings are chosen, such as the RADIUS server address and CA certificate.
Check the Backend Database
If you're having system-wide issues, verify that the database configured with the RADIUS server is up and running properly. If there's a single-user issue, make sure to verify any access settings for that user in the database, such as the remote access policy on Windows Servers.
Check Authorization Attributes
If you're having authentication issues, especially with a particular user or user group, double-check any authorization attributes or limits that may be enabled on the RADIUS server. For instance, verify any Called-Station-ID, Calling-Station-ID, or Login-Time, or any vendor-specific attributes that may be configured on the RADIUS server.
Use Test Clients
For further debugging you might find it useful to use simulated clients to send requests to the RADIUS server and check the reply. Consider using Radius Test, a Windows-based GUI and command-line tool, or Radlogin, which is available for Windows, FreeBSD, Sparc Solaris or Linux.
Perform Tracing and Review Client Logs
For further troubleshooting of Windows clients, consider utilizing the tracing features of the Netsh command-line tool to help identify the underlying issue. In Windows XP you can use the netsh ras commands. In Windows Vista or later, you can perform wireless tracing with the netsh wlan commands.
Check the RADIUS Server Logs
Looking through any logs or verbose output on the server may help you identify issues. For wide-system issues you may find that an issue with the server configuration is being logged, and for denied-client requests you might see error details in the logs.
Eric Geier is a freelance tech writer — keep up with his writings on Facebook. He's also the founder of NoWiresSecurity, a cloud-based Wi-Fi security service, and On Spot Techs, an on-site computer services company.