
RADIUS authentication server vs monitor


Recommended Posts

Hi,

We're setting up RADIUS authentication towards a customer's MS NPS (Azure MFA). Our ADC is in Azure and running an HA INC setup (12.1-51.19). We're struggling to get this bit working.

Issue #1 - RADIUS authentication, prio 1 issue to resolve

In a RADIUS monitor, it's possible to add "NAS IP" information, but for the RADIUS Server this is not possible. The NPS currently drops our connection and we're seeing in the NPS events an audit failure entry where the "NAS IPv4 Address" field is empty. Is there a way to add this information for the RADIUS Server, as it's required?

We're able to enter the NAS Identifier and it shows properly on the NPS, and we also use MS-CHAPv2 for password encoding.

---

Issue #2 - RADIUS monitoring, optional question that might lead to a resolution

With Azure, ADC in HA INC and MS NPS we could successfully configure the monitoring to work, but the monitoring probes are sent from the same SNIP as the actual RADIUS authentication requests.

Without HA INC this can be resolved by adding an extra SNIP for the HA pair and configuring this as the "NAS IP" in the monitor. However, with HA INC this becomes a problem as both of the nodes have their respective SNIPs. I tried to work around the issue by using 127.0.0.1 in the NAS IP field (to initiate the probes from the NSIP), but apparently this didn't help and the requests still go out from the SNIP.

MS NPS apparently only allows one policy per source IP, so this causes the challenge for us.


59 minutes ago, Kari Ruissalo said:

Issue #1 - RADIUS authentication, prio 1 issue to resolve

[...]

Got this one resolved by checking "Enable NAS IP address extraction" in the RADIUS server profile. It seems to push the NSIP instead of the SNIP here though, so fixing this to match the SNIP would require an AppExpert rewrite on the RADIUS request packet? I think that the rewrite might be the answer for the monitoring also...?

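The two posts above describe an Access-Request that NPS rejects because the NAS-IP-Address attribute is absent, and then one where the attribute carries the NSIP while the packet actually leaves the SNIP. The following Python script is an added example (not NetScaler, NPS or the poster's code) that encodes a minimal RFC 2865 Access-Request with or without NAS-IP-Address (attribute 4) and NAS-Identifier (attribute 32), parses it back, and applies the kind of server-side check that would produce an "empty NAS IPv4 Address" audit failure. All addresses, usernames and the NAS identifier are constructed values, and the mismatch check is an assumption about how a policy engine might compare the attribute with the UDP source address, not a description of NPS internals.

```python
"""Minimal RADIUS Access-Request encoder/decoder (RFC 2865 framing).

Added example, not NetScaler or NPS code.  It shows which NAS attributes a
client puts in the request and how a server-side check could flag a missing
or mismatched NAS-IP-Address.  All IPs and names are constructed samples.
"""
import ipaddress
import os
import struct
from typing import Dict, List, Optional

ACCESS_REQUEST = 1          # RADIUS code for Access-Request
ATTR_USER_NAME = 1          # RFC 2865 attribute types
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_IDENTIFIER = 32


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute TLV: type (1 byte), length incl. header, value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username: str, nas_ip: Optional[str], nas_id: Optional[str],
                         pkt_id: int = 0, authenticator: Optional[bytes] = None) -> bytes:
    """Encode an Access-Request.  nas_ip and nas_id are optional so a request
    that omits NAS-IP-Address (the failure seen in the thread) can be reproduced."""
    authenticator = authenticator or os.urandom(16)  # 16-byte Request Authenticator
    attrs = _attr(ATTR_USER_NAME, username.encode())
    if nas_ip is not None:
        attrs += _attr(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
    if nas_id is not None:
        attrs += _attr(ATTR_NAS_IDENTIFIER, nas_id.encode())
    length = 20 + len(attrs)  # 20-byte header: code, id, length, authenticator
    return struct.pack("!BBH", ACCESS_REQUEST, pkt_id, length) + authenticator + attrs


def parse_attributes(packet: bytes) -> Dict[int, List[bytes]]:
    """Decode the attribute TLVs after the 20-byte header.  Length fields are
    walked strictly so a truncated or malformed TLV raises instead of being
    silently skipped."""
    _code, _pkt_id, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet")
    attrs: Dict[int, List[bytes]] = {}
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def check_nas_identity(packet: bytes, source_ip: str) -> List[str]:
    """Server-side view: list the reasons a policy engine might log an audit
    failure.  RFC 2865 requires NAS-IP-Address or NAS-Identifier in an
    Access-Request.  The mismatch test is an assumed check that compares the
    attribute with the UDP source (the NSIP-in-attribute vs SNIP-on-the-wire
    situation from the thread); it is not a statement about NPS internals."""
    attrs = parse_attributes(packet)
    problems: List[str] = []
    nas_ips = attrs.get(ATTR_NAS_IP_ADDRESS, [])
    if not nas_ips:
        problems.append("NAS-IP-Address (attribute 4) missing")
    if not nas_ips and ATTR_NAS_IDENTIFIER not in attrs:
        problems.append("neither NAS-IP-Address nor NAS-Identifier present (RFC 2865 violation)")
    for raw in nas_ips:
        nas_ip = str(ipaddress.IPv4Address(raw))
        if nas_ip != source_ip:
            problems.append(f"NAS-IP-Address {nas_ip} != source IP {source_ip}")
    return problems


def demo() -> Dict[str, List[str]]:
    """Three constructed scenarios mirroring the thread: no NAS-IP-Address at
    all, the NSIP in the attribute while the packet leaves the SNIP, and the
    SNIP in both places."""
    snip, nsip = "10.0.1.10", "10.0.1.5"  # constructed sample addresses
    return {
        "missing": check_nas_identity(build_access_request("alice", None, "adc-ha"), snip),
        "nsip": check_nas_identity(build_access_request("alice", nsip, "adc-ha"), snip),
        "snip": check_nas_identity(build_access_request("alice", snip, "adc-ha"), snip),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name:8s} -> {problems or 'OK'}")
```

The "missing" scenario is the first post's audit failure (attribute present as NAS-Identifier only, so the server's NAS IPv4 field stays empty); the "nsip" scenario is what the second post observes after enabling NAS IP extraction, where the attribute and the source address disagree; only the "snip" scenario passes both checks, which is the state a rewrite of the attribute would have to reach.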