Screen OS

  • 1.  Radius Admin auth using NPS

    Posted 09-10-2010 14:21

    Hello,

     

    I have set up a win2k8 server with NPS installed. I have gone in and configured the server to use both ports 1645/46 and 1812/13. I have admin RADIUS auth working against my EX switches without a problem; however, on the firewalls I am not having much luck.

     

    Using the NPS I have the client enabled and the IP listed. Under the Network Policy I have the Firewall auth policy as the first one processed. Under vendor specific, using vendor ID 3224, I have both attribute 3 with string and then the group name (identical spelling and case), and attribute 1 with a decimal value of 2.

     

    Only condition is group membership which I am a part of.

     

    In the firewall log what I am seeing is: "Admin user nmcconnell has been rejected via the Radius server at 10.1.100.237"

    My logs for NPS are "A RADIUS message was received from the invalid RADIUS client IP address 172.27.2.253."

    The IP listed is the same as the client listed. Any help would be awesome.



  • 2.  RE: Radius Admin auth using NPS
    Best Answer

    Posted 09-11-2010 05:16

    I use Server 2003 RADIUS, not 2008, but I've seen this same message so I'm going to assume the configuration is similar. In IAS on 2003 all RADIUS requests have to come from a pre-authorized client address. These are set up on the server.


    In ScreenOS you pick the address that the RADIUS request is sent from using the "source interface" parameter, setting this to match what you put in the RADIUS client section.


    Web:
    Configuration--Auth--Auth servers--Edit--Source Interface


    CLI:
    set auth-server "RADIUSName" src-interface "INTERFACEName"



  • 3.  RE: Radius Admin auth using NPS

    Posted 09-13-2010 08:23

    Thank you. Once I added all the possible interfaces this could have come from (since this is an HA pair) and set the source interface, that resolved it. I had the 1 IP that I thought it would have come from but didn't source it.



  • 4.  RE: Radius Admin auth using NPS

    Posted 08-17-2011 02:00

    Thank you for this solution. This worked for me too, setting the source interface for the Radius server.

     

    With regards,

    Auke Bijlsma
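
The fix in the replies above depends on every address the firewall can send RADIUS requests from being registered as a client on the server. As an added example (not code from the thread, Juniper or Microsoft), this Python script tallies the source addresses named in "invalid RADIUS client" messages and keeps those missing from the registered client list. The timestamp layout of the log lines, the registered address 172.27.2.250 and the second source 172.27.2.254 are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Message text as quoted in the first post; the trailing address is captured.
INVALID_CLIENT = re.compile(
    r"received from the invalid RADIUS client IP address\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3})"
)

def unregistered_sources(log_lines, registered_clients):
    """Return {source_ip: hit_count} for rejected sources that are not
    in the RADIUS server's registered client list."""
    registered = {ip_address(c) for c in registered_clients}
    hits = Counter()
    for line in log_lines:
        match = INVALID_CLIENT.search(line)
        if match is None:
            continue  # unrelated event
        try:
            src = ip_address(match.group(1))
        except ValueError:
            continue  # not a valid IPv4 address, e.g. 999.1.1.1
        if src not in registered:
            hits[str(src)] += 1
    return dict(hits)

# Constructed sample input: only the message wording and 172.27.2.253
# come from the thread; timestamps and the other addresses are made up.
SAMPLE_LOG = [
    "2010-09-10 14:02:11 A RADIUS message was received from the invalid "
    "RADIUS client IP address 172.27.2.253.",
    "2010-09-10 14:02:40 A RADIUS message was received from the invalid "
    "RADIUS client IP address 172.27.2.253.",
    "2010-09-10 14:05:02 Network Policy Server granted access to a user.",
    "2010-09-10 14:09:57 A RADIUS message was received from the invalid "
    "RADIUS client IP address 172.27.2.254.",
]
REGISTERED_CLIENTS = ["172.27.2.250"]  # hypothetical client entry on the server

if __name__ == "__main__":
    for ip, count in sorted(unregistered_sources(SAMPLE_LOG, REGISTERED_CLIENTS).items()):
        print(f"{ip}: {count} rejected request(s); register it as a client "
              "or pin src-interface to a registered address")
```

On an HA pair, more than one address can show up in the result, which matches the experience described in the third post.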