Issues with communication between a NAS and a RADIUS server

Problem Description:

Communication issues between the NAS and a RADIUS server are among the most common problems an operator will run into when running a network authenticated by a RADIUS server. In the vast majority of cases these issues can be diagnosed and resolved by following the steps below. Communication issues typically manifest as:

  • customers not being able to log in
  • usage data being missing in the Radius database (when browsing Usage details via SIMPLer)
  • missing data, strange spikes or gaps on usage graphs under customer accounts that are authenticated using a RADIUS server
  • NAS equipment reporting timeouts with RADIUS communication

Problem Resolution:

If any of the above happens, it is worth checking whether communication between the NAS and the RADIUS server works properly.

There are a number of reasons for the above issues, but the following steps should help resolve the majority of them.

  • check IP connectivity between the RADIUS server and the NAS - this is the most typical problem. Regardless of whether the RADIUS server is in the operator's network or remote, a number of things can go wrong and affect IP connectivity. For example:
    1. a backhaul connection between the NAS and RADIUS can be broken, in which case there would be no communication between the NAS and RADIUS

To verify whether IP connectivity is the issue, log in to your NAS and ping the RADIUS server IP from the NAS. Run the test for a long enough period, as some IP connectivity issues are intermittent and may only show up if observed long enough:

  1. RADIUS server responds to ping queries - if the RADIUS server does not reply to ICMP packets, take steps to restore connectivity. Tools like traceroute can help identify where connectivity is broken. For example, with remote RADIUS servers there can typically be route issues at the upstream provider, where most internet sites work but connectivity to the RADIUS server is not possible due to misrouting
  2. The ping response time is consistent - if the ping time jumps up and down, it points to issues with IP connectivity. Take steps that will result in consistent ping results. Tools like pingplotter can help identify the problematic network segment
  3. The ping response time is considerably lower than the 'reply timeout' period specified on the NAS. Most NAS vendors require the RADIUS answer packet to come back within a pre-defined time. On some NASes it is possible to redefine this 'reply timeout'; on others it might be hardcoded. If the ping times are close to or over the specified 'timeout' period, take steps to either improve the packet travel time (in cases where the 'reply timeout' is hardcoded in the NAS device) or change the 'reply timeout' on the NAS to be greater than the maximum ping time seen during the tests
  • check if the NAS IP address is set under the SIMPLer Radius: NAS page - note that only certain IP addresses are allowed to communicate with the SIMPLer server. These IP addresses must be specified under the "SIMPLer Radius->Network Access Servers" tab.

Fig. 1-1 SIMPLer: Radius page

Fig. 1-2 SIMPLer: Network Access Servers page

When adding a new NAS to your network, make sure to add a new entry to SIMPLer. If a NAS entry has been added but communication still cannot be established, the NAS may be NATed to another IP address on the way up to the RADIUS server. SIMPLer has a feature that lets you check for requests coming from unauthenticated IP addresses. It is worth checking whether any familiar IP addresses appear on this list, as in some cases IP addresses change, e.g. with a dynamic IP ADSL network feed or when the OSPF dynamic routing protocol is run at the core of the network (some NASes will start to report using an IP address from another interface):

2013-2Q: (v001): RADIUS: Service Log

  • check if the shared secret used on the NAS matches the one used under the SIMPLer Radius: Network Access Servers page - this is a very typical issue where, due to a typo, the secret used on the NAS differs from the one specified under SIMPLer. Note that communication between SIMPLer and NASes is only possible when the same secret is used on both ends.
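
Why a one-character typo in the secret is enough to break accounting, shown as an added example that is not part of the original article or of SIMPLer: under RFC 2866 the NAS signs every Accounting-Request with an MD5 hash over the packet plus the shared secret, and the server recomputes that hash with its own copy of the secret. The packet, user name, NAS address and both secrets below are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code (RFC 2866)

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (Length covers all three)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def request_authenticator(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_accounting_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """NAS side: sign the packet with the secret configured on the NAS."""
    auth = request_authenticator(ACCOUNTING_REQUEST, ident, attrs, secret)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def secret_matches(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the hash with the server's copy of the secret."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs = packet[20:length]
    expected = request_authenticator(code, ident, attrs, secret)
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample: an Accounting-Request (Start) as a NAS would send it.
SAMPLE_ATTRS = (
    attr(1, b"customer01")            # User-Name
    + attr(4, bytes([192, 0, 2, 1]))  # NAS-IP-Address (documentation range)
    + attr(40, struct.pack("!I", 1))  # Acct-Status-Type = Start
    + attr(44, b"session-0001")       # Acct-Session-Id
)
NAS_SECRET = b"Examp1e-secret"     # as typed on the NAS (digit 1)
SERVER_SECRET = b"Example-secret"  # as entered on the server (letter l)
SAMPLE_PACKET = build_accounting_request(7, SAMPLE_ATTRS, NAS_SECRET)

if __name__ == "__main__":
    print("verified with NAS secret:   ", secret_matches(SAMPLE_PACKET, NAS_SECRET))
    print("verified with server secret:", secret_matches(SAMPLE_PACKET, SERVER_SECRET))
```

The same check can be run against an Accounting-Request captured on the RADIUS server side to confirm which of the two configured secrets the NAS is actually using.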