aguerriero
Explorer
September 10, 2021
Question

7.0.X possible IPS bug with VWP and RADIUS

  • September 10, 2021
  • 1 reply
  • 12425 views

I am using the default IPS profile, and for some reason RADIUS traffic is being blocked, but the logs are not showing it being blocked. If I disable IPS on the bottom rule and disable certificate inspection, RADIUS traffic works. But if I create a higher rule with the specific source/destination IP address and port, the traffic matches the rule and the RADIUS traffic is still blocked. It only works when I disable the IPS inspection on the bottom rule.

    Kangming
    Staff
    September 10, 2021

    Hi

    Could you try to capture RADIUS packets:

    # diagnose sniffer packet any "port 1812 or port 1813" 4 0 l  

    I will try it in LAB.

    aguerriero
    Explorer
    September 10, 2021

    I can see the packets in the capture, but the client connected to port B never gets authenticated. The only time the authentication is successful is if I disable APP/IPS/SSL inspection, and only on the bottom rule that is ALL/ALL/ALL. A custom rule with specific /32 addresses doesn't work even if I drag it to the top.

    interfaces=[any] filters=[port 1812 or port 1813]
    66.219392 b in 10.0.10.1.1645 -> 10.0.10.17.1812: udp 74
    66.219468 a out 10.0.10.1.1645 -> 10.0.10.17.1812: udp 74
    66.223051 a in 10.0.10.17.1812 -> 10.0.10.1.1645: udp 146
    66.223068 b out 10.0.10.17.1812 -> 10.0.10.1.1645: udp 146

    Kangming
    Staff
    September 10, 2021

    It seems normal in my environment; my FGT is FGT-VM04.

    VWP # diagnose sniffer packet any "port 1812 or port 1813" 4 0 l
    Using Original Sniffing Mode
    interfaces=[any] filters=[port 1812 or port 1813]
    2021-09-10 11:38:58.406011 port2 in 10.6.30.111.11776 -> 10.6.30.225.1812: udp 113
    2021-09-10 11:38:58.406552 port3 out 10.6.30.111.11776 -> 10.6.30.225.1812: udp 113
    2021-09-10 11:38:58.433666 port3 in 10.6.30.225.1812 -> 10.6.30.111.11776: udp 20
    2021-09-10 11:38:58.433767 port2 out 10.6.30.225.1812 -> 10.6.30.111.11776: udp 20

    What is your FGT model? Can the RADIUS packets on the VWP interface be captured directly?

    You should be able to find the reason for the rejection by opening the RADIUS packet in Wireshark and viewing its contents.
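As an added example (not part of the thread above), the decoding step the last reply suggests can also be scripted: a small RFC 2865 parser that reports the Code, Identifier and attributes of a RADIUS UDP payload and pulls the Reply-Message out of an Access-Reject. It assumes you already have the UDP payload bytes (for instance exported from a Wireshark capture); the two sample packets below are constructed here, not taken from the sniffer output in the thread.

```python
import struct
from typing import List, Optional, Tuple

# RFC 2865 packet codes and a few common attribute types (constructed lookup tables)
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 18: "Reply-Message", 80: "Message-Authenticator"}
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def parse_radius(payload: bytes) -> dict:
    """Decode a RADIUS UDP payload: header fields plus the attribute TLV list.
    Raises ValueError on anything that violates the RFC 2865 framing rules."""
    if len(payload) < HEADER_LEN:
        raise ValueError("payload shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < HEADER_LEN or length > len(payload):
        raise ValueError(f"Length field {length} inconsistent with {len(payload)}-byte payload")
    attrs: List[Tuple[str, bytes]] = []
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 3 or pos + alen > length:  # RFC 2865 s5: Length >= 3 and inside the packet
            raise ValueError(f"attribute type {atype} has invalid length {alen}")
        attrs.append((ATTR_NAMES.get(atype, f"Attr-{atype}"), payload[pos + 2:pos + alen]))
        pos += alen
    return {"code": RADIUS_CODES.get(code, f"Code-{code}"), "id": ident, "length": length,
            "authenticator": payload[4:HEADER_LEN].hex(), "attributes": attrs}


def reject_reason(payload: bytes) -> Optional[str]:
    """Reply-Message text of an Access-Reject ('' if the reject carries none); None otherwise."""
    pkt = parse_radius(payload)
    if pkt["code"] != "Access-Reject":
        return None
    return " ".join(v.decode("utf-8", "replace") for n, v in pkt["attributes"] if n == "Reply-Message")


def build_radius(code: int, ident: int, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Assemble a packet (zeroed Authenticator) so the parser can be exercised offline."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + bytes(16) + body


# Constructed samples (not captures from the thread): a request and a reject carrying a reason.
SAMPLE_REQUEST = build_radius(1, 0x2A, [(1, b"alice"), (4, bytes([10, 0, 10, 1])), (5, b"\x00\x00\x00\x02")])
SAMPLE_REJECT = build_radius(3, 0x2A, [(18, b"Authentication failed")])
```

Feed `reject_reason()` the payload of the server's reply (the packet sent from UDP 1812 back to the NAS); a zero-length Reply-Message on a reject means the server gave no reason and its own logs are the next place to look.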