When AAA server authentication stops working after IAS has been set up and running for a while (or is configured correctly, but the service starts and then immediately stops), the usual cause is that the DNS Server service has taken over the UDP port that the IAS service needs in order to start. The permanent resolution requires that the server be rebooted for the fix to take effect. If the server is a production server and needs to stay online, the following workaround can be used until a reboot can be scheduled.
When you start the IAS service, it immediately stops again, and the Event Viewer notes that the service cannot start because the server port is in use by another application or service. The most likely explanation is that the DNS Server service took control of the port at boot, so IAS cannot bind to it and fails to start.
- Stop the DNS Server service
- Start the IAS service and confirm that it stays running
- Start the DNS Server service
IAS will now stay running and users should be able to authenticate again. Because the port is now held by IAS, DNS will skip over it when it starts.
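The workaround above, scripted as an added example that is not part of the original article. It first shows which process currently holds each RADIUS UDP port (parsing `netstat -ano`, which is available on Windows Server 2003 and later), then runs the stop-DNS / start-IAS / start-DNS sequence and refuses to continue if IAS does not stay running. It assumes the Windows service names `DNS` (DNS Server) and `IAS` (IAS, also used by NPS) and an elevated PowerShell 2.0 or later session:

```powershell
# Added example, not from the original article.
# Assumptions: service names "DNS" and "IAS"; elevated prompt; netstat -ano available.

$RadiusPorts = 1645, 1646, 1812, 1813

function Get-UdpPortOwner {
    # Report which process owns each of the given UDP ports.
    # Parses netstat lines of the form:  UDP    0.0.0.0:1812    *:*    1234
    param([int[]]$Ports = $RadiusPorts)

    netstat -ano -p udp | ForEach-Object {
        if ($_ -match '^\s*UDP\s+\S+:(\d+)\s+\S+\s+(\d+)\s*$') {
            $port = [int]$Matches[1]
            $ownerPid = [int]$Matches[2]
            if ($Ports -contains $port) {
                $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
                New-Object PSObject -Property @{
                    Port    = $port
                    Pid     = $ownerPid
                    Process = if ($proc) { $proc.ProcessName } else { '<unknown>' }
                }
            }
        }
    }
}

function Invoke-IasPortRecovery {
    # Temporary fix: release the port held by DNS, let IAS bind it, bring DNS back.
    Stop-Service -Name DNS -Force

    Start-Service -Name IAS
    Start-Sleep -Seconds 5                      # give IAS time to fail if it is going to
    $ias = Get-Service -Name IAS
    if ($ias.Status -ne 'Running') {
        # Bring DNS back before giving up so name resolution is not left down.
        Start-Service -Name DNS
        throw "IAS did not stay running (status: $($ias.Status)); check the System event log."
    }

    # IAS now owns the RADIUS ports, so DNS will skip them when it binds.
    Start-Service -Name DNS
    Get-Service -Name DNS, IAS | Select-Object Name, Status
}

# Usage:
Write-Output 'Before:'
Get-UdpPortOwner | Format-Table Port, Pid, Process -AutoSize
Invoke-IasPortRecovery
Write-Output 'After:'
Get-UdpPortOwner | Format-Table Port, Pid, Process -AutoSize
```

Running `Get-UdpPortOwner` before and after makes the diagnosis concrete: if the `Process` column shows `dns` on 1812 or 1645 beforehand and `svchost` (the host for IAS) afterwards, the port conflict described in the article is confirmed rather than assumed.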
This is only a temporary fix: whenever the server is rebooted for any reason, there is a high chance that the DNS Server service will take over the port again. To prevent this, you need to reserve the ports that RADIUS uses. AAA RADIUS authentication typically uses UDP ports 1645-1646 and 1812-1813.
1645-1646 - These ports were used before a RADIUS standard existed, and they became a de facto industry standard because they were so widely used for AAA RADIUS authentication.
1812-1813 - These ports became the official, community-approved standard, and newer systems now use them as the RADIUS authentication ports.
In Windows Server 2003 and later, IAS/NPS responds on both sets of UDP ports, so it is best to reserve both sets when reserving ports on the Windows server. To reserve the ports, do the following in the registry of the server:
- Open the Registry Editor
- Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- If the value does not exist yet, create a new value named ReservedPorts with the data type REG_MULTI_SZ
- Modify the multi-string value so that it lists the two port ranges, 1645-1646 and 1812-1813, each on its own line (press Enter after each entry)
The server will need to be rebooted for the reservation to take effect. After the reboot, the IAS service should start correctly.
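The same registry change done from PowerShell, as an added example that is not part of the original article. Unlike a manual edit, it reads any existing ReservedPorts entries first and only appends the ranges that are missing, so a reservation already made for another service is not overwritten. It assumes an elevated session and the `xxxx-yyyy` entry format used by ReservedPorts (the article's "one range per line"):

```powershell
# Added example, not from the original article.
# Assumptions: elevated prompt; ReservedPorts entries are written as "start-end".

$TcpipParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$RadiusRanges = '1645-1646', '1812-1813'

function Get-ReservedPorts {
    # Return the current ReservedPorts entries, or an empty array if the value is absent.
    param([string]$Path = $TcpipParams)
    $item = Get-ItemProperty -Path $Path -Name ReservedPorts -ErrorAction SilentlyContinue
    if ($item) { return @($item.ReservedPorts) }
    return @()
}

function Set-RadiusReservedPorts {
    # Add the RADIUS ranges to ReservedPorts (REG_MULTI_SZ) without dropping existing entries.
    param(
        [string]$Path = $TcpipParams,
        [string[]]$Ranges = $RadiusRanges
    )
    $existing = Get-ReservedPorts -Path $Path
    $missing  = @($Ranges | Where-Object { $existing -notcontains $_ })

    if ($missing.Count -eq 0) {
        Write-Output 'All RADIUS ranges are already reserved; nothing to do.'
        return $existing
    }

    $updated = @($existing + $missing)
    if ($existing.Count -gt 0) {
        # Value exists: rewrite it, keeping the MultiString type explicit.
        Set-ItemProperty -Path $Path -Name ReservedPorts -Value $updated -Type MultiString
    } else {
        # Value absent: create it as REG_MULTI_SZ, matching the manual steps above.
        New-ItemProperty -Path $Path -Name ReservedPorts -PropertyType MultiString -Value $updated | Out-Null
    }

    Write-Output "Reserved: $($missing -join ', '). A reboot is required for this to take effect."
    return (Get-ReservedPorts -Path $Path)
}

function Test-RadiusReservedPorts {
    # Verify every RADIUS range is present; returns $true/$false for use in a post-change check.
    param([string]$Path = $TcpipParams, [string[]]$Ranges = $RadiusRanges)
    $current = Get-ReservedPorts -Path $Path
    foreach ($r in $Ranges) {
        if ($current -notcontains $r) { return $false }
    }
    return $true
}

# Usage:
Set-RadiusReservedPorts
if (Test-RadiusReservedPorts) {
    Write-Output 'ReservedPorts now covers 1645-1646 and 1812-1813.'
} else {
    Write-Warning 'ReservedPorts is still missing a RADIUS range; inspect the value in regedit.'
}
```

`Test-RadiusReservedPorts` is worth keeping in a post-reboot checklist alongside `Get-Service IAS`: the reservation only proves itself when IAS comes up cleanly after the next restart, so checking both the registry value and the service state is the practical confirmation that the permanent fix is in place.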