SNAC Gateway/LAN Enforcement: Failed to receive an authentication reply from the RADIUS server (Reversible Password Storage Disabled)
Before going further, let's be clear that this issue is not limited to the Symantec NAC solution, so at no point should the requirement to enable reversible password encryption in AD be perceived as a Symantec-specific requirement. Whether the product is Nevis, Napera, Aruba, Bradford, Cisco, Juniper or Forescout, the RADIUS implementation must support MS-CHAPv2 if it is to keep working against the one-way hashed passwords that AD stores by default: MS-CHAPv2 validates the client's response against the NT hash that AD already holds. An authentication method that needs the cleartext password instead (CHAP, for example) cannot be checked against a one-way hash, and the only way Windows can then confirm that the right password was entered is to have that password stored with reversible encryption.
The Store password using reversible encryption policy setting provides support for applications that use protocols that require the user's password for authentication. Because the encryption is reversible, the stored password can be decrypted: an attacker who obtains the directory database (for example, by dumping it from a domain controller or a backup) recovers the cleartext directly rather than having to crack a hash, and can then log on to network resources by using the compromised account. For this reason, never enable Store password using reversible encryption for all users in the domain unless application requirements outweigh the need to protect password information; where it is needed, enable it only on the specific accounts that authenticate through the affected protocol.
If you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocol that is used by remote access and network connections. Digest Authentication in Internet Information Services (IIS) also requires that you enable this policy setting.
Fulfilling this requirement stops the Enforcer's user.log from reporting its failed attempt to receive an authentication reply from the RADIUS server, and as a result the RADIUS packets no longer time out when the Enforcer forwards the authentication request from the authenticator.
To confirm that the issue is resolved after making the required changes (and to get more detail if it is not), you can enable additional secure channel (Schannel) event logging by changing the following registry value from 1 (REG_DWORD type, data 0x00000001, log errors only) to 3 (REG_DWORD type, data 0x00000003, log errors and warnings); the logging change only diagnoses the problem, it does not fix it, and the server must be restarted for the new value to take effect:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging
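The following PowerShell is an added example, not part of the original article or of any Symantec tooling. It shows the scoped way to satisfy the reversible-encryption requirement from the preceding paragraphs (per account, never domain-wide), audits which accounts already store a reversible password, and raises the Schannel logging value described above. It assumes the RSAT ActiveDirectory module is available, that the accounts authenticating through the Enforcer are collected in a hypothetical AD group named SNAC-RADIUS-Users, and that the registry step is run on the RADIUS host.

```powershell
# Added example (not from the original article): scope reversible encryption to the
# accounts that authenticate through the Enforcer, audit who already has it, and raise
# Schannel logging for verification.
# Assumptions (hypothetical, adjust for your domain): the affected accounts are members
# of the AD group 'SNAC-RADIUS-Users'; the ActiveDirectory module (RSAT) is installed;
# the registry step runs with local admin rights on the RADIUS/NPS host.
Import-Module ActiveDirectory

# 1. Confirm the domain-wide policy is NOT set; the article warns against enabling it for all users.
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.ReversibleEncryptionEnabled) {
    Write-Warning 'Domain-wide reversible encryption is enabled; prefer per-account scoping.'
}

# 2. Audit: userAccountControl bit 0x80 (ENCRYPTED_TEXT_PWD_ALLOWED) marks accounts that
#    are flagged for reversible storage. The LDAP_MATCHING_RULE_BIT_AND OID performs the
#    bitwise test on the domain controller instead of pulling every user to the client.
$alreadyFlagged = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' `
    -Properties userAccountControl, PasswordLastSet
$alreadyFlagged | Select-Object SamAccountName, PasswordLastSet | Format-Table -AutoSize

# 3. Enable the flag only for the group's members. The reversible form of the password is
#    written only on the next password change, so a newly flagged account still fails a
#    cleartext-password method such as CHAP until its password is reset.
$targetGroup = 'SNAC-RADIUS-Users'   # hypothetical group name
$members = Get-ADGroupMember -Identity $targetGroup | Where-Object objectClass -eq 'user'
foreach ($member in $members) {
    $user = Get-ADUser -Identity $member.DistinguishedName -Properties userAccountControl, PasswordLastSet
    if (($user.userAccountControl -band 0x80) -eq 0) {
        Set-ADUser -Identity $user -AllowReversiblePasswordEncryption $true
        Write-Output "$($user.SamAccountName): flag set; reset the password so the reversible form is stored"
    } else {
        Write-Output "$($user.SamAccountName): already flagged; confirm PasswordLastSet ($($user.PasswordLastSet)) is after the flag was set"
    }
}

# 4. On the RADIUS/NPS host: log Schannel errors and warnings (1 = errors only, 3 = errors
#    and warnings) so any remaining failure appears in the System event log while you re-test.
#    A restart is required for the new value to take effect.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
Set-ItemProperty -Path $schannel -Name EventLogging -Value 3 -Type DWord
Get-ItemProperty -Path $schannel -Name EventLogging | Select-Object EventLogging
```

Re-run the audit in step 2 after the rollout: the list of flagged accounts should match the group membership exactly, and any extra entry is an account that holds a recoverable password for no reason.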
This issue is mainly seen with:
- Network switch with 802.1x enabled, role is Authenticator.
- Symantec Network Access Control (SNAC) Enforcer, which checks the endpoint's security and compliance posture.
- Remote Authentication Dial-In User Service (RADIUS) / Network Access Protection (NAP) server, which checks the customer's directory server for the user or computer authentication.