
STAS, NPS Extension for Azure and NCSI Problems

We enabled the NPS Extension for Azure MFA, and NCSI reports a lack of internet connection.

In fact, Internet access was working. However, the NCSI message caused MS services (Outlook/OneDrive) to not work.

After we deactivated STAS, the problem disappeared.

Any idea on the causal relationship?

Any hint how to get STAS working again?

Details: XG310 (SFOS 18.0.1 MR-1-Build396), Windows 2019 Standard with NPS, Windows 10H2 Edu.

We have been working with the combination of Windows RADIUS Server and STAS for several months without any problems.

For further protection of an internal resource we have added another RADIUS server to the network and extended it with the NPS Extension for Azure.

This RADIUS server is not mentioned under the authentication servers at the XG, because we do not need it for the XG.

After we put the new RADIUS server with the NPS extension into operation, the globe icon appeared in the status bar of the client computers, i.e. NCSI reported "no Internet".

Even when we built a rule that allowed access to the NCSI web pages and placed this rule on top of all rules, nothing changed.
After many attempts, only the deactivation of STAS brought a solution. Now Outlook etc. works normally again, but we don't have STAS.



  • FormerMember
    0 FormerMember

    Hi,

    Thank you for reaching out to the Community!

    Did you notice any packet drops on your firewall with STAS enabled?

    If you do not require the new RADIUS server on the XG firewall and if it's part of the network monitored by STAS, try adding it to the Exclusion List and let us know how that turns out for you.

    Thanks,

  • Hi H_Patel,

    I'm not a professional, so I don't know how to detect dropped packets for sure.
    We searched the log for "log subtype - is not allowed" and found no indication of problems with the IP addresses belonging to client machines or the NCSI websites.

    But maybe I didn't use the right method.

    Besides, the NCSI web pages can be reached via multiple IP addresses.

    Therefore, I may not have noticed any dropped packets in the firewall log.

    How can I add it to the exclusion list?

    The new RADIUS server was installed on an existing server.
    STAS is not running on this server, nor are there any login operations monitored on this server.

    Nevertheless, the server is included in the firewall ruleset.

    Therefore I would not like to exclude it from the firewall ruleset (I may have misunderstood).

    Thanks

  • FormerMember
    0 FormerMember in reply to EEVW

    Hi,

    Thank you for the update.

    Check out the following KBA on how to monitor dropped packets using the CLI.

    If the new server is part of the network monitored by STAS, you can exclude it in STAS from the Exclusion List tab.

    If you still face the same issue after excluding the server from STAS, we would need to check the packet capture and logs to find out what is dropping this traffic when STAS is enabled. 

    Thanks,

  • Thank you very much! - We will come back to this as soon as we have been able to run the tests. This may take some time as we must not hinder communication (Outlook / Teams etc.) again.
