# Session Log: 2025-12-20

## Session Summary

Completed RADIUS/OpenVPN authentication setup for Dataforth, troubleshooting why VPN connections were failing when RADIUS authentication was enabled on the Unifi UDM. Also created custom OpenVPN client profiles and investigated Windows Terminal rendering issues.

### Key Accomplishments

1. **Diagnosed and fixed RADIUS authentication failure** - VPN connections were timing out because NPS (Network Policy Server) required the Message-Authenticator attribute in RADIUS requests, but the UDM's pam_radius_auth module doesn't send it.

2. **Created custom OpenVPN client profiles** - Built clean .ovpn files for Windows and Linux with split tunnel (no redirect-gateway) and proper DNS configuration.

3. **Investigated Windows Terminal rendering glitch** - Added rendering options to Windows Terminal settings to try to fix visual artifacts.

### Problems Solved

- **RADIUS "failed to respond" error**: Root cause was NPS Event ID 17 showing a Message-Authenticator requirement mismatch. Fixed by running `Set-NpsRadiusClient -Name "unifi" -AuthAttributeRequired $false` on AD1.

- **UDM client profile includes redirect-gateway**: UniFi bug - the exported .ovpn includes `redirect-gateway def1` even though the server config has `redirectGateway: false`. Workaround: created custom profiles without this line.

---

## Credentials

### Dataforth - UDM Firewall
- Host: 192.168.0.254
- SSH: root / Paper123!@#-unifi
- Web UI: azcomputerguru / r3tr0gradE99! (has 2FA)
- SSH Key Added: `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIABnQjolTxDtfqOwdDjamK1oyFPiQnaNT/tAgsIHH1Zo claude-code`

### Dataforth - Active Directory
- AD1: 192.168.0.27
- AD2: 192.168.0.6
- Domain: INTRANET
- Credentials: INTRANET\sysadmin / Paper123!@#

### Dataforth - NPS RADIUS
- Server: 192.168.0.27 (AD1)
- Port: 1812/UDP
- RADIUS Client Name: unifi
- Shared Secret: Gptf*77ttb!@#!@#

### Dataforth - VPN
- Endpoint: 67.206.163.122:1194/TCP
- VPN Subnet: 192.168.6.0/24
- DNS Servers: 192.168.0.27, 192.168.0.6
- Domain: intranet.dataforth.com

---

## Infrastructure & Configuration

### OpenVPN Server Config (UDM)
- Config location: `/etc/openvpn/openvpn-peer-1/`
- RADIUS config: `/etc/openvpn/openvpn-peer-1/radius.server.conf.*`
- PAM config: `/etc/pam.d/openvpn-peer-1*`
- Server settings in: `/data/udapi-config/udapi-net-cfg.json`

### Routes Pushed by VPN Server (Split Tunnel)
- 192.168.0.0/24
- 192.168.1.0/24
- 192.168.4.0/24
- 192.168.100.0/24
- 192.168.200.0/24
- 192.168.201.0/24

### NPS Configuration on AD1
- RADIUS Client "unifi" configured for 192.168.0.254
- Network Policy "Unifi" allows Domain Users
- **AuthAttributeRequired: False** (the fix)

---

## Commands Run

### The Fix - Disable Message-Authenticator Requirement
```powershell
# Run from the admin workstation; the credential is for the AD1 NPS host
$pass = ConvertTo-SecureString 'Paper123!@#' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('INTRANET\sysadmin', $pass)
Invoke-Command -ComputerName 192.168.0.27 -Credential $cred -ScriptBlock {
    # Stop NPS from discarding Access-Requests that carry no Message-Authenticator
    Set-NpsRadiusClient -Name "unifi" -AuthAttributeRequired $false
    # NPS runs as the IAS service; restart it on AD1 (not locally) so the change is applied
    Restart-Service IAS
}
```

### Verify NPS Authentication Success
```powershell
# Run on AD1 (or inside Invoke-Command): NPS audits into the Security log
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=6272,6273} -MaxEvents 5
```
- Event 6272 = Success: "Network Policy Server granted access to a user"
- Event 6273 = Failure: "Network Policy Server denied access to a user"

---

## Files Created

### OpenVPN Client Profiles (on Desktop)
- `C:\Users\MikeSwanson\Desktop\dataforth-vpn.ovpn` - Windows client
- `C:\Users\MikeSwanson\Desktop\dataforth-vpn-linux.ovpn` - Linux/RHEL client
- `C:\Users\MikeSwanson\Desktop\dataforth-vpn-ticket-notes.txt` - Ticket documentation

### PowerShell Scripts Created (for troubleshooting)
- `C:\Users\MikeSwanson\claude-projects\fix-radius-client.ps1`
- `C:\Users\MikeSwanson\claude-projects\check-nps.ps1`
- `C:\Users\MikeSwanson\claude-projects\get-nps-config.ps1`
- `C:\Users\MikeSwanson\claude-projects\check-nps-listening.ps1`
- `C:\Users\MikeSwanson\claude-projects\trace-radius.ps1`
- `C:\Users\MikeSwanson\claude-projects\monitor-radius.ps1`
- `C:\Users\MikeSwanson\claude-projects\verify-and-restart-nps.ps1`
- `C:\Users\MikeSwanson\claude-projects\fix-nps-logging.ps1`

### Windows Terminal Settings Modified
- `C:\Users\MikeSwanson\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json`
- Added: `"rendering.forceFullRepaint": true`
- Added: `"rendering.software": false`

---

## Testing Results

- VPN connection with RADIUS auth: **SUCCESS**
- User authenticated: INTRANET\sysadmin
- NPS Event 6272 confirmed successful authentication
- External test IP: 129.222.129.113

---

## Pending/Notes

1. **Windows Terminal rendering glitch** - Added forceFullRepaint setting. User needs to restart the terminal to test. If it still happens, try `"rendering.software": true` instead.

2. **OpenVPN client profiles** - Ready for distribution. Linux users need the `openvpn-systemd-resolved` package for DNS to work.

3. **UniFi bug** - Exported client profiles ignore the `redirectGateway: false` setting. Custom profiles work around this.
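The workaround in note 3, as an added Python example that is not part of this log and not UniFi's or OpenVPN's own code: it strips every `redirect-gateway` line from an exported profile, adds `pull-filter ignore "redirect-gateway"` so a default route pushed by the server is ignored as well, appends the DNS options (with the systemd-resolved hooks on Linux), and lints the result for the options a RADIUS-authenticated split-tunnel client needs. The sample export, the `dhcp-option` lines and the `update-systemd-resolved` path are assumptions; only the endpoint, DNS servers and domain come from this session.

```python
"""Turn a UDM-exported OpenVPN client profile into a split-tunnel profile.

Added example for the UniFi redirect-gateway bug; everything below that is
not an OpenVPN option name is a constructed placeholder or an assumption.
"""

# Constructed stand-in for the UDM export (only the endpoint is from the session).
SAMPLE_EXPORT = """\
client
dev tun
proto tcp
remote 67.206.163.122 1194
redirect-gateway def1
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
</ca>
"""

DNS_SERVERS = ["192.168.0.27", "192.168.0.6"]
DNS_DOMAIN = "intranet.dataforth.com"
# Assumption: install path of the openvpn-systemd-resolved hook varies by distro.
RESOLVED_HOOK = "/etc/openvpn/scripts/update-systemd-resolved"


def _option(line: str) -> str:
    """First token of a config line; '' for blanks, comments, tags and PEM lines."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#;<-":
        return ""
    return stripped.split()[0]


def clean_profile(exported: str, platform: str) -> str:
    """Drop full-tunnel and stale DNS options, then append the split-tunnel block."""
    if platform not in ("windows", "linux"):
        raise ValueError("platform must be 'windows' or 'linux'")
    kept = [ln for ln in exported.splitlines()
            if _option(ln) not in ("redirect-gateway", "dhcp-option")]
    extra = ["", "# split tunnel: only the routes the server pushes, never a default route",
             'pull-filter ignore "redirect-gateway"']
    extra += [f"dhcp-option DNS {ip}" for ip in DNS_SERVERS]
    extra.append(f"dhcp-option DOMAIN {DNS_DOMAIN}")
    if platform == "linux":
        # Linux clients need a hook to hand dhcp-option values to systemd-resolved
        extra += ["script-security 2", f"up {RESOLVED_HOOK}", f"down {RESOLVED_HOOK}", "down-pre"]
    return "\n".join(kept + extra) + "\n"


def check_profile(text: str) -> list:
    """Lint findings for a client profile; an empty list means it passes."""
    lines = text.splitlines()
    opts = [_option(ln) for ln in lines]
    findings = []
    if "redirect-gateway" in opts:
        findings.append("redirect-gateway present: this is a full tunnel, not split tunnel")
    if not any(ln.strip().startswith('pull-filter ignore "redirect-gateway"') for ln in lines):
        findings.append("no pull-filter: a redirect-gateway pushed by the server would still apply")
    if "remote" not in opts:
        findings.append("no remote endpoint")
    if "auth-user-pass" not in opts:
        findings.append("auth-user-pass missing: no username/password prompt for RADIUS")
    if "remote-cert-tls" not in opts:
        findings.append("remote-cert-tls server missing: any CA-signed client cert could pose as the server")
    if "dhcp-option" not in opts:
        findings.append("no DNS options: internal names will not resolve over the tunnel")
    return findings


if __name__ == "__main__":
    print("export findings:", check_profile(SAMPLE_EXPORT))
    for platform in ("windows", "linux"):
        profile = clean_profile(SAMPLE_EXPORT, platform)
        print(f"--- {platform} profile (findings: {check_profile(profile)}) ---")
        print(profile)
```

Run it against a real export and diff the output against the hand-built `.ovpn` files before distributing; the `pull-filter` line is the part that protects the client even if a future UniFi firmware starts pushing the redirect from the server side.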

---

## Reference

### Useful NPS Event IDs
- 6272: Access granted
- 6273: Access denied
- 6274: Request discarded
- 6275: Accounting request discarded
- 6276: User quarantined
- 6278: Connection request discarded
- 17 (System log): Message-Authenticator error

### WinRM Setup for Remote PowerShell
```powershell
# Run on the workstation that issues Invoke-Command. AD1 is addressed by IP, so
# Kerberos is not used and the host must be in TrustedHosts for NTLM to be allowed.
Start-Service WinRM
Set-Item WSMan:\localhost\Client\TrustedHosts -Value '192.168.0.27' -Force
```
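What the `AuthAttributeRequired` check actually verifies, as an added Python example (not code from this session, from pam_radius_auth or from NPS): Message-Authenticator (RFC 2869) is an HMAC-MD5 keyed with the RADIUS shared secret over the whole Access-Request, computed with the attribute's own 16 value bytes zeroed. A request that never carries the attribute, which is what the UDM sends, cannot satisfy the check, so NPS discards it and the VPN client sees a timeout. Turning the requirement off makes NPS accept requests whose contents are no longer bound to the secret by that HMAC, so a client that sends the attribute is the stronger fix; this example shows both kinds of request and the server-side decision. The shared secret, user name and password are constructed placeholders, not the session's values.

```python
"""Message-Authenticator (RFC 2869 5.14) on a RADIUS Access-Request.

Added example: builds a request with and without the attribute and applies
the server-side check. Secret, user and password are placeholders.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
MA_LEN = 16
HEADER_LEN = 20


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type | Length | Value (Length covers all three)."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side reverse of hide_password (the chain runs over the hidden blocks)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def find_message_authenticator(packet: bytes):
    """Offset of the 16 value bytes of Message-Authenticator, or None if absent."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == MA_LEN + 2:
            return pos + 2
        pos += length
    return None


def compute_message_authenticator(packet: bytes, secret: bytes) -> bytes:
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed."""
    off = find_message_authenticator(packet)
    if off is None:
        raise ValueError("packet carries no Message-Authenticator attribute")
    zeroed = packet[:off] + b"\x00" * MA_LEN + packet[off + MA_LEN:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def access_request(identifier, username, password, nas_ip, secret,
                   authenticator=None, with_message_authenticator=True):
    """Build an Access-Request; with_message_authenticator=False mimics pam_radius_auth."""
    authenticator = authenticator or os.urandom(16)
    attributes = attr(ATTR_USER_NAME, username.encode())
    attributes += attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    attributes += attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    if with_message_authenticator:
        attributes += attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * MA_LEN)  # zeroed while signing
    length = HEADER_LEN + len(attributes)
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + attributes
    if with_message_authenticator:
        off = find_message_authenticator(packet)
        mac = compute_message_authenticator(packet, secret)
        packet = packet[:off] + mac + packet[off + MA_LEN:]
    return packet


def verify_message_authenticator(packet: bytes, secret: bytes) -> str:
    """Server-side decision: 'missing' (the Event 17 case), 'bad' or 'ok'."""
    off = find_message_authenticator(packet)
    if off is None:
        return "missing"
    expected = compute_message_authenticator(packet, secret)
    return "ok" if hmac.compare_digest(expected, packet[off:off + MA_LEN]) else "bad"


if __name__ == "__main__":
    secret = b"example-shared-secret"  # placeholder, not the session's secret
    good = access_request(7, "jdoe", "Passw0rd", "192.168.0.254", secret)
    bare = access_request(7, "jdoe", "Passw0rd", "192.168.0.254", secret, with_message_authenticator=False)
    print("signed request:", verify_message_authenticator(good, secret))                # ok
    print("pam_radius_auth-style request:", verify_message_authenticator(bare, secret))  # missing
    print("tampered user name:", verify_message_authenticator(good.replace(b"jdoe", b"jane"), secret))  # bad
```

The `missing` branch is the state this session ended in after the fix: NPS no longer insists on the attribute for the `unifi` client, so it evaluates the request on the User-Password hiding alone, which authenticates the shared secret only indirectly and covers no other attribute.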