(RADIATOR) Problem using Radiator to authenticate VPN access via a Cisco VPN 5001

Jares, Howard M HJares at Central.UH.EDU
Wed Sep 5 17:26:24 CDT 2001 

I am having problems configuring Radiator v2.18.2 to authenticate to a Cisco
VPN 5001.

I have been testing the using the following configuration files:

goodies\simple2.cfg:
# simple2.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with 
# a simple system. You can then add and change features.
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
# This example will authenticate from a standard users file in
# the current directory and log accounting to a file in the current
# directory.
# It will accept requests from any client and try to handle request
# for any realm.
# And it will print out what its doing in great detail.
#
# See radius.cfg for more complete examples of features and
# syntax, and refer to the reference manual for a complete description
# of all the features and syntax.
#
# You should consider this file to be a starting point only
# $Id: simple.cfg,v 1.4 2001/04/25 23:47:13 mikem Exp $

Foreground
LogStdout
LogDir		.
DbDir		.
DictionaryFile ./dictionary
# User a lower trace level in production systems:
Trace 		4
# Added by Howard Jares
AuthPort 1812
AcctPort 1813

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
	Secret	*****
	DupInterval 0
</Client>

<Realm DEFAULT>
	<AuthBy FILE>
		Filename ./users2
	</AuthBy>
	# Log accounting to a detail file
	AcctLogFileName	./detail
</Realm>


Users2:
DEFAULT	Service-Type = Administrative-User, Auth-Type = System
	Idle-Timeout = 2000,

DEFAULT	Service-Type = Login-User, Expiration = "Feb 2 2010"
	Idle-Timeout = 2001,
	Fall-Through = yes

# User-Password can be in a number of formats: plaintext, 
# UNIX encrypted,
# SHA encrypted (as used in Netscape LDAP), or Linux MD5 password
# defaults to plaintext
pwtest1   User-Password = "fred"
pwtest2   User-Password = "{SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc="
pwtest3   User-Password = "{crypt}1xMKc0GIVUNbE"
pwtest4   User-Password = "$1$cTpht$Obu9PLSMst1TDou.mN5bk0"
# Encrypted-Password can by in a variety of encryption standards too
# but defaults to Unix crypt
pwtest5   Encrypted-Password = "{SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc="
pwtest6   Encrypted-Password = "{crypt}1xMKc0GIVUNbE"
pwtest7  Encrypted-Password = "$1$cTpht$Obu9PLSMst1TDou.mN5bk0"
pwtest8   Encrypted-Password = "1xMKc0GIVUNbE"
pwtest9   Encrypted-Password = "{MD5}VwqQv7+MfqtdxdTiaDLVsQ=="
pwtest10   User-Password = "{MD5}VwqQv7+MfqtdxdTiaDLVsQ=="


fred at uh.edu	User-Password=fred
	cisco-VPNGroupInfo=Test,
	cisco-VPNPassword=fred
#	Connect-Info = "Test"

I modified the standard dictionary file to include:

#HJ
VENDORATTR      9 cisco-VPNPassword       66 string
VENDORATTR      9 cisco-VPNGroupInfo       67 string
#HJ

On the server running Radiator:
F:\Radiator-2.18.2>perl radiusd -config=goodies\simple2.cfg
Wed Sep  5 16:35:13 2001: DEBUG: Reading users file ./users2
Wed Sep  5 16:35:13 2001: INFO: Server started: Radiator 2.18.2 on ks1
Wed Sep  5 16:35:24 2001: DEBUG: Packet dump:
*** Received from 129.7.209.253 port 2050 ....
Code:       Access-Request
Identifier: 41
Authentic:  z<190><244>T<25><144><143><7>L1A<15><143>v<27><3>
Attributes:
        NAS-IP-Address = 129.7.209.253
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        NAS-Port = 268435459
        User-Name = "fred at uh.edu"
        CHAP-Password = ^Y<18><<228><239><246><230>G^46h1<136>(<243>

Wed Sep  5 16:35:24 2001: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Wed Sep  5 16:35:24 2001: DEBUG:  Deleting session for fred at uh.edu,
129.7.209.253, 268435459
Wed Sep  5 16:35:24 2001: DEBUG: Handling with Radius::AuthFILE
Wed Sep  5 16:35:24 2001: DEBUG: Radius::AuthFILE looks for match with
fred at uh.edu
Wed Sep  5 16:35:24 2001: DEBUG: Radius::AuthFILE ACCEPT:
Wed Sep  5 16:35:24 2001: DEBUG: Access accepted for fred at uh.edu
Wed Sep  5 16:35:24 2001: DEBUG: Packet dump:
*** Sending to 129.7.209.253 port 2050 ....
Code:       Access-Accept
Identifier: 41
Authentic:  z<190><244>T<25><144><143><7>L1A<15><143>v<27><3>
Attributes:
        cisco-VPNGroupInfo = "Test"
        cisco-VPNPassword = "fred"
        Connect-Info = "Test"

On 129.7.225.8 I am using the Cisco VPN client version 5.1.1. When I try to
connect using fred at uh.edu, the system sits there and then eventually times
out.

On the Cisco VPN 5001, I do a 
  show sys log buffer
and I get:

Notice   9/5/01 16:35:21 New IKE connection: [129.7.225.8]:1284:fred at uh.edu
Debug    9/5/01 16:35:24 Received RADIUS challenge resp. from fred at uh.edu at
129.7.225.8, contacting server
Debug    9/5/01 16:35:24 No Connect-Info for fred at uh.edu
Debug    9/5/01 16:35:24 Bad config from RADIUS server for fred at uh.edu
Error    9/5/01 16:35:24 No Policy, "", for user, fred at uh.edu
Notice   9/5/01 16:35:24 <No ifp> (fred at uh.edu) reset due to connection
failure.

On the Cisco VPN I am running VPN 5001 Concentrator V6.0.19.0001.

I know I am missing something, but I really don't understand why this
doesn't work. 

Any help you could provide would be appreciated. 

If we can make this work we are hoping to associate users with particular
groups with assigned VPNs. This would be our remote access service to the
university.

Howard Jares
University of Houston
jares at uh.edu
713-743-1565

Due to the current budget constraints, the light at the end of the tunnel
will be turned off until further notice. 
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list