(RADIATOR) Problem using Radiator to authenticate VPN access via a Cisco VPN 5008
Hugh Irvine
hugh at open.com.au
Fri Dec 21 15:20:07 CST 2001
Hello Edward -
A Cisco usually requires the same Service-Type value that is present in the
radius request to be returned in the radius response, which usually means
Service-Type = Framed-User
However, as mentioned below, the best source of Cisco configuration
information is the Cisco web site.
regards
Hugh
On Sat, 22 Dec 2001 01:25, Cheng T K, Edward (TECH_NP&IP NWT) wrote:
> I have the same problem, how can I solve it?
>
> Hello Howard -
>
> On Thursday 06 September 2001 08:26, Jares, Howard M wrote:
> > I am having problems configuring Radiator v2.18.2 to authenticate to a
> > Cisco VPN 5001.
> >
> > I have been testing the using the following configuration files:
> >
> > goodies\simple2.cfg:
> > # simple2.cfg
> > #
> > # Example Radiator configuration file.
> > # This very simple file will allow you to get started with
> > # a simple system. You can then add and change features.
> > # We suggest you start simple, prove to yourself that it
> > # works and then develop a more complicated configuration.
> > #
> > # This example will authenticate from a standard users file in
> > # the current directory and log accounting to a file in the current
> > # directory.
> > # It will accept requests from any client and try to handle request
> > # for any realm.
> > # And it will print out what its doing in great detail.
> > #
> > # See radius.cfg for more complete examples of features and
> > # syntax, and refer to the reference manual for a complete description
> > # of all the features and syntax.
> > #
> > # You should consider this file to be a starting point only
> > # $Id: simple.cfg,v 1.4 2001/04/25 23:47:13 mikem Exp $
> >
> > Foreground
> > LogStdout
> > LogDir .
> > DbDir .
> > DictionaryFile ./dictionary
> > # Use a lower trace level in production systems:
> > Trace 4
> > # Added by Howard Jares
> > AuthPort 1812
> > AcctPort 1813
> >
> > # You will probably want to add other Clients to suit your site,
> > # one for each NAS you want to work with
> > <Client DEFAULT>
> > Secret *****
> > DupInterval 0
> > </Client>
> >
> > <Realm DEFAULT>
> > <AuthBy FILE>
> > Filename ./users2
> > </AuthBy>
> > # Log accounting to a detail file
> > AcctLogFileName ./detail
> > </Realm>
> >
> >
> > Users2:
> > DEFAULT Service-Type = Administrative-User, Auth-Type = System
> > Idle-Timeout = 2000,
> >
> > DEFAULT Service-Type = Login-User, Expiration = "Feb 2 2010"
> > Idle-Timeout = 2001,
> > Fall-Through = yes
> >
> > # User-Password can be in a number of formats: plaintext,
> > # UNIX encrypted,
> > # SHA encrypted (as used in Netscape LDAP), or Linux MD5 password
> > # defaults to plaintext
> > pwtest1 User-Password = "fred"
> > pwtest2 User-Password = "{SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc="
> > pwtest3 User-Password = "{crypt}1xMKc0GIVUNbE"
> > pwtest4 User-Password = "$1$cTpht$Obu9PLSMst1TDou.mN5bk0"
> > # Encrypted-Password can be in a variety of encryption standards too
> > # but defaults to Unix crypt
> > pwtest5 Encrypted-Password = "{SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc="
> > pwtest6 Encrypted-Password = "{crypt}1xMKc0GIVUNbE"
> > pwtest7 Encrypted-Password = "$1$cTpht$Obu9PLSMst1TDou.mN5bk0"
> > pwtest8 Encrypted-Password = "1xMKc0GIVUNbE"
> > pwtest9 Encrypted-Password = "{MD5}VwqQv7+MfqtdxdTiaDLVsQ=="
> > pwtest10 User-Password = "{MD5}VwqQv7+MfqtdxdTiaDLVsQ=="
> >
> >
> > fred at uh.edu User-Password=fred
> > cisco-VPNGroupInfo=Test,
> > cisco-VPNPassword=fred
> > # Connect-Info = "Test"
> >
> > I modified the standard dictionary file to include:
> >
> > #HJ
> > VENDORATTR 9 cisco-VPNPassword 66 string
> > VENDORATTR 9 cisco-VPNGroupInfo 67 string
> > #HJ
> >
> > On the server running Radiator:
> > F:\Radiator-2.18.2>perl radiusd -config=goodies\simple2.cfg
> > Wed Sep 5 16:35:13 2001: DEBUG: Reading users file ./users2
> > Wed Sep 5 16:35:13 2001: INFO: Server started: Radiator 2.18.2 on ks1
> > Wed Sep 5 16:35:24 2001: DEBUG: Packet dump:
> > *** Received from 129.7.209.253 port 2050 ....
> > Code: Access-Request
> > Identifier: 41
> > Authentic: z<190><244>T<25><144><143><7>L1A<15><143>v<27><3>
> > Attributes:
> > NAS-IP-Address = 129.7.209.253
> > NAS-Port-Type = Virtual
> > Service-Type = Authenticate-Only
> > NAS-Port = 268435459
> > User-Name = "fred at uh.edu"
> > CHAP-Password = ^Y<18><<228><239><246><230>G^46h1<136>(<243>
> >
> > Wed Sep 5 16:35:24 2001: DEBUG: Handling request with Handler
> > 'Realm=DEFAULT'
> > Wed Sep 5 16:35:24 2001: DEBUG: Deleting session for fred at uh.edu,
> > 129.7.209.253, 268435459
> > Wed Sep 5 16:35:24 2001: DEBUG: Handling with Radius::AuthFILE
> > Wed Sep 5 16:35:24 2001: DEBUG: Radius::AuthFILE looks for match with
> > fred at uh.edu
> > Wed Sep 5 16:35:24 2001: DEBUG: Radius::AuthFILE ACCEPT:
> > Wed Sep 5 16:35:24 2001: DEBUG: Access accepted for fred at uh.edu
> > Wed Sep 5 16:35:24 2001: DEBUG: Packet dump:
> > *** Sending to 129.7.209.253 port 2050 ....
> > Code: Access-Accept
> > Identifier: 41
> > Authentic: z<190><244>T<25><144><143><7>L1A<15><143>v<27><3>
> > Attributes:
> > cisco-VPNGroupInfo = "Test"
> > cisco-VPNPassword = "fred"
> > Connect-Info = "Test"
> >
> > On 129.7.225.8 I am using the Cisco VPN client version 5.1.1. When I try to
> > connect using fred at uh.edu, the system sits there and then eventually
> > times out.
> >
> > On the Cisco VPN 5001, I do a
> > show sys log buffer
> > and I get:
> >
> > Notice 9/5/01 16:35:21 New IKE connection: [129.7.225.8]:1284:fred at uh.edu
> > Debug 9/5/01 16:35:24 Received RADIUS challenge resp. from fred at uh.edu
> > at 129.7.225.8, contacting server
> > Debug 9/5/01 16:35:24 No Connect-Info for fred at uh.edu
> > Debug 9/5/01 16:35:24 Bad config from RADIUS server for fred at uh.edu
> > Error 9/5/01 16:35:24 No Policy, "", for user, fred at uh.edu
> > Notice 9/5/01 16:35:24 <No ifp> (fred at uh.edu) reset due to connection
> > failure.
> >
> > On the Cisco VPN I am running VPN 5001 Concentrator V6.0.19.0001.
> >
> > I know I am missing something, but I really don't understand why this
> > doesn't work.
> >
> > Any help you could provide would be appreciated.
> >
> > If we can make this work we are hoping to associate users with particular
> > groups with assigned VPNs. This would be our remote access service to the
> > university.
>
> It looks to me like the Cisco 5001 is expecting some additional reply
> attributes to tell it what to do (most Ciscos expect at least the
> Service-Type to come back the same as it was sent). You should check the
> Cisco web site (or your local support engineer) to find out what additional
> reply attributes are necessary.
>
> regards
>
> Hugh
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
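The following is an added illustration, not code from this thread or from Radiator, of what Hugh's advice means on the wire: an Access-Accept that echoes the request's Service-Type and carries the two Cisco vendor-specific attributes (vendor 9, types 66 and 67, as in the dictionary lines Howard quoted), encoded per RFC 2865 section 5.26, with the Response Authenticator computed and checked as RFC 2865 section 3 specifies. Radiator does all of this itself when the users file lists those reply items; the point here is to make the packet layout visible. The shared secret, the request authenticator and the identifier 41 are constructed sample values, and the function and constant names are this example's own. The parser also validates attribute lengths, which goes a little beyond the thread but is what any RADIUS decoder should do.

```python
"""Added example (not from the thread or Radiator): encode, verify and decode a
RADIUS Access-Accept carrying Cisco VSAs, with Service-Type echoed from the request."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9
CISCO_VPN_PASSWORD = 66      # vendor attribute numbers from the dictionary lines in the thread
CISCO_VPN_GROUP_INFO = 67
SERVICE_TYPE_AUTHENTICATE_ONLY = 8   # RFC 2865 value; the request dump showed Authenticate-Only
VENDOR_NAMES = {CISCO_VPN_PASSWORD: "cisco-VPNPassword",
                CISCO_VPN_GROUP_INFO: "cisco-VPNGroupInfo"}


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the 2-byte header (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26) wrapping one vendor sub-attribute (RFC 2865 section 5.26)."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def parse_attrs(payload: bytes) -> list:
    """Walk the TLV list, rejecting lengths that would run past the buffer."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute length")
        out.append((t, payload[i + 2:i + length]))
        i += length
    return out


def build_access_accept(identifier: int, request_authenticator: bytes, request_attrs: list,
                        secret: bytes, group: str, vpn_password: str) -> bytes:
    """Echo the request's Service-Type (Hugh's point) and add the Cisco reply items."""
    service_type = next((v for t, v in request_attrs if t == ATTR_SERVICE_TYPE), None)
    attrs = b""
    if service_type is not None:
        attrs += encode_attr(ATTR_SERVICE_TYPE, service_type)
    attrs += encode_vsa(VENDOR_CISCO, CISCO_VPN_GROUP_INFO, group.encode())
    attrs += encode_vsa(VENDOR_CISCO, CISCO_VPN_PASSWORD, vpn_password.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """What a NAS does before trusting a reply: recompute and compare the authenticator."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def decode_reply(packet: bytes) -> dict:
    """Return reply attributes by name, unwrapping Cisco vendor-specific attributes."""
    result = {}
    for t, v in parse_attrs(packet[20:]):
        if t == ATTR_SERVICE_TYPE:
            result["Service-Type"] = struct.unpack("!I", v)[0]
        elif t == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == VENDOR_CISCO:
            for vt, vv in parse_attrs(v[4:]):
                result[VENDOR_NAMES.get(vt, f"cisco-{vt}")] = vv.decode()
    return result


def demo():
    """Constructed sample: identifier and Service-Type follow the thread's request dump."""
    secret = b"constructed-shared-secret"          # placeholder, not a real secret
    request_authenticator = bytes(range(16))        # constructed 16-byte request authenticator
    request_attrs = [(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_AUTHENTICATE_ONLY))]
    packet = build_access_accept(41, request_authenticator, request_attrs, secret, "Test", "fred")
    return packet, request_authenticator, secret


if __name__ == "__main__":
    pkt, req_auth, shared = demo()
    print(decode_reply(pkt), verify_response(pkt, req_auth, shared))
```

Running it shows the reply the concentrator would see: Service-Type 8 echoed back alongside cisco-VPNGroupInfo and cisco-VPNPassword; flipping any byte of the attributes, or using a different secret, makes `verify_response` return False, which is why a NAS with the wrong shared secret silently ignores replies rather than logging a bad configuration.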
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.