(RADIATOR) Problem using Radiator to authenticate VPN access via a Cisco VPN 5001

Hugh Irvine hugh at open.com.au
Thu Sep 6 00:53:07 CDT 2001


Hello Howard -

On Thursday 06 September 2001 08:26, Jares, Howard M wrote:
> I am having problems configuring Radiator v2.18.2 to authenticate to a
> Cisco VPN 5001.
>
> I have been testing using the following configuration files:
>
> goodies\simple2.cfg:
> # simple2.cfg
> #
> # Example Radiator configuration file.
> # This very simple file will allow you to get started with
> # a simple system. You can then add and change features.
> # We suggest you start simple, prove to yourself that it
> # works and then develop a more complicated configuration.
> #
> # This example will authenticate from a standard users file in
> # the current directory and log accounting to a file in the current
> # directory.
> # It will accept requests from any client and try to handle request
> # for any realm.
> # And it will print out what its doing in great detail.
> #
> # See radius.cfg for more complete examples of features and
> # syntax, and refer to the reference manual for a complete description
> # of all the features and syntax.
> #
> # You should consider this file to be a starting point only
> # $Id: simple.cfg,v 1.4 2001/04/25 23:47:13 mikem Exp $
>
> Foreground
> LogStdout
> LogDir		.
> DbDir		.
> DictionaryFile ./dictionary
> # Use a lower trace level in production systems:
> Trace 		4
> # Added by Howard Jares
> AuthPort 1812
> AcctPort 1813
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
> 	Secret	*****
> 	DupInterval 0
> </Client>
>
> <Realm DEFAULT>
> 	<AuthBy FILE>
> 		Filename ./users2
> 	</AuthBy>
> 	# Log accounting to a detail file
> 	AcctLogFileName	./detail
> </Realm>
>
>
> Users2:
> DEFAULT	Service-Type = Administrative-User, Auth-Type = System
> 	Idle-Timeout = 2000,
>
> DEFAULT	Service-Type = Login-User, Expiration = "Feb 2 2010"
> 	Idle-Timeout = 2001,
> 	Fall-Through = yes
>
> # User-Password can be in a number of formats: plaintext,
> # UNIX encrypted,
> # SHA encrypted (as used in Netscape LDAP), or Linux MD5 password
> # defaults to plaintext
> pwtest1   User-Password = "fred"
> pwtest2   User-Password = "{SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc="
> pwtest3   User-Password = "{crypt}1xMKc0GIVUNbE"
> pwtest4   User-Password = "$1$cTpht$Obu9PLSMst1TDou.mN5bk0"
> # Encrypted-Password can be in a variety of encryption standards too
> # but defaults to Unix crypt
> pwtest5   Encrypted-Password = "{SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc="
> pwtest6   Encrypted-Password = "{crypt}1xMKc0GIVUNbE"
> pwtest7  Encrypted-Password = "$1$cTpht$Obu9PLSMst1TDou.mN5bk0"
> pwtest8   Encrypted-Password = "1xMKc0GIVUNbE"
> pwtest9   Encrypted-Password = "{MD5}VwqQv7+MfqtdxdTiaDLVsQ=="
> pwtest10   User-Password = "{MD5}VwqQv7+MfqtdxdTiaDLVsQ=="
>
>
> fred at uh.edu	User-Password=fred
> 	cisco-VPNGroupInfo=Test,
> 	cisco-VPNPassword=fred
> #	Connect-Info = "Test"
>
> I modified the standard dictionary file to include:
>
> #HJ
> VENDORATTR      9 cisco-VPNPassword       66 string
> VENDORATTR      9 cisco-VPNGroupInfo       67 string
> #HJ
>
> On the server running Radiator:
> F:\Radiator-2.18.2>perl radiusd -config=goodies\simple2.cfg
> Wed Sep  5 16:35:13 2001: DEBUG: Reading users file ./users2
> Wed Sep  5 16:35:13 2001: INFO: Server started: Radiator 2.18.2 on ks1
> Wed Sep  5 16:35:24 2001: DEBUG: Packet dump:
> *** Received from 129.7.209.253 port 2050 ....
> Code:       Access-Request
> Identifier: 41
> Authentic:  z<190><244>T<25><144><143><7>L1A<15><143>v<27><3>
> Attributes:
>         NAS-IP-Address = 129.7.209.253
>         NAS-Port-Type = Virtual
>         Service-Type = Authenticate-Only
>         NAS-Port = 268435459
>         User-Name = "fred at uh.edu"
>         CHAP-Password = ^Y<18><<228><239><246><230>G^46h1<136>(<243>
>
> Wed Sep  5 16:35:24 2001: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Wed Sep  5 16:35:24 2001: DEBUG:  Deleting session for fred at uh.edu,
> 129.7.209.253, 268435459
> Wed Sep  5 16:35:24 2001: DEBUG: Handling with Radius::AuthFILE
> Wed Sep  5 16:35:24 2001: DEBUG: Radius::AuthFILE looks for match with
> fred at uh.edu
> Wed Sep  5 16:35:24 2001: DEBUG: Radius::AuthFILE ACCEPT:
> Wed Sep  5 16:35:24 2001: DEBUG: Access accepted for fred at uh.edu
> Wed Sep  5 16:35:24 2001: DEBUG: Packet dump:
> *** Sending to 129.7.209.253 port 2050 ....
> Code:       Access-Accept
> Identifier: 41
> Authentic:  z<190><244>T<25><144><143><7>L1A<15><143>v<27><3>
> Attributes:
>         cisco-VPNGroupInfo = "Test"
>         cisco-VPNPassword = "fred"
>         Connect-Info = "Test"
>
> On 129.7.225.8 I am using the Cisco VPN client version 5.1.1. When I try to
> connect using fred at uh.edu, the system sits there and then eventually times
> out.
>
> On the Cisco VPN 5001, I do a
>   show sys log buffer
> and I get:
>
> Notice   9/5/01 16:35:21 New IKE connection: [129.7.225.8]:1284:fred at uh.edu
> Debug    9/5/01 16:35:24 Received RADIUS challenge resp. from fred at uh.edu
> at 129.7.225.8, contacting server
> Debug    9/5/01 16:35:24 No Connect-Info for fred at uh.edu
> Debug    9/5/01 16:35:24 Bad config from RADIUS server for fred at uh.edu
> Error    9/5/01 16:35:24 No Policy, "", for user, fred at uh.edu
> Notice   9/5/01 16:35:24 <No ifp> (fred at uh.edu) reset due to connection
> failure.
>
> On the Cisco VPN I am running VPN 5001 Concentrator V6.0.19.0001.
>
> I know I am missing something, but I really don't understand why this
> doesn't work.
>
> Any help you could provide would be appreciated.
>
> If we can make this work we are hoping to associate users with particular
> groups with assigned VPNs. This would be our remote access service to the
> university.
>

It looks to me like the Cisco 5001 is expecting some additional reply 
attributes to tell it what to do (most Ciscos expect at least the 
Service-Type to come back the same as it was sent). You should check the 
Cisco web site (or your local support engineer) to find out what additional 
reply attributes are necessary.

regards

Hugh


-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
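One way to spot the gap Hugh describes from the Trace 4 output Howard posted: the script below (an added example, not part of the thread or of Radiator itself) parses Radiator's packet dumps, pairs each Access-Accept with its Access-Request by peer and Identifier, and lists the request attributes, Service-Type by default, that the reply does not carry back. The sample log is constructed in the format shown in the post.

```python
import re
# Constructed sample in the packet-dump format Radiator prints at Trace 4.
SAMPLE_LOG = """\
*** Received from 129.7.209.253 port 2050 ....
Code:       Access-Request
Identifier: 41
Attributes:
        Service-Type = Authenticate-Only
        User-Name = "fred@uh.edu"
*** Sending to 129.7.209.253 port 2050 ....
Code:       Access-Accept
Identifier: 41
Attributes:
        cisco-VPNGroupInfo = "Test"
        cisco-VPNPassword = "fred"
"""

PEER_RE = re.compile(r"^\*\*\* (?:Received from|Sending to) (\S+) port (\d+)")
ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*)$")

def parse_packets(log):
    """Split a Radiator debug log into packet dicts: peer, code, id, attrs."""
    packets = []
    for line in log.splitlines():
        m = PEER_RE.match(line)
        if m:  # a new "*** Received from / Sending to" header starts a packet
            packets.append({"peer": (m.group(1), int(m.group(2))),
                            "code": None, "id": None, "attrs": {}})
        elif not packets:
            continue
        elif line.startswith("Code:"):
            packets[-1]["code"] = line.split(":", 1)[1].strip()
        elif line.startswith("Identifier:"):
            packets[-1]["id"] = int(line.split(":", 1)[1])
        elif ATTR_RE.match(line):  # quoted string values lose their quotes
            name, value = ATTR_RE.match(line).groups()
            packets[-1]["attrs"][name] = value.strip().strip('"')
    return packets

def missing_echoes(packets, echoed=("Service-Type",)):
    """Pair each Access-Accept with the Access-Request of the same peer and
    Identifier; list request attributes the reply fails to carry back."""
    reqs = {(p["peer"], p["id"]): p for p in packets if p["code"] == "Access-Request"}
    found = []
    for rep in (p for p in packets if p["code"] == "Access-Accept"):
        req = reqs.get((rep["peer"], rep["id"]))
        for name in echoed if req else ():
            if name in req["attrs"] and name not in rep["attrs"]:
                found.append((rep["id"], name, req["attrs"][name]))
    return found
```

Feed it the real log (for example `missing_echoes(parse_packets(open("radius.log").read()))`) to see which request attributes each accept dropped.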
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.