(RADIATOR) Radiator and PIX

Robert Blayzor rblayzor at inoc.net
Tue Mar 26 08:06:56 CST 2002


The PIX is very limited in the attributes it understands from RADIUS.
To the point of frustration actually.  In fact, using the PIX with RADIUS
does nothing short of authentication only and totally ignores any return
attributes you give it. (i.e. Framed-IP-Address and any Filter-Id)

I know what the PIX docs say, and that Filter-Id is supposed to work,
but as of the PIX code 6.1(1) it simply does not.  Cisco's claim is that
it's supposed to work for RADIUS auth for internal users and not
VPN/PPTP clients.  There are many examples on how to setup the PIX with
PPTP and Radius authentication, the setup is trivial, but if you want to
do authorization, don't even bother.

I've heard that the latest PIX code, 6.1(2)?, is supposed to support some
VPN RADIUS reply attributes, but I've yet to read the software release
notes to confirm it.

Basically all you have to do on your PIX is:

aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host x.x.x.x <secret> timeout 10

And..

vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local ippool
vpdn group 1 client configuration dns x.x.x.x x.x.x.x
vpdn group 1 client configuration wins x.x.x.x
vpdn group 1 client authentication aaa RADIUS
vpdn group 1 client accounting RADIUS
vpdn group 1 pptp echo 60
vpdn enable outside


Then in Radiator:

# Match requests from the PIX by the Identifier of its <Client> clause
<Handler Client-Identifier = PIX-FW>
        <AuthBy FILE>
                # flat users file; any reply items listed there are what the PIX ignores
                Filename vpn-users
                # derive MS-MPPE-Send-Key / MS-MPPE-Recv-Key reply attributes for MS-CHAP/MPPE
                AutoMPPEKeys
        </AuthBy>
        # %L expands to LogDir
        AcctLogFileName %L/vpn-detail
</Handler>


I repeat, as of PIX software 6.1(1) it was not able to pass back RADIUS
reply attributes to set Filter-Id or even Framed-IP-Address.  As best I
could tell, the PIX completely ignores all attributes sent back to it.
All it's looking for is an accept on password.

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net

If the automobile had followed the same development cycle as the
computer, a Rolls-Royce would today cost $100, get a million miles per
gallon, and explode once a year, killing everyone inside. - Robert X.
Cringely


-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
Behalf Of Shane Malden
Sent: Tuesday, March 26, 2002 8:11 AM
To: radiator at open.com.au
Subject: (RADIATOR) Radiator and PIX


Hi. Has anyone setup a Cisco PIX to authenticate with Radiator? Do you
know if it is possible to pass back firewall settings (ACLs)? Also
configuring a PIX to allow for VPNs and authenticate with Radiator. If
anyone has any sample of either PIX or Radiator, it would be
appreciated.

Regards,
Shane

-------------------------------------------------------

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc 
on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X etc etc
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
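The thread above is about reply items (Framed-IP-Address, Filter-Id) that Radiator sends in an Access-Accept and that the PIX, as described, discards. The following is an added example, not code from the original post, from Radiator or from Cisco. It builds the Access-Accept a RADIUS server would send for such a users-file entry, then shows the two things a NAS that honours reply items has to do with it: verify the Response Authenticator (the only thing binding the reply to the NAS's own request and the shared secret) and walk the attribute list without trusting its length fields. The shared secret, identifier, user name, IP address and filter name are constructed sample values; the MS-CHAP vendor attributes a real PPTP request would carry are omitted.

```python
"""RADIUS Access-Accept with reply items, and the checks a NAS should do.

Constructed example; not Radiator's or Cisco's code. The secret, user,
IP and filter name are made-up sample values.
"""
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

# RFC 2865 packet codes and attribute types used here
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
USER_NAME = 1
NAS_IP_ADDRESS = 4
FRAMED_IP_ADDRESS = 8
FILTER_ID = 11


def encode_attr(atype, value):
    """Encode one Type-Length-Value attribute (RFC 2865 section 5)."""
    if isinstance(value, str):
        value = value.encode("utf-8")
    elif isinstance(value, IPv4Address):
        value = value.packed
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, request_auth, attrs):
    """Access-Request; the 16-byte Request Authenticator must be fresh random."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + request_auth + body


def build_access_accept(ident, request_auth, secret, attrs):
    """Access-Accept with reply items, as the RADIUS server sends it.

    Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    (MD5 is what RFC 2865 specifies here; it is not a design choice).
    """
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret):
    """NAS-side check: the reply must be bound to our request and the secret.

    Without it, anyone who can spoof the server's UDP source address can
    inject an Access-Accept, with or without reply attributes.
    """
    length = struct.unpack("!H", packet[2:4])[0]
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:length]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attrs(packet):
    """Walk the TLV list, rejecting bad lengths instead of trusting them."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, attrs


def reply_items(packet, request_auth, secret):
    """What a NAS that honours reply items applies after an Access-Accept.

    A NAS that only checks the code (the PIX 6.1(1) behaviour described
    in the post) would stop after the verify step and drop the rest.
    """
    if not verify_response(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: reply rejected")
    code, attrs = parse_attrs(packet)
    if code != ACCESS_ACCEPT:
        return None
    items = {}
    if FRAMED_IP_ADDRESS in attrs:
        items["Framed-IP-Address"] = str(IPv4Address(attrs[FRAMED_IP_ADDRESS]))
    if FILTER_ID in attrs:
        items["Filter-Id"] = attrs[FILTER_ID].decode("utf-8")
    return items


def make_sample_accept(ident, request_auth, secret):
    """Constructed reply carrying the two items the post says the PIX ignored."""
    return build_access_accept(ident, request_auth, secret, [
        (FRAMED_IP_ADDRESS, IPv4Address("10.10.10.5")),   # sample VPN address
        (FILTER_ID, "vpn-acl"),                           # sample ACL name
    ])


def demo(request_auth=None):
    """Full exchange with sample values; random authenticator unless given."""
    secret = b"s3cret-pix"                     # made-up shared secret
    request_auth = request_auth or os.urandom(16)
    ident = 0x2A
    build_access_request(ident, request_auth, [
        (USER_NAME, "shane"), (NAS_IP_ADDRESS, IPv4Address("192.0.2.1"))])
    accept = make_sample_accept(ident, request_auth, secret)
    return reply_items(accept, request_auth, secret)


if __name__ == "__main__":
    print(demo())
```

Running it prints the two reply items a NAS would apply. The tamper cases in the test below are the ones to keep in mind when a box "ignores" attributes: a reply with a bad Response Authenticator must be dropped outright, not treated as a bare accept.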

