(RADIATOR) Cisco 2611 VPN group authentication
Emilie Shoop
eshoop at ncsa.uiuc.edu
Thu Jan 23 09:15:50 CST 2003
Hugh,
You are correct about the authentication of the group first, and then the
username.
Here is the url where Cisco explains how to do it on a Cisco Radius
server.
http://www.cisco.com/en/US/tech/tk648/tk367/technologies_configuration_exampl
e09186a00800949ba.shtml
Does that help?
Thanks,
Emilie
At 08:54 PM 1/23/2003 +1100, Hugh Irvine wrote:
>Hello Emilie -
>
>Thanks for sending the trace files.
>
>I am not familiar with this aspect of the Cisco IOS, but it may be that it
>tries the group first, and then if it gets an accept it will try the
> username.
>
>You should check the Cisco web site to verify how this is supposed to
>work, then configure Radiator in consequence.
>
>If you can send me a reference to the Cisco URL I will take a look.
>
>regards
>
>Hugh
>
>On Thursday, Jan 23, 2003, at 02:18 Australia/Melbourne, Emilie Shoop wrote:
>>Thanks for the quick response.
>>
>>
>>This is the trace as I see it with the cisco configured with aaa
>>authorization network groupauthor local.
>>*** Received from x.x.x.x port 1645 ....
>>
>>Packet length = 75
>>01 f4 00 4b f1 e4 49 72 a8 e7 29 28 94 cf 2a aa
>>b2 78 13 66 04 06 8d 8e 65 36 3d 06 00 00 00 00
>>01 08 65 73 68 6f 6f 70 1f 11 31 34 31 2e 31 34
>>32 2e 31 30 32 2e 31 32 37 02 12 6a 4a a4 90 af
>>70 8d 39 bf 20 17 0d 76 d3 71 0a
>>Code: Access-Request
>>Identifier: 244
>>Authentic: <241><228>Ir<168><231>)(<148><207>*<170><178>x<19>f
>>Attributes:
>> NAS-IP-Address = x.x.x.x
>> NAS-Port-Type = Async
>> User-Name = "eshoop"
>> Calling-Station-Id = "y.y.y.y"
>> User-Password = "jJ<164><144><175>p<141>9<191>
>> <23><13>v<211>q<10>"
>>
>>Wed Jan 22 08:57:06 2003: DEBUG: Handling request with Handler
>>'NAS-IP-Address = "x.x.x.x"'
>>Wed Jan 22 08:57:06 2003: DEBUG: Deleting session for eshoop, x.x.x.x,
>>Wed Jan 22 08:57:06 2003: DEBUG: Handling with Radius::AuthFILE:
>>Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE looks for match with
>> eshoop Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE ACCEPT:
>>Wed Jan 22 08:57:06 2003: DEBUG: Access accepted for eshoop
>>Wed Jan 22 08:57:06 2003: DEBUG: Packet dump:
>>*** Sending to x.x.x.x port 1645 ....
>>
>>Packet length = 32
>>02 f4 00 20 03 f8 31 7e 5c 75 48 85 30 fd 2c ac
>>78 94 12 95 19 0c 56 50 4e 63 6c 69 65 6e 74 73
>>Code: Access-Accept
>>Identifier: 244
>>Authentic: <241><228>Ir<168><231>)(<148><207>*<170><178>x<19>f
>>Attributes:
>>
>>
>>
>>This is the trace when I changed the cisco config. from aaa authorization
>>network groupauthor local to aaa authorization network groupauthor group
>>radius.
>>
>>Wed Jan 22 09:01:39 2003: DEBUG: Packet dump:
>>*** Received from x.x.x.x port 1645 ....
>>
>>Packet length = 85
>>01 f5 00 55 4b 93 93 fd d5 84 01 d0 28 d5 84 1e
>>83 05 69 c5 04 06 8d 8e 65 36 3d 06 00 00 00 00
>>01 0c 56 50 4e 63 6c 69 65 6e 74 73 1f 11 31 34
>>31 2e 31 34 32 2e 31 30 32 2e 31 32 37 02 12 07
>>87 dc 59 24 d7 63 07 02 1f 90 c9 cf 15 cf 40 06
>>06 00 00 00 05
>>Code: Access-Request
>>Identifier: 245
>>Authentic:
>>K<147><147><253><213><132><1><208>(<213><132><30><131><5>i<197>
>>Attributes:
>> NAS-IP-Address = x.x.x.x
>> NAS-Port-Type = Async
>> User-Name = "VPNclients"
>> Calling-Station-Id = "y.y.y.y"
>> User-Password =
>> "<7><135><220>Y$<215>c<7><2><31><144><201><207><21><207>@"
>> Service-Type = Outbound-User
>>
>>Wed Jan 22 09:01:39 2003: DEBUG: Handling request with Handler
>>'NAS-IP-Address = "x.x.x.x"'
>>Wed Jan 22 09:01:39 2003: DEBUG: Deleting session for VPNclients, x.x.x.x,
>>Wed Jan 22 09:01:39 2003: DEBUG: Handling with Radius::AuthFILE:
>>Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE looks for match with
>>VPNclients
>>Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE REJECT: Bad Password
>>Wed Jan 22 09:01:39 2003: INFO: Access rejected for VPNclients: Bad
>> Password Wed Jan 22 09:01:39 2003: DEBUG: Packet dump:
>>*** Sending to 141.142.101.54 port 1645 ....
>>
>>Packet length = 36
>>03 f5 00 24 1f 66 6f de ba 0f b2 4e 6e 59 b2 0d
>>fc 53 3e ad 12 10 52 65 71 75 65 73 74 20 44 65
>>6e 69 65 64
>>Code: Access-Reject
>>Identifier: 245
>>Authentic:
>>K<147><147><253><213><132><1><208>(<213><132><30><131><5>i<197>
>>Attributes:
>> Reply-Message = "Request Denied"
>>
>>It appears to me that it tries to authenticate the group information
>>(VPNclients and password) before it prompts me for my username. This
>>fails, so I never put in my personal information. However, if I change
>>the cisco config back to group authorization locally, I can log in
>>successfully as a user named VPNclients.
>>
>>I'm not sure if this is what you were looking for or not?
>>
>>Thanks,
>>Emilie
>>
>>At 11:30 AM 1/22/2003 +1100, Hugh Irvine wrote:
>>>Hello Emilie -
>>>
>>>If the Cisco can be configured to do group authentication with radius,
>>>then it should be possible to use Radiator to deal with the requests.
>>>
>>>If you run Radiator at trace 4 you will be able to see the incoming
>>>requests and then you can configure accordingly.
>>>
>>>The simplest way to do this sort of debugging is to run radiusd from the
>>>command line and watch the log messages:
>>>
>>> perl radiusd -foreground -log_stdout -trace 4 -config_file ......
>>>
>>>If you send me a copy of the trace 4 I will try to help.
>>>
>>>regards
>>>
>>>Hugh
>>>
>>>>I was wondering if anyone had a sample Radiator config. for
>>>> authenticating the group information on a Cisco 2611, and subsequently
>>>> handing out DNS and WINS information?
>>>>
>>>>I have my Radius set up to authenticate the users, but now would like to
>>>>move the group information (for the group VPNClients) to the radius as
>>>>well.
>>>>
>>>>
>>>>Here is my Radius config:
>>>>
>>>># radius.cfg
>>>>
>>>>LogDir /services/radius/log
>>>>DbDir /services/radius/conf
>>>>BindAddress x.x.x.x
>>>>AuthPort 1812
>>>>AcctPort 1813
>>>>Trace 5
>>>>#User
>>>>#Group
>>>>
>>>>
>>>>#For VPN access
>>>><Client x.x.x.x>
>>>> Secret xxxx
>>>></Client>
>>>>
>>>># For testing: this allows us to honour requests from radpwtst on
>>>> localhost <Client localhost>
>>>> Secret mysecret
>>>> DupInterval 0
>>>></Client>
>>>>
>>>>#Look for a Realm with an exact match on the realm name
>>>>#look for a matching regular expression Realm
>>>>#look for a <Realm DEFAULT>
>>>>#look at each Handler in the order they appear
>>>>
>>>>#VPN Authentication x.x.x.x
>>>><Handler NAS-IP-Address = "x.x.x.x">
>>>> <AuthBy FILE>
>>>> Filename %D/vpn_users
>>>> </AuthBy>
>>>>
>>>></Handler>
>>>>
>>>>#Default Handler for anything not specified above
>>>><Handler>
>>>> <AuthBy FILE>
>>>> #The Filename defaults to %D/users
>>>> </AuthBy>
>>>></Handler>
>>>>
>>>>Here is my Cisco 2611 config.:
>>>>
>>>>CLIENT_VPN#sh run
>>>>
>>>>
>>>>aaa authentication login userauthen group radius
>>>>aaa authorization network groupauthor local
>>>>aaa session-id common
>>>>!
>>>>!
>>>>
>>>>crypto isakmp policy 3
>>>> encr 3des
>>>> authentication pre-share
>>>> group 2
>>>>!
>>>>crypto isakmp client configuration group VPNClients
>>>> key xxxx
>>>> dns x.x.x.x
>>>> wins x.x.x.x
>>>> domain ncsa.uiuc.edu
>>>> pool ippool
>>>>!
>>>>!
>>>>crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
>>>>!
>>>>crypto dynamic-map dynmap 10
>>>> set transform-set SET1
>>>>!
>>>>!
>>>>crypto map clientmap client authentication list userauthen
>>>>crypto map clientmap isakmp authorization list groupauthor
>>>>crypto map clientmap client configuration address respond
>>>>crypto map clientmap 10 ipsec-isakmp dynamic dynmap
>>>>!
>>>>
>>>>interface FastEthernet0/0
>>>> crypto map clientmap
>>>>!
>>>>
>>>>ip local pool ippool x.x.x.x y.y.y.y
>>>>
>>>>radius-server host x.x.x.x auth-port 1812 acct-port 1813 key xxxx
>>>>radius-server retransmit 3
>>>>call rsvp-sync
>>>>!
>>>>
>>>>
>>>>Thanks,
>>>>Emilie
>>>>
>>>>*********************************************************
>>>> Emilie Shoop Network Engineer
>>>> eshoop at ncsa.edu
>>>> Phone: 217.244.5407 Cell: 217.649.8514
>>>> National Center for Supercomputing Applications
>>>>**********************************************************
>>>>
>>>>-------------------------------------------------------
>>>>
>>>>--
>>>>Mike McCauley mikem at open.com.au
>>>>Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
>>>>24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
>>>>Phone +61 3 9598-0985 Fax +61 3 9598-0955
>>>>
>>>>Radiator: the most portable, flexible and configurable RADIUS server
>>>>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>>>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>>>>TTLS, PEAP etc on Unix, Windows, MacOS etc.
>>>>
>>>>===
>>>>Archive at http://www.open.com.au/archives/radiator/
>>>>Announcements on radiator-announce at open.com.au
>>>>To unsubscribe, email 'majordomo at open.com.au' with
>>>>'unsubscribe radiator' in the body of the message.
>>>
>>>--
>>>Radiator: the most portable, flexible and configurable RADIUS server
>>>anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
>>>-
>>>Nets: internetwork inventory and management - graphical, extensible,
>>>flexible with hardware, software, platform and database independence.
>>
>>*********************************************************
>> Emilie Shoop Network Engineer
>> eshoop at ncsa.edu
>> Phone: 217.244.5407 Cell: 217.649.8514
>> National Center for Supercomputing Applications
>>**********************************************************
>
>--
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
>-
>Nets: internetwork inventory and management - graphical, extensible,
>flexible with hardware, software, platform and database independence.
*********************************************************
Emilie Shoop Network Engineer
eshoop at ncsa.edu
Phone: 217.244.5407 Cell: 217.649.8514
National Center for Supercomputing Applications
**********************************************************
-------------------------------------------------------
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list