(RADIATOR) Cisco 2611 VPN group authentication

Hugh Irvine hugh at open.com.au
Fri Jan 24 00:12:11 CST 2003


Hello Emily -

Thanks for sending the URL.

As far as I can see, you will need to use the Cisco VPN client to make  
the connection which will first ask you for the group and the group  
password, then the username and the username password.

You should configure both the name of the group with its password and  
corresponding reply attributes, and the username and password with its  
reply attributes.

If you have any other questions, don't hesitate to ask.

regards

Hugh


On Friday, Jan 24, 2003, at 02:15 Australia/Melbourne, Emilie Shoop  
wrote:

> Hugh,
>
> You are correct about the authentication of the group first, and then  
> the username.
>
> Here is the URL where Cisco explains how to do it on a Cisco Radius server.
> http://www.cisco.com/en/US/tech/tk648/tk367/technologies_configuration_example09186a00800949ba.shtml
>
> Does that help?
>
> Thanks,
> Emilie
>
> At 08:54 PM 1/23/2003 +1100, Hugh Irvine wrote:
>
>> Hello Emilie -
>>
>> Thanks for sending the trace files.
>>
>> I am not familiar with this aspect of the Cisco IOS, but it may be  
>> that it tries the group first, and then if it gets an accept it will  
>> try the username.
>>
>> You should check the Cisco web site to verify how this is supposed to  
>> work, then configure Radiator in consequence.
>>
>> If you can send me a reference to the Cisco URL I will take a look.
>>
>> regards
>>
>> Hugh
>>
>>
>> On Thursday, Jan 23, 2003, at 02:18 Australia/Melbourne, Emilie Shoop  
>> wrote:
>>
>>> Thanks for the quick response.
>>>
>>>
>>> This is the trace as I see it with the cisco configured with aaa  
>>> authorization network groupauthor local.
>>> *** Received from x.x.x.x port 1645 ....
>>>
>>> Packet length = 75
>>> 01 f4 00 4b f1 e4 49 72 a8 e7 29 28 94 cf 2a aa
>>> b2 78 13 66 04 06 8d 8e 65 36 3d 06 00 00 00 00
>>> 01 08 65 73 68 6f 6f 70 1f 11 31 34 31 2e 31 34
>>> 32 2e 31 30 32 2e 31 32 37 02 12 6a 4a a4 90 af
>>> 70 8d 39 bf 20 17 0d 76 d3 71 0a
>>> Code:       Access-Request
>>> Identifier: 244
>>> Authentic:  <241><228>Ir<168><231>)(<148><207>*<170><178>x<19>f
>>> Attributes:
>>>         NAS-IP-Address = x.x.x.x
>>>         NAS-Port-Type = Async
>>>         User-Name = "eshoop"
>>>         Calling-Station-Id = "y.y.y.y"
>>>         User-Password = "jJ<164><144><175>p<141>9<191> <23><13>v<211>q<10>"
>>>
>>> Wed Jan 22 08:57:06 2003: DEBUG: Handling request with Handler 'NAS-IP-Address  = "x.x.x.x"'
>>> Wed Jan 22 08:57:06 2003: DEBUG:  Deleting session for eshoop, x.x.x.x,
>>> Wed Jan 22 08:57:06 2003: DEBUG: Handling with Radius::AuthFILE:
>>> Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE looks for match with eshoop
>>> Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE ACCEPT:
>>> Wed Jan 22 08:57:06 2003: DEBUG: Access accepted for eshoop
>>> Wed Jan 22 08:57:06 2003: DEBUG: Packet dump:
>>> *** Sending to x.x.x.x port 1645 ....
>>>
>>> Packet length = 32
>>> 02 f4 00 20 03 f8 31 7e 5c 75 48 85 30 fd 2c ac
>>> 78 94 12 95 19 0c 56 50 4e 63 6c 69 65 6e 74 73
>>> Code:       Access-Accept
>>> Identifier: 244
>>> Authentic:  <241><228>Ir<168><231>)(<148><207>*<170><178>x<19>f
>>> Attributes:
>>>
>>>
>>>
>>> This is the trace when I changed the cisco config. from aaa  
>>> authorization network groupauthor local to aaa authorization network  
>>> groupauthor group radius.
>>>
>>> Wed Jan 22 09:01:39 2003: DEBUG: Packet dump:
>>> *** Received from x.x.x.x port 1645 ....
>>>
>>> Packet length = 85
>>> 01 f5 00 55 4b 93 93 fd d5 84 01 d0 28 d5 84 1e
>>> 83 05 69 c5 04 06 8d 8e 65 36 3d 06 00 00 00 00
>>> 01 0c 56 50 4e 63 6c 69 65 6e 74 73 1f 11 31 34
>>> 31 2e 31 34 32 2e 31 30 32 2e 31 32 37 02 12 07
>>> 87 dc 59 24 d7 63 07 02 1f 90 c9 cf 15 cf 40 06
>>> 06 00 00 00 05
>>> Code:       Access-Request
>>> Identifier: 245
>>> Authentic:  K<147><147><253><213><132><1><208>(<213><132><30><131><5>i<197>
>>> Attributes:
>>>         NAS-IP-Address = x.x.x.x
>>>         NAS-Port-Type = Async
>>>         User-Name = "VPNclients"
>>>         Calling-Station-Id = "y.y.y.y"
>>>         User-Password = "<7><135><220>Y$<215>c<7><2><31><144><201><207><21><207>@"
>>>         Service-Type = Outbound-User
>>>
>>> Wed Jan 22 09:01:39 2003: DEBUG: Handling request with Handler 'NAS-IP-Address  = "x.x.x.x"'
>>> Wed Jan 22 09:01:39 2003: DEBUG:  Deleting session for VPNclients, x.x.x.x,
>>> Wed Jan 22 09:01:39 2003: DEBUG: Handling with Radius::AuthFILE:
>>> Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE looks for match with VPNclients
>>> Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE REJECT: Bad Password
>>> Wed Jan 22 09:01:39 2003: INFO: Access rejected for VPNclients: Bad Password
>>> Wed Jan 22 09:01:39 2003: DEBUG: Packet dump:
>>> *** Sending to 141.142.101.54 port 1645 ....
>>>
>>> Packet length = 36
>>> 03 f5 00 24 1f 66 6f de ba 0f b2 4e 6e 59 b2 0d
>>> fc 53 3e ad 12 10 52 65 71 75 65 73 74 20 44 65
>>> 6e 69 65 64
>>> Code:       Access-Reject
>>> Identifier: 245
>>> Authentic:  K<147><147><253><213><132><1><208>(<213><132><30><131><5>i<197>
>>> Attributes:
>>>         Reply-Message = "Request Denied"
>>>
>>> It appears to me that it tries to authenticate the group information  
>>> (VPNclients and password) before it prompts me for my username.   
>>> This fails, so I never put in my personal information.  However, if  
>>> I change the cisco config back to group authorization locally, I can  
>>> log in successfully as a user named VPNclients.
>>>
>>> I'm not sure if this is what you were looking for or not?
>>>
>>> Thanks,
>>> Emilie
>>>
>>> At 11:30 AM 1/22/2003 +1100, Hugh Irvine wrote:
>>>
>>>> Hello Emilie -
>>>>
>>>> If the Cisco can be configured to do group authentication with  
>>>> radius, then it should be possible to use Radiator to deal with the  
>>>> requests.
>>>>
>>>> If you run Radiator at trace 4 you will be able to see the incoming  
>>>> requests and then you can configure accordingly.
>>>>
>>>> The simplest way to do this sort of debugging is to run radiusd  
>>>> from the command line and watch the log messages:
>>>>
>>>>         perl radiusd -foreground -log_stdout -trace 4 -config_file ......
>>>>
>>>> If you send me a copy of the trace 4 I will try to help.
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>>
>>>>> I was wondering if anyone had a sample Radiator config. for authenticating
>>>>> the group information on a Cisco 2611, and subsequently handing out DNS and
>>>>> WINS information?
>>>>>
>>>>> I have my Radius set up to authenticate the users, but now would like to
>>>>> move the group information (for the group VPNClients) to the radius as well.
>>>>>
>>>>>
>>>>> Here is my Radius config:
>>>>>
>>>>> # radius.cfg
>>>>>
>>>>> LogDir /services/radius/log
>>>>> DbDir /services/radius/conf
>>>>> BindAddress x.x.x.x
>>>>> AuthPort 1812
>>>>> AcctPort 1813
>>>>> Trace   5
>>>>> #User
>>>>> #Group
>>>>>
>>>>>
>>>>> #For VPN access
>>>>> <Client x.x.x.x>
>>>>>     Secret   xxxx
>>>>> </Client>
>>>>>
>>>>> # For testing: this allows us to honour requests from radpwtst on localhost
>>>>> <Client localhost>
>>>>>     Secret mysecret
>>>>>     DupInterval 0
>>>>> </Client>
>>>>>
>>>>> #Look for a Realm with an exact match on the realm name
>>>>> #look for a matching regular expression Realm
>>>>> #look for a <Realm DEFAULT>
>>>>> #look at each Handler in the order they appear
>>>>>
>>>>> #VPN Authentication x.x.x.x
>>>>> <Handler NAS-IP-Address  = "x.x.x.x">
>>>>>     <AuthBy FILE>
>>>>>          Filename   %D/vpn_users
>>>>>     </AuthBy>
>>>>>
>>>>> </Handler>
>>>>>
>>>>> #Default Handler for anything not specified above
>>>>> <Handler>
>>>>>     <AuthBy FILE>
>>>>>     #The Filename defaults to %D/users
>>>>>     </AuthBy>
>>>>> </Handler>
>>>>>
>>>>> Here is my Cisco 2611 config.:
>>>>>
>>>>> CLIENT_VPN#sh run
>>>>>
>>>>>
>>>>> aaa authentication login userauthen group radius
>>>>> aaa authorization network groupauthor local
>>>>> aaa session-id common
>>>>> !
>>>>> !
>>>>>
>>>>> crypto isakmp policy 3
>>>>>   encr 3des
>>>>>   authentication pre-share
>>>>>   group 2
>>>>> !
>>>>> crypto isakmp client configuration group VPNClients
>>>>>   key xxxx
>>>>>   dns x.x.x.x
>>>>>   wins x.x.x.x
>>>>>   domain ncsa.uiuc.edu
>>>>>   pool ippool
>>>>> !
>>>>> !
>>>>> crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
>>>>> !
>>>>> crypto dynamic-map dynmap 10
>>>>>   set transform-set SET1
>>>>> !
>>>>> !
>>>>> crypto map clientmap client authentication list userauthen
>>>>> crypto map clientmap isakmp authorization list groupauthor
>>>>> crypto map clientmap client configuration address respond
>>>>> crypto map clientmap 10 ipsec-isakmp dynamic dynmap
>>>>> !
>>>>>
>>>>> interface FastEthernet0/0
>>>>>   crypto map clientmap
>>>>> !
>>>>>
>>>>> ip local pool ippool x.x.x.x y.y.y.y
>>>>>
>>>>> radius-server host x.x.x.x auth-port 1812 acct-port 1813 key xxxx
>>>>> radius-server retransmit 3
>>>>> call rsvp-sync
>>>>> !
>>>>>
>>>>>
>>>>> Thanks,
>>>>> Emilie
>>>>>
>>>>> *********************************************************
>>>>>    Emilie Shoop             Network Engineer
>>>>>    eshoop at ncsa.edu
>>>>>    Phone:  217.244.5407             Cell:  217.649.8514
>>>>>    National Center for Supercomputing Applications
>>>>> **********************************************************
>>>>>
>>>>> -------------------------------------------------------
>>>>>
>>>>> --
>>>>> Mike McCauley                               mikem at open.com.au
>>>>> Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
>>>>> 24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
>>>>> Phone +61 3 9598-0985                       Fax   +61 3 9598-0955
>>>>>
>>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>>>>> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>>>>>
>>>>> ===
>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>> Announcements on radiator-announce at open.com.au
>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>> 'unsubscribe radiator' in the body of the message.
>>>>
>>>> --
>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
>>>> -
>>>> Nets: internetwork inventory and management - graphical, extensible,
>>>> flexible with hardware, software, platform and database  
>>>> independence.
>>>
>>
>

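The two entries Hugh describes, written out for the vpn_users file that Emilie's NAS-IP-Address Handler already reads (an added example, not from the thread or from Radiator's own distribution). It assumes the Radiator dictionary defines cisco-avpair (Cisco VSA 1), that IOS sends the fixed password cisco together with Service-Type = Outbound-User for the group authorization request as Cisco's group-authorization documentation describes, and that the ipsec: avpair names are the ones from Cisco's Easy VPN RADIUS attribute list; the pre-shared key, server addresses and user password are placeholders.

```text
# vpn_users (Radiator users file, read by AuthBy FILE with Filename %D/vpn_users)
#
# Group entry. The name must match the User-Name exactly as it arrives in the
# trace ("VPNclients"), not the "VPNClients" spelled in the router config.
# The Service-Type check item restricts this entry to the router's group
# authorization request, so nobody can log in as a user called VPNclients.
VPNclients	User-Password = "cisco", Service-Type = Outbound-User
	cisco-avpair = "ipsec:key-exchange=ike",
	cisco-avpair = "ipsec:tunnel-password=GROUP_PRESHARED_KEY_PLACEHOLDER",
	cisco-avpair = "ipsec:addr-pool=ippool",
	cisco-avpair = "ipsec:dns-servers=x.x.x.x",
	cisco-avpair = "ipsec:wins-servers=x.x.x.x",
	cisco-avpair = "ipsec:default-domain=ncsa.uiuc.edu"

# User entry for the Xauth step that follows a successful group authorization.
eshoop	User-Password = "USER_PASSWORD_PLACEHOLDER"
```

The tunnel-password avpair is an ordinary string VSA, so unlike User-Password it crosses the wire in the clear inside the Access-Accept; keep the RADIUS path to the router on a trusted network and restrict read access to vpn_users accordingly.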