(RADIATOR) Cisco 2611 VPN group authentication

Hugh Irvine hugh at open.com.au
Sat Jan 25 01:01:50 CST 2003


Hello Emilie -

I can only think that the shared secret is incorrect between the Cisco 
and Radiator.

Please check the shared secrets and if still unsuccessful please send 
me a trace 5 debug together with the real passwords and the shared 
secrets so we can check that they are correctly encrypted.

regards

Hugh
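Hugh's diagnosis rests on how RADIUS hides User-Password (RFC 2865 section 5.2): the NAS XORs the password with MD5(shared secret + Request Authenticator), so a server configured with a different secret decodes it to garbage and AuthBy FILE reports "Bad Password" even though the entry for VPNclients exists. The following Python is added here as an illustration and is not code from Radiator or from anyone in this thread; the secret "xxxx", the authenticator and the users table are constructed values.

```python
import hashlib

# Constructed sample values (not taken from the trace on this page).
REQ_AUTH = bytes(range(16))                    # 16-byte Request Authenticator
NAS_SECRET = b"xxxx"                           # key configured on the Cisco
USERS_FILE = {"VPNclients": b"grouppassword"}  # hypothetical vpn_users entry


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a multiple of 16, then XOR each block with
    MD5(secret + previous block); the first 'previous block' is the
    Request Authenticator. This is what the NAS does before sending."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse: the chaining value is the previous *hidden* block, so the
    server needs only the shared secret and the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def file_auth(user: str, hidden: bytes, authenticator: bytes,
              server_secret: bytes, users: dict) -> str:
    """Mimics an AuthBy FILE decision: look the user up, decode the
    User-Password with the *server's* secret and compare."""
    if user not in users:
        return "REJECT: No such user"
    if reveal_password(hidden, server_secret, authenticator) != users[user]:
        return "REJECT: Bad Password"
    return "ACCEPT"


def demo() -> tuple:
    hidden = hide_password(USERS_FILE["VPNclients"], NAS_SECRET, REQ_AUTH)
    same = file_auth("VPNclients", hidden, REQ_AUTH, NAS_SECRET, USERS_FILE)
    # Same user entry and same password on the NAS side, but Radiator's
    # <Client> Secret differs by one character: the symptom in the trace.
    wrong = file_auth("VPNclients", hidden, REQ_AUTH, b"xxxy", USERS_FILE)
    return same, wrong  # -> ('ACCEPT', 'REJECT: Bad Password')
```

The same decode, run over a trace 5 dump with the real secret and password, is the check Hugh asks for above: if it does not reproduce the users-file password, the secrets differ.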


On Saturday, Jan 25, 2003, at 08:29 Australia/Melbourne, Emilie Shoop wrote:

>
> Hugh,
>
> I've tried every way I can think of to make this work today.  I was at 
> first assuming that since it finds the user "VPNclients" (which is the 
> group name) in the user file, that it should be able to authenticate 
> the group with the user file.  Here is the trace that is making me 
> think that way.  However, I get Bad Password...which I know is 
> correct.  I can log in as the user VPNclients with the same password, 
> when I turn the group authentication on locally on the router.
>
> Code:       Access-Request
> Identifier: 14
> Authentic:  <215>iw<236><189><145><29>N=<236><16><243><245>\<171><145>
> Attributes:
>         NAS-IP-Address = x.x.x.x
>         NAS-Port-Type = Async
>         User-Name = "VPNclients"
>         Calling-Station-Id = "y.y.y.y"
>         User-Password = "|<20>RIQ)5<175>MV<196><21><190><191>5<198>"
>         Service-Type = Outbound-User
>
> Fri Jan 24 15:26:59 2003: DEBUG: Handling request with Handler 
> 'NAS-IP-Address  = "x.x.x.x"'
> Fri Jan 24 15:26:59 2003: DEBUG:  Deleting session for VPNclients, 
> x.x.x.x,
> Fri Jan 24 15:26:59 2003: DEBUG: Handling with Radius::AuthFILE:
> Fri Jan 24 15:26:59 2003: DEBUG: Radius::AuthFILE looks for match with 
> VPNclients
> Fri Jan 24 15:26:59 2003: DEBUG: Radius::AuthFILE REJECT: Bad Password
> Fri Jan 24 15:26:59 2003: INFO: Access rejected for VPNclients: Bad 
> Password
> Fri Jan 24 15:26:59 2003: DEBUG: Packet dump:
> *** Sending to 141.142.101.54 port 1645 ....
> Code:       Access-Reject
> Identifier: 14
> Authentic:  <215>iw<236><189><145><29>N=<236><16><243><245>\<171><145>
> Attributes:
>         Reply-Message = "Request Denied"
>
> I tried to create a group that was called VPNclients with the right 
> password, but was unsuccessful in figuring that out.
>
> Any ideas?
>
> Thanks,
> Emilie
>
>
>
>
> At 05:12 PM 1/24/2003 +1100, Hugh Irvine wrote:
>
>> Hello Emily -
>>
>> Thanks for sending the URL.
>>
>> As far as I can see, you will need to use the Cisco VPN client to make
>> the connection which will first ask you for the group and the group
>> password, then the username and the username password.
>>
>> You should configure both the name of the group with its password and
>> corresponding reply attributes, and the username and password with its
>> reply attributes.
>>
>> If you have any other questions, don't hesitate to ask.
>>
>> regards
>>
>> Hugh
>>
>>
>> On Friday, Jan 24, 2003, at 02:15 Australia/Melbourne, Emilie Shoop wrote:
>>
>>> Hugh,
>>>
>>> You are correct about the authentication of the group first, and then
>>> the username.
>>>
>>> Here is the url where Cisco explains how to do it on a Cisco Radius
>>> server.
>>> http://www.cisco.com/en/US/tech/tk648/tk367/ 
>>> technologies_configuration_example09186a00800949ba.shtml
>>>
>>> Does that help?
>>>
>>> Thanks,
>>> Emilie
>>>
>>> At 08:54 PM 1/23/2003 +1100, Hugh Irvine wrote:
>>>
>>>> Hello Emilie -
>>>>
>>>> Thanks for sending the trace files.
>>>>
>>>> I am not familiar with this aspect of the Cisco IOS, but it may be
>>>> that it tries the group first, and then if it gets an accept it will
>>>> try the username.
>>>>
>>>> You should check the Cisco web site to verify how this is supposed to
>>>> work, then configure Radiator in consequence.
>>>>
>>>> If you can send me a reference to the Cisco URL I will take a look.
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On Thursday, Jan 23, 2003, at 02:18 Australia/Melbourne, Emilie Shoop
>>>> wrote:
>>>>
>>>>> Thanks for the quick response.
>>>>>
>>>>>
>>>>> This is the trace as I see it with the cisco configured with aaa
>>>>> authorization network groupauthor local.
>>>>> *** Received from x.x.x.x port 1645 ....
>>>>>
>>>>> Packet length = 75
>>>>> 01 f4 00 4b f1 e4 49 72 a8 e7 29 28 94 cf 2a aa
>>>>> b2 78 13 66 04 06 8d 8e 65 36 3d 06 00 00 00 00
>>>>> 01 08 65 73 68 6f 6f 70 1f 11 31 34 31 2e 31 34
>>>>> 32 2e 31 30 32 2e 31 32 37 02 12 6a 4a a4 90 af
>>>>> 70 8d 39 bf 20 17 0d 76 d3 71 0a
>>>>> Code:       Access-Request
>>>>> Identifier: 244
>>>>> Authentic:  <241><228>Ir<168><231>)(<148><207>*<170><178>x<19>f
>>>>> Attributes:
>>>>>         NAS-IP-Address = x.x.x.x
>>>>>         NAS-Port-Type = Async
>>>>>         User-Name = "eshoop"
>>>>>         Calling-Station-Id = "y.y.y.y"
>>>>>         User-Password = "jJ<164><144><175>p<141>9<191>
>>>>> <23><13>v<211>q<10>"
>>>>>
>>>>> Wed Jan 22 08:57:06 2003: DEBUG: Handling request with Handler
>>>>> 'NAS-IP-Address  = "x.x.x.x"'
>>>>> Wed Jan 22 08:57:06 2003: DEBUG:  Deleting session for eshoop,
>>>>> x.x.x.x,
>>>>> Wed Jan 22 08:57:06 2003: DEBUG: Handling with Radius::AuthFILE:
>>>>> Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE looks for match
>>>>> with eshoop
>>>>> Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE ACCEPT:
>>>>> Wed Jan 22 08:57:06 2003: DEBUG: Access accepted for eshoop
>>>>> Wed Jan 22 08:57:06 2003: DEBUG: Packet dump:
>>>>> *** Sending to x.x.x.x port 1645 ....
>>>>>
>>>>> Packet length = 32
>>>>> 02 f4 00 20 03 f8 31 7e 5c 75 48 85 30 fd 2c ac
>>>>> 78 94 12 95 19 0c 56 50 4e 63 6c 69 65 6e 74 73
>>>>> Code:       Access-Accept
>>>>> Identifier: 244
>>>>> Authentic:  <241><228>Ir<168><231>)(<148><207>*<170><178>x<19>f
>>>>> Attributes:
>>>>>
>>>>>
>>>>>
>>>>> This is the trace when I changed the cisco config. from aaa
>>>>> authorization network groupauthor local to aaa authorization network
>>>>> groupauthor group radius.
>>>>>
>>>>> Wed Jan 22 09:01:39 2003: DEBUG: Packet dump:
>>>>> *** Received from x.x.x.x port 1645 ....
>>>>>
>>>>> Packet length = 85
>>>>> 01 f5 00 55 4b 93 93 fd d5 84 01 d0 28 d5 84 1e
>>>>> 83 05 69 c5 04 06 8d 8e 65 36 3d 06 00 00 00 00
>>>>> 01 0c 56 50 4e 63 6c 69 65 6e 74 73 1f 11 31 34
>>>>> 31 2e 31 34 32 2e 31 30 32 2e 31 32 37 02 12 07
>>>>> 87 dc 59 24 d7 63 07 02 1f 90 c9 cf 15 cf 40 06
>>>>> 06 00 00 00 05
>>>>> Code:       Access-Request
>>>>> Identifier: 245
>>>>> Authentic:
>>>>> K<147><147><253><213><132><1><208>(<213><132><30><131><5>i<197>
>>>>> Attributes:
>>>>>         NAS-IP-Address = x.x.x.x
>>>>>         NAS-Port-Type = Async
>>>>>         User-Name = "VPNclients"
>>>>>         Calling-Station-Id = "y.y.y.y"
>>>>>         User-Password =
>>>>> "<7><135><220>Y$<215>c<7><2><31><144><201><207><21><207>@"
>>>>>         Service-Type = Outbound-User
>>>>>
>>>>> Wed Jan 22 09:01:39 2003: DEBUG: Handling request with Handler
>>>>> 'NAS-IP-Address  = "x.x.x.x"'
>>>>> Wed Jan 22 09:01:39 2003: DEBUG:  Deleting session for VPNclients,
>>>>> x.x.x.x,
>>>>> Wed Jan 22 09:01:39 2003: DEBUG: Handling with Radius::AuthFILE:
>>>>> Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE looks for match
>>>>> with VPNclients
>>>>> Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE REJECT: Bad
>>>>> Password
>>>>> Wed Jan 22 09:01:39 2003: INFO: Access rejected for VPNclients: Bad
>>>>> Password
>>>>> Wed Jan 22 09:01:39 2003: DEBUG: Packet dump:
>>>>> *** Sending to 141.142.101.54 port 1645 ....
>>>>>
>>>>> Packet length = 36
>>>>> 03 f5 00 24 1f 66 6f de ba 0f b2 4e 6e 59 b2 0d
>>>>> fc 53 3e ad 12 10 52 65 71 75 65 73 74 20 44 65
>>>>> 6e 69 65 64
>>>>> Code:       Access-Reject
>>>>> Identifier: 245
>>>>> Authentic:
>>>>> K<147><147><253><213><132><1><208>(<213><132><30><131><5>i<197>
>>>>> Attributes:
>>>>>         Reply-Message = "Request Denied"
>>>>>
>>>>> It appears to me that it tries to authenticate the group information
>>>>> (VPNclients and password) before it prompts me for my username.
>>>>> This fails, so I never put in my personal information.  However, if
>>>>> I change the cisco config back to group authorization locally, I can
>>>>> log in successfully as a user named VPNclients.
>>>>>
>>>>> I'm not sure if this is what you were looking for or not?
>>>>>
>>>>> Thanks,
>>>>> Emilie
>>>>>
>>>>> At 11:30 AM 1/22/2003 +1100, Hugh Irvine wrote:
>>>>>
>>>>>> Hello Emilie -
>>>>>>
>>>>>> If the Cisco can be configured to do group authentication with
>>>>>> radius, then it should be possible to use Radiator to deal with the
>>>>>> requests.
>>>>>>
>>>>>> If you run Radiator at trace 4 you will be able to see the incoming
>>>>>> requests and then you can configure accordingly.
>>>>>>
>>>>>> The simplest way to do this sort of debugging is to run radiusd
>>>>>> from the command line and watch the log messages:
>>>>>>
>>>>>>         perl radiusd -foreground -log_stdout -trace 4 -config_file
>>>>>> ......
>>>>>>
>>>>>> If you send me a copy of the trace 4 I will try to help.
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Hugh
>>>>>>
>>>>>>
>>>>>>
>>>>>>> I was wondering if anyone had a sample Radiator config. for
>>>>>>> authenticating the group information on a Cisco 2611, and
>>>>>>> subsequently handing out DNS and WINS information?
>>>>>>>
>>>>>>> I have my Radius set up to authenticate the users, but now would
>>>>>>> like to move the group information (for the group VPNClients) to the
>>>>>>> radius as well.
>>>>>>>
>>>>>>>
>>>>>>> Here is my Radius config:
>>>>>>>
>>>>>>> # radius.cfg
>>>>>>>
>>>>>>> LogDir /services/radius/log
>>>>>>> DbDir /services/radius/conf
>>>>>>> BindAddress x.x.x.x
>>>>>>> AuthPort 1812
>>>>>>> AcctPort 1813
>>>>>>> Trace   5
>>>>>>> #User
>>>>>>> #Group
>>>>>>>
>>>>>>>
>>>>>>> #For VPN access
>>>>>>> <Client x.x.x.x>
>>>>>>>     Secret   xxxx
>>>>>>> </Client>
>>>>>>>
>>>>>>> # For testing: this allows us to honour requests from radpwtst on
>>>>>>> localhost
>>>>>>> <Client localhost>
>>>>>>>     Secret mysecret
>>>>>>>     DupInterval 0
>>>>>>> </Client>
>>>>>>>
>>>>>>> #Look for a Realm with an exact match on the realm name
>>>>>>> #look for a matching regular expression Realm
>>>>>>> #look for a <Realm DEFAULT>
>>>>>>> #look at each Handler in the order they appear
>>>>>>>
>>>>>>> #VPN Authentication x.x.x.x
>>>>>>> <Handler NAS-IP-Address  = "x.x.x.x">
>>>>>>>     <AuthBy FILE>
>>>>>>>          Filename   %D/vpn_users
>>>>>>>     </AuthBy>
>>>>>>>
>>>>>>> </Handler>
>>>>>>>
>>>>>>> #Default Handler for anything not specified above
>>>>>>> <Handler>
>>>>>>>     <AuthBy FILE>
>>>>>>>     #The Filename defaults to %D/users
>>>>>>>     </AuthBy>
>>>>>>> </Handler>
>>>>>>>
>>>>>>> Here is my Cisco 2611 config.:
>>>>>>>
>>>>>>> CLIENT_VPN#sh run
>>>>>>>
>>>>>>>
>>>>>>> aaa authentication login userauthen group radius
>>>>>>> aaa authorization network groupauthor local
>>>>>>> aaa session-id common
>>>>>>> !
>>>>>>> !
>>>>>>>
>>>>>>> crypto isakmp policy 3
>>>>>>>   encr 3des
>>>>>>>   authentication pre-share
>>>>>>>   group 2
>>>>>>> !
>>>>>>> crypto isakmp client configuration group VPNClients
>>>>>>>   key xxxx
>>>>>>>   dns x.x.x.x
>>>>>>>   wins x.x.x.x
>>>>>>>   domain ncsa.uiuc.edu
>>>>>>>   pool ippool
>>>>>>> !
>>>>>>> !
>>>>>>> crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
>>>>>>> !
>>>>>>> crypto dynamic-map dynmap 10
>>>>>>>   set transform-set SET1
>>>>>>> !
>>>>>>> !
>>>>>>> crypto map clientmap client authentication list userauthen
>>>>>>> crypto map clientmap isakmp authorization list groupauthor
>>>>>>> crypto map clientmap client configuration address respond
>>>>>>> crypto map clientmap 10 ipsec-isakmp dynamic dynmap
>>>>>>> !
>>>>>>>
>>>>>>> interface FastEthernet0/0
>>>>>>>   crypto map clientmap
>>>>>>> !
>>>>>>>
>>>>>>> ip local pool ippool x.x.x.x y.y.y.y
>>>>>>>
>>>>>>> radius-server host x.x.x.x auth-port 1812 acct-port 1813 key xxxx
>>>>>>> radius-server retransmit 3
>>>>>>> call rsvp-sync
>>>>>>> !
>>>>>>>
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Emilie
>>>>>>>
>>>>>>> *********************************************************
>>>>>>>    Emilie Shoop             Network Engineer
>>>>>>>    eshoop at ncsa.edu
>>>>>>>    Phone:  217.244.5407             Cell:  217.649.8514
>>>>>>>    National Center for Supercomputing Applications
>>>>>>> **********************************************************
>>>>>>>
>>>>>>> -------------------------------------------------------
>>>>>>>
>>>>>>> --
>>>>>>> Mike McCauley                               mikem at open.com.au
>>>>>>> Open System Consultants Pty. Ltd            Unix, Perl, Motif,
>>>>>>> C++, WWW
>>>>>>> 24 Bateman St Hampton, VIC 3188 Australia   
>>>>>>> http://www.open.com.au
>>>>>>> Phone +61 3 9598-0985                       Fax   +61 3 9598-0955
>>>>>>>
>>>>>>> Radiator: the most portable, flexible and configurable RADIUS
>>>>>>> server
>>>>>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT,
>>>>>>> Emerald,
>>>>>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, 
>>>>>>> EAP,
>>>>>>> TLS,
>>>>>>> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>>>>>>>
>>>>>>> ===
>>>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>>>> Announcements on radiator-announce at open.com.au
>>>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>>>> 'unsubscribe radiator' in the body of the message.
