(RADIATOR) Radiator and Watchguard Firewall VPN
Bostic, Chuck
ACCBosti at nmhg.com
Tue Apr 20 07:08:15 CDT 2004
Hugh/all others,
We had discovered the "AutoMPPEKeys" ourselves, and it works great. I have 1
other question at this point. Can we restrict the validation to members of 1
or more NT Groups? I would like to thank all of you for your replies. They
are very helpful.
Chuck
-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Monday, April 19, 2004 8:40 PM
To: Chuck Bostic
Cc: 'radiator at open.com.au'
Subject: Re: (RADIATOR) Radiator and Watchguard Firewall VPN
Hello Chuck -
Actually, you should use AutoMPPEKeys in the AuthBy clause instead.
Apologies for the confusion.
AutoMPPEKeys
AddToReply Filter-Id = pptp_users
regards
Hugh
On 20 Apr 2004, at 09:47, Hugh Irvine wrote:
>
> Hello Chuck -
>
> You should use a single AddToReply as follows:
>
> AddToReply Filter-Id = pptp_users, \
> MS-MPPE-Recv-Key = ....., \
> MS-MPPE-Send-Key = ........
>
> You will need to set the keys as required by your client.
>
> See sections 13.2.5 and 13.2.6 in the Radiator 3.9 reference manual
> ("doc/ref.html").
>
> regards
>
> Hugh
>
>
>
> On 20 Apr 2004, at 02:03, Bostic, Chuck wrote:
>
>>
>> Hugh,
>> I added the AddToReply as you suggested and then got another error
>> from my
>> Watchguard box asking for two additional parameters..
>> I then added 2 additional AddToReply statements as shown in my
>> config. I got
>> the following error in the trace. My config is quite simple as I am
>> still
>> testing and evaluating the product.
>> Chuck
>>
>> Foreground
>> LogStdout
>> LogDir c:/program files/radiator
>> DbDir c:/program files/radiator
>> # User a lower trace level in production systems:
>> Trace 4
>>
>> # You will probably want to add other Clients to suit your site,
>> # one for each NAS you want to work with
>> <Client DEFAULT>
>> Secret
>> DupInterval 0
>> </Client>
>>
>> <Realm DEFAULT>
>> <AuthBy LSA>
>> # Specifies which Windows Domain is to be used to
>> authenticate
>> # users. Empty string means the local machine only
>> # Special characters are supported. Can be an Active
>> # directory domain or a Windows NT domain controller
>>
>> Domain nmhgmcz1
>> AddToReply Filter-Id = pptp_users
>> AddToReply MS-MPPE-Recv-Key
>> AddToReply MS-MPPE-Send-Key
>>
>> # Empty string (the default) means the local machine
>> #Domain OPEN
>>
>> # This specifies the workstation to the LSA. It might be
>> used to check
>> # whether the the user is permitted to log in. If the user
>> has any
>> # workstation logon restrictions, this is the name that it
>> # will be checked against. Defaults to 'Radiator'
>> #Workstation WLAN
>>
>> # If you specify EAPType LEAP, you can also handle
>> # Cisco LEAP with any LSA native authentication
>> EAPType LEAP
>> </AuthBy>
>> </Realm>
>>
>> Mon Apr 19 10:44:57 2004: DEBUG: Handling request with Handler
>> 'Realm=DEFAULT'
>> Mon Apr 19 10:44:57 2004: DEBUG: Deleting session for accbosti,
>> 172.19.12.5, 216
>> Mon Apr 19 10:44:57 2004: DEBUG: Handling with Radius::AuthLSA:
>> Mon Apr 19 10:44:57 2004: DEBUG: Radius::AuthLSA looks for match with
>> accbosti
>> Mon Apr 19 10:44:57 2004: DEBUG: Radius::AuthLSA ACCEPT:
>> Mon Apr 19 10:44:57 2004: DEBUG: Access accepted for accbosti
>> Mon Apr 19 10:44:57 2004: DEBUG: Packet dump:
>> *** Sending to 172.19.12.5 port 1241 ....
>> Code: Access-Accept
>> Identifier: 116
>> Authentic: t<147><155>y<29>%kk<231>op<186><163>7=@
>> Attributes:
>> MS-CHAP2-Success = "<129>S=B9C1E1458CB11D3A2A189350CC834FEE21C60AA5"
>> Filter-Id = "pptp_users"
>>
>> Mon Apr 19 10:47:42 2004: DEBUG: Finished reading configuration file
>> 'C:\Program Files\Radiator\radius.cfg'
>> Mon Apr 19 10:47:42 2004: DEBUG: Reading dictionary file 'c:/program
>> files/radiator/dictionary'
>> Mon Apr 19 10:47:43 2004: DEBUG: Creating authentication port
>> 0.0.0.0:1645
>> Mon Apr 19 10:47:43 2004: DEBUG: Creating accounting port 0.0.0.0:1646
>> Mon Apr 19 10:47:43 2004: NOTICE: Server started: Radiator 3.8 on
>> acmutil
>> (EVALUATION)
>> Mon Apr 19 10:48:03 2004: DEBUG: Packet dump:
>> *** Received from 172.19.12.5 port 1249 ....
>> Code: Access-Request
>> Identifier: 40
>> Authentic: (4`<25><221><226>zT<248><239><30>r<5><228>Z<222>
>> Attributes:
>> User-Name = "accbosti"
>> MS-CHAP-Challenge = "<133><177>^`<15><9>_Xa<13><155><189>NH<141>M"
>> MS-CHAP2-Response =
>> "<129><0><211><133><211>5+<9><163>Z<128>Gc<221><5><229><208>g<0><0><0>
>> <0><0>
>> <0><0><0><179><255><6>;f<156>EX/0<156>-
>> <239><157><137>|i<193><23><30>b<206>^
>> <8>"
>> NAS-Identifier = "firebox"
>> NAS-Port = 224
>> NAS-Port-Type = Virtual
>> Service-Type = Authenticate-Only
>>
>> Mon Apr 19 10:48:03 2004: DEBUG: Handling request with Handler
>> 'Realm=DEFAULT'
>> Mon Apr 19 10:48:03 2004: DEBUG: Deleting session for accbosti,
>> 172.19.12.5, 224
>> Mon Apr 19 10:48:03 2004: DEBUG: Handling with Radius::AuthLSA:
>> Mon Apr 19 10:48:03 2004: DEBUG: Radius::AuthLSA looks for match with
>> accbosti
>> Mon Apr 19 10:48:03 2004: DEBUG: Radius::AuthLSA ACCEPT:
>> Mon Apr 19 10:48:03 2004: ERR: Bad attribute=value pair:
>> MS-MPPE-Send-Key
>> Mon Apr 19 10:48:03 2004: DEBUG: Access accepted for accbosti
>> Mon Apr 19 10:48:03 2004: DEBUG: Packet dump:
>> *** Sending to 172.19.12.5 port 1249 ....
>> Code: Access-Accept
>> Identifier: 40
>> Authentic: (4`<25><221><226>zT<248><239><30>r<5><228>Z<222>
>> Attributes:
>> MS-CHAP2-Success = "<129>S=6AB960FA6FA3203ABB8C423B5C8C7CBD594464D3"
>>
>> Mon Apr 19 10:48:26 2004: DEBUG: Packet dump:
>> *** Received from 172.19.12.5 port 1271 ....
>> Code: Access-Request
>> Identifier: 219
>> Authentic:
>> <219><31><175>i<177><173><165><197><24>1<186>x<185><236><178><204>
>> Attributes:
>> User-Name = "accbosti"
>> MS-CHAP-Challenge =
>> "<29>s<194>o<187><23>P<7>p<187><133>D<200><199><163><152>"
>> MS-CHAP2-Response =
>> "<129><0>M<180><199><166><149><212><166>wW<149>j<153>U5<255><243><0><0
>> ><0><0
>>> <0><0><0><0><178>s<234><28><23><17>G<253><253><9>4`S<136><159><249><2
>>> 7><134
>>> <191>e<167><179><249><197>"
>> NAS-Identifier = "firebox"
>> NAS-Port = 246
>> NAS-Port-Type = Virtual
>> Service-Type = Authenticate-Only
>>
>> Mon Apr 19 10:48:26 2004: DEBUG: Handling request with Handler
>> 'Realm=DEFAULT'
>> Mon Apr 19 10:48:26 2004: DEBUG: Deleting session for accbosti,
>> 172.19.12.5, 246
>> Mon Apr 19 10:48:26 2004: DEBUG: Handling with Radius::AuthLSA:
>> Mon Apr 19 10:48:26 2004: DEBUG: Radius::AuthLSA looks for match with
>> accbosti
>> Mon Apr 19 10:48:26 2004: DEBUG: Radius::AuthLSA ACCEPT:
>> Mon Apr 19 10:48:26 2004: ERR: Bad attribute=value pair:
>> MS-MPPE-Send-Key
>> Mon Apr 19 10:48:26 2004: DEBUG: Access accepted for accbosti
>> Mon Apr 19 10:48:26 2004: DEBUG: Packet dump:
>> *** Sending to 172.19.12.5 port 1271 ....
>> Code: Access-Accept
>> Identifier: 219
>> Authentic:
>> <219><31><175>i<177><173><165><197><24>1<186>x<185><236><178><204>
>> Attributes:
>> MS-CHAP2-Success = "<129>S=3B934C54628133FC74EA3CE923416DDA5CA74873"
>>
>> Mon Apr 19 10:49:23 2004: DEBUG: Packet dump:
>> *** Received from 172.19.12.5 port 1289 ....
>> Code: Access-Request
>> Identifier: 91
>> Authentic:
>> [o<143>k<187><180><221><222><179><248>l<192>R<161><246><254>
>> Attributes:
>> User-Name = "accbosti"
>> MS-CHAP-Challenge =
>> "<28>+<29><138><7>E;<223>h<219>G<13><141><159><186>l"
>> MS-CHAP2-Response =
>> "<129><0><211>(a<133>dO<247><171><250><177>a5<199><221>`<221><0><0><0>
>> <0><0>
>> <0><0><0><162>i<159><166><215><221><22><139><17>%9<208><150>?,7<249>$<
>> 146><1
>> 4><148><128><221>z"
>> NAS-Identifier = "firebox"
>> NAS-Port = 264
>> NAS-Port-Type = Virtual
>> Service-Type = Authenticate-Only
>>
>> Mon Apr 19 10:49:23 2004: DEBUG: Handling request with Handler
>> 'Realm=DEFAULT'
>> Mon Apr 19 10:49:23 2004: DEBUG: Deleting session for accbosti,
>> 172.19.12.5, 264
>> Mon Apr 19 10:49:23 2004: DEBUG: Handling with Radius::AuthLSA:
>> Mon Apr 19 10:49:23 2004: DEBUG: Radius::AuthLSA looks for match with
>> accbosti
>> Mon Apr 19 10:49:23 2004: DEBUG: Radius::AuthLSA ACCEPT:
>> Mon Apr 19 10:49:23 2004: ERR: Bad attribute=value pair:
>> MS-MPPE-Send-Key
>> Mon Apr 19 10:49:23 2004: DEBUG: Access accepted for accbosti
>> Mon Apr 19 10:49:23 2004: DEBUG: Packet dump:
>> *** Sending to 172.19.12.5 port 1289 ....
>> Code: Access-Accept
>> Identifier: 91
>> Authentic:
>> [o<143>k<187><180><221><222><179><248>l<192>R<161><246><254>
>> Attributes:
>> MS-CHAP2-Success = "<129>S=AC0BC372584D6D4F71CF3F8B023C2F2FEC6285CC"
>>
>> -----Original Message-----
>> From: Hugh Irvine [mailto:hugh at open.com.au]
>> Sent: Friday, April 16, 2004 6:22 PM
>> To: Bostic, Chuck
>> Cc: 'radiator at open.com.au'
>> Subject: Re: (RADIATOR) Radiator and Watchguard Firewall VPN
>>
>>
>>
>> Hello Chuck -
>>
>> I will need to see a copy of your configuration file and a trace 4
>> debug from Radiator showing what is happening.
>>
>> You can return a Filter-Id with something like this:
>>
>> <AuthBy LSA>
>> .....
>> AddToReply Filter-Id = pptp_user
>> </AuthBy>
>>
>> regards
>>
>> Hugh
>>
>>
>> On 17 Apr 2004, at 05:56, Bostic, Chuck wrote:
>>
>>> I have Radiator installed on a Win2k server using Authby LSA
>>> validating user
>>> on an NT4.0 Primary Domain controller. I am trying to use a dial-up
>>> connection to a Watchguard firewall VPN. The error I see is on the
>>> Watchguard log, rejecting the connection because something is not
>>> matching a
>>> filter-id of pptp_user. Has any one experienced this and is there a
>>> solution?
>>> Chuck
>>>
>>> --
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>
>> NB: have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list