(RADIATOR) Radiator and Watchguard Firewall VPN
Hugh Irvine
hugh at open.com.au
Tue Apr 20 17:26:36 CDT 2004
Hello Chuck -
The AuthBy LSA clause does not support groups at this time (we may add
groups at a later time).
In the meantime you could perhaps use the AuthBy NT clause which does
support groups.
This requires "cascaded" AuthBy clauses.
You would do something like this (I haven't tested this however):
# define AuthBy clauses with Identifiers
<AuthBy FILE>
	Identifier CheckUsers
	Filename %D/users
	AddToReply Filter-Id = pptp_users
	AutoMPPEKeys
	EAPType LEAP
	.....
</AuthBy>

<AuthBy NT>
	Identifier CheckUsersAndGroups
	.....
</AuthBy>

# define Realm
<Realm DEFAULT>
	AuthBy CheckUsers
	.....
</Realm>

The "users" file would contain this:

# users file to check NT and group
DEFAULT Auth-Type = CheckUsersAndGroups, Group = xxxxx
Hope this helps.
regards
Hugh
On 20 Apr 2004, at 22:08, Bostic, Chuck wrote:
> Hugh/all others,
> We had discovered the "AutoMPPEKeys" ourselves, and it works great. I
> have 1 other question at this point. Can we restrict the validation to
> members of 1 or more NT Groups? I would like to thank all of you for
> your replies. They are very helpful.
> Chuck
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Monday, April 19, 2004 8:40 PM
> To: Chuck Bostic
> Cc: 'radiator at open.com.au'
> Subject: Re: (RADIATOR) Radiator and Watchguard Firewall VPN
>
>
>
> Hello Chuck -
>
> Actually, you should use AutoMPPEKeys in the AuthBy clause instead.
>
> Apologies for the confusion.
>
>
> AutoMPPEKeys
>
> AddToReply Filter-Id = pptp_users
>
> regards
>
> Hugh
>
>
> On 20 Apr 2004, at 09:47, Hugh Irvine wrote:
>
>>
>> Hello Chuck -
>>
>> You should use a single AddToReply as follows:
>>
>> AddToReply Filter-Id = pptp_users, \
>> MS-MPPE-Recv-Key = ....., \
>> MS-MPPE-Send-Key = ........
>>
>> You will need to set the keys as required by your client.
>>
>> See sections 13.2.5 and 13.2.6 in the Radiator 3.9 reference manual
>> ("doc/ref.html").
>>
>> regards
>>
>> Hugh
>>
>>
>>
>> On 20 Apr 2004, at 02:03, Bostic, Chuck wrote:
>>
>>>
>>> Hugh,
>>> I added the AddToReply as you suggested and then got another error
>>> from my Watchguard box asking for two additional parameters.
>>> I then added 2 additional AddToReply statements as shown in my
>>> config. I got the following error in the trace. My config is quite
>>> simple as I am still testing and evaluating the product.
>>> Chuck
>>>
>>> Foreground
>>> LogStdout
>>> LogDir c:/program files/radiator
>>> DbDir c:/program files/radiator
>>> # Use a lower trace level in production systems:
>>> Trace 4
>>>
>>> # You will probably want to add other Clients to suit your site,
>>> # one for each NAS you want to work with
>>> <Client DEFAULT>
>>> Secret
>>> DupInterval 0
>>> </Client>
>>>
>>> <Realm DEFAULT>
>>> <AuthBy LSA>
>>> # Specifies which Windows Domain is to be used to authenticate
>>> # users. Empty string means the local machine only
>>> # Special characters are supported. Can be an Active
>>> # directory domain or a Windows NT domain controller
>>>
>>> Domain nmhgmcz1
>>> AddToReply Filter-Id = pptp_users
>>> AddToReply MS-MPPE-Recv-Key
>>> AddToReply MS-MPPE-Send-Key
>>>
>>> # Empty string (the default) means the local machine
>>> #Domain OPEN
>>>
>>> # This specifies the workstation to the LSA. It might be used to check
>>> # whether the user is permitted to log in. If the user has any
>>> # workstation logon restrictions, this is the name that it
>>> # will be checked against. Defaults to 'Radiator'
>>> #Workstation WLAN
>>>
>>> # If you specify EAPType LEAP, you can also handle
>>> # Cisco LEAP with any LSA native authentication
>>> EAPType LEAP
>>> </AuthBy>
>>> </Realm>
>>>
>>> Mon Apr 19 10:44:57 2004: DEBUG: Handling request with Handler
>>> 'Realm=DEFAULT'
>>> Mon Apr 19 10:44:57 2004: DEBUG: Deleting session for accbosti,
>>> 172.19.12.5, 216
>>> Mon Apr 19 10:44:57 2004: DEBUG: Handling with Radius::AuthLSA:
>>> Mon Apr 19 10:44:57 2004: DEBUG: Radius::AuthLSA looks for match with
>>> accbosti
>>> Mon Apr 19 10:44:57 2004: DEBUG: Radius::AuthLSA ACCEPT:
>>> Mon Apr 19 10:44:57 2004: DEBUG: Access accepted for accbosti
>>> Mon Apr 19 10:44:57 2004: DEBUG: Packet dump:
>>> *** Sending to 172.19.12.5 port 1241 ....
>>> Code: Access-Accept
>>> Identifier: 116
>>> Authentic: t<147><155>y<29>%kk<231>op<186><163>7=@
>>> Attributes:
>>> MS-CHAP2-Success = "<129>S=B9C1E1458CB11D3A2A189350CC834FEE21C60AA5"
>>> Filter-Id = "pptp_users"
>>>
>>> Mon Apr 19 10:47:42 2004: DEBUG: Finished reading configuration file
>>> 'C:\Program Files\Radiator\radius.cfg'
>>> Mon Apr 19 10:47:42 2004: DEBUG: Reading dictionary file 'c:/program
>>> files/radiator/dictionary'
>>> Mon Apr 19 10:47:43 2004: DEBUG: Creating authentication port
>>> 0.0.0.0:1645
>>> Mon Apr 19 10:47:43 2004: DEBUG: Creating accounting port
>>> 0.0.0.0:1646
>>> Mon Apr 19 10:47:43 2004: NOTICE: Server started: Radiator 3.8 on
>>> acmutil
>>> (EVALUATION)
>>> Mon Apr 19 10:48:03 2004: DEBUG: Packet dump:
>>> *** Received from 172.19.12.5 port 1249 ....
>>> Code: Access-Request
>>> Identifier: 40
>>> Authentic: (4`<25><221><226>zT<248><239><30>r<5><228>Z<222>
>>> Attributes:
>>> User-Name = "accbosti"
>>> MS-CHAP-Challenge = "<133><177>^`<15><9>_Xa<13><155><189>NH<141>M"
>>> MS-CHAP2-Response =
>>> "<129><0><211><133><211>5+<9><163>Z<128>Gc<221><5><229><208>g<0><0><0
>>> >
>>> <0><0>
>>> <0><0><0><179><255><6>;f<156>EX/0<156>-
>>> <239><157><137>|i<193><23><30>b<206>^
>>> <8>"
>>> NAS-Identifier = "firebox"
>>> NAS-Port = 224
>>> NAS-Port-Type = Virtual
>>> Service-Type = Authenticate-Only
>>>
>>> Mon Apr 19 10:48:03 2004: DEBUG: Handling request with Handler
>>> 'Realm=DEFAULT'
>>> Mon Apr 19 10:48:03 2004: DEBUG: Deleting session for accbosti,
>>> 172.19.12.5, 224
>>> Mon Apr 19 10:48:03 2004: DEBUG: Handling with Radius::AuthLSA:
>>> Mon Apr 19 10:48:03 2004: DEBUG: Radius::AuthLSA looks for match with
>>> accbosti
>>> Mon Apr 19 10:48:03 2004: DEBUG: Radius::AuthLSA ACCEPT:
>>> Mon Apr 19 10:48:03 2004: ERR: Bad attribute=value pair:
>>> MS-MPPE-Send-Key
>>> Mon Apr 19 10:48:03 2004: DEBUG: Access accepted for accbosti
>>> Mon Apr 19 10:48:03 2004: DEBUG: Packet dump:
>>> *** Sending to 172.19.12.5 port 1249 ....
>>> Code: Access-Accept
>>> Identifier: 40
>>> Authentic: (4`<25><221><226>zT<248><239><30>r<5><228>Z<222>
>>> Attributes:
>>> MS-CHAP2-Success = "<129>S=6AB960FA6FA3203ABB8C423B5C8C7CBD594464D3"
>>>
>>> Mon Apr 19 10:48:26 2004: DEBUG: Packet dump:
>>> *** Received from 172.19.12.5 port 1271 ....
>>> Code: Access-Request
>>> Identifier: 219
>>> Authentic:
>>> <219><31><175>i<177><173><165><197><24>1<186>x<185><236><178><204>
>>> Attributes:
>>> User-Name = "accbosti"
>>> MS-CHAP-Challenge =
>>> "<29>s<194>o<187><23>P<7>p<187><133>D<200><199><163><152>"
>>> MS-CHAP2-Response =
>>> "<129><0>M<180><199><166><149><212><166>wW<149>j<153>U5<255><243><0><
>>> 0
>>> <0><0
>>> <0><0><0><0><178>s<234><28><23><17>G<253><253><9>4`S<136><159><249><
>>> 2
>>> 7><134
>>> <191>e<167><179><249><197>"
>>> NAS-Identifier = "firebox"
>>> NAS-Port = 246
>>> NAS-Port-Type = Virtual
>>> Service-Type = Authenticate-Only
>>>
>>> Mon Apr 19 10:48:26 2004: DEBUG: Handling request with Handler
>>> 'Realm=DEFAULT'
>>> Mon Apr 19 10:48:26 2004: DEBUG: Deleting session for accbosti,
>>> 172.19.12.5, 246
>>> Mon Apr 19 10:48:26 2004: DEBUG: Handling with Radius::AuthLSA:
>>> Mon Apr 19 10:48:26 2004: DEBUG: Radius::AuthLSA looks for match with
>>> accbosti
>>> Mon Apr 19 10:48:26 2004: DEBUG: Radius::AuthLSA ACCEPT:
>>> Mon Apr 19 10:48:26 2004: ERR: Bad attribute=value pair:
>>> MS-MPPE-Send-Key
>>> Mon Apr 19 10:48:26 2004: DEBUG: Access accepted for accbosti
>>> Mon Apr 19 10:48:26 2004: DEBUG: Packet dump:
>>> *** Sending to 172.19.12.5 port 1271 ....
>>> Code: Access-Accept
>>> Identifier: 219
>>> Authentic:
>>> <219><31><175>i<177><173><165><197><24>1<186>x<185><236><178><204>
>>> Attributes:
>>> MS-CHAP2-Success = "<129>S=3B934C54628133FC74EA3CE923416DDA5CA74873"
>>>
>>> Mon Apr 19 10:49:23 2004: DEBUG: Packet dump:
>>> *** Received from 172.19.12.5 port 1289 ....
>>> Code: Access-Request
>>> Identifier: 91
>>> Authentic:
>>> [o<143>k<187><180><221><222><179><248>l<192>R<161><246><254>
>>> Attributes:
>>> User-Name = "accbosti"
>>> MS-CHAP-Challenge =
>>> "<28>+<29><138><7>E;<223>h<219>G<13><141><159><186>l"
>>> MS-CHAP2-Response =
>>> "<129><0><211>(a<133>dO<247><171><250><177>a5<199><221>`<221><0><0><0
>>> >
>>> <0><0>
>>> <0><0><0><162>i<159><166><215><221><22><139><17>%9<208><150>?,7<249>$
>>> <
>>> 146><1
>>> 4><148><128><221>z"
>>> NAS-Identifier = "firebox"
>>> NAS-Port = 264
>>> NAS-Port-Type = Virtual
>>> Service-Type = Authenticate-Only
>>>
>>> Mon Apr 19 10:49:23 2004: DEBUG: Handling request with Handler
>>> 'Realm=DEFAULT'
>>> Mon Apr 19 10:49:23 2004: DEBUG: Deleting session for accbosti,
>>> 172.19.12.5, 264
>>> Mon Apr 19 10:49:23 2004: DEBUG: Handling with Radius::AuthLSA:
>>> Mon Apr 19 10:49:23 2004: DEBUG: Radius::AuthLSA looks for match with
>>> accbosti
>>> Mon Apr 19 10:49:23 2004: DEBUG: Radius::AuthLSA ACCEPT:
>>> Mon Apr 19 10:49:23 2004: ERR: Bad attribute=value pair:
>>> MS-MPPE-Send-Key
>>> Mon Apr 19 10:49:23 2004: DEBUG: Access accepted for accbosti
>>> Mon Apr 19 10:49:23 2004: DEBUG: Packet dump:
>>> *** Sending to 172.19.12.5 port 1289 ....
>>> Code: Access-Accept
>>> Identifier: 91
>>> Authentic:
>>> [o<143>k<187><180><221><222><179><248>l<192>R<161><246><254>
>>> Attributes:
>>> MS-CHAP2-Success = "<129>S=AC0BC372584D6D4F71CF3F8B023C2F2FEC6285CC"
>>>
>>> -----Original Message-----
>>> From: Hugh Irvine [mailto:hugh at open.com.au]
>>> Sent: Friday, April 16, 2004 6:22 PM
>>> To: Bostic, Chuck
>>> Cc: 'radiator at open.com.au'
>>> Subject: Re: (RADIATOR) Radiator and Watchguard Firewall VPN
>>>
>>>
>>>
>>> Hello Chuck -
>>>
>>> I will need to see a copy of your configuration file and a trace 4
>>> debug from Radiator showing what is happening.
>>>
>>> You can return a Filter-Id with something like this:
>>>
>>> <AuthBy LSA>
>>> .....
>>> AddToReply Filter-Id = pptp_user
>>> </AuthBy>
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 17 Apr 2004, at 05:56, Bostic, Chuck wrote:
>>>
>>>> I have Radiator installed on a Win2k server using Authby LSA
>>>> validating users on an NT4.0 Primary Domain controller. I am trying to
>>>> use a dial-up connection to a Watchguard firewall VPN. The error I see
>>>> is on the Watchguard log, rejecting the connection because something is
>>>> not matching a filter-id of pptp_user. Has anyone experienced this and
>>>> is there a solution?
>>>> Chuck
>>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
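In the trace 4 output quoted above, Radiator logs "ERR: Bad attribute=value pair: MS-MPPE-Send-Key" and then sends an Access-Accept carrying MS-CHAP2-Success but none of the MPPE keys the PPTP client needs. The script below is an added example, not part of this thread or of Radiator itself, that audits such a trace: it pairs each reply packet dump with the ERR lines logged before it and flags MS-CHAPv2 accepts that lack MS-MPPE-Send-Key or MS-MPPE-Recv-Key. The log excerpt is constructed in the thread's format, and one log record per line is assumed.

```python
import re

# A PPTP/MS-CHAPv2 client that expects MPPE encryption needs both of these keys
MPPE_KEYS = {"MS-MPPE-Send-Key", "MS-MPPE-Recv-Key"}
TS_LINE = re.compile(r"^\w{3} \w{3}\s+\d+ [\d:]+ \d{4}: (\w+): (.*)$")
ATTR_LINE = re.compile(r"^\s*([\w-]+) = (.*)$")

# Constructed trace 4 excerpt in the format seen in the thread, not a real capture
SAMPLE_TRACE = """\
Mon Apr 19 10:48:03 2004: ERR: Bad attribute=value pair: MS-MPPE-Send-Key
*** Sending to 172.19.12.5 port 1249 ....
Code: Access-Accept
Identifier: 40
Attributes:
\tMS-CHAP2-Success = "<129>S=constructed"

*** Sending to 172.19.12.5 port 1290 ....
Code: Access-Accept
Identifier: 41
Attributes:
\tMS-CHAP2-Success = "<129>S=constructed"
\tFilter-Id = "pptp_users"
\tMS-MPPE-Send-Key = "<constructed>"
\tMS-MPPE-Recv-Key = "<constructed>"
"""

def audit_trace(text):
    # One finding per reply sent: code, id, attributes, preceding ERR lines, missing MPPE keys
    findings, errors, pkt = [], [], None
    for line in text.splitlines():
        ts = TS_LINE.match(line)
        if ts:  # timestamped log line: keep ERRs, ignore the rest
            if ts.group(1) == "ERR":
                errors.append(ts.group(2))
            continue
        if line.startswith("*** Sending to"):
            pkt = {"code": None, "id": None, "attrs": {}, "errors": errors}
            errors = []
            findings.append(pkt)
        elif line.startswith("***") or not line.strip():
            pkt = None  # a received packet or blank line ends any reply dump
        elif pkt is not None and line.startswith("Code:"):
            pkt["code"] = line.split(":", 1)[1].strip()
        elif pkt is not None and line.startswith("Identifier:"):
            pkt["id"] = int(line.split(":", 1)[1])
        elif pkt is not None and (a := ATTR_LINE.match(line)):
            pkt["attrs"][a.group(1)] = a.group(2).strip('"')
    for f in findings:
        chapv2 = f["code"] == "Access-Accept" and "MS-CHAP2-Success" in f["attrs"]
        f["missing"] = sorted(MPPE_KEYS - f["attrs"].keys()) if chapv2 else []
    return findings
```

Run `audit_trace` over a real trace 4 file to list every Access-Accept that went out without MPPE keys together with the configuration error that caused it.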