(RADIATOR) Cisco PIX & Radius Authentication Help!

Nicole Layne NLayne at bb.ibm.com
Mon Jan 16 13:39:11 CST 2006


Hi, 

It would be beneficial if I could set up a default domain for all users in 
the cfg file.

Currently radius is getting its user credentials from Platypus 5.1 Billing 
software. In the software, there is no provision for domain when creating 
a user.

When I test locally with radiator, this setup works... as I only need to 
supply username & password in the command window... so I know that 
Platypus and radiator are talking ok...


Kind Regards,
Nicôle Layne
IT Specialist
IBM World Trade Corporation
nlayne at bb.ibm.com
Tel 246-430-8210 (direct)
Tel 246-426-0670 (PBX)
Fax 246-429-4684



"Chris Rosan" <Chris.Rosan at europcar.com.au> 
Sent by: owner-radiator at open.com.au
01/16/2006 12:04 PM

To
Nicole Layne/Barbados/IBM at IBMCA
cc
<radiator at open.com.au>
Subject
RE: (RADIATOR) Cisco PIX & Radius Authentication Help!






Sorry, one more thing.
 
We specify the domain in EACH user entry in our database. I know you can 
write it into the config file, but as I said, the same database hosts 
authentication for multiple access methods through different providers & 
different gateways.
 
Chris Rosan 
Systems Administrator 
Europcar Asia Pacific 
157 Mickleham Rd 
Tullamarine 
VIC 3043 
Australia 
Ph: +61 3 9330 6114 
Fax: +61 3 9338 6278 
Mob: +61 410 612 031 
Email: chris.rosan at europcar.com.au 
 

From: Nicole Layne [mailto:NLayne at bb.ibm.com] 
Sent: Tuesday, 17 January 2006 2:54 AM
To: Chris Rosan
Cc: radiator at open.com.au
Subject: RE: (RADIATOR) Cisco PIX & Radius Authentication Help!
 

Hi Chris, 

Thanks! I have the PIX set up very similar to your examples, but will go 
over, just to make sure... 

Two things, 

On the VPN client side, does it prompt for username, password AND domain? 
'Cause I'm stuck at the domain part, as the PIX has a domain name but the 
network is just a workgroup. 

Also, how did you set up your radiator config file?

Could you send an example of that? 


Kind Regards,
Nicôle 



"Chris Rosan" <Chris.Rosan at europcar.com.au> 
01/16/2006 11:41 AM 


To
Nicole Layne/Barbados/IBM at IBMCA, "Hugh Irvine" <hugh at open.com.au>, Nicole 
Layne/Barbados/IBM at IBMCA 
cc
<radiator at open.com.au> 
Subject
RE: (RADIATOR) Cisco PIX & Radius Authentication Help!
 


 
 




I have a similar setup. These are the config lines from my PIX 6.3 (I've got 
similar running a V7). 
  
aaa-server RADIUS protocol radius 
aaa-server $RADIUSSERVER protocol radius 
aaa-server $RADIUSSERVER (inside) host $IPADDRESS $SECRET timeout 5 
  
  
  
$RADIUSSERVER is the name of your radius server, $IPADDRESS the IP address 
of your radius server, $SECRET the secret, which has to match both ends. 
  
Don't forget to assign a pool of IPs, e.g.: 
  
ip local pool vpn-client 192.168.151.1-192.168.151.254 
  
THEN 
  
vpngroup eurovpn-all address-pool vpn-client 
vpngroup eurovpn-all dns-server x.x.x.x 
vpngroup eurovpn-all default-domain DNSDOMAIN 
vpngroup eurovpn-all idle-time 1800 
vpngroup eurovpn-all authentication-server $RADIUSSERVER   (must match above name) 
vpngroup eurovpn-all password ********   (The password in your profile). 
  
We aren't using certificates for the first level authentication. 
  
Hope this helps. 
  
  
Chris Rosan 
  
 


From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On 
Behalf Of Nicole Layne
Sent: Tuesday, 17 January 2006 1:14 AM
To: Hugh Irvine
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) Cisco PIX & Radius Authentication Help!
Importance: High 
  

Thanks for looking at this problem and sorry about the lack of proper 
information: 

VPN Client: 4.6.00.0045 

Client is running on Windows XP, Server/Radiator is running on Windows XP. 


It's a workgroup environment, no domain. 

Please find the radiator config file attached. 



On the PIX side, it's version 7.0(4) 

Here is the configuration: 



Trace from Radiator: 

C:\Project\Radiator\goodies>c:\perl\bin\perl c:\perl\bin\radiusd -config_file platypus.cfg -trace 4

Mon Jan 16 08:41:47 2006: DEBUG: Finished reading configuration file 'platypus.cfg'
This Radiator license will expire on 2006-01-30 
This Radiator license will stop operating after 1000 requests 
To purchase an unlimited full source version of Radiator, see 
http://www.open.com.au/ordering.html 
To extend your license period, contact admin at open.com.au 

Mon Jan 16 08:41:48 2006: DEBUG: Reading dictionary file './dictionary'
Mon Jan 16 08:41:48 2006: DEBUG: Creating authentication port 0.0.0.0:1645
Mon Jan 16 08:41:48 2006: DEBUG: Creating accounting port 0.0.0.0:1646
Mon Jan 16 08:41:48 2006: NOTICE: Server started: Radiator 3.13 on Billing (LOCKED)

Question:

Where it says port 0.0.0.0:1645, should this be "ip address of machine 
running radiator":1645? 

Thanks again for any light you can shine... 


Kind Regards,
Nicôle 


Hugh Irvine <hugh at open.com.au> 
01/13/2006 08:01 PM 
 


To
Nicole Layne/Barbados/IBM at IBMCA 
cc
<radiator at open.com.au> 
Subject
Re: (RADIATOR) Cisco PIX & Radius Authentication Help!

 
 


 
 






Hello Nicole -

What VPN client are you using? And what platform is the client 
running on and what platform is the server running on?

In general a VPN client on Windows will be looking for the Windows 
domain to join.

Also note that when you ask questions it is much easier for us to 
help if you include as much information as possible, including at the 
very least a copy of the configuration file and a trace 4 debug from 
Radiator showing what is happening.

regards

Hugh


On 14 Jan 2006, at 00:31, Nicole Layne wrote:

>
> Hi,
>
> I have a Cisco PIX 515E, which I've configured for radius 
> authentication.
>
> Radiator is set up, where I have the ip address of the PIX as the 
> client, and the standard author & authen ports.
>
> What puzzles me is that when a VPN client tries to log in & it 
> tries to authenticate against the radius server, it asks for 
> username, password & domain.
>
> What domain value is it looking for?
>
>
> Thanks in advance for any thoughts on this topic and how I may 
> further configure.
>
>
> The PIX is at version 7.0(4). Platypus billing is the backend 
> database that radius uses. I test the username & password against 
> the radius server locally and that part works fine.
>
>
> Kind Regards,
> Nicôle


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/ 
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
 


This e-mail message has been scanned for Viruses and Content and cleared 
by NetIQ MailMarshal 
 

This e-mail and any files attached to it are confidential and 
intended solely for the use of the individual or entity to 
whom they are addressed. If you have received this e-mail 
inadvertently or you are not the intended recipient, you may 
not distribute, copy or in any way rely on it. Further, you 
should notify the sender immediately and delete the e-mail 
from your computer. The contents and opinions contained in 
this e-mail are those of the individual sender unless they 
are expressly stated to be those of Europcar. Whilst we have 
taken precautions to alert us to the presence of computer 
viruses, we cannot and do not guarantee that this email and 
any files transmitted with it are free from such viruses. 

This email was scanned for your safety and protection from
virus's and offensive content. 
mailmarshal at europcar.com.au 
