(RADIATOR) Cisco PIX & Radius Authentication Help!

Nicole Layne NLayne at bb.ibm.com
Tue Jan 17 10:09:07 CST 2006


Ok, 

I'm checking with Cisco as well.

When you look at my platypus.cfg file, is it ok?

Like this part here:

<Client 192.168.x.y>
        Secret pixsecret
</Client>

<Client DEFAULT>
        Secret  mysecret
        DupInterval 0
</Client>

Does the DEFAULT refer to the group with attributes, i.e. should I set my
shared password for client & server in the second client group or the
first?

Because it continues in the cfg to define the realm, using the word
DEFAULT again....

<Realm DEFAULT>
        <AuthBy PLATYPUS>


Just trying to understand the config commands.


Kind Regards,
Nicôle
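
As an added illustration (not from Nicole's platypus.cfg or from Radiator's own code), the Python below models how Radiator chooses a Client clause: the clause whose name equals the request's source address wins, and `<Client DEFAULT>` is used only when no address-specific clause matches, so the secret the PIX must share is the one in the address-specific clause. The config text and the 192.168.1.1 / 10.0.0.5 addresses are constructed samples, and the model assumes clause names are literal addresses or DEFAULT.

```python
import re

# Constructed sample in the style of the platypus.cfg excerpt above; the PIX
# address 192.168.1.1 is a placeholder, not the real (redacted) 192.168.x.y.
SAMPLE_CFG = """
<Client 192.168.1.1>
        Secret pixsecret
</Client>

<Client DEFAULT>
        Secret  mysecret
        DupInterval 0
</Client>
"""

def parse_clients(text):
    """Return {clause_name: {parameter: value}} for every <Client NAME>...</Client> block."""
    clients = {}
    for name, body in re.findall(r"<Client\s+(\S+)>(.*?)</Client>", text, re.S):
        params = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)          # "Secret  mysecret" -> ["Secret", "mysecret"]
            params[parts[0]] = parts[1] if len(parts) > 1 else ""
        clients[name] = params
    return clients

def client_for(clients, nas_ip):
    """Clause Radiator applies to a request from nas_ip: exact address first, then DEFAULT.

    Assumption of this model: clause names are literal IPv4 addresses or DEFAULT
    (Radiator also accepts hostnames, which are not modelled here).
    """
    if nas_ip in clients:
        return nas_ip, clients[nas_ip]
    if "DEFAULT" in clients:
        return "DEFAULT", clients["DEFAULT"]
    return None, None                           # no clause at all: Radiator ignores the request

def requests_falling_to_default(clients, source_ips):
    """Source addresses served by DEFAULT rather than by a listed NAS; worth alerting on,
    since such a request is answered with the DEFAULT secret, not the PIX's."""
    return [ip for ip in source_ips if client_for(clients, ip)[0] == "DEFAULT"]

if __name__ == "__main__":
    cfg = parse_clients(SAMPLE_CFG)
    print(client_for(cfg, "192.168.1.1"))    # the PIX: answered with pixsecret
    print(client_for(cfg, "10.0.0.5"))       # constructed unknown NAS: falls through to DEFAULT
    print(requests_falling_to_default(cfg, ["192.168.1.1", "10.0.0.5"]))
```

Run against the source addresses seen in a trace 4 debug, the last function lists every NAS that is being served by the catch-all clause instead of its own.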




Hugh Irvine <hugh at open.com.au>
Sent by: owner-radiator at open.com.au
01/16/2006 06:32 PM

To: Nicole Layne/Barbados/IBM at IBMCA
cc: "Chris Rosan" <Chris.Rosan at europcar.com.au>, radiator at open.com.au
Subject: Re: (RADIATOR) Cisco PIX & Radius Authentication Help!

Hello Nicole -

As mentioned in my previous email, I would expect that it is the VPN 
client that is asking for a Domain - I don't think Radiator is 
involved in asking for a Domain at all. From memory the Cisco VPN 
client requires some configuration, so you should check with Cisco 
how to configure it.

> Where it says port 0.0.0.0:1645, should this be "ip address of
> machine running radiator":1645?


In answer to your question, "0.0.0.0:1645" means to listen on all 
interfaces present in the machine, which in the simple case is just one.

regards

Hugh



On 17 Jan 2006, at 06:39, Nicole Layne wrote:

>
> Hi,
>
> It would be beneficial if I could set up a default domain for all 
> users in the cfg file.
>
> Currently radius is getting its user credentials from Platypus 5.1 
> Billing software. In the software, there is no provision for domain 
> when creating a user.
>
> When I test locally with radiator, this setup works... as I only 
> need to supply username & password in the command window... so I 
> know that Platypus and radiator are talking ok...
>
>
> Kind Regards,
> Nicôle Layne
> IT Specialist
> IBM World Trade Corporation
> nlayne at bb.ibm.com
> Tel 246-430-8210 (direct )
> Tel 246-426-0670 (PBX)
> Fax 246-429-4684
>
>
> "Chris Rosan" <Chris.Rosan at europcar.com.au>
> Sent by: owner-radiator at open.com.au
> 01/16/2006 12:04 PM
>
> To: Nicole Layne/Barbados/IBM at IBMCA
> cc: <radiator at open.com.au>
> Subject: RE: (RADIATOR) Cisco PIX & Radius Authentication Help!
>
> Sorry, one more thing.
>
> We specify the domain in EACH user entry in our database. I know 
> you can write it into the config file, but as I said, the same 
> database hosts authentication for multiple access methods through 
> different providers & different gateways.
>
> Chris Rosan
> Systems Administrator
> Europcar Asia Pacific
> 157 Mickleham Rd
> Tullamarine
> VIC 3043
> Australia
> Ph: +61 3 9330 6114
> Fax: +61 3 9338 6278
> Mob: +61 410 612 031
> Email: chris.rosan at europcar.com.au
>
>
>
> From: Nicole Layne [mailto:NLayne at bb.ibm.com]
> Sent: Tuesday, 17 January 2006 2:54 AM
> To: Chris Rosan
> Cc: radiator at open.com.au
> Subject: RE: (RADIATOR) Cisco PIX & Radius Authentication Help!
>
>
> Hi Chris,
>
> Thanks! I have the PIX set up very similar to your examples, but 
> will go over, just to make sure...
>
> Two things,
>
> On the VPN client side, does it prompt for username, password AND 
> domain? 'Cause I'm stuck at the domain part, as the PIX has a 
> domain name but the network is just a workgroup.
>
> Also, how did you set up your radiator config file?
>
> Could you send an example of that?
>
>
> Kind Regards,
> Nicôle
>
> "Chris Rosan" <Chris.Rosan at europcar.com.au>
> 01/16/2006 11:41 AM
>
> To: Nicole Layne/Barbados/IBM at IBMCA, "Hugh Irvine" <hugh at open.com.au>,
> Nicole Layne/Barbados/IBM at IBMCA
> cc: <radiator at open.com.au>
> Subject: RE: (RADIATOR) Cisco PIX & Radius Authentication Help!
>
> I have a similar setup. These are the config lines from my PIX 6.3
> (I've got similar running on a V7).
>
> aaa-server RADIUS protocol radius
> aaa-server $RADIUSSERVER protocol radius
> aaa-server $RADIUSSERVER (inside) host $IPADDRESS $SECRET timeout 5
>
>
>
> $RADIUSSERVER is the name of your radius server, $IPADDRESS the IP 
> address of your radius server, $SECRET the secret, which has to 
> match both ends.
>
> Don't forget to assign a pool of IPs, eg:
>
> ip local pool vpn-client 192.168.151.1-192.168.151.254
>
> THEN
>
> vpngroup eurovpn-all address-pool vpn-client
> vpngroup eurovpn-all dns-server x.x.x.x
> vpngroup eurovpn-all default-domain DNSDOMAIN
> vpngroup eurovpn-all idle-time 1800
> vpngroup eurovpn-all authentication-server $RADIUSSERVER   (must
> match the name above)
> vpngroup eurovpn-all password ********   (the password in your
> profile)
>
> We aren't using certificates for the first level authentication.
>
> Hope this helps.
>
>
> Chris Rosan
>
>
>
>
>
>
> From: owner-radiator at open.com.au [mailto:owner- 
> radiator at open.com.au] On Behalf Of Nicole Layne
> Sent: Tuesday, 17 January 2006 1:14 AM
> To: Hugh Irvine
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) Cisco PIX & Radius Authentication Help!
> Importance: High
>
>
> Thanks for looking at this problem and sorry about the lack of 
> proper information:
>
> VPN Client: 4.6.00.0045
>
> Client is running on Windows XP, Server/Radiator is running on 
> Windows XP.
>
> It's a workgroup environment, no domain.
>
> Please find the radiator config file attached.
>
>
>
> On the PIX side, it's version 7.0(4)
>
> Here is the configuration:
>
>
>
> Trace from Radiator:
>
> C:\Project\Radiator\goodies>c:\perl\bin\perl c:\perl\bin\radiusd -config_file platypus.cfg -trace 4
>
> Mon Jan 16 08:41:47 2006: DEBUG: Finished reading configuration 
> file 'platypus.cfg'
> This Radiator license will expire on 2006-01-30
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your license period, contact admin at open.com.au
>
> Mon Jan 16 08:41:48 2006: DEBUG: Reading dictionary file './dictionary'
> Mon Jan 16 08:41:48 2006: DEBUG: Creating authentication port 
> 0.0.0.0:1645
> Mon Jan 16 08:41:48 2006: DEBUG: Creating accounting port 0.0.0.0:1646
> Mon Jan 16 08:41:48 2006: NOTICE: Server started: Radiator 3.13 on 
> Billing (LOCKED)
>
> Question:
>
> Where it says port 0.0.0.0:1645, should this be "ip address of 
> machine running radiator":1645?
>
> Thanks again for any light you can shine...
>
>
> Kind Regards,
> Nicôle
> Hugh Irvine <hugh at open.com.au>
> 01/13/2006 08:01 PM
>
> To: Nicole Layne/Barbados/IBM at IBMCA
> cc: <radiator at open.com.au>
> Subject: Re: (RADIATOR) Cisco PIX & Radius Authentication Help!
>
> Hello Nicole -
>
> What VPN client are you using? And what platform is the client
> running on and what platform is the server running on?
>
> In general a VPN client on Windows will be looking for the Windows
> domain to join.
>
> Also note that when you ask questions it is much easier for us to
> help if you include as much information as possible, including at the
> very least a copy of the configuration file and a trace 4 debug from
> Radiator showing what is happening.
>
> regards
>
> Hugh
>
>
> On 14 Jan 2006, at 00:31, Nicole Layne wrote:
>
> >
> > Hi,
> >
> > I have a Cisco PIX 515E, which I've configured for radius
> > authentication.
> >
> > Radiator is set up, where I have the ip address of the PIX as the
> > client, and the standard author & authen ports.
> >
> > What puzzles me is that when a VPN client tries to log in & it
> > tries to authenticate against the radius server, it asks for
> > username, password & domain.
> >
> > What domain value is it looking for?
> >
> >
> > Thanks in advance for any thoughts on this topic and how I may
> > further configure.
> >
> >
> > The PIX is at version 7.0(4). Platypus billing is the backend
> > database that radius uses. I test the username & password against
> > the radius server locally and that part works fine.
> >
> >
> > Kind Regards,
> > Nicôle
>
>


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
