(RADIATOR) Cisco PIX & Radius Authentication Help!
Nicole Layne
NLayne at bb.ibm.com
Tue Jan 17 16:20:51 CST 2006
Thanks Hugh.
I've generated some logs and am convinced now that the problem lies with
my database i.e. Platypus.
The PIX passes username, password & domain to the radius server, which
then looks to Platypus for these fields.
Problem here is that Radiator interprets the fields from the PIX as
username = Domain\username, password = password, but my Platypus database
stores entries as username = username, password = password.
e.g.
Radiator sends Workgroup\User1
Platypus contains User1
Therefore, Radiator will never match to any of the users in the database.
I have a call set up with Platypus to see if there's a way to get around
this or edit the database, etc.
Anyone with Platypus running that saves domain information? :-)
Thanks for all of your comments and suggestions, as always...
Kind Regards,
Nicôle
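The mismatch Nicole describes above (the PIX sends `Workgroup\User1`, Platypus stores `User1`) is normally handled on the Radiator side rather than in the billing database, using the `RewriteUsername` directive that Radiator accepts in a Realm or Handler clause. The following is an added example, not a configuration from this thread or one shipped by Open System Consultants; it also follows Hugh's advice, quoted further down, to list each NAS in its own `<Client>` clause instead of relying on `<Client DEFAULT>`. The PIX address, the shared secret and the `AuthBy PLATYPUS` database parameters are assumed placeholders.

```text
# Added example configuration (assumed values throughout).

# One explicit Client clause per NAS, as Hugh recommends, instead of a
# catch-all <Client DEFAULT>. A request from any other source address is
# rejected by Radiator as coming from an unknown client.
<Client 192.168.x.y>
    Identifier  pix-vpn
    Secret      pixsecret
</Client>

# Realm DEFAULT matches every request whose realm suffix no other Realm
# clause claims. The PIX delivers User-Name as WORKGROUP\User1, while
# Platypus holds User1, so strip everything up to and including the last
# backslash before the database lookup.
<Realm DEFAULT>
    # Perl substitution applied to User-Name before authentication.
    RewriteUsername s/^.*\\(.*)/$1/

    <AuthBy PLATYPUS>
        # Placeholder database connection details (assumed parameter
        # names and values; take the real ones from your existing
        # platypus.cfg).
        DBSource    dbi:ODBC:platypus
        DBUsername  radiator
        DBAuth      dbpassword
    </AuthBy>
</Realm>
```

Run Radiator with `-trace 4`, as in the trace quoted later in the thread, and confirm that the debug output shows the rewritten name before the Platypus query; if the name still carries the `Workgroup\` prefix, the rewrite is not in the clause that handles the request. One caveat: the rewrite is safe for PAP, but MS-CHAPv2 folds the user name the client sent into its challenge hash (RFC 2759), so if the PIX is configured for MS-CHAP rather than PAP, check how your Radiator version treats a rewritten name in that case before relying on this.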
Hugh Irvine <hugh at open.com.au>
01/17/2006 05:19 PM
To
Nicole Layne/Barbados/IBM at IBMCA
cc
radiator at open.com.au
Subject
Re: (RADIATOR) Cisco PIX & Radius Authentication Help!
Hello Nicole -
Comments below.
On 18 Jan 2006, at 03:09, Nicole Layne wrote:
>
> Ok,
>
> I'm checking with Cisco as well.
>
> When you look at my platypus.cfg file, is it ok?
>
> Like this part here:
>
This is a normal Client clause.
> <Client 192.168.x.y>
> Secret pixsecret
> </Client>
>
This is an optional special Client clause that will match any Clients
not specified by individual Client clauses.
> <Client DEFAULT>
> Secret mysecret
> DupInterval 0
> </Client>
>
DEFAULT simply means "match any Clients not specified by individual
Client clauses."
> does the DEFAULT refer to the group? with attributes, i.e. should I
> set my shared password for client & server in the second client
> group or the first?
>
In general you should specify all your Clients with individual Client
clauses and remove the Client DEFAULT clause.
> because it continues in the cfg to define the realm, using the word
> DEFAULT again....
>
> <Realm DEFAULT>
> <AuthBy PLATYPUS>
>
Again this is a Realm clause that will match any Realm suffix not
explicitly defined by individual Realm ... clauses.
>
> Just trying to understand the config commands.
>
I suggest you read the Radiator 3.14 reference manual ("doc/
ref.html"), and have a look at the comments in the example
configuration files in the "goodies" directory of the Radiator
distribution.
regards
Hugh
>
> Kind Regards,
> Nicôle
>
>
>
> Hugh Irvine <hugh at open.com.au>
> Sent by: owner-radiator at open.com.au
> 01/16/2006 06:32 PM
>
> To
> Nicole Layne/Barbados/IBM at IBMCA
> cc
> "Chris Rosan" <Chris.Rosan at europcar.com.au>, radiator at open.com.au
> Subject
> Re: (RADIATOR) Cisco PIX & Radius Authentication Help!
>
> Hello Nicole -
>
> As mentioned in my previous email, I would expect that it is the VPN
> client that is asking for a Domain - I don't think Radiator is
> involved in asking for a Domain at all. From memory the Cisco VPN
> client requires some configuration, so you should check with Cisco
> how to configure it.
>
>
> Where it says port 0.0.0.0:1645, should this be "ip
> address of
> machine running radiator":1645?
>
>
> In answer to your question, "0.0.0.0:1645" means to listen on all
> interfaces present in the machine, which in the simple case is just
> one.
>
> regards
>
> Hugh
>
>
>
> On 17 Jan 2006, at 06:39, Nicole Layne wrote:
>
> >
> > Hi,
> >
> > It would be beneficial if I could set up a default domain for all
> > users in the cfg file.
> >
> > Currently radius is getting its user credentials from Platypus 5.1
> > Billing software. In the software, there is no provision for domain
> > when creating a user.
> >
> > When I test locally with radiator, this setup works... as I only
> > need to supply username & password in the command window... so I
> > know that Platypus and radiator are talking ok...
> >
> >
> > Kind Regards,
> > Nicôle Layne
> > IT Specialist
> > IBM World Trade Corporation
> > nlayne at bb.ibm.com
> > Tel 246-430-8210 (direct )
> > Tel 246-426-0670 (PBX)
> > Fax 246-429-4684
> >
> >
> > "Chris Rosan" <Chris.Rosan at europcar.com.au>
> > Sent by: owner-radiator at open.com.au
> > 01/16/2006 12:04 PM
> >
> > To
> > Nicole Layne/Barbados/IBM at IBMCA
> > cc
> > <radiator at open.com.au>
> > Subject
> > RE: (RADIATOR) Cisco PIX & Radius Authentication Help!
> >
> > Sorry, one more thing.
> >
> > We specify the domain in EACH user entry in our database. I know
> > you can write it into the config file, but as I said, the same
> > database hosts authentication for multiple access methods through
> > different providers & different gateways.
> >
> > Chris Rosan
> > Systems Administrator
> > Europcar Asia Pacific
> > 157 Mickleham Rd
> > Tullamarine
> > VIC 3043
> > Australia
> > Ph: +61 3 9330 6114
> > Fax: +61 3 9338 6278
> > Mob: +61 410 612 031
> > Email: chris.rosan at europcar.com.au
> >
> >
> >
> > From: Nicole Layne [mailto:NLayne at bb.ibm.com]
> > Sent: Tuesday, 17 January 2006 2:54 AM
> > To: Chris Rosan
> > Cc: radiator at open.com.au
> > Subject: RE: (RADIATOR) Cisco PIX & Radius Authentication Help!
> >
> >
> > Hi Chris,
> >
> > Thanks! I have the PIX set up very similar to your examples, but
> > will go over, just to make sure...
> >
> > Two things,
> >
> > On the VPN client side, does it prompt for username, password AND
> > domain? 'Cause I'm stuck at the domain part, as the PIX has a
> > domain name but the network is just a workgroup.
> >
> > Also, how did you set up your radiator config file?
> >
> > Could you send an example of that?
> >
> >
> > Kind Regards,
> > Nicôle
> >
> > "Chris Rosan" <Chris.Rosan at europcar.com.au>
> > 01/16/2006 11:41 AM
> >
> >
> > To
> > Nicole Layne/Barbados/IBM at IBMCA, "Hugh Irvine" <hugh at open.com.au>,
> > Nicole Layne/Barbados/IBM at IBMCA
> > cc
> > <radiator at open.com.au>
> > Subject
> > RE: (RADIATOR) Cisco PIX & Radius Authentication Help!
> >
> > I have a similar setup. These are the config lines from my PIX 6.3
> > (I've got similar running on a V7).
> >
> > aaa-server RADIUS protocol radius
> > aaa-server $RADIUSSERVER protocol radius
> > aaa-server $RADIUSSERVER (inside) host $IPADDRESS $SECRET timeout 5
> >
> >
> >
> > $RADIUSSERVER is the name of your radius server, $IPADDRESS the IP
> > address of your radius server, $SECRET the secret, which has to
> > match both ends.
> >
> > Don't forget to assign a pool of IPs, eg:
> >
> > ip local pool vpn-client 192.168.151.1-192.168.151.254
> >
> > THEN
> >
> > vpngroup eurovpn-all address-pool vpn-client
> > vpngroup eurovpn-all dns-server x.x.x.x
> > vpngroup eurovpn-all default-domain DNSDOMAIN
> > vpngroup eurovpn-all idle-time 1800
> > vpngroup eurovpn-all authentication-server $RADIUSSERVER (must
> > match the name above)
> > vpngroup eurovpn-all password ******** (The password in your
> > profile).
> >
> > We aren't using certificates for the first level authentication.
> >
> > Hope this helps.
> >
> >
> > Chris Rosan
> >
> > From: owner-radiator at open.com.au [mailto:owner-
> > radiator at open.com.au] On Behalf Of Nicole Layne
> > Sent: Tuesday, 17 January 2006 1:14 AM
> > To: Hugh Irvine
> > Cc: radiator at open.com.au
> > Subject: Re: (RADIATOR) Cisco PIX & Radius Authentication Help!
> > Importance: High
> >
> >
> > Thanks for looking at this problem and sorry about the lack of
> > proper information:
> >
> > VPN Client: 4.6.00.0045
> >
> > Client is running on Windows XP, Server/Radiator is running on
> > Windows XP.
> >
> > It's a workgroup environment, no domain.
> >
> > Please find the radiator config file attached.
> >
> >
> >
> > On the PIX side, it's version 7.0(4)
> >
> > Here is the configuration:
> >
> >
> >
> > Trace from Radiator:
> >
> > C:\Project\Radiator\goodies>c:\perl\bin\perl c:\perl\bin\radiusd -config_file platypus.cfg -trace 4
> >
> > Mon Jan 16 08:41:47 2006: DEBUG: Finished reading configuration file 'platypus.cfg'
> > This Radiator license will expire on 2006-01-30
> > This Radiator license will stop operating after 1000 requests
> > To purchase an unlimited full source version of Radiator, see
> > http://www.open.com.au/ordering.html
> > To extend your license period, contact admin at open.com.au
> >
> > Mon Jan 16 08:41:48 2006: DEBUG: Reading dictionary file './dictionary'
> > Mon Jan 16 08:41:48 2006: DEBUG: Creating authentication port 0.0.0.0:1645
> > Mon Jan 16 08:41:48 2006: DEBUG: Creating accounting port 0.0.0.0:1646
> > Mon Jan 16 08:41:48 2006: NOTICE: Server started: Radiator 3.13 on Billing (LOCKED)
> >
> > Question:
> >
> > Where it says port 0.0.0.0:1645, should this be "ip address of
> > machine running radiator":1645?
> >
> > Thanks again for any light you can shine...
> >
> >
> > Kind Regards,
> > Nicôle
> > Hugh Irvine <hugh at open.com.au>
> > 01/13/2006 08:01 PM
> >
> >
> >
> > To
> > Nicole Layne/Barbados/IBM at IBMCA
> > cc
> > <radiator at open.com.au>
> > Subject
> > Re: (RADIATOR) Cisco PIX & Radius Authentication Help!
> >
> > Hello Nicole -
> >
> > What VPN client are you using? And what platform is the client
> > running on and what platform is the server running on?
> >
> > In general a VPN client on Windows will be looking for the Windows
> > domain to join.
> >
> > Also note that when you ask questions it is much easier for us to
> > help if you include as much information as possible, including at the
> > very least a copy of the configuration file and a trace 4 debug from
> > Radiator showing what is happening.
> >
> > regards
> >
> > Hugh
> >
> >
> > On 14 Jan 2006, at 00:31, Nicole Layne wrote:
> >
> > >
> > > Hi,
> > >
> > > I have a Cisco PIX 515E, which I've configured for radius
> > > authentication.
> > >
> > > Radiator is set up, where I have the ip address of the PIX as the
> > > client, and the standard author & authen ports.
> > >
> > > What puzzles me is that when a VPN client tries to log in & it
> > > tries to authenticate against the radius server, it asks for
> > > username, password & domain.
> > >
> > > What domain value is it looking for?
> > >
> > >
> > > Thanks in advance for any thoughts on this topic and how I may
> > > further configure.
> > >
> > >
> > > The PIX is at version 7.0(4). Platypus billing is the backend
> > > database that radius uses. I test the username & password against
> > > the radius server locally and that part works fine.
> > >
> > >
> > > Kind Regards,
> > > Nicôle
> >
> >
> > NB:
> >
> > Have you read the reference manual ("doc/ref.html")?
> > Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> > Have you had a quick look on Google (www.google.com)?
> > Have you included a copy of your configuration file (no secrets),
> > together with a trace 4 debug showing what is happening?
> >
> > --
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > -
> > Nets: internetwork inventory and management - graphical, extensible,
> > flexible with hardware, software, platform and database independence.
> > -
> > CATool: Private Certificate Authority for Unix and Unix-like systems.
> >
> >
> >
> >
> >
>
>