(RADIATOR) Cisco PIX & Radius Authentication Help!

Chris Rosan Chris.Rosan at europcar.com.au
Tue Jan 17 21:32:33 CST 2006


Can I suggest you try MySQL? As you remember, this is what I am using with Radiator & PIX and it works very well.

Chris Rosan
Systems Administrator
Europcar Asia Pacific
157 Mickleham Rd
Tullamarine
VIC 3043
Australia
Ph: +61 3 9330 6114
Fax: +61 3 9338 6278
Mob: +61 410 612 031
Email: chris.rosan at europcar.com.au


________________________________

From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On Behalf Of Nicole Layne
Sent: Wednesday, 18 January 2006 9:21 AM
To: Hugh Irvine
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) Cisco PIX & Radius Authentication Help!

Thanks Hugh. 

I've generated some logs and am convinced now that the problem lies with my database i.e. Platypus. 

The PIX passes username, password & domain to the radius server, which then looks to Platypus for these fields. 

Problem here is that Radiator interprets the fields from the PIX as username = Domain\username, password = password, but my Platypus database stores entries as username = username, password = password. 

e.g. 

Radiator sends Workgroup\User1 

Platypus contains User1 

Therefore, Radiator will never match to any of the users in the database. 

I have a call set up with Platypus to see if there's a way to get around this or edit the database, etc. 


Anyone with Platypus running that saves domain information? :-) 


Thanks for all of your comments and suggestions, as always... 


Kind Regards,
Nicôle


Hugh Irvine <hugh at open.com.au>
01/17/2006 05:19 PM
To: Nicole Layne/Barbados/IBM at IBMCA
cc: radiator at open.com.au
Subject: Re: (RADIATOR) Cisco PIX & Radius Authentication Help!

Hello Nicole -

Comments below.

On 18 Jan 2006, at 03:09, Nicole Layne wrote:

>
> Ok,
>
> I'm checking with Cisco as well.
>
> When you look at my platypus.cfg file, is it ok?
>
> Like this part here:
>

This is a normal Client clause.

> <Client 192.168.x.y>
>         Secret pixsecret
> </Client>
>

This is an optional special Client clause that will match any Clients not specified by individual Client clauses.

> <Client DEFAULT>
>         Secret        mysecret
>         DupInterval 0
> </Client>
>

DEFAULT simply means "match any Clients not specified by individual Client clauses".

> does the DEFAULT refer to the group? with attributes, i.e. should I  
> set my shared password for client & server in the second client  
> group or the first?
>

In general you should specify all your Clients with individual Client clauses and remove the Client DEFAULT clause.


> because it continues in the cfg to define the realm, using the word  
> DEFAULT again....
>
> <Realm DEFAULT>
>         <AuthBy PLATYPUS>
>

Again this is a Realm clause that will match any Realm suffix not explicitly defined by individual Realm ... clauses.

>
> Just trying to understand the config commands.
>

I suggest you read the Radiator 3.14 reference manual ("doc/ref.html"), and have a look at the comments in the example configuration files in the "goodies" directory of the Radiator distribution.

regards

Hugh
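The domain-prefix mismatch Nicole describes (the PIX sends Workgroup\User1, Platypus stores User1) and Hugh's explanation that <Realm DEFAULT> catches any User-Name without an explicitly defined realm suffix, as an added example that is not part of this thread or of Radiator itself: a small Python model that splits a RADIUS User-Name into user, domain and realm, reports which Realm clause would match, and shows why a lookup keyed on the raw User-Name fails against a bare-username table until the domain prefix is stripped. The user table, passwords and realm names are constructed for the example.

```python
import re

# Constructed stand-in for the Platypus user table: usernames are stored bare,
# with no domain prefix, as Nicole describes. The passwords are made up.
PLATYPUS_USERS = {
    "User1": "secret1",
    "User2": "secret2",
}

# Forms a NAS may put in User-Name: DOMAIN\user (what the PIX/VPN client sends),
# user@realm (what Radiator's <Realm> clauses key on), or a bare username.
_DOMAIN_RE = re.compile(r"^(?P<domain>[^\\@]+)\\(?P<user>[^\\@]+)$")
_REALM_RE = re.compile(r"^(?P<user>[^@]+)@(?P<realm>[^@]+)$")


def split_user_name(user_name):
    """Return (user, domain, realm); domain or realm is None when absent."""
    m = _DOMAIN_RE.match(user_name)
    if m:
        return m.group("user"), m.group("domain"), None
    m = _REALM_RE.match(user_name)
    if m:
        return m.group("user"), None, m.group("realm")
    return user_name, None, None


def realm_clause(user_name, defined_realms):
    """Which <Realm> clause would match: the @suffix if a clause is defined for
    it, otherwise DEFAULT. A DOMAIN\\user name carries no suffix at all, so it
    always falls through to <Realm DEFAULT>."""
    _, _, realm = split_user_name(user_name)
    return realm if realm in defined_realms else "DEFAULT"


def authenticate(user_name, password, strip_domain):
    """Look the user up the way the database does. With strip_domain=False the
    key is the raw User-Name (Workgroup\\User1), which the bare-username table
    does not contain; with strip_domain=True only the username part is used."""
    key = split_user_name(user_name)[0] if strip_domain else user_name
    stored = PLATYPUS_USERS.get(key)
    if stored is None:
        return "Reject: no such user %r" % key
    return "Accept" if stored == password else "Reject: bad password"


if __name__ == "__main__":
    for strip in (False, True):
        result = authenticate("Workgroup\\User1", "secret1", strip)
        print("strip_domain=%s -> %s" % (strip, result))
```

Radiator's RewriteUsername directive (documented in doc/ref.html) applies the same kind of substitution to User-Name in the configuration before the AuthBy lookup runs.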


>
> Kind Regards,
> Nicôle
>
> Hugh Irvine <hugh at open.com.au>
> Sent by: owner-radiator at open.com.au
> 01/16/2006 06:32 PM
> To: Nicole Layne/Barbados/IBM at IBMCA
> cc: "Chris Rosan" <Chris.Rosan at europcar.com.au>, radiator at open.com.au
> Subject: Re: (RADIATOR) Cisco PIX & Radius Authentication Help!
>
> Hello Nicole -
>
> As mentioned in my previous email, I would expect that it is the VPN
> client that is asking for a Domain - I don't think Radiator is
> involved in asking for a Domain at all. From memory the Cisco VPN
> client requires some configuration, so you should check with Cisco
> how to configure it.
>
>
> > Where it says port 0.0.0.0:1645, should this be "ip address of
> > machine running radiator":1645?
>
>
> In answer to your question, "0.0.0.0:1645" means to listen on all
> interfaces present in the machine, which in the simple case is just one.
>
> regards
>
> Hugh
>
>
>
> On 17 Jan 2006, at 06:39, Nicole Layne wrote:
>
> >
> > Hi,
> >
> > It would be beneficial if I could set up a default domain for all
> > users in the cfg file.
> >
> > Currently radius is getting its user credentials from Platypus 5.1
> > Billing software. In the software, there is no provision for domain
> > when creating a user.
> >
> > When I test locally with radiator, this setup works... as I only
> > need to supply username & password in the command window... so I
> > know that Platypus and radiator are talking ok...
> >
> >
> > Kind Regards,
> > Nicôle Layne
> > IT Specialist
> > IBM World Trade Corporation
> > nlayne at bb.ibm.com
> > Tel 246-430-8210 (direct )
> > Tel 246-426-0670 (PBX)
> > Fax 246-429-4684
> >
> >
> > "Chris Rosan" <Chris.Rosan at europcar.com.au>
> > Sent by: owner-radiator at open.com.au
> > 01/16/2006 12:04 PM
> > To: Nicole Layne/Barbados/IBM at IBMCA
> > cc: <radiator at open.com.au>
> > Subject: RE: (RADIATOR) Cisco PIX & Radius Authentication Help!
> >
> > Sorry, one more thing.
> >
> > We specify the domain in EACH user entry in our database. I know
> > you can write it into the config file, but as I said, the same
> > database hosts authentication for multiple access methods through
> > different providers & different gateways.
> >
> > Chris Rosan
> > Systems Administrator
> > Europcar Asia Pacific
> > 157 Mickleham Rd
> > Tullamarine
> > VIC 3043
> > Australia
> > Ph: +61 3 9330 6114
> > Fax: +61 3 9338 6278
> > Mob: +61 410 612 031
> > Email: chris.rosan at europcar.com.au
> >
> >
> >
> > From: Nicole Layne [mailto:NLayne at bb.ibm.com]
> > Sent: Tuesday, 17 January 2006 2:54 AM
> > To: Chris Rosan
> > Cc: radiator at open.com.au
> > Subject: RE: (RADIATOR) Cisco PIX & Radius Authentication Help!
> >
> >
> > Hi Chris,
> >
> > Thanks! I have the PIX set up very similar to your examples, but
> > will go over, just to make sure...
> >
> > Two things,
> >
> > On the VPN client side, does it prompt for username, password AND
> > domain? 'Cause I'm stuck at the domain part, as the PIX has a
> > domain name but the network is just a workgroup.
> >
> > Also, how did you set up your radiator config file?
> >
> > Could you send an example of that?
> >
> >
> > Kind Regards,
> > Nicôle
> >
> > "Chris Rosan" <Chris.Rosan at europcar.com.au>
> > 01/16/2006 11:41 AM
> > To: Nicole Layne/Barbados/IBM at IBMCA, "Hugh Irvine" <hugh at open.com.au>,
> > Nicole Layne/Barbados/IBM at IBMCA
> > cc: <radiator at open.com.au>
> > Subject: RE: (RADIATOR) Cisco PIX & Radius Authentication Help!
> >
> > I have a similar setup. These are the config lines from my PIX 6.3
> > (I've got a similar one running on a v7).
> >
> > aaa-server RADIUS protocol radius
> > aaa-server $RADIUSSERVER protocol radius
> > aaa-server $RADIUSSERVER (inside) host $IPADDRESS $SECRET timeout 5
> >
> >
> >
> > $RADIUSSERVER is the name of your radius server, $IPADDRESS the IP
> > address of your radius server, $SECRET the secret, which has to
> > match both ends.
> >
> > Don't forget to assign a pool of IP's, eg:
> >
> > ip local pool vpn-client 192.168.151.1-192.168.151.254
> >
> > THEN
> >
> > vpngroup eurovpn-all address-pool vpn-client
> > vpngroup eurovpn-all dns-server x.x.x.x
> > vpngroup eurovpn-all default-domain DNSDOMAIN
> > vpngroup eurovpn-all idle-time 1800
> > vpngroup eurovpn-all authentication-server $RADIUSSERVER (must
> > match above name)
> > vpngroup eurovpn-all password ********   (The password in your
> > profile).
> >
> > We aren't using certificates for the first level authentication.
> >
> > Hope this helps.
> >
> >
> > Chris Rosan
> >
> >
> >
> >
> >
> >
> > From: owner-radiator at open.com.au [mailto:owner-
> > radiator at open.com.au] On Behalf Of Nicole Layne
> > Sent: Tuesday, 17 January 2006 1:14 AM
> > To: Hugh Irvine
> > Cc: radiator at open.com.au
> > Subject: Re: (RADIATOR) Cisco PIX & Radius Authentication Help!
> > Importance: High
> >
> >
> > Thanks for looking at this problem and sorry about the lack of
> > proper information:
> >
> > VPN Client: 4.6.00.0045
> >
> > Client is running on Windows XP, Server/Radiator is running on
> > Windows XP.
> >
> > It's a workgroup environment, no domain.
> >
> > Please find the radiator config file attached.
> >
> >
> >
> > On the PIX side, it's version 7.0(4)
> >
> > Here is the configuration:
> >
> >
> >
> > Trace from Radiator:
> >
> > C:\Project\Radiator\goodies>c:\perl\bin\perl c:\perl\bin\radiusd -config_file platypus.cfg -trace 4
> >
> > Mon Jan 16 08:41:47 2006: DEBUG: Finished reading configuration file 'platypus.cfg'
> > This Radiator license will expire on 2006-01-30
> > This Radiator license will stop operating after 1000 requests
> > To purchase an unlimited full source version of Radiator, see
> > http://www.open.com.au/ordering.html
> > To extend your license period, contact admin at open.com.au
> >
> > Mon Jan 16 08:41:48 2006: DEBUG: Reading dictionary file './dictionary'
> > Mon Jan 16 08:41:48 2006: DEBUG: Creating authentication port 0.0.0.0:1645
> > Mon Jan 16 08:41:48 2006: DEBUG: Creating accounting port 0.0.0.0:1646
> > Mon Jan 16 08:41:48 2006: NOTICE: Server started: Radiator 3.13 on Billing (LOCKED)
> >
> > Question:
> >
> > Where it says port 0.0.0.0:1645, should this be "ip address of
> > machine running radiator":1645?
> >
> > Thanks again for any light you can shine...
> >
> >
> > Kind Regards,
> > Nicôle
> >
> > Hugh Irvine <hugh at open.com.au>
> > 01/13/2006 08:01 PM
> > To: Nicole Layne/Barbados/IBM at IBMCA
> > cc: <radiator at open.com.au>
> > Subject: Re: (RADIATOR) Cisco PIX & Radius Authentication Help!
> >
> > Hello Nicole -
> >
> > What VPN client are you using? And what platform is the client
> > running on and what platform is the server running on?
> >
> > In general a VPN client on Windows will be looking for the Windows
> > domain to join.
> >
> > Also note that when you ask questions it is much easier for us to
> > help if you include as much information as possible, including at
> > the very least a copy of the configuration file and a trace 4 debug from
> > Radiator showing what is happening.
> >
> > regards
> >
> > Hugh
> >
> >
> > On 14 Jan 2006, at 00:31, Nicole Layne wrote:
> >
> > >
> > > Hi,
> > >
> > > I have a Cisco PIX 515E, which I've configured for radius
> > > authentication.
> > >
> > > Radiator is set up, where I have the ip address of the PIX as the
> > > client, and the standard author & authen ports.
> > >
> > > What puzzles me is that when a VPN client tries to log in & it
> > > tries to authenticate against the radius server, it asks for
> > > username, password & domain.
> > >
> > > What domain value is it looking for?
> > >
> > >
> > > Thanks in advance for any thoughts on this topic and how I may
> > > further configure.
> > >
> > >
> > > The PIX is at version 7.0(4). Platypus billing is the backend
> > > database that radius uses. I test the username & password against
> > > the radius server locally and that part works fine.
> > >
> > >
> > > Kind Regards,
> > > Nicôle
> >
> >
> > NB:
> >
> > Have you read the reference manual ("doc/ref.html")?
> > Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> > Have you had a quick look on Google (www.google.com)?
> > Have you included a copy of your configuration file (no secrets),
> > together with a trace 4 debug showing what is happening?
> >
> > --
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > -
> > Nets: internetwork inventory and management - graphical, extensible,
> > flexible with hardware, software, platform and database independence.
> > -
> > CATool: Private Certificate Authority for Unix and Unix-like systems.
> >
> >
> >
> >
> >
> > This e-mail message has been scanned for Viruses and Content and
> > cleared by NetIQ MailMarshal
> >
> >
> > This e-mail and any files attached to it are confidential and
> > intended solely for the use of the individual or entity to
> > whom they are addressed. If you have received this e-mail
> > inadvertently or you are not the intended recipient, you may
> > not distribute, copy or in any way rely on it. Further, you
> > should notify the sender immediately and delete the e-mail
> > from your computer. The contents and opinions contained in
> > this e-mail are those of the individual sender unless they
> > are expressly stated to be those of Europcar. Whilst we have
> > taken precautions to alert us to the presence of computer
> > viruses, we cannot and do not guarantee that this email and
> > any files transmitted with it are free from such viruses.
> >
> >
> > This email was scanned for your safety and protection from
> > virus's and offensive content.
> > mailmarshal at europcar.com.au
> >
> >
> >
>
>

