(RADIATOR) Cisco PIX & Radius Authentication Help!

Hugh Irvine hugh at open.com.au
Wed Jan 18 00:49:31 CST 2006


Hello Nicole -

You can use a RewriteUsername in Radiator to change the User-Name.

Something like this:


RewriteUsername s/^Workgroup\\//


hope that helps

regards

Hugh


See section 5.4.20 in the Radiator 3.14 reference manual ("doc/ 
ref.html").

regards

Hugh


On 18 Jan 2006, at 09:20, Nicole Layne wrote:

>
> Thanks Hugh.
>
> I've generated some logs and am convinced now that the problem lies  
> with my database i.e. Platypus.
>
> The PIX passes username, password & domain to the radius server,  
> which then looks to Platypus for these fields.
>
> Problem here is that Radiator interprets the fields from the PIX as  
> username = Domain\username, password = password, but my Platypus  
> database stores entries as username = username, password = password.
>
> e.g.
>
> Radiator sends Workgroup\User1
>
> Platypus contains User1
>
> Therefore, Radiator will never match to any of the users in the  
> database.
>
> I have a call set up with Platypus to see if there's a way to get  
> around this or edit the database, etc.
>
>
> Anyone with Platypus running that saves domain information? :-)
>
>
> Thanks for all of your comments and suggestions, as always...
>
>
> Kind Regards,
> Nicôle
>
>
>
>
>
>
> Hugh Irvine <hugh at open.com.au>
> 01/17/2006 05:19 PM
>
> To
> Nicole Layne/Barbados/IBM at IBMCA
> cc
> radiator at open.com.au
> Subject
> Re: (RADIATOR) Cisco PIX & Radius Authentication Help!
>
>
>
>
>
>
> Hello Nicole -
>
> Comments below.
>
> On 18 Jan 2006, at 03:09, Nicole Layne wrote:
>
> >
> > Ok,
> >
> > I'm checking with Cisco as well.
> >
> > When you look at my platypus.cfg file, is it ok?
> >
> > Like this part here:
> >
>
> This is a normal Client clause.
>
> > <Client 192.168.x.y>
> >         Secret pixsecret
> > </Client>
> >
>
> This is an optional special Client clause that will match any Clients
> not specified by individual Client clauses.
>
> > <Client DEFAULT>
> >         Secret        mysecret
> >         DupInterval 0
> > </Client>
> >
>
> DEFAULT simply means "match any Clients not specified by individual
> Client clauses.
>
> > does the DEFAULT refer to the group? with attributes, i.e. should I
> > set my shared password for client & server in the second client
> > group or the first?
> >
>
> In general you should specify all your Clients with individual Client
> clauses and remove the Client DEFAULT clause.
>
>
> > because it continues in the cfg to define the realm, using the word
> > DEFAULT again....
> >
> > <Realm DEFAULT>
> >         <AuthBy PLATYPUS>
> >
>
> Again this is a Realm clause that will match any Realm suffix not
> explicitly defined by individual Realm ... clauses.
>
> >
> > Just trying to understand the config commands.
> >
>
> I suggest you read the Radiator 3.14 reference manual ("doc/
> ref.html"), and have a look at the comments in the example
> configuration files in the "goodies" directory of the Radiator
> distribution.
>
> regards
>
> Hugh
>
>
> >
> > Kind Regards,
> > Nicôle
> >
> >
> >
> > Hugh Irvine <hugh at open.com.au>
> > Sent by: owner-radiator at open.com.au
> > 01/16/2006 06:32 PM
> >
> > To
> > Nicole Layne/Barbados/IBM at IBMCA
> > cc
> > "Chris Rosan" <Chris.Rosan at europcar.com.au>, radiator at open.com.au
> > Subject
> > Re: (RADIATOR) Cisco PIX & Radius Authentication Help!
> >
> >
> >
> >
> >
> >
> > Hello Nicole -
> >
> > As mentioned in my previous email, I would expect that it is the VPN
> > client that is asking for a Domain - I don't think Radiator is
> > involved in asking for a Domain at all. From memory the Cisco VPN
> > client requires some configuration, so you should check with Cisco
> > how to configure it.
> >
> >
> >                 Where it says port 0.0.0.0:1645, should this be "ip
> > address of
> > machine running radiator":1645?
> >
> >
> > In answer to your question, "0.0.0.0:1645" means to listen on all
> > interfaces present in the machine, which in the simple case is just
> > one.
> >
> > regards
> >
> > Hugh
> >
> >
> >
> > On 17 Jan 2006, at 06:39, Nicole Layne wrote:
> >
> > >
> > > Hi,
> > >
> > > It would be beneficial if I could set up a default domain for all
> > > users in the cfg file.
> > >
> > > Currently radius is getting its user credentials from Platypus 5.1
> > > Billing software. In the software, there is no provision for  
> domain
> > > when creating a user.
> > >
> > > When I test locally with radiator, this setup works... as I only
> > > need to supply username & password in the command window... so I
> > > know that Platypus and radiator are talking ok...
> > >
> > >
> > > Kind Regards,
> > > Nicôle Layne
> > > IT Specialist
> > > IBM World Trade Corporation
> > > nlayne at bb.ibm.com
> > > Tel 246-430-8210 (direct )
> > > Tel 246-426-0670 (PBX)
> > > Fax 246-429-4684
> > >
> > >
> > > "Chris Rosan" <Chris.Rosan at europcar.com.au>
> > > Sent by: owner-radiator at open.com.au
> > > 01/16/2006 12:04 PM
> > >
> > > To
> > > Nicole Layne/Barbados/IBM at IBMCA
> > > cc
> > > <radiator at open.com.au>
> > > Subject
> > > RE: (RADIATOR) Cisco PIX & Radius Authentication Help!
> > >
> > >
> > >
> > >
> > >
> > > Sorry, one more thing.
> > >
> > > We specify the domain in EACH user entry in our database. I know
> > > you can write it into the config file, but as I said, the same
> > > database hosts authentication for multiple access methods through
> > > different providers & different gateways.
> > >
> > > Chris Rosan
> > > Systems Administrator
> > > Europcar Asia Pacific
> > > 157 Mickleham Rd
> > > Tullamarine
> > > VIC 3043
> > > Australia
> > > Ph: +61 3 9330 6114
> > > Fax: +61 3 9338 6278
> > > Mob: +61 410 612 031
> > > Email: chris.rosan at europcar.com.au
> > >
> > >
> > >
> > > From: Nicole Layne [mailto:NLayne at bb.ibm.com]
> > > Sent: Tuesday, 17 January 2006 2:54 AM
> > > To: Chris Rosan
> > > Cc: radiator at open.com.au
> > > Subject: RE: (RADIATOR) Cisco PIX & Radius Authentication Help!
> > >
> > >
> > > Hi Chris,
> > >
> > > Thanks! I have the PIX set up very similar to your examples, but
> > > will go over, just to make sure...
> > >
> > > Two things,
> > >
> > > On the VPN client side, does it prompt for username, password AND
> > > domain? 'Cause I'm stuck at the domain part, as the PIX has a
> > > domain name but the network is just a workgroup.
> > >
> > > Also, how did you set up your radiator config file?
> > >
> > > Could you send an example of that?
> > >
> > >
> > > Kind Regards,
> > > Nicôle
> > >
> > > "Chris Rosan" <Chris.Rosan at europcar.com.au>
> > > 01/16/2006 11:41 AM
> > >
> > >
> > > To
> > > Nicole Layne/Barbados/IBM at IBMCA, "Hugh Irvine" <hugh at open.com.au>,
> > > Nicole Layne/Barbados/IBM at IBMCA
> > > cc
> > > <radiator at open.com.au>
> > > Subject
> > > RE: (RADIATOR) Cisco PIX & Radius Authentication Help!
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > I have similar setup. This is the config lines from my PIX 6.3
> > > (I’ve got similar running a V7.
> > >
> > > aaa-server RADIUS protocol radius
> > > aaa-server $RADIUSSERVER protocol radius
> > > aaa-server $RADIUSSERVER (inside) host $IPADDRESS $SECRET  
> timeout 5
> > >
> > >
> > >
> > > $RADIUSSERVER is the name of your radius server, $IPADDRESS the IP
> > > address of your radius server, $SECRET the secret, which has to
> > > match both ends.
> > >
> > > Don’t forget to assign a pool of IP’s, eg:
> > >
> > > ip local pool vpn-client 192.168.151.1-192.168.151.254
> > >
> > > THEN
> > >
> > > vpngroup eurovpn-all address-pool vpn-client
> > > vpngroup eurovpn-all dns-server x.x.x.x
> > > vpngroup eurovpn-all default-domain DNSDOMAIN
> > > vpngroup eurovpn-all idle-time 1800
> > > vpngroup eurovpn-all authentication-server $RADIUSSERVER (must
> > > match above name
> > > vpngroup eurovpn-all password ********   (The password in your
> > > profile).
> > >
> > > We aren’t using certificates for the first level authentication.
> > >
> > > Hope this helps.
> > >
> > >
> > > Chris Rosan
> > >
> > >
> > >
> > >
> > >
> > >
> > > From: owner-radiator at open.com.au [mailto:owner-
> > > radiator at open.com.au] On Behalf Of Nicole Layne
> > > Sent: Tuesday, 17 January 2006 1:14 AM
> > > To: Hugh Irvine
> > > Cc: radiator at open.com.au
> > > Subject: Re: (RADIATOR) Cisco PIX & Radius Authentication Help!
> > > Importance: High
> > >
> > >
> > > Thanks for looking at this problem and sorry about the lack of
> > > proper information:
> > >
> > > VPN Client: 4.6.00.0045
> > >
> > > Client is running on Windows XP, Server/Radiator is running on
> > > Windows XP.
> > >
> > > It's a workgroup environment, no domain.
> > >
> > > Please find the radiator config file attached.
> > >
> > >
> > >
> > > On the PIX side, it's version 7.0(4)
> > >
> > > Here is the configuration:
> > >
> > >
> > >
> > > Trace from Radiator:
> > >
> > > C:\Project\Radiator\goodies>c:\perl\bin\perl c:\perl\bin\radiusd -
> > > config_file platypus.cfg -trace 4
> > >
> > > Mon Jan 16 08:41:47 2006: DEBUG: Finished reading configuration
> > > file 'platypus.cfg'
> > > This Radiator license will expire on 2006-01-30
> > > This Radiator license will stop operating after 1000 requests
> > > To purchase an unlimited full source version of Radiator, see
> > > http://www.open.com.au/ordering.html
> > > To extend your license period, contact admin at open.com.au
> > >
> > > Mon Jan 16 08:41:48 2006: DEBUG: Reading dictionary file './
> > > dictionary'
> > > Mon Jan 16 08:41:48 2006: DEBUG: Creating authentication port
> > > 0.0.0.0:1645
> > > Mon Jan 16 08:41:48 2006: DEBUG: Creating accounting port
> > 0.0.0.0:1646
> > > Mon Jan 16 08:41:48 2006: NOTICE: Server started: Radiator 3.13 on
> > > Billing (LOCKED)
> > >
> > > Question:
> > >
> > > Where it says port 0.0.0.0:1645, should this be "ip address of
> > > machine running radiator":1645?
> > >
> > > Thanks again for any light you can shine...
> > >
> > >
> > > Kind Regards,
> > > Nicôle
> > > Hugh Irvine <hugh at open.com.au>
> > > 01/13/2006 08:01 PM
> > >
> > >
> > >
> > > To
> > > Nicole Layne/Barbados/IBM at IBMCA
> > > cc
> > > <radiator at open.com.au>
> > > Subject
> > > Re: (RADIATOR) Cisco PIX & Radius Authentication Help!
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > Hello Nicole -
> > >
> > > What VPN client are you using? And what platform is the client
> > > running on and what platform is the server running on?
> > >
> > > In general a VPN client on Windows will be looking for the Windows
> > > domain to join.
> > >
> > > Also note that when you ask questions it is much easier for us to
> > > help if you include as much information as possible, including at
> > the
> > > very least a copy of the configuration file and a trace 4 debug  
> from
> > > Radiator showing what is happening.
> > >
> > > regards
> > >
> > > Hugh
> > >
> > >
> > > On 14 Jan 2006, at 00:31, Nicole Layne wrote:
> > >
> > > >
> > > > Hi,
> > > >
> > > > I have a Cisco PIX 515E, which I've configured for radius
> > > > authentication.
> > > >
> > > > Radiator is set up, where I have the ip address of the PIX as  
> the
> > > > client, and the standard author & authen ports.
> > > >
> > > > What puzzles me is that when a VPN client tries to log in & it
> > > > tries to authenticate against the radius server, it asks for
> > > > username, password & domain.
> > > >
> > > > What domain value is it looking for?
> > > >
> > > >
> > > > Thanks in advance for any thoughts on this topic and how I may
> > > > further configure.
> > > >
> > > >
> > > > The PIX is at version 7.0(4). Platypus billing is the backend
> > > > database that radius uses. I test the username & password  
> against
> > > > the radius server locally and that part works fine.
> > > >
> > > >
> > > > Kind Regards,
> > > > Nicôle
> > >
> > >
> > > NB:
> > >
> > > Have you read the reference manual ("doc/ref.html")?
> > > Have you searched the mailing list archive (www.open.com.au/
> > archives/
> > > radiator)?
> > > Have you had a quick look on Google (www.google.com)?
> > > Have you included a copy of your configuration file (no secrets),
> > > together with a trace 4 debug showing what is happening?
> > >
> > > --
> > > Radiator: the most portable, flexible and configurable RADIUS  
> server
> > > anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > > -
> > > Nets: internetwork inventory and management - graphical,  
> extensible,
> > > flexible with hardware, software, platform and database
> > independence.
> > > -
> > > CATool: Private Certificate Authority for Unix and Unix-like
> > systems.
> > >
> > >
> > >
> > >
> > >
> > > This e-mail message has been scanned for Viruses and Content and
> > > cleared by NetIQ MailMarshal
> > >
> > >
> > > This e-mail and any files attached to it are confidential and
> > > intended solely for the use of the individual or entity to
> > > whom they are addressed. If you have received this e-mail
> > > inadvertently or you are not the intended recipient, you may
> > > not distribute, copy or in any way rely on it. Further, you
> > > should notify the sender immediately and delete the e-mail
> > > from your computer. The contents and opinions contained in
> > > this e-mail are those of the individual sender unless they
> > > are expressly stated to be those of Europcar. Whilst we have
> > > taken precautions to alert us to the presence of computer
> > > viruses, we cannot and do not guarantee that this email and
> > > any files transmitted with it are free from such viruses.
> > >
> > >
> > > This email was scanned for your safety and protection from
> > > virus's and offensive content.
> > > mailmarshal at europcar.com.au
> > >
> > >
> > >
> > > This e-mail message has been scanned for Viruses and Content and
> > > cleared by NetIQ MailMarshal
> > >
> > > This e-mail and any files attached to it are confidential and
> > > intended solely for the use of the individual or entity to
> > > whom they are addressed. If you have received this e-mail
> > > inadvertently or you are not the intended recipient, you may
> > > not distribute, copy or in any way rely on it. Further, you
> > > should notify the sender immediately and delete the e-mail
> > > from your computer. The contents and opinions contained in
> > > this e-mail are those of the individual sender unless they
> > > are expressly stated to be those of Europcar. Whilst we have
> > > taken precautions to alert us to the presence of computer
> > > viruses, we cannot and do not guarantee that this email and
> > > any files transmitted with it are free from such viruses.
> > >
> > >
> > > This email was scanned for your safety and protection from
> > > virus's and offensive content.
> > > mailmarshal at europcar.com.au
> > >
> > >
> >
> >
> > NB:
> >
> > Have you read the reference manual ("doc/ref.html")?
> > Have you searched the mailing list archive (www.open.com.au/ 
> archives/
> > radiator)?
> > Have you had a quick look on Google (www.google.com)?
> > Have you included a copy of your configuration file (no secrets),
> > together with a trace 4 debug showing what is happening?
> >
> > --
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > -
> > Nets: internetwork inventory and management - graphical, extensible,
> > flexible with hardware, software, platform and database  
> independence.
> > -
> > CATool: Private Certificate Authority for Unix and Unix-like  
> systems.
> >
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> >
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/
> radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
> <radiator logs single (to send).txt>


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/ 
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


More information about the radiator mailing list