(RADIATOR) Authenticating MS l2tp/clients on a cisco VPN server

Bob Shafer bshafer at du.edu
Tue Feb 20 14:45:16 CST 2007


Hugh,

Thanks, as usual, for the quick response and the offer of further 
assistance!

Crude diagram follows - (requires fixed width font to display correctly)


############             ######             ###############
# Internet #-------------# FW #-------------# Our Network #
############   |         ######         |   ###############
               |                        |          |
               |   ##################   |     ##################
               ----# Cisco 3000 VPN #----     # Radius servers #
                   ##################         ##################

Current scenario:

Remote users on the Internet use Cisco VPN client to connect to VPN 
server authenticating against radius servers, running radiator, on our 
network.  Currently the radius servers are isolated from the Internet.

Proposed new world, at least for MS platforms:

MS remote users on the Internet use the MS L2TP/IPsec client to connect 
to that same VPN server (which one of our guys has confirmed does 
support L2TP/IPsec) and authenticate, somehow, against our existing 
authentication infrastructure, which is LDAP, flat files and DBs with 
Radiator as the "front end".  Some passwords are encrypted (LDAP and 
DBs), some are not (flat files).

Some of us would prefer to avoid having to hand out individual 
certificates and/or shared keys.

Some of them would prefer to avoid installing any software on the client 
machines.  Some of us don't mind this idea as long as there's a clean 
method of updating said software.

Does that help with understanding where we are and what (the powers that 
be) want?

What I need to know is, is this possible?  If so, what choices do I have? 
Some recommendation on which choice might get us there fairly quickly 
(did I mention that they want this in place in about 2 weeks? :( ).

Pointers to relevant information and implementation details are always 
welcome.

Thanks,

Bob

Hugh Irvine wrote:
> 
> Hello Bob -
> 
> You sound like a man after my own heart!
> 
> Yes you can keep running Radiator, but what are you going to use as 
> client devices? And what are you going to use as client software?
> 
> We have many customers using SecureW2 on Windows as an 802.1x supplicant:
> 
>     http://www.securew2.com/
> 
> If you can give us a bit more information we will be able to make more 
> suggestions.
> 
> regards
> 
> Hugh
> 
> 
> On 20 Feb 2007, at 11:58, Bob Shafer wrote:
> 
>> We've been using Cisco VPN servers - authenticating via radiator with 
>> a variety of authentication back ends for years. flat file, db and ldap.
>>
>> The powers that be are unhappy because that environment seems to 
>> require an inordinate amount of support time at our Help Desk.  They 
>> would like us to look at using l2tp/ipsec, at least for MS desktops.  
>> Which, of course, is the platform of choice for most everyone.
>>
>> I have never had to deal much with MS stuff, myself.  I do unix and 
>> use a Mac for my desktop.
>>
>> Can anyone give me an idea whether I can still use radiator to 
>> leverage my dumb old ldap, flat file and db back ends for 
>> authentication?  That is, and still provide a secure and stable 
>> environment?  Or do I, at the age of 58, need to taint my perfect 
>> record of having never had to deal, directly, with MS products?  (And 
>> me getting closer to retirement, every day? ;)
>>
>> Any hints, pointers and ideas will be most appreciated.
>>
>> Thanks,
>>
>> Bob Shafer
>> University of Denver
>>
>> -- 
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
> 
> 
> 
> NB:
> 
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive 
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> 
> 
