(RADIATOR) Authenticating MS l2tp/clients on a cisco VPN server
Hugh Irvine
hugh at open.com.au
Tue Feb 20 15:00:58 CST 2007
Hello Bob -
Thanks for the additional information.
As long as the MS VPN client can connect to the Cisco and the Cisco
can then send a RADIUS authentication request to Radiator it should
be possible to do what you describe.
The best thing to do is set up a test lab and try it out. Once we
have a trace 4 debug from Radiator to look at we will be able to see
what is possible.
regards
Hugh
On 21 Feb 2007, at 07:45, Bob Shafer wrote:
> Hugh,
>
> Thanks, as usual, for the quick response and the offer of further
> assistance!
>
> Crude diagram follows - (requires fixed width font to display
> correctly)
>
>
> ############             ######             ###############
> # Internet #-------------# FW #-------------# Our Network #
> ############  |          ######        |    ###############
>               |                        |           |
>               |   ##################   |  ##################
>               ----# Cisco 3000 VPN #----  # Radius servers #
>                   ##################      ##################
>
> Current scenario:
>
> Remote users on the Internet use the Cisco VPN client to connect to
> the VPN server, authenticating against RADIUS servers running
> Radiator on our network. Currently the RADIUS servers are isolated
> from the Internet.
>
> Proposed new world, at least for MS platforms:
>
> MS remote users on the Internet use the MS L2TP/IPsec client to
> connect to that same VPN server (which one of our guys has
> confirmed does support L2TP/IPsec) and authenticate, somehow,
> against our existing authentication infrastructure, which is LDAP,
> flat files and DBs with Radiator as the "front end". Some
> passwords are encrypted (LDAP and DBs), some are not (flat files).
>
> Some of us would prefer to avoid having to hand out individual
> certificates and/or shared keys.
>
> Some of them would prefer to avoid installing any software on the
> client machines. Some of us don't mind this idea as long as
> there's a clean method of updating said software.
>
> Does that help with understanding where we are and what (the powers
> that be) want?
>
> What I need to know is, is this possible? If so, what choices do I
> have? Some recommendation on which choice might get us there fairly
> quickly (did I mention that they want this in place in about 2
> weeks? :(.
>
> Pointers to relevant information and implementation details are
> always welcome.
>
> Thanks,
>
> Bob
>
> Hugh Irvine wrote:
>> Hello Bob -
>> You sound like a man after my own heart!
>> Yes you can keep running Radiator, but what are you going to use
>> as client devices? And what are you going to use as client software?
>> We have many customers using SecureW2 on Windows as an 802.1x
>> supplicant:
>> http://www.securew2.com/
>> If you can give us a bit more information we will be able to make
>> more suggestions.
>> regards
>> Hugh
>> On 20 Feb 2007, at 11:58, Bob Shafer wrote:
>>> We've been using Cisco VPN servers - authenticating via Radiator
>>> with a variety of authentication back ends for years: flat file,
>>> DB and LDAP.
>>>
>>> The powers that be are unhappy because that environment seems to
>>> require an inordinate amount of support time at our Help Desk.
>>> They would like us to look at using L2TP/IPsec, at least for MS
>>> desktops, which, of course, is the platform of choice for most
>>> everyone.
>>>
>>> I have never had to deal much with MS stuff, myself. I do unix
>>> and use a Mac for my desktop.
>>>
>>> Can anyone give me an idea whether I can still use Radiator to
>>> leverage my dumb old LDAP, flat file and DB back ends for
>>> authentication? That is, and still provide a secure and stable
>>> environment? Or do I, at the age of 58, need to taint my perfect
>>> record of having never had to deal, directly, with MS products?
>>> (And me getting closer to retirement, every day? ;)
>>>
>>> Any hints pointers and ideas will be most appreciated.
>>>
>>> Thanks,
>>>
>>> Bob Shafer
>>> University of Denver
>>>
>>> --
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>> NB:
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/
>> archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> Includes support for reliable RADIUS transport (RadSec),
>> and DIAMETER translation agent.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
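An added example, not from this thread or from the Radiator distribution, of what the Radiator side of the proposed setup could look like: the Cisco VPN 3000 as the only RADIUS client, with the LDAP, SQL and flat-file back ends tried in turn. The client address, shared secrets, host name, base DN and SQL table/column names are assumed placeholders.

```conf
# Added example (not from the thread). All addresses, secrets, DNs and
# table names are placeholders to be replaced for a real lab.
Foreground
LogStdout
LogDir   /var/log/radiator
DbDir    /etc/radiator
Trace    4            # the "trace 4 debug" asked for in the thread

# Only the VPN concentrator may send RADIUS requests to this server
<Client 192.0.2.10>
    Secret      REPLACE_WITH_SHARED_SECRET
    Identifier  cisco-vpn3000
</Client>

<Handler Client-Identifier=cisco-vpn3000>
    # Try each back end in turn until one accepts the user
    <AuthBy GROUP>
        AuthByPolicy ContinueWhileReject

        # Caveat for the MS L2TP/IPsec client: its PPP session is normally
        # authenticated with MS-CHAPv2, which can only be verified against a
        # plaintext or NT-hash password. Back ends that store one-way hashes
        # (e.g. crypt or SHA in LDAP or the DB) will reject MS-CHAPv2 users
        # even though PAP users from the Cisco client still succeed.
        <AuthBy LDAP2>
            Host          ldap.example.edu
            BaseDN        ou=people,dc=example,dc=edu
            UsernameAttr  uid
            PasswordAttr  userPassword
        </AuthBy>

        <AuthBy SQL>
            DBSource    dbi:mysql:radius
            DBUsername  radiator
            DBAuth      REPLACE_WITH_DB_PASSWORD
            AuthSelect  select PASSWORD from SUBSCRIBERS where USERNAME=%0
        </AuthBy>

        # Flat file with plaintext passwords: works with both PAP and MS-CHAPv2
        <AuthBy FILE>
            Filename    %D/users
        </AuthBy>
    </AuthBy>
</Handler>
```

Running this in a lab with Trace 4 shows which back end answered each request and which authentication method the Cisco forwarded for the MS client.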