Title: RE: Problems with MySQL Auth-Type

Simon,

I got authentication to work with the method you described, but that's only the first level. I realize that I can't make the username the group name. I guess I am not wording it correctly, let me try better this time =).

The Cisco VPN Dialer has a setup section where the user must enter their group name and group password. When they attempt to connect to our VPN, it passes the group name and group password to the concentrator. If that group name and password is authenticated, either via RADIUS or via the VPN's internal database, it then prompts the user to enter their own username and password (individual authorization/authentication). There's no real way to bypass this dual authentication, unless we used digital certificates, which at this point we really can't. So my question is, can I somehow *trick* FreeRADIUS into realizing that the first authorization/authentication request is the group name and password, and then have it still listen for another request (username/password)?

Thanks again for your patience,

Chris DeRamus

-----Original Message-----
From: Simon [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 29, 2002 4:39 PM
To: [EMAIL PROTECTED]
Subject: Re: Problems with MySQL Auth-Type

On Wed, May 29, 2002 at 03:28:36PM -0400, Deramus, Chris wrote:
> Simon,
>
> For the record you are the man :). I'm *almost* there and I do appreciate
> you being in a good today...it must be my lucky day.
>
> I made the changes you suggested and I am now a step further, it does check
> the password file it seems, however it is almost like it's checking the
> radcheck table and not radgroupcheck. It seems that it's taking TestRad as
> the username, and not the group name. This could be the Cisco VPN client or
> maybe I should switch up the query order in sql.conf ? The VPN client first
> logs into the Group, and then prompts the user to enter their username and
> password into a popup dialogue box. It seems that this takes both entries at
> once, any way to change this?

I'm not sure I understand what you mean with the group part above, but
is it the username TestRad you're entering into the dialog box you're
prompted with?

> Thanks again Simon, I owe ya =)!
>
>       User-Name = "TestRad"
>       User-Password = "\255\014\020e\345\377rG\305\014\000n\351\317\0349"
>       NAS-Port = 0
>       Service-Type = Framed-User
>       Framed-Protocol = PPP
>       Tunnel-Client-Endpoint:0 = "63.188.96.2"
>       Attr-201588758 = "\000\000\000\005"
>       NAS-IP-Address = 172.16.0.2
>       NAS-Port-Type = Virtual

Your NAS is sending an auth packet with the attribute User-Name set to
TestRad. Just to make everything as simple as possible I suggest you do
the following (if it's PAP you want to use for authentication):

Add an entry to radcheck with:
UserName = TestRad
Attribute = Password       <-- Literally
Value = YourPassword
op = :=

Add an entry to usergroup with:
UserName = TestRad
GroupName = testgroup

Add an entry to radgroupcheck with:
GroupName = testgroup
Attribute = PAP
op = :=

Then set encryption_scheme in the pap section of the modules section in
radiusd.conf to clear.

Does authentication/authorization work then?
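To make the lookup chain in Simon's reply concrete, here is an added example (not code from the list thread or from FreeRADIUS itself) that loads the three rows into an in-memory SQLite stand-in for the MySQL tables and walks the radcheck, usergroup and radgroupcheck lookups for a given User-Name, then does the PAP comparison that encryption_scheme = clear implies. It assumes the radgroupcheck row is meant as Auth-Type := PAP (the reply lists only Attribute and op for it), and it shows that only the request's User-Name drives the queries, so a group name sent by the dialer is never seen by the SQL module unless it arrives as User-Name.

```python
import sqlite3

# Constructed in-memory stand-in for the MySQL tables the reply names,
# trimmed to the columns it mentions (column names assumed as written there).
SCHEMA = """
CREATE TABLE radcheck (UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup (UserName TEXT, GroupName TEXT);
CREATE TABLE radgroupcheck (GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
"""

# The three entries from the reply. The radgroupcheck row is assumed to mean
# Auth-Type := PAP; the reply itself gives only Attribute and op for it.
ENTRIES = [
    ("INSERT INTO radcheck VALUES (?,?,?,?)", ("TestRad", "Password", ":=", "YourPassword")),
    ("INSERT INTO usergroup VALUES (?,?)", ("TestRad", "testgroup")),
    ("INSERT INTO radgroupcheck VALUES (?,?,?,?)", ("testgroup", "Auth-Type", ":=", "PAP")),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, params in ENTRIES:
        conn.execute(sql, params)
    return conn


def check_items(conn, user_name):
    """Collect check items the way the SQL module's authorize queries do:
    per-user rows from radcheck, then group rows reached via usergroup.
    Only User-Name takes part in the lookup; nothing else in the packet
    (such as a VPN dialer's group name) is consulted."""
    items = {}
    rows = list(conn.execute(
        "SELECT Attribute, op, Value FROM radcheck WHERE UserName = ?",
        (user_name,)))
    rows += list(conn.execute(
        "SELECT g.Attribute, g.op, g.Value FROM radgroupcheck g "
        "JOIN usergroup u ON u.GroupName = g.GroupName WHERE u.UserName = ?",
        (user_name,)))
    for attr, op, value in rows:
        if op == ":=" or attr not in items:  # := replaces any earlier value
            items[attr] = (op, value)
    return items


def pap_auth(conn, user_name, user_password):
    """PAP with encryption_scheme = clear: the stored Password check item is
    compared byte-for-byte with the User-Password from the request."""
    items = check_items(conn, user_name)
    if items.get("Auth-Type", (None, None))[1] != "PAP":
        return False
    stored = items.get("Password")
    return stored is not None and stored[1] == user_password
```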
