Hi,

I'm trying to get the above-mentioned combo working.

freeradius is version: "radiusd: FreeRADIUS Version 0.8.1, for host i686-pc-linux-gnu, 
built on Mar 13 2003 at 18:00:13"
The Cisco is running version: "Cisco Systems, Inc./VPN 3000 Concentrator Version 
3.6.7.A Feb 06 2003 23:29:48" vpn3005-3.6.7.A-k9.bin

I can get the Cisco to send authentication requests for a group to freeradius, and 
freeradius replying back to the Cisco. To get the Cisco to send the request for user 
authentication to freeradius, I understand you have to send the right attributes back 
to the Cisco [1], "IPSec Authentication = RADIUS".

I include the following in my /etc/raddb/dictionary:

$INCLUDE dictionary.cisco
$INCLUDE dictionary.cisco.vpn3000

I have configured the group/users in /etc/raddb/users (and understand the security 
implications) like this:

user1     Auth-Type := Local, User-Password == "passwd1"
group1    Auth-Type := Local, User-Password == "passwd2"
        CVPN3000-IPSec-Authentication = "2"

I can see the value is sent back to the Cisco, see [2], but the Cisco never asks for 
authentication of the user.
I tried with values 0..4 of the CVPN3000-IPSec-Authentication without any change in 
behaviour.

Am I doing something wrong or overseeing something simple?

Any help appreciated.

[1]: 
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_tech_note09186a00800948c1.shtml

[2]: 
x:/etc/raddb # radiusd -A -f -s -x
Starting - reading configuration files ...
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Can't connect to SNMP agent with SMUX: Connection refused
Listening on IP address *, ports 1812/udp and 1813/udp.
Ready to process requests.
rad_recv: Access-Request packet from host x.y.z.a:1296, id=1, length=100
        User-Name = "group1"
        User-Password = "pass2"
        NAS-Port = 0
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Tunnel-Client-Endpoint:0 = "80.y.243.x"
        Attr-201588758 = 0x00000005
        NAS-IP-Address = x.y.z.a
        NAS-Port-Type = Virtual
rlm_chap: Could not find proper Chap-Password attribute in request
Login OK: [group1/pass2] (from client x.y.z.a port 0)
Sending Access-Accept of id 1 to x.y.z.a:1296
        CVPN3000-IPSec-Authentication = 2

--
Dangaard Telecom IT A/S
Lars Knudsen
Technical Engineer
Phone:  +45 73303270 Fax: +45 73303271
E-mail: Mailto:[EMAIL PROTECTED]
 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
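
A small helper for reading debug output like the trace in [2], added here as an illustration and not part of the original post: it decodes an unresolved `Attr-N` name into vendor and attribute numbers and checks that the Access-Accept carries the expected reply item. It assumes the packed `(vendor << 16) | attribute` numbering that FreeRADIUS releases of this era print for attributes missing from the loaded dictionaries; the function names and the trimmed sample are constructed.

```python
import re

# Constructed sample: trimmed from the debug output quoted in the post above.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host x.y.z.a:1296, id=1, length=100
        User-Name = "group1"
        Attr-201588758 = 0x00000005
        NAS-Port-Type = Virtual
Login OK: [group1/pass2] (from client x.y.z.a port 0)
Sending Access-Accept of id 1 to x.y.z.a:1296
        CVPN3000-IPSec-Authentication = 2
"""

HEADER_RE = re.compile(r"^(?:rad_recv: ([\w-]+) packet|Sending ([\w-]+) of id \d+)")
ATTR_RE = re.compile(r"^\s+(?P<name>[\w:.-]+) = (?P<value>.*)$")

def split_vsa(name):
    """Decode an unresolved 'Attr-N' name into (vendor_id, attr_number), else None."""
    m = re.fullmatch(r"Attr-(\d+)", name)
    if not m:
        return None
    n = int(m.group(1))
    return (n >> 16, n & 0xFFFF)  # assumption: packed vendor<<16 | attribute

def parse_packets(text):
    """Group the indented attribute lines under the packet header preceding them."""
    packets, current = [], None
    for line in text.splitlines():
        hdr = HEADER_RE.match(line)
        if hdr:
            current = {"type": hdr.group(1) or hdr.group(2), "attrs": {}}
            packets.append(current)
            continue
        attr = ATTR_RE.match(line)
        if attr and current is not None:
            current["attrs"][attr.group("name")] = attr.group("value").strip('"')
        elif not attr:
            current = None  # any non-indented line ends the attribute list
    return packets

def report(text, expected_reply):
    """Return (unresolved vendor attributes seen, whether an Access-Accept has expected_reply)."""
    unresolved, reply_ok = [], False
    for pkt in parse_packets(text):
        unresolved += [v for v in map(split_vsa, pkt["attrs"]) if v and v[0] != 0]
        if pkt["type"] == "Access-Accept" and expected_reply in pkt["attrs"]:
            reply_ok = True
    return unresolved, reply_ok

if __name__ == "__main__":
    print(report(SAMPLE_DEBUG, "CVPN3000-IPSec-Authentication"))
```

For the trace above this gives vendor 3076, attribute 22, with the reply item present in the Access-Accept; 3076 is the IANA enterprise number registered to Altiga Networks, the original maker of the VPN 3000 series.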
