Hello Edward -

A Cisco usually requires the same Service-Type value that is present in the radius request to be returned in the radius response, which usually means Service-Type = Framed-User.

However, as mentioned below, the best source of Cisco configuration information is the Cisco web site.

regards

Hugh

On Sat, 22 Dec 2001 01:25, Cheng T K, Edward (TECH_NP&IP NWT) wrote:
> I have the same problem, how can I solve it?
>
> Hello Howard -
>
> On Thursday 06 September 2001 08:26, Jares, Howard M wrote:
> > I am having problems configuring Radiator v2.18.2 to authenticate to a
> > Cisco VPN 5001.
> >
> > I have been testing using the following configuration files:
> >
> > goodies\simple2.cfg:
> > # simple2.cfg
> > #
> > # Example Radiator configuration file.
> > # This very simple file will allow you to get started with
> > # a simple system. You can then add and change features.
> > # We suggest you start simple, prove to yourself that it
> > # works and then develop a more complicated configuration.
> > #
> > # This example will authenticate from a standard users file in
> > # the current directory and log accounting to a file in the current
> > # directory.
> > # It will accept requests from any client and try to handle request
> > # for any realm.
> > # And it will print out what it's doing in great detail.
> > #
> > # See radius.cfg for more complete examples of features and
> > # syntax, and refer to the reference manual for a complete description
> > # of all the features and syntax.
> > #
> > # You should consider this file to be a starting point only
> > # $Id: simple.cfg,v 1.4 2001/04/25 23:47:13 mikem Exp $
> >
> > Foreground
> > LogStdout
> > LogDir .
> > DbDir .
> > DictionaryFile ./dictionary
> > # Use a lower trace level in production systems:
> > Trace 4
> > # Added by Howard Jares
> > AuthPort 1812
> > AcctPort 1813
> >
> > # You will probably want to add other Clients to suit your site,
> > # one for each NAS you want to work with
> > <Client DEFAULT>
> >     Secret *****
> >     DupInterval 0
> > </Client>
> >
> > <Realm DEFAULT>
> >     <AuthBy FILE>
> >         Filename ./users2
> >     </AuthBy>
> >     # Log accounting to a detail file
> >     AcctLogFileName ./detail
> > </Realm>
> >
> >
> > Users2:
> > DEFAULT Service-Type = Administrative-User, Auth-Type = System
> >     Idle-Timeout = 2000,
> >
> > DEFAULT Service-Type = Login-User, Expiration = "Feb 2 2010"
> >     Idle-Timeout = 2001,
> >     Fall-Through = yes
> >
> > # User-Password can be in a number of formats: plaintext,
> > # UNIX encrypted,
> > # SHA encrypted (as used in Netscape LDAP), or Linux MD5 password
> > # defaults to plaintext
> > pwtest1 User-Password = "fred"
> > pwtest2 User-Password = "{SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc="
> > pwtest3 User-Password = "{crypt}1xMKc0GIVUNbE"
> > pwtest4 User-Password = "$1$cTpht$Obu9PLSMst1TDou.mN5bk0"
> > # Encrypted-Password can be in a variety of encryption standards too
> > # but defaults to Unix crypt
> > pwtest5 Encrypted-Password = "{SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc="
> > pwtest6 Encrypted-Password = "{crypt}1xMKc0GIVUNbE"
> > pwtest7 Encrypted-Password = "$1$cTpht$Obu9PLSMst1TDou.mN5bk0"
> > pwtest8 Encrypted-Password = "1xMKc0GIVUNbE"
> > pwtest9 Encrypted-Password = "{MD5}VwqQv7+MfqtdxdTiaDLVsQ=="
> > pwtest10 User-Password = "{MD5}VwqQv7+MfqtdxdTiaDLVsQ=="
> >
> >
> > [EMAIL PROTECTED] User-Password=fred
> >     cisco-VPNGroupInfo=Test,
> >     cisco-VPNPassword=fred
> > #   Connect-Info = "Test"
> >
> > I modified the standard dictionary file to include:
> >
> > #HJ
> > VENDORATTR 9 cisco-VPNPassword 66 string
> > VENDORATTR 9 cisco-VPNGroupInfo 67 string
> > #HJ
> >
> > On the server running Radiator:
> > F:\Radiator-2.18.2>perl radiusd -config=goodies\simple2.cfg
> > Wed Sep 5 16:35:13 2001: DEBUG: Reading users file ./users2
> > Wed Sep 5 16:35:13 2001: INFO: Server started: Radiator 2.18.2 on ks1
> > Wed Sep 5 16:35:24 2001: DEBUG: Packet dump:
> > *** Received from 129.7.209.253 port 2050 ....
> > Code: Access-Request
> > Identifier: 41
> > Authentic: z<190><244>T<25><144><143><7>L1A<15><143>v<27><3>
> > Attributes:
> >     NAS-IP-Address = 129.7.209.253
> >     NAS-Port-Type = Virtual
> >     Service-Type = Authenticate-Only
> >     NAS-Port = 268435459
> >     User-Name = "[EMAIL PROTECTED]"
> >     CHAP-Password = ^Y<18><<228><239><246><230>G^46h1<136>(<243>
> >
> > Wed Sep 5 16:35:24 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > Wed Sep 5 16:35:24 2001: DEBUG: Deleting session for [EMAIL PROTECTED], 129.7.209.253, 268435459
> > Wed Sep 5 16:35:24 2001: DEBUG: Handling with Radius::AuthFILE
> > Wed Sep 5 16:35:24 2001: DEBUG: Radius::AuthFILE looks for match with [EMAIL PROTECTED]
> > Wed Sep 5 16:35:24 2001: DEBUG: Radius::AuthFILE ACCEPT:
> > Wed Sep 5 16:35:24 2001: DEBUG: Access accepted for [EMAIL PROTECTED]
> > Wed Sep 5 16:35:24 2001: DEBUG: Packet dump:
> > *** Sending to 129.7.209.253 port 2050 ....
> > Code: Access-Accept
> > Identifier: 41
> > Authentic: z<190><244>T<25><144><143><7>L1A<15><143>v<27><3>
> > Attributes:
> >     cisco-VPNGroupInfo = "Test"
> >     cisco-VPNPassword = "fred"
> >     Connect-Info = "Test"
> >
> > On 129.7.225.8 I am using the Cisco VPN client version 5.1.1. When I try to
> > connect using [EMAIL PROTECTED], the system sits there and then eventually
> > times out.
> >
> > On the Cisco VPN 5001, I do a
> > show sys log buffer
> > and I get:
> >
> > Notice 9/5/01 16:35:21 New IKE connection: [129.7.225.8]:1284:[EMAIL PROTECTED]
> > Debug 9/5/01 16:35:24 Received RADIUS challenge resp. from [EMAIL PROTECTED] at 129.7.225.8, contacting server
> > Debug 9/5/01 16:35:24 No Connect-Info for [EMAIL PROTECTED]
> > Debug 9/5/01 16:35:24 Bad config from RADIUS server for [EMAIL PROTECTED]
> > Error 9/5/01 16:35:24 No Policy, "", for user, [EMAIL PROTECTED]
> > Notice 9/5/01 16:35:24 <No ifp> ([EMAIL PROTECTED]) reset due to connection failure.
> >
> > On the Cisco VPN I am running VPN 5001 Concentrator V6.0.19.0001.
> >
> > I know I am missing something, but I really don't understand why this
> > doesn't work.
> >
> > Any help you could provide would be appreciated.
> >
> > If we can make this work we are hoping to associate users with particular
> > groups with assigned VPNs. This would be our remote access service to the
> > university.
>
> It looks to me like the Cisco 5001 is expecting some additional reply
> attributes to tell it what to do (most Ciscos expect at least the
> Service-Type to come back the same as it was sent). You should check the
> Cisco web site (or your local support engineer) to find out what additional
> reply attributes are necessary.
>
> regards
>
> Hugh

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
- Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
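
Added example (not part of the thread and not code from the Radiator distribution): a Python check that reads a Radiator Trace 4 packet dump in the format quoted above and reports every Access-Accept that does not return the Service-Type sent in the matching Access-Request, which is the condition described in the reply. The function names, the 192.0.2.10 NAS address and the user name are constructed for illustration.

```python
import re

# Constructed sample in the packet-dump format shown in the thread;
# the NAS address and user name are placeholders, not values from the page.
SAMPLE_TRACE = """\
*** Received from 192.0.2.10 port 2050 ....
Code:       Access-Request
Identifier: 41
Attributes:
        Service-Type = Authenticate-Only
        User-Name = "user@example.invalid"
*** Sending to 192.0.2.10 port 2050 ....
Code:       Access-Accept
Identifier: 41
Attributes:
        cisco-VPNGroupInfo = "Test"
        Connect-Info = "Test"
"""

HEADER = re.compile(r"^\*\*\* (?:Received from|Sending to) (\S+) port \d+")
FIELD = re.compile(r"^(Code|Identifier):\s+(\S+)")
ATTR = re.compile(r"^\s+([\w-]+) = (.*)$")  # attribute lines are indented

def parse_packets(trace):
    """Split a trace into packets: peer, Code, Identifier and attributes."""
    packets = []
    for line in trace.splitlines():
        if (m := HEADER.match(line)):
            packets.append({"peer": m.group(1), "attrs": {}})
        elif packets and (m := FIELD.match(line)):
            packets[-1][m.group(1)] = m.group(2)
        elif packets and (m := ATTR.match(line)):
            packets[-1]["attrs"][m.group(1)] = m.group(2).strip('"')
    return packets

def missing_echoes(trace, attr="Service-Type"):
    """Return (peer, id, requested, replied) for accepts that do not echo attr."""
    pending, findings = {}, []
    for p in parse_packets(trace):
        key = (p["peer"], p.get("Identifier"))  # RADIUS pairs replies by identifier
        if p.get("Code") == "Access-Request":
            pending[key] = p["attrs"].get(attr)
        elif p.get("Code") == "Access-Accept" and pending.get(key):
            requested, replied = pending.pop(key), p["attrs"].get(attr)
            if replied != requested:
                findings.append((*key, requested, replied))
    return findings
```

Run `missing_echoes()` over the text captured from `LogStdout`; an empty list means every accept carried the requested Service-Type back to the NAS.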