---------- Forwarded Message ----------
Subject: BOUNCE [EMAIL PROTECTED]: Non-member submission from [Emilie Shoop <[EMAIL PROTECTED]>]
Date: Thu, 23 Jan 2003 04:17:30 -0600
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

>From [EMAIL PROTECTED] Thu Jan 23 04:17:19 2003
Received: from mail.ncsa.uiuc.edu (mail.ncsa.uiuc.edu [141.142.2.28]) by server1.open.com.au (8.11.0/8.11.0) with ESMTP id h0NAHJx20486; Thu, 23 Jan 2003 04:17:19 -0600
X-Envelope-From: [EMAIL PROTECTED]
X-Envelope-To: [EMAIL PROTECTED]
Received: from D7YKZ021.ncsa.uiuc.edu (cab-wireless-127.ncsa.uiuc.edu [141.142.102.127]) by mail.ncsa.uiuc.edu (8.11.6/8.11.6) with ESMTP id h0NFGRk25289; Thu, 23 Jan 2003 09:16:27 -0600
Message-Id: <[EMAIL PROTECTED]>
X-Sender: [EMAIL PROTECTED] (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 5.1.1
Date: Thu, 23 Jan 2003 09:15:50 -0600
To: Hugh Irvine <[EMAIL PROTECTED]>
From: Emilie Shoop <[EMAIL PROTECTED]>
Subject: Re: (RADIATOR) Cisco 2611 VPN group authentication
Cc: [EMAIL PROTECTED]
In-Reply-To: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

Hugh,

You are correct about the authentication of the group first, and then the username. Here is the URL where Cisco explains how to do it on a Cisco Radius server.

http://www.cisco.com/en/US/tech/tk648/tk367/technologies_configuration_example09186a00800949ba.shtml

Does that help?

Thanks,
Emilie

At 08:54 PM 1/23/2003 +1100, Hugh Irvine wrote:
>Hello Emilie -
>
>Thanks for sending the trace files.
>
>I am not familiar with this aspect of the Cisco IOS, but it may be that it tries the group first, and then if it gets an accept it will try the username.
>
>You should check the Cisco web site to verify how this is supposed to work, then configure Radiator in consequence.
>
>If you can send me a reference to the Cisco URL I will take a look.
>
>regards
>
>Hugh
>
>On Thursday, Jan 23, 2003, at 02:18 Australia/Melbourne, Emilie Shoop wrote:
>>Thanks for the quick response.
>>
>>
>>This is the trace as I see it with the cisco configured with aaa authorization network groupauthor local.
>>
>>*** Received from x.x.x.x port 1645 ....
>>
>>Packet length = 75
>>01 f4 00 4b f1 e4 49 72 a8 e7 29 28 94 cf 2a aa
>>b2 78 13 66 04 06 8d 8e 65 36 3d 06 00 00 00 00
>>01 08 65 73 68 6f 6f 70 1f 11 31 34 31 2e 31 34
>>32 2e 31 30 32 2e 31 32 37 02 12 6a 4a a4 90 af
>>70 8d 39 bf 20 17 0d 76 d3 71 0a
>>Code: Access-Request
>>Identifier: 244
>>Authentic: <241><228>Ir<168><231>)(<148><207>*<170><178>x<19>f
>>Attributes:
>>	NAS-IP-Address = x.x.x.x
>>	NAS-Port-Type = Async
>>	User-Name = "eshoop"
>>	Calling-Station-Id = "y.y.y.y"
>>	User-Password = "jJ<164><144><175>p<141>9<191><23><13>v<211>q<10>"
>>
>>Wed Jan 22 08:57:06 2003: DEBUG: Handling request with Handler 'NAS-IP-Address = "x.x.x.x"'
>>Wed Jan 22 08:57:06 2003: DEBUG: Deleting session for eshoop, x.x.x.x,
>>Wed Jan 22 08:57:06 2003: DEBUG: Handling with Radius::AuthFILE:
>>Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE looks for match with eshoop
>>Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE ACCEPT:
>>Wed Jan 22 08:57:06 2003: DEBUG: Access accepted for eshoop
>>Wed Jan 22 08:57:06 2003: DEBUG: Packet dump:
>>*** Sending to x.x.x.x port 1645 ....
>>
>>Packet length = 32
>>02 f4 00 20 03 f8 31 7e 5c 75 48 85 30 fd 2c ac
>>78 94 12 95 19 0c 56 50 4e 63 6c 69 65 6e 74 73
>>Code: Access-Accept
>>Identifier: 244
>>Authentic: <241><228>Ir<168><231>)(<148><207>*<170><178>x<19>f
>>Attributes:
>>
>>
>>This is the trace when I changed the cisco config. from aaa authorization network groupauthor local to aaa authorization network groupauthor group radius.
>>
>>Wed Jan 22 09:01:39 2003: DEBUG: Packet dump:
>>*** Received from x.x.x.x port 1645 ....
>>
>>Packet length = 85
>>01 f5 00 55 4b 93 93 fd d5 84 01 d0 28 d5 84 1e
>>83 05 69 c5 04 06 8d 8e 65 36 3d 06 00 00 00 00
>>01 0c 56 50 4e 63 6c 69 65 6e 74 73 1f 11 31 34
>>31 2e 31 34 32 2e 31 30 32 2e 31 32 37 02 12 07
>>87 dc 59 24 d7 63 07 02 1f 90 c9 cf 15 cf 40 06
>>06 00 00 00 05
>>Code: Access-Request
>>Identifier: 245
>>Authentic: K<147><147><253><213><132><1><208>(<213><132><30><131><5>i<197>
>>Attributes:
>>	NAS-IP-Address = x.x.x.x
>>	NAS-Port-Type = Async
>>	User-Name = "VPNclients"
>>	Calling-Station-Id = "y.y.y.y"
>>	User-Password = "<7><135><220>Y$<215>c<7><2><31><144><201><207><21><207>@"
>>	Service-Type = Outbound-User
>>
>>Wed Jan 22 09:01:39 2003: DEBUG: Handling request with Handler 'NAS-IP-Address = "x.x.x.x"'
>>Wed Jan 22 09:01:39 2003: DEBUG: Deleting session for VPNclients, x.x.x.x,
>>Wed Jan 22 09:01:39 2003: DEBUG: Handling with Radius::AuthFILE:
>>Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE looks for match with VPNclients
>>Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE REJECT: Bad Password
>>Wed Jan 22 09:01:39 2003: INFO: Access rejected for VPNclients: Bad Password
>>Wed Jan 22 09:01:39 2003: DEBUG: Packet dump:
>>*** Sending to 141.142.101.54 port 1645 ....
>>
>>Packet length = 36
>>03 f5 00 24 1f 66 6f de ba 0f b2 4e 6e 59 b2 0d
>>fc 53 3e ad 12 10 52 65 71 75 65 73 74 20 44 65
>>6e 69 65 64
>>Code: Access-Reject
>>Identifier: 245
>>Authentic: K<147><147><253><213><132><1><208>(<213><132><30><131><5>i<197>
>>Attributes:
>>	Reply-Message = "Request Denied"
>>
>>It appears to me that it tries to authenticate the group information (VPNclients and password) before it prompts me for my username. This fails, so I never put in my personal information. However, if I change the cisco config back to group authorization locally, I can log in successfully as a user named VPNclients.
>>
>>I'm not sure if this is what you were looking for or not?
>>
>>Thanks,
>>Emilie
>>
>>At 11:30 AM 1/22/2003 +1100, Hugh Irvine wrote:
>>>Hello Emilie -
>>>
>>>If the Cisco can be configured to do group authentication with radius, then it should be possible to use Radiator to deal with the requests.
>>>
>>>If you run Radiator at trace 4 you will be able to see the incoming requests and then you can configure accordingly.
>>>
>>>The simplest way to do this sort of debugging is to run radiusd from the command line and watch the log messages:
>>>
>>>	perl radiusd -foreground -log_stdout -trace 4 -config_file ......
>>>
>>>If you send me a copy of the trace 4 I will try to help.
>>>
>>>regards
>>>
>>>Hugh
>>>
>>>>I was wondering if anyone had a sample Radiator config. for authenticating the group information on a Cisco 2611, and subsequently handing out DNS and WINS information?
>>>>
>>>>I have my Radius set up to authenticate the users, but now would like to move the group information (for the group VPNClients) to the radius as well.
>>>>
>>>>
>>>>Here is my Radius config:
>>>>
>>>># radius.cfg
>>>>
>>>>LogDir /services/radius/log
>>>>DbDir /services/radius/conf
>>>>BindAddress x.x.x.x
>>>>AuthPort 1812
>>>>AcctPort 1813
>>>>Trace 5
>>>>#User
>>>>#Group
>>>>
>>>>
>>>>#For VPN access
>>>><Client x.x.x.x>
>>>>	Secret xxxx
>>>></Client>
>>>>
>>>># For testing: this allows us to honour requests from radpwtst on localhost
>>>><Client localhost>
>>>>	Secret mysecret
>>>>	DupInterval 0
>>>></Client>
>>>>
>>>>#Look for a Realm with an exact match on the realm name
>>>>#look for a matching regular expression Realm
>>>>#look for a <Realm DEFAULT>
>>>>#look at each Handler in the order they appear
>>>>
>>>>#VPN Authentication x.x.x.x
>>>><Handler NAS-IP-Address = "x.x.x.x">
>>>>	<AuthBy FILE>
>>>>		Filename %D/vpn_users
>>>>	</AuthBy>
>>>>
>>>></Handler>
>>>>
>>>>#Default Handler for anything not specified above
>>>><Handler>
>>>>	<AuthBy FILE>
>>>>		#The Filename defaults to %D/users
>>>>	</AuthBy>
>>>></Handler>
>>>>
>>>>Here is my Cisco 2611 config.:
>>>>
>>>>CLIENT_VPN#sh run
>>>>
>>>>
>>>>aaa authentication login userauthen group radius
>>>>aaa authorization network groupauthor local
>>>>aaa session-id common
>>>>!
>>>>!
>>>>
>>>>crypto isakmp policy 3
>>>> encr 3des
>>>> authentication pre-share
>>>> group 2
>>>>!
>>>>crypto isakmp client configuration group VPNClients
>>>> key xxxx
>>>> dns x.x.x.x
>>>> wins x.x.x.x
>>>> domain ncsa.uiuc.edu
>>>> pool ippool
>>>>!
>>>>!
>>>>crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
>>>>!
>>>>crypto dynamic-map dynmap 10
>>>> set transform-set SET1
>>>>!
>>>>!
>>>>crypto map clientmap client authentication list userauthen
>>>>crypto map clientmap isakmp authorization list groupauthor
>>>>crypto map clientmap client configuration address respond
>>>>crypto map clientmap 10 ipsec-isakmp dynamic dynmap
>>>>!
>>>>
>>>>interface FastEthernet0/0
>>>> crypto map clientmap
>>>>!
>>>>
>>>>ip local pool ippool x.x.x.x y.y.y.y
>>>>
>>>>radius-server host x.x.x.x auth-port 1812 acct-port 1813 key xxxx
>>>>radius-server retransmit 3
>>>>call rsvp-sync
>>>>!
>>>>
>>>>
>>>>Thanks,
>>>>Emilie
>>>>
>>>>*********************************************************
>>>> Emilie Shoop                        Network Engineer
>>>> [EMAIL PROTECTED]
>>>> Phone: 217.244.5407                 Cell: 217.649.8514
>>>> National Center for Supercomputing Applications
>>>>**********************************************************
>>>>
>>>>-------------------------------------------------------
>>>>
>>>>--
>>>>Mike McCauley [EMAIL PROTECTED]
>>>>Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
>>>>24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
>>>>Phone +61 3 9598-0985 Fax +61 3 9598-0955
>>>>
>>>>Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP etc on Unix, Windows, MacOS etc.
>>>>
>>>>===
>>>>Archive at http://www.open.com.au/archives/radiator/
>>>>Announcements on [EMAIL PROTECTED]
>>>>To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
>>>
>>>--
>>>Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
>>>-
>>>Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
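The two Access-Requests quoted in the thread differ in exactly the way Hugh and Emilie describe: the group request carries the group name as User-Name and is marked Service-Type = Outbound-User, while the user request carries no Service-Type at all. The decoder below is an added example, not code from the thread, from Radiator or from Cisco. It parses the four hex dumps copied from Emilie's trace 4 output, names the attributes per RFC 2865, classifies each request as a group or user authentication, and includes the RFC 2865 User-Password hiding round trip so it is clear that the RADIUS server, not the trace reader, recovers the group key from the hidden bytes. The shared secret and the password used in that round trip are constructed placeholders; the real secret is not on the page. Decoding the Access-Accept bytes also shows a Class = "VPNclients" attribute that the abbreviated Attributes listing in the trace left blank.

```python
"""Decode the Radiator trace 4 hex dumps quoted in the thread and tell the
Cisco's group request apart from its user request.

Added example; not code from the thread, from Radiator or from Cisco.
The four hex dumps are copied from the traces quoted above. Attribute
numbers and the User-Password hiding scheme follow RFC 2865.
"""
import hashlib
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ATTRIBUTES = {
    1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 6: "Service-Type",
    18: "Reply-Message", 25: "Class", 31: "Calling-Station-Id", 61: "NAS-Port-Type",
}
SERVICE_TYPES = {1: "Login-User", 2: "Framed-User", 5: "Outbound-User"}
NAS_PORT_TYPES = {0: "Async", 5: "Virtual"}

# Hex dumps copied verbatim from the Radiator traces quoted in the thread.
USER_REQUEST = """
01 f4 00 4b f1 e4 49 72 a8 e7 29 28 94 cf 2a aa
b2 78 13 66 04 06 8d 8e 65 36 3d 06 00 00 00 00
01 08 65 73 68 6f 6f 70 1f 11 31 34 31 2e 31 34
32 2e 31 30 32 2e 31 32 37 02 12 6a 4a a4 90 af
70 8d 39 bf 20 17 0d 76 d3 71 0a
"""
USER_ACCEPT = """
02 f4 00 20 03 f8 31 7e 5c 75 48 85 30 fd 2c ac
78 94 12 95 19 0c 56 50 4e 63 6c 69 65 6e 74 73
"""
GROUP_REQUEST = """
01 f5 00 55 4b 93 93 fd d5 84 01 d0 28 d5 84 1e
83 05 69 c5 04 06 8d 8e 65 36 3d 06 00 00 00 00
01 0c 56 50 4e 63 6c 69 65 6e 74 73 1f 11 31 34
31 2e 31 34 32 2e 31 30 32 2e 31 32 37 02 12 07
87 dc 59 24 d7 63 07 02 1f 90 c9 cf 15 cf 40 06
06 00 00 00 05
"""
GROUP_REJECT = """
03 f5 00 24 1f 66 6f de ba 0f b2 4e 6e 59 b2 0d
fc 53 3e ad 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
"""


def _decode_value(attr_type, value):
    if attr_type == 4:                       # NAS-IP-Address: dotted quad
        return ".".join(str(b) for b in value)
    if attr_type in (6, 61):                 # 32-bit enumerated values
        number = int.from_bytes(value, "big")
        table = SERVICE_TYPES if attr_type == 6 else NAS_PORT_TYPES
        return table.get(number, number)
    if attr_type == 2:                       # User-Password stays as hidden bytes
        return value
    return value.decode("ascii", "replace")


def parse_radius(hexdump):
    """Parse one RADIUS packet (RFC 2865 layout) from a whitespace-separated hex dump."""
    raw = bytes.fromhex(hexdump)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw) or length < 20:
        raise ValueError("length field %d does not match %d bytes" % (length, len(raw)))
    attributes = []
    pos = 20                                 # header: code, id, length, 16-byte authenticator
    while pos < length:
        attr_type, attr_len = raw[pos], raw[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        name = ATTRIBUTES.get(attr_type, "Attr-%d" % attr_type)
        attributes.append((name, _decode_value(attr_type, raw[pos + 2:pos + attr_len])))
        pos += attr_len
    return {"code": CODES.get(code, code), "identifier": ident,
            "authenticator": raw[4:20], "attributes": attributes}


def classify_request(packet):
    """The Cisco marks its group-credential request with Service-Type = Outbound-User;
    the plain user login request in the trace carries no Service-Type at all."""
    attrs = dict(packet["attributes"])
    return "group" if attrs.get("Service-Type") == "Outbound-User" else "user"


def _pap_xor(data, secret, authenticator, hiding):
    # RFC 2865 5.2: block i is XORed with MD5(secret + previous hidden block);
    # the first block is chained from the Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        mixed = bytes(a ^ b for a, b in zip(block, key))
        out += mixed
        prev = mixed if hiding else block
    return out


def hide_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)
    return _pap_xor(padded, secret, authenticator, hiding=True)


def unhide_password(hidden, secret, authenticator):
    return _pap_xor(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")


if __name__ == "__main__":
    for label, dump in (("user request", USER_REQUEST), ("user reply", USER_ACCEPT),
                        ("group request", GROUP_REQUEST), ("group reply", GROUP_REJECT)):
        pkt = parse_radius(dump)
        print(label, pkt["code"], pkt["identifier"], classify_request(pkt), pkt["attributes"])
    # Constructed secret and key (placeholders, not the thread's values): only the
    # side holding the right shared secret recovers the group key.
    req = parse_radius(GROUP_REQUEST)
    hidden = hide_password(b"example-group-key", b"constructed-secret", req["authenticator"])
    print(unhide_password(hidden, b"constructed-secret", req["authenticator"]))
```

Because the group request is the one the vpn_users file rejected with "Bad Password", the Service-Type = Outbound-User marker is the natural attribute to route on if the group credential is to be kept in a separate file from the per-user entries; whether to do that with a second Handler or a second entry in the existing file is a deployment choice the thread leaves to the Cisco document Emilie links.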