Hello Emilie -

I can only think that the shared secret is incorrect between the Cisco and Radiator.

Please check the shared secrets and if still unsuccessful please send me a trace 5 debug together with the real passwords and the shared secrets so we can check that they are correctly encrypted.

regards

Hugh


On Saturday, Jan 25, 2003, at 08:29 Australia/Melbourne, Emilie Shoop wrote:


Hugh,

I've tried every way I can think of to make this work today. I was at first assuming that since it finds the user "VPNclients" (which is the group name) in the user file, that it should be able to authenticate the group with the user file. Here is the trace that is making me think that way. However, I get Bad Password...which I know is correct. I can log in as the user VPNclients with the same password, when I turn the group authentication on locally on the router.

Code: Access-Request
Identifier: 14
Authentic: <215>iw<236><189><145><29>N=<236><16><243><245>\<171><145>
Attributes:
NAS-IP-Address = x.x.x.x
NAS-Port-Type = Async
User-Name = "VPNclients"
Calling-Station-Id = "y.y.y.y"
User-Password = "|<20>RIQ)5<175>MV<196><21><190><191>5<198>"
Service-Type = Outbound-User

Fri Jan 24 15:26:59 2003: DEBUG: Handling request with Handler 'NAS-IP-Address = "x.x.x.x"'
Fri Jan 24 15:26:59 2003: DEBUG: Deleting session for VPNclients, x.x.x.x,
Fri Jan 24 15:26:59 2003: DEBUG: Handling with Radius::AuthFILE:
Fri Jan 24 15:26:59 2003: DEBUG: Radius::AuthFILE looks for match with VPNclients
Fri Jan 24 15:26:59 2003: DEBUG: Radius::AuthFILE REJECT: Bad Password
Fri Jan 24 15:26:59 2003: INFO: Access rejected for VPNclients: Bad Password
Fri Jan 24 15:26:59 2003: DEBUG: Packet dump:
*** Sending to 141.142.101.54 port 1645 ....
Code: Access-Reject
Identifier: 14
Authentic: <215>iw<236><189><145><29>N=<236><16><243><245>\<171><145>
Attributes:
Reply-Message = "Request Denied"

I tried to create a group that was called VPNclients with the right password, but was unsuccessful in figuring that out.

Any ideas?

Thanks,
Emilie




At 05:12 PM 1/24/2003 +1100, Hugh Irvine wrote:

Hello Emily -

Thanks for sending the URL.

As far as I can see, you will need to use the Cisco VPN client to make
the connection which will first ask you for the group and the group
password, then the username and the username password.

You should configure both the name of the group with its password and
corresponding reply attributes, and the username and password with its
reply attributes.

If you have any other questions, don't hesitate to ask.

regards

Hugh


On Friday, Jan 24, 2003, at 02:15 Australia/Melbourne, Emilie Shoop
wrote:

Hugh,

You are correct about the authentication of the group first, and then
the username.

Here is the url where Cisco explains how to do it on a Cisco Radius server.
http://www.cisco.com/en/US/tech/tk648/tk367/technologies_configuration_example09186a00800949ba.shtml

Does that help?

Thanks,
Emilie

At 08:54 PM 1/23/2003 +1100, Hugh Irvine wrote:

Hello Emilie -

Thanks for sending the trace files.

I am not familiar with this aspect of the Cisco IOS, but it may be
that it tries the group first, and then if it gets an accept it will
try the username.

You should check the Cisco web site to verify how this is supposed to
work, then configure Radiator in consequence.

If you can send me a reference to the Cisco URL I will take a look.

regards

Hugh


On Thursday, Jan 23, 2003, at 02:18 Australia/Melbourne, Emilie Shoop
wrote:

Thanks for the quick response.


This is the trace as I see it with the cisco configured with aaa
authorization network groupauthor local.
*** Received from x.x.x.x port 1645 ....

Packet length = 75
01 f4 00 4b f1 e4 49 72 a8 e7 29 28 94 cf 2a aa
b2 78 13 66 04 06 8d 8e 65 36 3d 06 00 00 00 00
01 08 65 73 68 6f 6f 70 1f 11 31 34 31 2e 31 34
32 2e 31 30 32 2e 31 32 37 02 12 6a 4a a4 90 af
70 8d 39 bf 20 17 0d 76 d3 71 0a
Code: Access-Request
Identifier: 244
Authentic: <241><228>Ir<168><231>)(<148><207>*<170><178>x<19>f
Attributes:
NAS-IP-Address = x.x.x.x
NAS-Port-Type = Async
User-Name = "eshoop"
Calling-Station-Id = "y.y.y.y"
User-Password = "jJ<164><144><175>p<141>9<191> <23><13>v<211>q<10>"

Wed Jan 22 08:57:06 2003: DEBUG: Handling request with Handler 'NAS-IP-Address = "x.x.x.x"'
Wed Jan 22 08:57:06 2003: DEBUG: Deleting session for eshoop, x.x.x.x,
Wed Jan 22 08:57:06 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE looks for match with eshoop
Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE ACCEPT:
Wed Jan 22 08:57:06 2003: DEBUG: Access accepted for eshoop
Wed Jan 22 08:57:06 2003: DEBUG: Packet dump:
*** Sending to x.x.x.x port 1645 ....

Packet length = 32
02 f4 00 20 03 f8 31 7e 5c 75 48 85 30 fd 2c ac
78 94 12 95 19 0c 56 50 4e 63 6c 69 65 6e 74 73
Code: Access-Accept
Identifier: 244
Authentic: <241><228>Ir<168><231>)(<148><207>*<170><178>x<19>f
Attributes:



This is the trace when I changed the cisco config. from aaa
authorization network groupauthor local to aaa authorization network
groupauthor group radius.

Wed Jan 22 09:01:39 2003: DEBUG: Packet dump:
*** Received from x.x.x.x port 1645 ....

Packet length = 85
01 f5 00 55 4b 93 93 fd d5 84 01 d0 28 d5 84 1e
83 05 69 c5 04 06 8d 8e 65 36 3d 06 00 00 00 00
01 0c 56 50 4e 63 6c 69 65 6e 74 73 1f 11 31 34
31 2e 31 34 32 2e 31 30 32 2e 31 32 37 02 12 07
87 dc 59 24 d7 63 07 02 1f 90 c9 cf 15 cf 40 06
06 00 00 00 05
Code: Access-Request
Identifier: 245
Authentic: K<147><147><253><213><132><1><208>(<213><132><30><131><5>i<197>
Attributes:
NAS-IP-Address = x.x.x.x
NAS-Port-Type = Async
User-Name = "VPNclients"
Calling-Station-Id = "y.y.y.y"
User-Password = "<7><135><220>Y$<215>c<7><2><31><144><201><207><21><207>@"
Service-Type = Outbound-User

Wed Jan 22 09:01:39 2003: DEBUG: Handling request with Handler 'NAS-IP-Address = "x.x.x.x"'
Wed Jan 22 09:01:39 2003: DEBUG: Deleting session for VPNclients, x.x.x.x,
Wed Jan 22 09:01:39 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE looks for match with VPNclients
Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE REJECT: Bad Password
Wed Jan 22 09:01:39 2003: INFO: Access rejected for VPNclients: Bad Password
Wed Jan 22 09:01:39 2003: DEBUG: Packet dump:
*** Sending to 141.142.101.54 port 1645 ....

Packet length = 36
03 f5 00 24 1f 66 6f de ba 0f b2 4e 6e 59 b2 0d
fc 53 3e ad 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code: Access-Reject
Identifier: 245
Authentic: K<147><147><253><213><132><1><208>(<213><132><30><131><5>i<197>
Attributes:
Reply-Message = "Request Denied"

It appears to me that it tries to authenticate the group information
(VPNclients and password) before it prompts me for my username.
This fails, so I never put in my personal information. However, if
I change the cisco config back to group authorization locally, I can
log in successfully as a user named VPNclients.

I'm not sure if this is what you were looking for or not?

Thanks,
Emilie

At 11:30 AM 1/22/2003 +1100, Hugh Irvine wrote:

Hello Emilie -

If the Cisco can be configured to do group authentication with
radius, then it should be possible to use Radiator to deal with the
requests.

If you run Radiator at trace 4 you will be able to see the incoming
requests and then you can configure accordingly.

The simplest way to do this sort of debugging is to run radiusd
from the command line and watch the log messages:

perl radiusd -foreground -log_stdout -trace 4 -config_file ......

If you send me a copy of the trace 4 I will try to help.

regards

Hugh



I was wondering if anyone had a sample Radiator config. for authenticating the group information on a Cisco 2611, and subsequently handing out DNS and WINS information?

I have my Radius set up to authenticate the users, but now would like to move the group information (for the group VPNClients) to the radius as well.


Here is my Radius config:

# radius.cfg

LogDir /services/radius/log
DbDir /services/radius/conf
BindAddress x.x.x.x
AuthPort 1812
AcctPort 1813
Trace 5
#User
#Group


#For VPN access
<Client x.x.x.x>
Secret xxxx
</Client>

# For testing: this allows us to honour requests from radpwtst on
localhost
<Client localhost>
Secret mysecret
DupInterval 0
</Client>

#Look for a Realm with an exact match on the realm name
#look for a matching regular expression Realm
#look for a <Realm DEFAULT>
#look at each Handler in the order they appear

#VPN Authentication x.x.x.x
<Handler NAS-IP-Address = "x.x.x.x">
<AuthBy FILE>
Filename %D/vpn_users
</AuthBy>

</Handler>

#Default Handler for anything not specified above
<Handler>
<AuthBy FILE>
#The Filename defaults to %D/users
</AuthBy>
</Handler>

Here is my Cisco 2611 config.:

CLIENT_VPN#sh run


aaa authentication login userauthen group radius
aaa authorization network groupauthor local
aaa session-id common
!
!

crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPNClients
key xxxx
dns x.x.x.x
wins x.x.x.x
domain ncsa.uiuc.edu
pool ippool
!
!
crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set SET1
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!

interface FastEthernet0/0
crypto map clientmap
!

ip local pool ippool x.x.x.x y.y.y.y

radius-server host x.x.x.x auth-port 1812 acct-port 1813 key xxxx
radius-server retransmit 3
call rsvp-sync
!


Thanks,
Emilie

*********************************************************
Emilie Shoop Network Engineer
[EMAIL PROTECTED]
Phone: 217.244.5407 Cell: 217.649.8514
National Center for Supercomputing Applications
**********************************************************

-------------------------------------------------------

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP etc on Unix, Windows, MacOS etc.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
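Hugh's diagnosis at the top of the thread rests on how RADIUS hides User-Password: the NAS XORs the password with MD5(shared secret + Request Authenticator), chained block by block (RFC 2865 section 5.2). A secret mismatch therefore produces no distinct error; the server simply recovers 16 bytes of noise and reports Bad Password, which is exactly what both "VPNclients" traces show. The script below is an added example for this thread, not code from the original mail or from Radiator. It parses the Identifier 245 request from the hex dump in the trace into the same attributes Radiator printed, and implements the check Hugh proposes: decrypt the hidden User-Password with a candidate shared secret and compare it with the password the router is expected to send for the group. The secret and group password in the self-test are made up; to check the real exchange, pass your own shared secret and the group password the linked Cisco document describes.

```python
"""Decode the Access-Request from the trace and check a candidate RADIUS
shared secret against it (RFC 2865 section 5.2 User-Password hiding).

Added example for this thread; not part of the original mail or of Radiator.
PACKET_245_HEX is the hex dump Radiator printed for Identifier 245. The
secret and password used by the self-test below are made up.
"""
import hashlib
import struct

# Hex dump of the Access-Request (Identifier 245) copied from the trace.
PACKET_245_HEX = (
    "01 f5 00 55 4b 93 93 fd d5 84 01 d0 28 d5 84 1e"
    " 83 05 69 c5 04 06 8d 8e 65 36 3d 06 00 00 00 00"
    " 01 0c 56 50 4e 63 6c 69 65 6e 74 73 1f 11 31 34"
    " 31 2e 31 34 32 2e 31 30 32 2e 31 32 37 02 12 07"
    " 87 dc 59 24 d7 63 07 02 1f 90 c9 cf 15 cf 40 06"
    " 06 00 00 00 05"
)
PACKET_245 = bytes.fromhex(PACKET_245_HEX)

ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              6: "Service-Type", 31: "Calling-Station-Id", 61: "NAS-Port-Type"}
SERVICE_TYPES = {1: "Login-User", 2: "Framed-User", 5: "Outbound-User"}
NAS_PORT_TYPES = {0: "Async", 5: "Virtual"}


def parse_radius(raw):
    """Split a RADIUS packet into its header and a list of (type, value) attributes."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("length field %d but %d bytes on the wire" % (length, len(raw)))
    attrs, pos = [], 20
    while pos < length:
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "authenticator": raw[4:20], "attrs": attrs}


def describe(attrs):
    """Render attributes the way the Radiator trace prints them."""
    out = {}
    for atype, value in attrs:
        name = ATTR_NAMES.get(atype, "Attr-%d" % atype)
        if atype in (1, 31):
            out[name] = value.decode("ascii")
        elif atype == 4:
            out[name] = ".".join(str(b) for b in value)
        elif atype == 6:
            out[name] = SERVICE_TYPES.get(struct.unpack("!I", value)[0], value.hex())
        elif atype == 61:
            out[name] = NAS_PORT_TYPES.get(struct.unpack("!I", value)[0], value.hex())
        else:
            out[name] = value  # User-Password stays as the hidden bytes
    return out


def hide_password(password, secret, authenticator):
    """c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_access_request(ident, authenticator, user, password, secret):
    """Minimal Access-Request carrying User-Name and a hidden User-Password."""
    body = bytes([1, 2 + len(user)]) + user
    hidden = hide_password(password, secret, authenticator)
    body += bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body


def secret_matches(raw, secret, expected_password):
    """Hugh's check: with the right shared secret the hidden User-Password
    decrypts to what the NAS sent; with the wrong one it decrypts to noise,
    which the server can only report as Bad Password."""
    pkt = parse_radius(raw)
    hidden = next(value for atype, value in pkt["attrs"] if atype == 2)
    return unhide_password(hidden, secret, pkt["authenticator"]) == expected_password


if __name__ == "__main__":
    pkt = parse_radius(PACKET_245)
    print("Code %d Identifier %d" % (pkt["code"], pkt["id"]))
    for name, value in describe(pkt["attrs"]).items():
        print("  %s = %r" % (name, value))
    # Self-test with a made-up secret and group password (not the real ones).
    auth = bytes(range(16))
    req = build_access_request(7, auth, b"VPNclients", b"made-up-group-key", b"made-up-secret")
    print("right secret:", secret_matches(req, b"made-up-secret", b"made-up-group-key"))
    print("wrong secret:", secret_matches(req, b"xxxx", b"made-up-group-key"))
```

Run stand-alone it prints the same User-Name, NAS-IP-Address, Calling-Station-Id, NAS-Port-Type and Service-Type that the trace lists (the hex dump carries the addresses the prose redacts as x.x.x.x and y.y.y.y). To apply Hugh's suggestion to the captured request, call secret_matches(PACKET_245, your_secret, expected_group_password); a False with the password you are sure the router sends points at the shared secret rather than at the users file.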