Re: (RADIATOR) Cisco 2611 VPN group authentication

2003-01-31 Thread Hugh Irvine

Hello Emilie -

Thanks for the update.

I will need to see a trace 4 debug from Radiator showing what is 
happening.

I suspect the Service-Type in the access request for eshoop does not 
match what you have in your users file.

regards

Hugh


On Saturday, Feb 1, 2003, at 03:10 Australia/Melbourne, Emilie Shoop 
wrote:

Hugh,

It turns out that it was looking for the password cisco, so after I 
set it to that, it was successful.

Now onto my next problem.  I have been successful in getting the group 
and user to authenticate, but not establish a connection. I believe 
that I am missing some reply  attributes. Can you tell me what I am 
missing? And where do I put them?

Here is my working Radiator config:
# radius.cfg

LogDir /services/radius/log
DbDir /services/radius/conf
BindAddress x.x.x.25
AuthPort 1812
AcctPort 1813
Trace 5


#For VPN access
<Client x.x.x.54>
	Secret 
</Client>

#VPN Authentication x.x.x.54
<Handler NAS-IP-Address = x.x.x.54>
	<AuthBy FILE>
		Filename %D/vpn_users
	</AuthBy>

	PasswordLogFileName %D/passwordlog
</Handler>


Here is my vpn_users file:

eshoop	User-Password = x
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	cisco-avpair = "ISAKMP:addr-pool=ippool"

VPNclients	User-Password = cisco
	cisco-avpair = "ipsec:key-exchange=ike",
	cisco-avpair = "tunnel-password=bbb"



Here is my debug from my 2611:

5w1d: ISAKMP (0:0): received packet from x.x.x.127 (N) NEW SA
5w1d: ISAKMP: local port 500, remote port 500
5w1d: ISAKMP: Created a peer node for x.x.x.127
5w1d: ISAKMP (0:1): Setting client config settings 82DE3AE0
5w1d: ISAKMP (0:1): (Re)Setting client xauth list userauthen and
state
5w1d: ISAKMP: Locking CONFIG struct 0x82DE3AE0 from
crypto_ikmp_config_initialize_sa, count 1
5w1d: ISAKMP (0:1): processing SA payload. message ID = 0
5w1d: ISAKMP (0:1): processing ID payload. message ID = 0
5w1d: ISAKMP (0:1): processing vendor id payload
5w1d: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major
5w1d: ISAKMP (0:1): vendor ID is XAUTH
5w1d: ISAKMP (0:1): processing vendor id payload
5w1d: ISAKMP (0:1): vendor ID is DPD
5w1d: ISAKMP (0:1): processing vendor id payload
5w1d: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major
5w1d: ISAKMP (0:1): processing vendor id payload
5w1d: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major
5w1d: ISAKMP (0:1): processing vendor id payload
5w1d: ISAKMP (0:1): vendor ID is Unity
5w1d: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 3
policy
5w1d: ISAKMP: encryption... What? 7?
5w1d: ISAKMP: hash SHA
5w1d: ISAKMP: default group 2
5w1d: ISAKMP: auth XAUTHInitPreShared
5w1d: ISAKMP: life type in seconds
5w1d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
5w1d: ISAKMP: attribute 14
5w1d: ISAKMP (0:1): Encryption algorithm offered does not match
policy!
5w1d: ISAKMP (0:1): atts are not acceptable. Next payload is 3
5w1d: ISAKMP (0:1): Checking ISAKMP transform 2 against priority 3
policy
5w1d: ISAKMP: encryption... What? 7?
5w1d: ISAKMP: hash MD5
5w1d: ISAKMP: default group 2
5w1d: ISAKMP: auth XAUTHInitPreShared
5w1d: ISAKMP: life type in seconds
5w1d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
5w1d: ISAKMP: attribute 14
5w1d: ISAKMP (0:1): Encryption algorithm offered does not match
policy!
5w1d: ISAKMP (0:1): atts are not acceptable. Next payload is 3
5w1d: ISAKMP (0:1): Checking ISAKMP transform 3 against priority 3
policy
5w1d: ISAKMP: encryption... What? 7?
5w1d: ISAKMP: hash SHA
5w1d: ISAKMP: default group 2
5w1d: ISAKMP: auth pre-share
5w1d: ISAKMP: life type in seconds
5w1d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
5w1d: ISAKMP: attribute 14
5w1d: ISAKMP (0:1): Encryption algorithm offered does not match
policy!
5w1d: ISAKMP (0:1): atts are not acceptable. Next payload is 3
5w1d: ISAKMP (0:1): Checking ISAKMP transform 4 against priority 3
policy
5w1d: ISAKMP: encryption... What? 7?
5w1d: ISAKMP: hash MD5
5w1d: ISAKMP: default group 2
5w1d: ISAKMP: auth pre-share
5w1d: ISAKMP: life type in seconds
5w1d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
5w1d: ISAKMP: attribute 14
5w1d: ISAKMP (0:1): Encryption algorithm offered does not match
policy!
5w1d: ISAKMP (0:1): atts are not acceptable. Next payload is 3
5w1d: ISAKMP (0:1): Checking ISAKMP transform 5 against priority 3
policy
5w1d: ISAKMP: encryption... What? 7?
5w1d: ISAKMP: hash SHA
5w1d: ISAKMP: default group 2
5w1d: ISAKMP: auth XAUTHInitPreShared
5w1d: ISAKMP: life type in seconds
5w1d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
5w1d: ISAKMP: attribute 14
5w1d: ISAKMP (0:1): Encryption algorithm offered does not match
policy!
5w1d: ISAKMP (0:1): atts are not acceptable. Next payload is 3
5w1d: ISAKMP (0:1): Checking ISAKMP transform 6 against priority 3
policy
5w1d: ISAKMP: encryption... What? 7?
5w1d: ISAKMP: hash MD5
5w1d: ISAKMP: default group 2
5w1d: ISAKMP: auth XAUTHInitPreShared
5w1d: ISAKMP: life type in seconds
5w1d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
5w1d: ISAKMP: attribute 14
5w1d: 
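The lines the 2611 prints for each transform ("encryption... What? 7?", "hash SHA", "auth XAUTHInitPreShared", "attribute 14") are the IKEv1 Phase 1 SA attributes of the client's proposal. What follows is an added example for this thread, written by the editor and not IOS or Radiator code: a decoder for that attribute list using the numbers from RFC 2409 Appendix A and the XAUTH draft (encryption value 7 is AES-CBC, attribute 14 is Key-Length, 65001 is XAUTHInitPreShared), run against a transform constructed to mirror transform 1 in the debug above. The 128-bit Key-Length value is an assumption, since the debug does not print it, and the policy check is a simplification that mirrors `crypto isakmp policy 3` (encr 3des, pre-share, group 2, IOS default hash SHA), not the router's actual matching logic.

```python
"""Decode IKEv1 (ISAKMP) Phase 1 transform attributes.

Added example for this thread, not IOS or Radiator code. Attribute classes
and values follow RFC 2409 Appendix A; 65001/65002 come from the XAUTH
draft. The sample transform is constructed to mirror transform 1 in the
2611 debug (Key-Length 128 is an assumption; the debug omits the value).
"""
import struct

ATTR = {1: "Encryption-Algorithm", 2: "Hash-Algorithm", 3: "Authentication-Method",
        4: "Group-Description", 11: "Life-Type", 12: "Life-Duration", 14: "Key-Length"}
ENC = {1: "DES-CBC", 2: "IDEA-CBC", 3: "Blowfish-CBC", 4: "RC5-R16-B64-CBC",
       5: "3DES-CBC", 6: "CAST-CBC", 7: "AES-CBC"}
HASH = {1: "MD5", 2: "SHA", 3: "Tiger"}
AUTH = {1: "pre-share", 2: "DSS-signature", 3: "RSA-signature", 4: "RSA-encryption",
        5: "revised-RSA-encryption", 65001: "XAUTHInitPreShared",
        65002: "XAUTHRespPreShared"}
GROUP = {1: "MODP-768", 2: "MODP-1024", 5: "MODP-1536"}
LIFE = {1: "seconds", 2: "kilobytes"}
VALUE_NAMES = {1: ENC, 2: HASH, 3: AUTH, 4: GROUP, 11: LIFE}


def tv(atype: int, value: int) -> bytes:
    """Type/Value attribute: AF bit set, 2-byte value (RFC 2408 3.3)."""
    return struct.pack("!HH", 0x8000 | atype, value)


def tlv(atype: int, raw: bytes) -> bytes:
    """Type/Length/Value attribute: AF bit clear, explicit length."""
    return struct.pack("!HH", atype, len(raw)) + raw


def parse_attributes(data: bytes) -> list:
    """Return [(type, int value), ...] from a raw ISAKMP attribute list."""
    attrs, off = [], 0
    while off + 4 <= len(data):
        af_type, = struct.unpack_from("!H", data, off)
        atype = af_type & 0x7FFF
        if af_type & 0x8000:
            value, = struct.unpack_from("!H", data, off + 2)
            off += 4
        else:
            length, = struct.unpack_from("!H", data, off + 2)
            value = int.from_bytes(data[off + 4:off + 4 + length], "big")
            off += 4 + length
        attrs.append((atype, value))
    if off != len(data):
        raise ValueError("trailing bytes in attribute list")
    return attrs


def describe(attrs: list) -> dict:
    """Map each attribute to a readable name; unknown values are flagged."""
    out = {}
    for atype, value in attrs:
        name = ATTR.get(atype, f"attribute {atype}")
        names = VALUE_NAMES.get(atype)
        out[name] = names.get(value, f"unknown ({value})") if names else value
    return out


# Mirrors 'crypto isakmp policy 3': encr 3des, authentication pre-share,
# group 2, plus the IOS default hash (SHA).
POLICY_3 = {1: 5, 2: 2, 3: 1, 4: 2}


def first_mismatch(attrs: list, policy: dict):
    """Name of the first policy attribute the proposal disagrees with, or None.

    Simplification (assumption, not IOS logic): XAUTHInitPreShared (65001) is
    accepted by a pre-share policy, since XAUTH still uses the group key.
    """
    offered = dict(attrs)
    for atype, want in policy.items():
        got = offered.get(atype)
        if atype == 3 and want == 1 and got in (1, 65001):
            continue
        if got != want:
            return ATTR[atype]
    return None


# Constructed transform mirroring transform 1 of the 2611 debug.
TRANSFORM_1 = (tv(1, 7) + tv(2, 2) + tv(4, 2) + tv(3, 65001) + tv(11, 1)
               + tlv(12, bytes.fromhex("0020C49B")) + tv(14, 128))
# Same proposal with 3DES-CBC in place of AES-CBC.
TRANSFORM_3DES = TRANSFORM_1.replace(tv(1, 7), tv(1, 5))

if __name__ == "__main__":
    for label, t in (("transform 1", TRANSFORM_1), ("3des variant", TRANSFORM_3DES)):
        attrs = parse_attributes(t)
        print(label, describe(attrs), "first mismatch:", first_mismatch(attrs, POLICY_3))
```

Against the 3DES-only policy the decoder reports Encryption-Algorithm as the first mismatch, which is the attribute the router rejects on; swap the encryption value to 5 and the same proposal matches. The life duration 0x0020C49B decodes to 2147483 seconds.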

Re: (RADIATOR) Cisco 2611 VPN group authentication

2003-01-25 Thread Hugh Irvine

Hello Emilie -

I can only think that the shared secret is incorrect between the Cisco 
and Radiator.

Please check the shared secrets and if still unsuccessful please send 
me a trace 5 debug together with the real passwords and the shared 
secrets so we can check that they are correctly encrypted.

regards

Hugh


On Saturday, Jan 25, 2003, at 08:29 Australia/Melbourne, Emilie Shoop 
wrote:


Hugh,

I've tried every way I can think of to make this work today.  I was at 
first assuming that since it finds the user VPNclients (which is the 
group name) in the user file, that it should be able to authenticate 
the group with the user file.  Here is the trace that is making me 
think that way.  However, I get Bad Password...which I know is 
correct.  I can log in as the user VPNclients with the same password, 
when I turn the group authentication on locally on the router.

Code:   Access-Request
Identifier: 14
Authentic:  215iw23618914529N=23616243245\171145
Attributes:
NAS-IP-Address = x.x.x.x
NAS-Port-Type = Async
User-Name = VPNclients
Calling-Station-Id = y.y.y.y
User-Password = |20RIQ)5175MV196211901915198
Service-Type = Outbound-User

Fri Jan 24 15:26:59 2003: DEBUG: Handling request with Handler 
'NAS-IP-Address  = x.x.x.x'
Fri Jan 24 15:26:59 2003: DEBUG:  Deleting session for VPNclients, 
x.x.x.x,
Fri Jan 24 15:26:59 2003: DEBUG: Handling with Radius::AuthFILE:
Fri Jan 24 15:26:59 2003: DEBUG: Radius::AuthFILE looks for match with 
VPNclients
Fri Jan 24 15:26:59 2003: DEBUG: Radius::AuthFILE REJECT: Bad Password
Fri Jan 24 15:26:59 2003: INFO: Access rejected for VPNclients: Bad 
Password
Fri Jan 24 15:26:59 2003: DEBUG: Packet dump:
*** Sending to 141.142.101.54 port 1645 
Code:   Access-Reject
Identifier: 14
Authentic:  215iw23618914529N=23616243245\171145
Attributes:
Reply-Message = Request Denied

I tried to create a group that was called VPNclients with the right 
password, but was unsuccessful in figuring that out.

Any ideas?

Thanks,
Emilie




At 05:12 PM 1/24/2003 +1100, Hugh Irvine wrote:

Hello Emily -

Thanks for sending the URL.

As far as I can see, you will need to use the Cisco VPN client to make
the connection which will first ask you for the group and the group
password, then the username and the username password.

You should configure both the name of the group with its password and
corresponding reply attributes, and the username and password with its
reply attributes.

If you have any other questions, don't hesitate to ask.

regards

Hugh


On Friday, Jan 24, 2003, at 02:15 Australia/Melbourne, Emilie Shoop
wrote:


Hugh,

You are correct about the authentication of the group first, and then
the username.

Here is the url where Cisco explains how to do it on a Cisco Radius
server.
http://www.cisco.com/en/US/tech/tk648/tk367/technologies_configuration_example09186a00800949ba.shtml

Does that help?

Thanks,
Emilie

At 08:54 PM 1/23/2003 +1100, Hugh Irvine wrote:

Hello Emilie -

Thanks for sending the trace files.

I am not familiar with this aspect of the Cisco IOS, but it may be
that it tries the group first, and then if it gets an accept it will
try the username.

You should check the Cisco web site to verify how this is supposed to
work, then configure Radiator in consequence.

If you can send me a reference to the Cisco URL I will take a look.

regards

Hugh


On Thursday, Jan 23, 2003, at 02:18 Australia/Melbourne, Emilie Shoop
wrote:

Thanks for the quick response.


This is the trace as I see it with the cisco configured with aaa
authorization network groupauthor local.
*** Received from x.x.x.x port 1645 

Packet length = 75
01 f4 00 4b f1 e4 49 72 a8 e7 29 28 94 cf 2a aa
b2 78 13 66 04 06 8d 8e 65 36 3d 06 00 00 00 00
01 08 65 73 68 6f 6f 70 1f 11 31 34 31 2e 31 34
32 2e 31 30 32 2e 31 32 37 02 12 6a 4a a4 90 af
70 8d 39 bf 20 17 0d 76 d3 71 0a
Code:   Access-Request
Identifier: 244
Authentic:  241228Ir168231)(148207*170178x19f
Attributes:
NAS-IP-Address = x.x.x.x
NAS-Port-Type = Async
User-Name = eshoop
Calling-Station-Id = y.y.y.y
User-Password = jJ164144175p1419191
2313v211q10

Wed Jan 22 08:57:06 2003: DEBUG: Handling request with Handler
'NAS-IP-Address  = x.x.x.x'
Wed Jan 22 08:57:06 2003: DEBUG:  Deleting session for eshoop,
x.x.x.x,
Wed Jan 22 08:57:06 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE looks for match
with eshoop
Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE ACCEPT:
Wed Jan 22 08:57:06 2003: DEBUG: Access accepted for eshoop
Wed Jan 22 08:57:06 2003: DEBUG: Packet dump:
*** Sending to x.x.x.x port 1645 

Packet length = 32
02 f4 00 20 03 f8 31 7e 5c 75 48 85 30 fd 2c ac
78 94 12 95 19 0c 56 50 4e 63 6c 69 65 6e 74 73
Code:   Access-Accept
Identifier: 244
Authentic:  241228Ir168231)(148207*170178x19f
Attributes:



This is the trace when I changed the cisco config. from 

Re: (RADIATOR) Cisco 2611 VPN group authentication

2003-01-23 Thread Hugh Irvine

Hello Emilie -

Thanks for sending the trace files.

I am not familiar with this aspect of the Cisco IOS, but it may be that 
it tries the group first, and then if it gets an accept it will try the 
username.

You should check the Cisco web site to verify how this is supposed to 
work, then configure Radiator in consequence.

If you can send me a reference to the Cisco URL I will take a look.

regards

Hugh


On Thursday, Jan 23, 2003, at 02:18 Australia/Melbourne, Emilie Shoop 
wrote:

Thanks for the quick response.


This is the trace as I see it with the cisco configured with aaa 
authorization network groupauthor local.
*** Received from x.x.x.x port 1645 

Packet length = 75
01 f4 00 4b f1 e4 49 72 a8 e7 29 28 94 cf 2a aa
b2 78 13 66 04 06 8d 8e 65 36 3d 06 00 00 00 00
01 08 65 73 68 6f 6f 70 1f 11 31 34 31 2e 31 34
32 2e 31 30 32 2e 31 32 37 02 12 6a 4a a4 90 af
70 8d 39 bf 20 17 0d 76 d3 71 0a
Code:   Access-Request
Identifier: 244
Authentic:  241228Ir168231)(148207*170178x19f
Attributes:
NAS-IP-Address = x.x.x.x
NAS-Port-Type = Async
User-Name = eshoop
Calling-Station-Id = y.y.y.y
User-Password = jJ164144175p1419191 
2313v211q10

Wed Jan 22 08:57:06 2003: DEBUG: Handling request with Handler 
'NAS-IP-Address  = x.x.x.x'
Wed Jan 22 08:57:06 2003: DEBUG:  Deleting session for eshoop, x.x.x.x,
Wed Jan 22 08:57:06 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE looks for match with 
eshoop
Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE ACCEPT:
Wed Jan 22 08:57:06 2003: DEBUG: Access accepted for eshoop
Wed Jan 22 08:57:06 2003: DEBUG: Packet dump:
*** Sending to x.x.x.x port 1645 

Packet length = 32
02 f4 00 20 03 f8 31 7e 5c 75 48 85 30 fd 2c ac
78 94 12 95 19 0c 56 50 4e 63 6c 69 65 6e 74 73
Code:   Access-Accept
Identifier: 244
Authentic:  241228Ir168231)(148207*170178x19f
Attributes:



This is the trace when I changed the cisco config. from aaa 
authorization network groupauthor local to aaa authorization network 
groupauthor group radius.

Wed Jan 22 09:01:39 2003: DEBUG: Packet dump:
*** Received from x.x.x.x port 1645 

Packet length = 85
01 f5 00 55 4b 93 93 fd d5 84 01 d0 28 d5 84 1e
83 05 69 c5 04 06 8d 8e 65 36 3d 06 00 00 00 00
01 0c 56 50 4e 63 6c 69 65 6e 74 73 1f 11 31 34
31 2e 31 34 32 2e 31 30 32 2e 31 32 37 02 12 07
87 dc 59 24 d7 63 07 02 1f 90 c9 cf 15 cf 40 06
06 00 00 00 05
Code:   Access-Request
Identifier: 245
Authentic:  
K1471472532131321208(213132301315i197
Attributes:
NAS-IP-Address = x.x.x.x
NAS-Port-Type = Async
User-Name = VPNclients
Calling-Station-Id = y.y.y.y
User-Password = 
7135220Y$215c723114420120721207@
Service-Type = Outbound-User

Wed Jan 22 09:01:39 2003: DEBUG: Handling request with Handler 
'NAS-IP-Address  = x.x.x.x'
Wed Jan 22 09:01:39 2003: DEBUG:  Deleting session for VPNclients, 
x.x.x.x,
Wed Jan 22 09:01:39 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE looks for match with 
VPNclients
Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE REJECT: Bad Password
Wed Jan 22 09:01:39 2003: INFO: Access rejected for VPNclients: Bad 
Password
Wed Jan 22 09:01:39 2003: DEBUG: Packet dump:
*** Sending to 141.142.101.54 port 1645 

Packet length = 36
03 f5 00 24 1f 66 6f de ba 0f b2 4e 6e 59 b2 0d
fc 53 3e ad 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code:   Access-Reject
Identifier: 245
Authentic:  
K1471472532131321208(213132301315i197
Attributes:
Reply-Message = Request Denied

It appears to me that it tries to authenticate the group information 
(VPNclients and password) before it prompts me for my username.  This 
fails, so I never put in my personal information.  However, if I 
change the cisco config back to group authorization locally, I can log 
in successfully as a user named VPNclients.

I'm not sure if this is what you were looking for or not?

Thanks,
Emilie

At 11:30 AM 1/22/2003 +1100, Hugh Irvine wrote:

Hello Emilie -

If the Cisco can be configured to do group authentication with 
radius, then it should be possible to use Radiator to deal with the 
requests.

If you run Radiator at trace 4 you will be able to see the incoming 
requests and then you can configure accordingly.

The simplest way to do this sort of debugging is to run radiusd from 
the command line and watch the log messages:

perl radiusd -foreground -log_stdout -trace 4 -config_file ..

If you send me a copy of the trace 4 I will try to help.

regards

Hugh



I was wondering if anyone had a sample Radiator config. for authenticating
the group information on a Cisco 2611, and subsequently handing out DNS and
WINS information?

I have my Radius set up to authenticate the users, but now would like to
move the group information (for the group VPNClients) to the radius as well.


Here is my Radius config:

# radius.cfg

LogDir 
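Radiator prints the raw packet alongside its decoded attributes, and the two Access-Requests quoted above (identifier 244 for the user, 245 for the group) are worth reading from the bytes rather than from the summary. The following is an added example for this thread, written by the editor and not Radiator or IOS code: it parses both packets from the page's own hex dumps and then shows what Hugh's shared-secret suspicion looks like on the wire, hiding a password with RFC 2865 section 5.2 under one shared secret and recovering it under the right secret and under a wrong one. The secrets and the plaintext password in that demo are constructed values; the two packets are not.

```python
"""Dissect the RADIUS Access-Requests from the Radiator trace above and show
how User-Password hiding (RFC 2865 section 5.2) behaves with a wrong secret.

Added example for this thread, not Radiator or IOS code. The two packets are
the hex dumps Radiator printed (ids 244 and 245); the shared secrets and the
plaintext password used in the demo are constructed.
"""
import hashlib
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ATTRS = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 6: "Service-Type",
         25: "Class", 31: "Calling-Station-Id", 61: "NAS-Port-Type"}
SERVICE_TYPE = {1: "Login-User", 2: "Framed-User", 5: "Outbound-User"}
NAS_PORT_TYPE = {0: "Async", 5: "Virtual"}

# Copied from the trace above: id 244 (user eshoop, local group authorization)
# and id 245 (group VPNclients, 'aaa authorization network groupauthor group radius').
REQ_ESHOOP = bytes.fromhex(
    "01f4004bf1e44972a8e7292894cf2aaa" "b278136604068d8e65363d0600000000"
    "01086573686f6f701f113134312e3134" "322e3130322e31323702126a4aa490af"
    "708d39bf20170d76d3710a")
REQ_VPNCLIENTS = bytes.fromhex(
    "01f500554b9393fdd58401d028d5841e" "830569c504068d8e65363d0600000000"
    "010c56504e636c69656e74731f113134" "312e3134322e3130322e313237021207"
    "87dc5924d76307021f90c9cf15cf4006" "0600000005")


def decode_attr(atype: int, value: bytes):
    """Turn one attribute into (name, readable value)."""
    name = ATTRS.get(atype, f"Attr-{atype}")
    if atype == 4:
        return name, ".".join(str(b) for b in value)
    if atype in (6, 61):
        n = int.from_bytes(value, "big")
        return name, (SERVICE_TYPE if atype == 6 else NAS_PORT_TYPE).get(n, n)
    if atype == 2:
        return name, value            # still hidden; needs the shared secret
    return name, value.decode("ascii", "replace")


def parse(packet: bytes) -> dict:
    """Parse a RADIUS packet, rejecting length/attribute inconsistencies.

    Attributes are returned as a dict, which is fine for these packets
    (no attribute repeats) but would collapse duplicates in general.
    """
    code, ident, length = struct.unpack_from("!BBH", packet, 0)
    if length < 20 or length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, off = [], 20
    while off < length:
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("malformed attribute")
        attrs.append(decode_attr(atype, packet[off + 2:off + alen]))
        off += alen
    return {"code": CODES.get(code, code), "id": ident,
            "authenticator": packet[4:20], "attributes": dict(attrs)}


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16n bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\0" * (-len(password) % 16) or b"\0" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in
                     zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; returns the password with padding stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in
                     zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def wrong_secret_demo(password=b"cisco", good=b"constructed-secret",
                      bad=b"constructed-wrong"):
    """Hide under one secret, then recover under the right and a wrong one.

    User-Password carries no integrity check of its own, so a NAS/server
    secret mismatch yields garbage and a 'Bad Password' reject, not an error
    that names the real cause.
    """
    auth = REQ_VPNCLIENTS[4:20]       # the Request Authenticator from the trace
    hidden = hide_password(password, good, auth)
    return unhide_password(hidden, good, auth), unhide_password(hidden, bad, auth)


if __name__ == "__main__":
    for pkt in (REQ_ESHOOP, REQ_VPNCLIENTS):
        p = parse(pkt)
        print(p["code"], p["id"], p["attributes"])
    print(wrong_secret_demo())
```

Two things fall out of the dissection. The id 244 request carries no Service-Type at all, while the id 245 group request carries Service-Type = Outbound-User, so a Service-Type = Framed-User line that Radiator reads as a check item on the first line of a users-file entry can match neither of them. On the password side, a wrong shared secret gives 16 random-looking bytes rather than a failure, which is why Radiator can only say Bad Password and why the trace is asked for together with the secrets.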

Re: (RADIATOR) Cisco 2611 VPN group authentication

2003-01-23 Thread Mike McCauley


--  Forwarded Message  --

Subject: BOUNCE [EMAIL PROTECTED]:Non-member submission from [Emilie 
Shoop [EMAIL PROTECTED]]
Date: Thu, 23 Jan 2003 04:17:30 -0600
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

From [EMAIL PROTECTED] Thu Jan 23 04:17:19 2003
Received: from mail.ncsa.uiuc.edu (mail.ncsa.uiuc.edu [141.142.2.28])
by server1.open.com.au (8.11.0/8.11.0) with ESMTP id h0NAHJx20486;
Thu, 23 Jan 2003 04:17:19 -0600
X-Envelope-From: [EMAIL PROTECTED]
X-Envelope-To: [EMAIL PROTECTED]
Received: from D7YKZ021.ncsa.uiuc.edu (cab-wireless-127.ncsa.uiuc.edu
 [141.142.102.127]) by mail.ncsa.uiuc.edu (8.11.6/8.11.6) with ESMTP id
 h0NFGRk25289;
Thu, 23 Jan 2003 09:16:27 -0600
Message-Id: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED] (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 5.1.1
Date: Thu, 23 Jan 2003 09:15:50 -0600
To: Hugh Irvine [EMAIL PROTECTED]
From: Emilie Shoop [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Cisco 2611 VPN group authentication
Cc: [EMAIL PROTECTED]
In-Reply-To: [EMAIL PROTECTED]
References: [EMAIL PROTECTED]
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed

Hugh,

You are correct about the authentication of the group first, and then the
username.

Here is the url where Cisco explains how to do it on a Cisco Radius
server.
http://www.cisco.com/en/US/tech/tk648/tk367/technologies_configuration_example09186a00800949ba.shtml

Does that help?

Thanks,
Emilie

At 08:54 PM 1/23/2003 +1100, Hugh Irvine wrote:
Hello Emilie -

Thanks for sending the trace files.

I am not familiar with this aspect of the Cisco IOS, but it may be that it
tries the group first, and then if it gets an accept it will try the
 username.

You should check the Cisco web site to verify how this is supposed to
work, then configure Radiator in consequence.

If you can send me a reference to the Cisco URL I will take a look.

regards

Hugh

On Thursday, Jan 23, 2003, at 02:18 Australia/Melbourne, Emilie Shoop wrote:
Thanks for the quick response.


This is the trace as I see it with the cisco configured with aaa
authorization network groupauthor local.
*** Received from x.x.x.x port 1645 

Packet length = 75
01 f4 00 4b f1 e4 49 72 a8 e7 29 28 94 cf 2a aa
b2 78 13 66 04 06 8d 8e 65 36 3d 06 00 00 00 00
01 08 65 73 68 6f 6f 70 1f 11 31 34 31 2e 31 34
32 2e 31 30 32 2e 31 32 37 02 12 6a 4a a4 90 af
70 8d 39 bf 20 17 0d 76 d3 71 0a
Code:   Access-Request
Identifier: 244
Authentic:  241228Ir168231)(148207*170178x19f
Attributes:
 NAS-IP-Address = x.x.x.x
 NAS-Port-Type = Async
 User-Name = eshoop
 Calling-Station-Id = y.y.y.y
 User-Password = jJ164144175p1419191
 2313v211q10

Wed Jan 22 08:57:06 2003: DEBUG: Handling request with Handler
'NAS-IP-Address  = x.x.x.x'
Wed Jan 22 08:57:06 2003: DEBUG:  Deleting session for eshoop, x.x.x.x,
Wed Jan 22 08:57:06 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE looks for match with
eshoop
Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE ACCEPT:
Wed Jan 22 08:57:06 2003: DEBUG: Access accepted for eshoop
Wed Jan 22 08:57:06 2003: DEBUG: Packet dump:
*** Sending to x.x.x.x port 1645 

Packet length = 32
02 f4 00 20 03 f8 31 7e 5c 75 48 85 30 fd 2c ac
78 94 12 95 19 0c 56 50 4e 63 6c 69 65 6e 74 73
Code:   Access-Accept
Identifier: 244
Authentic:  241228Ir168231)(148207*170178x19f
Attributes:



This is the trace when I changed the cisco config. from aaa authorization
network groupauthor local to aaa authorization network groupauthor group
radius.

Wed Jan 22 09:01:39 2003: DEBUG: Packet dump:
*** Received from x.x.x.x port 1645 

Packet length = 85
01 f5 00 55 4b 93 93 fd d5 84 01 d0 28 d5 84 1e
83 05 69 c5 04 06 8d 8e 65 36 3d 06 00 00 00 00
01 0c 56 50 4e 63 6c 69 65 6e 74 73 1f 11 31 34
31 2e 31 34 32 2e 31 30 32 2e 31 32 37 02 12 07
87 dc 59 24 d7 63 07 02 1f 90 c9 cf 15 cf 40 06
06 00 00 00 05
Code:   Access-Request
Identifier: 245
Authentic:
K1471472532131321208(213132301315i197
Attributes:
 NAS-IP-Address = x.x.x.x
 NAS-Port-Type = Async
 User-Name = VPNclients
 Calling-Station-Id = y.y.y.y
 User-Password =
 7135220Y$215c723114420120721207@
 Service-Type = Outbound-User

Wed Jan 22 09:01:39 2003: DEBUG: Handling request with Handler
'NAS-IP-Address  = x.x.x.x'
Wed Jan 22 09:01:39 2003: DEBUG:  Deleting session for VPNclients, x.x.x.x,
Wed Jan 22 09:01:39 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE looks for match with
VPNclients
Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE REJECT: Bad Password
Wed Jan 22 09:01:39 2003: INFO: Access rejected for VPNclients: Bad
Password
Wed Jan 22 09:01:39 2003: DEBUG: Packet dump:
*** Sending to 141.142.101.54 port 1645 

Packet length = 36
03 f5 00 24 1f 66 6f de ba 0f b2 4e 6e 59 b2 0d
fc 53 3e ad 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64

Re: (RADIATOR) Cisco 2611 VPN group authentication

2003-01-23 Thread Hugh Irvine

Hello Emily -

Thanks for sending the URL.

As far as I can see, you will need to use the Cisco VPN client to make  
the connection which will first ask you for the group and the group  
password, then the username and the username password.

You should configure both the name of the group with its password and  
corresponding reply attributes, and the username and password with its  
reply attributes.

If you have any other questions, don't hesitate to ask.

regards

Hugh


On Friday, Jan 24, 2003, at 02:15 Australia/Melbourne, Emilie Shoop  
wrote:

Hugh,

You are correct about the authentication of the group first, and then  
the username.

Here is the url where Cisco explains how to do it on a Cisco Radius  
server.  
http://www.cisco.com/en/US/tech/tk648/tk367/technologies_configuration_example09186a00800949ba.shtml

Does that help?

Thanks,
Emilie

At 08:54 PM 1/23/2003 +1100, Hugh Irvine wrote:

Hello Emilie -

Thanks for sending the trace files.

I am not familiar with this aspect of the Cisco IOS, but it may be  
that it tries the group first, and then if it gets an accept it will  
try the username.

You should check the Cisco web site to verify how this is supposed to  
work, then configure Radiator in consequence.

If you can send me a reference to the Cisco URL I will take a look.

regards

Hugh


On Thursday, Jan 23, 2003, at 02:18 Australia/Melbourne, Emilie Shoop  
wrote:

Thanks for the quick response.


This is the trace as I see it with the cisco configured with aaa  
authorization network groupauthor local.
*** Received from x.x.x.x port 1645 

Packet length = 75
01 f4 00 4b f1 e4 49 72 a8 e7 29 28 94 cf 2a aa
b2 78 13 66 04 06 8d 8e 65 36 3d 06 00 00 00 00
01 08 65 73 68 6f 6f 70 1f 11 31 34 31 2e 31 34
32 2e 31 30 32 2e 31 32 37 02 12 6a 4a a4 90 af
70 8d 39 bf 20 17 0d 76 d3 71 0a
Code:   Access-Request
Identifier: 244
Authentic:  241228Ir168231)(148207*170178x19f
Attributes:
NAS-IP-Address = x.x.x.x
NAS-Port-Type = Async
User-Name = eshoop
Calling-Station-Id = y.y.y.y
User-Password = jJ164144175p1419191  
2313v211q10

Wed Jan 22 08:57:06 2003: DEBUG: Handling request with Handler  
'NAS-IP-Address  = x.x.x.x'
Wed Jan 22 08:57:06 2003: DEBUG:  Deleting session for eshoop,  
x.x.x.x,
Wed Jan 22 08:57:06 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE looks for match  
with eshoop
Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE ACCEPT:
Wed Jan 22 08:57:06 2003: DEBUG: Access accepted for eshoop
Wed Jan 22 08:57:06 2003: DEBUG: Packet dump:
*** Sending to x.x.x.x port 1645 

Packet length = 32
02 f4 00 20 03 f8 31 7e 5c 75 48 85 30 fd 2c ac
78 94 12 95 19 0c 56 50 4e 63 6c 69 65 6e 74 73
Code:   Access-Accept
Identifier: 244
Authentic:  241228Ir168231)(148207*170178x19f
Attributes:



This is the trace when I changed the cisco config. from aaa  
authorization network groupauthor local to aaa authorization network  
groupauthor group radius.

Wed Jan 22 09:01:39 2003: DEBUG: Packet dump:
*** Received from x.x.x.x port 1645 

Packet length = 85
01 f5 00 55 4b 93 93 fd d5 84 01 d0 28 d5 84 1e
83 05 69 c5 04 06 8d 8e 65 36 3d 06 00 00 00 00
01 0c 56 50 4e 63 6c 69 65 6e 74 73 1f 11 31 34
31 2e 31 34 32 2e 31 30 32 2e 31 32 37 02 12 07
87 dc 59 24 d7 63 07 02 1f 90 c9 cf 15 cf 40 06
06 00 00 00 05
Code:   Access-Request
Identifier: 245
Authentic:
K1471472532131321208(213132301315i197
Attributes:
NAS-IP-Address = x.x.x.x
NAS-Port-Type = Async
User-Name = VPNclients
Calling-Station-Id = y.y.y.y
User-Password =  
7135220Y$215c723114420120721207@
Service-Type = Outbound-User

Wed Jan 22 09:01:39 2003: DEBUG: Handling request with Handler  
'NAS-IP-Address  = x.x.x.x'
Wed Jan 22 09:01:39 2003: DEBUG:  Deleting session for VPNclients,  
x.x.x.x,
Wed Jan 22 09:01:39 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE looks for match  
with VPNclients
Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE REJECT: Bad  
Password
Wed Jan 22 09:01:39 2003: INFO: Access rejected for VPNclients: Bad  
Password
Wed Jan 22 09:01:39 2003: DEBUG: Packet dump:
*** Sending to 141.142.101.54 port 1645 

Packet length = 36
03 f5 00 24 1f 66 6f de ba 0f b2 4e 6e 59 b2 0d
fc 53 3e ad 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code:   Access-Reject
Identifier: 245
Authentic:
K1471472532131321208(213132301315i197
Attributes:
Reply-Message = Request Denied

It appears to me that it tries to authenticate the group information  
(VPNclients and password) before it prompts me for my username.   
This fails, so I never put in my personal information.  However, if  
I change the cisco config back to group authorization locally, I can  
log in successfully as a user named VPNclients.

I'm not sure if this is what you were looking for or not?

Thanks,
Emilie

At 11:30 AM 1/22/2003 +1100, Hugh Irvine 

Re: (RADIATOR) Cisco 2611 VPN group authentication

2003-01-21 Thread Hugh Irvine

Hello Emilie -

If the Cisco can be configured to do group authentication with radius, 
then it should be possible to use Radiator to deal with the requests.

If you run Radiator at trace 4 you will be able to see the incoming 
requests and then you can configure accordingly.

The simplest way to do this sort of debugging is to run radiusd from 
the command line and watch the log messages:

	perl radiusd -foreground -log_stdout -trace 4 -config_file ..

If you send me a copy of the trace 4 I will try to help.

regards

Hugh



I was wondering if anyone had a sample Radiator config. for authenticating
the group information on a Cisco 2611, and subsequently handing out DNS and
WINS information?

I have my Radius set up to authenticate the users, but now would like to
move the group information (for the group VPNClients) to the radius as well.


Here is my Radius config:

# radius.cfg

LogDir /services/radius/log
DbDir /services/radius/conf
BindAddress x.x.x.x
AuthPort 1812
AcctPort 1813
Trace   5
#User
#Group


#For VPN access
<Client x.x.x.x>
	Secret   
</Client>

# For testing: this allows us to honour requests from radpwtst on localhost
<Client localhost>
	Secret mysecret
	DupInterval 0
</Client>

#Look for a Realm with an exact match on the realm name
#look for a matching regular expression Realm
#look for a Realm DEFAULT
#look at each Handler in the order they appear

#VPN Authentication x.x.x.x
<Handler NAS-IP-Address = x.x.x.x>
	<AuthBy FILE>
		Filename   %D/vpn_users
	</AuthBy>
</Handler>

#Default Handler for anything not specified above
<Handler>
	<AuthBy FILE>
		#The Filename defaults to %D/users
	</AuthBy>
</Handler>

Here is my Cisco 2611 config.:

CLIENT_VPN#sh run


aaa authentication login userauthen group radius
aaa authorization network groupauthor local
aaa session-id common
!
!

crypto isakmp policy 3
  encr 3des
  authentication pre-share
  group 2
!
crypto isakmp client configuration group VPNClients
  key 
  dns x.x.x.x
  wins x.x.x.x
  domain ncsa.uiuc.edu
  pool ippool
!
!
crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
  set transform-set SET1
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!

interface FastEthernet0/0
  crypto map clientmap
!

ip local pool ippool x.x.x.x y.y.y.y

radius-server host x.x.x.x auth-port 1812 acct-port 1813 key 
radius-server retransmit 3
call rsvp-sync
!


Thanks,
Emilie

*
   Emilie Shoop		Network Engineer
   [EMAIL PROTECTED]
   Phone:  217.244.5407  	Cell:  217.649.8514
   National Center for Supercomputing Applications
**

---

--
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
