Did you look into whether the same UDP ports are used? I think FW-1 is using the default 1645 (authentication) 1646 (Accounting) while NT (at least Win2K for sure) is using 1812 and 1813 respectively (RFC 2026).

Hope it helps.

Leonard ....

-----Original Message-----
From: Mohamed Maraikayar [mailto:[EMAIL PROTECTED]]
Sent: September 28, 2001 12:42 AM
To: Juan Concepcion
Cc: [EMAIL PROTECTED]; mohamed maraikayar; Brockhoven,Werner
Subject: Re: RE: [FW1] Re: RE: Radius authentication

Couple of things you want to look at:

> Make sure the Radius service is actually running (not
> trying to insult your intelligence, it's just better
> to be safe than to be sorry).

The Radius server is running. I checked with the netstat -a command. Also I used the same machine as Radius server for the pix firewall. So I conclude the Radius server is running. I made the appropriate changes from pix firewall to FW-1, e.g. name of group, shared key etc.

> Make sure the firewall and Radius server can ping each
> other.

There is Layer 3 connectivity, I can ping.

> Verify the Radius server is defined correctly in the
> firewall and that you have verified the shared secret
> between the two.

This is also done. 2 places. (1) In Manage servers, I defined the Radius server. (2) I created a radius server group, same name defined in win 2k radius server, and added the server in the group. I created a user, and enabled authentication as radius in the user prop. If any other config is needed, please let me know.

> The next thing I would do is to try the authentication
> straight from the firewall and run some sort of sniffer
> so you can see the traffic and ensure that they are
> definitely communicating. Easiest way to run this test
> would be to run 'telnet localhost 259' on the firewall
> which will invoke the security server, enter a username
> of a user currently configured for radius, and then make
> sure it first works straight from the firewall to the
> radius server before you take the next step of getting
> actual users to authenticate from wherever they may be.

The user authentication is working.
I chose password from VPN/FW-1. Also client and session authentication works fine. When it comes to radius, the error comes. I also get a Radius password prompt. After that only, the error "RADIUS servers not responding". Trying with a sniffer is a good idea, but I have to download and learn to use it. Yet I will try as a last resort.

> As I said not trying to insult your intelligence in any
> w st my experience that the longer you look/work @ a
> problem the further away the most obvious things get
> away from you.

I thank God for giving a good attitude, I never get insulted, in fact I am learning. Thanks. Last but least, I would like to tell the versions: unfortunately the FW-1 is 4.1 version, SP2 and the OS is WinNT 4 SP4. The radius server is Win ADV Server.

>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of mohamed maraikayar
> Sent: Wednesday, September 26, 2001 8:58 AM
> To: Brockhoven,Werner
> Cc: [EMAIL PROTECTED]
> Subject: [FW1] Re: RE: Radius authentication
>
> I haven't added any rules till now. Now I added 2 rules:
> from firewallgateway to radius server any is allowed, and
> vice versa. Still I receive the same error. I configured a
> rule as " allusers@any ftp-serv ftp userauth gateway "
> and in the user properties, I enabled radius
> authentication for a user, say mohd. When I ftp to
> ftp-serv, I get a prompt because of the user authentication
> rule. I entered the username mohd, that is to be
> authenticated by the radius server. So FW-1 gave a prompt,
> "radius password:", I typed the password. Then it took
> some 10 seconds and displayed, "radius servers not
> responding". I disconnected the cable from FW-1 to the
> radius server and tried again, I got the same error. So I
> can now conclude that there is something missing in the
> configuration of FW-1 or FW-1 related. Any clues?
> thanks
> mohamed.
>
> On Wed, 26 Sep 2001 Brockhoven, Werner wrote :
> > Hi,
> >
> > Do you have a rule to allow communication between the
> > radius and the FW-1 ?
> > What do you get in the logging ?
> >
> > I'm sorry but I should ask you to send mails to the
> > checkpoint mailing list and not directly to me personally.
> >
> > Regards,
> >
> > Werner
> >
> >
> > -----Original Message-----
> ayar [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, September 26, 2001 12:41 PM
> > To: Brockhoven, Werner
> > Subject: Radius authentication
> >
> >
> > Sorry, I am sending you a third mail. Now I have made a
> > win 2000 advanced server as radius server. I have done
> > the necessary configurations, added the client as
> > firewall's interface, defined radius server group etc.
> > The win NT (SP4), I have installed checkpoint 4.1 (SP2).
> > I have defined the radius server, shared key etc in
> > check point also. But the error I get is, "Radius
> > server not responding". I searched the mailing list also,
> > but didn't get the answer. What may be the problem ?
> > thanks,
> > mohamed.

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
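
One way to test the port question raised at the top of this thread, as an added example that is not part of any message in it: the script builds an RFC 2865 Access-Request, sends it to UDP 1645 and 1812, and reports which port answers and whether the reply verifies against the shared secret. The server address, password and shared secret are constructed placeholders; all function names are this example's own.

```python
import hashlib, hmac, os, socket, struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def hide_password(password, secret, authenticator):
    """RFC 2865 User-Password hiding: XOR with a chained MD5 keystream."""
    size = max(16, -(-len(password) // 16) * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(user, password, secret, ident=1, authenticator=None):
    """Code 1 packet carrying User-Name (type 1) and User-Password (type 2)."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for atype, value in ((1, user), (2, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def classify_reply(reply, request, secret):
    """Name the reply, or flag it when the Response Authenticator does not verify."""
    if len(reply) < 20 or reply[1] != request[1]:
        return "malformed or unrelated reply"
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(reply[4:20], expected):
        return "reply fails authenticator check (shared secret mismatch?)"
    return CODES.get(reply[0], "code %d" % reply[0])

def probe(host, port, request, secret, timeout=3.0):
    """Send one request; None means silence, the 'not responding' symptom."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(request, (host, port))
            reply, _ = s.recvfrom(4096)
        except OSError:  # timeout or ICMP port unreachable
            return None
    return classify_reply(reply, request, secret)

if __name__ == "__main__":
    # Constructed values: 192.0.2.10 is a documentation address, not a real server.
    secret = b"constructed-shared-secret"
    req = build_access_request(b"mohd", b"constructed-password", secret)
    for port in (1645, 1812):  # the two authentication ports named in the reply
        print(port, probe("192.0.2.10", port, req, secret) or "no response")
```

Run it from the firewall host so the request takes the same path and source address the RADIUS server has registered as its client; an Access-Reject still proves the port and secret are right.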
