----------  Forwarded Message  ----------

Subject: BOUNCE [EMAIL PROTECTED]:    Non-member submission from ["Robert 
Blayzor" <[EMAIL PROTECTED]>]
Date: Tue, 26 Mar 2002 06:36:41 -0600
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Reply-To: <[EMAIL PROTECTED]>
From: "Robert Blayzor" <[EMAIL PROTECTED]>
To: "'Shane Malden'" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: RE: (RADIATOR) Radiator and PIX
Date: Tue, 26 Mar 2002 09:06:56 -0500
Organization: INOC, LLC

The PIX is very limited in the attributes it understands from RADIUS,
to the point of frustration actually.  In fact, using the PIX with RADIUS
does nothing short of authentication only and totally ignores any return
attributes you give it (i.e. Framed-IP-Address and any Filter-Id).

I know what the PIX docs say, and that Filter-Id is supposed to work,
but as of the PIX code 6.1(1) it simply does not.  Cisco's claim is that
it's supposed to work for RADIUS auth for internal users and not
VPN/PPTP clients.  There are many examples of how to set up the PIX with
PPTP and RADIUS authentication, and the setup is trivial, but if you want
to do authorization, don't even bother.

I've heard that the latest PIX code, 6.1(2)?, is supposed to support some
VPN RADIUS reply attributes, but I've yet to read the software release
notes to confirm it.

Basically all you have to do on your PIX is:

aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host x.x.x.x <secret> timeout 10

And..

vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local ippool
vpdn group 1 client configuration dns x.x.x.x x.x.x.x
vpdn group 1 client configuration wins x.x.x.x
vpdn group 1 client authentication aaa RADIUS
vpdn group 1 client accounting RADIUS
vpdn group 1 pptp echo 60
vpdn enable outside


Then in Radiator:

<Handler Client-Identifier = PIX-FW>
        <AuthBy FILE>
                Filename vpn-users
                AutoMPPEKeys
        </AuthBy>
        AcctLogFileName %L/vpn-detail
</Handler>


I repeat, as of PIX software 6.1(1) it was not able to pass back RADIUS
reply attributes to set Filter-Id or even Framed-IP-Address.  The best I
could tell is the PIX completely ignores all attributes sent back to it.
All it's looking for is an accept on password.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

If the automobile had followed the same development cycle as the
computer, a Rolls-Royce would today cost $100, get a million miles per
gallon, and explode once a year, killing everyone inside. - Robert X.
Cringely


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
Behalf Of Shane Malden
Sent: Tuesday, March 26, 2002 8:11 AM
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Radiator and PIX


Hi. Has anyone set up a Cisco PIX to authenticate with Radiator? Do you
know if it is possible to pass back firewall settings (ACLs)? Also, can a
PIX be configured to allow for VPNs and authenticate with Radiator? If
anyone has any sample of either PIX or Radiator, it would be
appreciated.

Regards,
Shane
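Whether the PIX applies the reply attributes Robert describes (Framed-IP-Address, Filter-Id) is separate from whether Radiator actually sends them, and the latter can be confirmed on the wire. As an added example, not part of either post and not Radiator's or Cisco's code, the following Python encodes an Access-Accept carrying both attributes the way a RADIUS server would (RFC 2865), then verifies the Response Authenticator and decodes the attributes the way a client should; the shared secret, Request Authenticator and attribute values are constructed.

```python
import hashlib
import hmac
import socket
import struct

ACCESS_ACCEPT = 2
FRAMED_IP_ADDRESS, FILTER_ID = 8, 11  # RFC 2865 attribute types named in the thread
ATTR_NAMES = {FRAMED_IP_ADDRESS: "Framed-IP-Address", FILTER_ID: "Filter-Id"}

def build_access_accept(ident, request_auth, secret, attrs):
    """Encode an Access-Accept as a RADIUS server sends it; attrs is [(type, bytes)].
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def parse_reply(packet, request_auth, secret):
    """Verify the Response Authenticator with the shared secret and the matching
    Access-Request's authenticator, then decode the reply attributes.
    Raises ValueError for a truncated, malformed or forged reply."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    attrs, pos = {}, 0
    while pos < len(body):
        if len(body) - pos < 2 or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        t, alen = body[pos], body[pos + 1]
        value = body[pos + 2:pos + alen]
        if t == FRAMED_IP_ADDRESS:
            value = socket.inet_ntoa(value)
        elif t == FILTER_ID:
            value = value.decode("ascii")
        attrs[ATTR_NAMES.get(t, "Attr-%d" % t)] = value
        pos += alen
    return code, attrs

def demo(secret=b"example-secret"):
    # Constructed: a fake Request Authenticator plus the reply attributes the PIX reportedly ignores.
    request_auth = bytes(range(16))
    pkt = build_access_accept(7, request_auth, secret, [
        (FRAMED_IP_ADDRESS, socket.inet_aton("10.0.0.111")), (FILTER_ID, b"vpn-acl")])
    return parse_reply(pkt, request_auth, secret)
```

Run the same decoder over a captured Access-Accept (with the real secret and the Request Authenticator of the matching Access-Request) to see exactly which attributes reached the firewall.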

-------------------------------------------------------

-- 
Mike McCauley                               [EMAIL PROTECTED]
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc 
on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X etc etc
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
