RE: freeradius & Cisco VPN 3000

2003-03-15 Thread Lars Knudsen
> > I have configured the group/users in /etc/raddb/users (and understand
> > the security implications) like this:
> > 
> > user1    Auth-Type := Local, User-Password == "passwd1"
> > group1   Auth-Type := Local, User-Password == "passwd2"
> >          CVPN3000-IPSec-Authentication = "2"
> 
>   Huh?  What do you think that configuration does?

I would expect it to make it possible to get user1 and group1
authenticated using RADIUS? As group1 is authenticated,
CVPN3000-IPSec-Authentication = "2" is transmitted back to the client. 

To follow up on my post with the Cisco VPN Concentrator problems, I have now
found the problem: the dictionary.cisco.vpn3000 is not correct. Compare
it to the dictionary.altiga to see the difference.

/lars

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeradius & Cisco VPN 3000

2003-03-14 Thread Lars Knudsen

Hi,

I'm trying to get the above-mentioned combo working.

freeradius is version: "radiusd: FreeRADIUS Version 0.8.1, for host i686-pc-linux-gnu, built on Mar 13 2003 at 18:00:13"
The Cisco is running version: "Cisco Systems, Inc./VPN 3000 Concentrator Version 3.6.7.A Feb 06 2003 23:29:48" vpn3005-3.6.7.A-k9.bin

I can get the Cisco to send authentication requests for a group to freeradius, and 
freeradius to reply back to the Cisco. To get the Cisco to send the request for user 
authentication to freeradius, I understand you have to send the right attributes back 
to the Cisco [1], "IPSec Authentication = RADIUS".

I include the following in my /etc/raddb/dictionary:

$INCLUDE dictionary.cisco
$INCLUDE dictionary.cisco.vpn3000

I have configured the group/users in /etc/raddb/users (and understand the security 
implications) like this:

user1    Auth-Type := Local, User-Password == "passwd1"
group1   Auth-Type := Local, User-Password == "passwd2"
         CVPN3000-IPSec-Authentication = "2"

I can see the value is sent back to the Cisco, see [2], but the Cisco never asks for 
authentication of the user.
I tried with values 0..4 of the CVPN3000-IPSec-Authentication without any change in 
behaviour.

Am I doing something wrong or overlooking something simple?

Any help appreciated.

[1]: 
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_tech_note09186a00800948c1.shtml

[2]: 
x:/etc/raddb # radiusd -A -f -s -x
Starting - reading configuration files ...
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Can't connect to SNMP agent with SMUX: Connection refused
Listening on IP address *, ports 1812/udp and 1813/udp.
Ready to process requests.
rad_recv: Access-Request packet from host x.y.z.a:1296, id=1, length=100
User-Name = "group1"
User-Password = "pass2"
NAS-Port = 0
Service-Type = Framed-User
Framed-Protocol = PPP
Tunnel-Client-Endpoint:0 = "80.y.243.x"
Attr-201588758 = 0x0005
NAS-IP-Address = x.y.z.a
NAS-Port-Type = Virtual
rlm_chap: Could not find proper Chap-Password attribute in request
Login OK: [group1/pass2] (from client x.y.z.a port 0)
Sending Access-Accept of id 1 to x.y.z.a:1296
CVPN3000-IPSec-Authentication = 2

--
Dangaard Telecom IT A/S
Lars Knudsen
Technical Engineer
Phone:  +45 73303270 Fax: +45 73303271
E-mail: Mailto:[EMAIL PROTECTED]
 

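An added example, not code from the thread or from the FreeRADIUS project, to show what the `Attr-201588758 = 0x0005` line in the debug output above means and why the follow-up points at the dictionary. FreeRADIUS 0.x/1.x prints a vendor-specific attribute it cannot find in its dictionary as `Attr-<(vendor << 16) | attribute>`, so the number decodes to IANA vendor 3076 (Altiga Networks, the original maker of the VPN 3000, which is why dictionary.altiga and dictionary.cisco.vpn3000 both describe the same vendor id) and vendor attribute 22. The script below decodes such names, parses a small constructed dictionary in FreeRADIUS syntax, resolves names against it, and builds the on-wire RFC 2865 Vendor-Specific encoding of the `CVPN3000-IPSec-Authentication = 2` reply item. The sample dictionary, its attribute number 13 for CVPN3000-IPSec-Authentication, and its VALUE numbering are the editor's assumptions from memory of the shipped dictionary and the Cisco attribute reference; check them against your installed copy.

```python
# Added example (not from the list thread or the FreeRADIUS project):
# decode "Attr-NNN" names, resolve them against a dictionary, and encode a VSA.
import re
import struct

# FreeRADIUS 0.x/1.x packs an unknown VSA id as (vendor << 16) | attribute
# and prints it as "Attr-<packed>" when the dictionary has no entry for it.
VENDOR_SHIFT = 16


def decode_unknown_attr(name):
    """'Attr-201588758' -> (3076, 22): (IANA vendor id, vendor attribute id)."""
    m = re.fullmatch(r"Attr-(\d+)", name)
    if not m:
        raise ValueError("not an unknown-attribute name: %r" % name)
    packed = int(m.group(1))
    return packed >> VENDOR_SHIFT, packed & 0xFFFF


def unknown_attrs_in_log(log_text):
    """Collect decoded (vendor, attribute) pairs for every Attr-NNN in radiusd -x output."""
    found = []
    for line in log_text.splitlines():
        m = re.match(r"\s*(Attr-\d+)\s*=", line)
        if m:
            found.append(decode_unknown_attr(m.group(1)))
    return found


def parse_dictionary(text):
    """Minimal parser for FreeRADIUS dictionary files.

    Handles VENDOR, BEGIN-VENDOR/END-VENDOR, ATTRIBUTE (both the old
    'ATTRIBUTE name id type VendorName' form and the BEGIN-VENDOR form)
    and VALUE lines. Returns (vendors, attrs, values) where
    attrs[(vendor_id, attr_id)] = (name, type) and values[name][num] = label.
    """
    vendors, attrs, values = {}, {}, {}
    current_vendor = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        kw = parts[0].upper()
        if kw == "VENDOR":
            vendors[parts[1]] = int(parts[2])
        elif kw == "BEGIN-VENDOR":
            current_vendor = vendors[parts[1]]
        elif kw == "END-VENDOR":
            current_vendor = 0
        elif kw == "ATTRIBUTE":
            name, attr_id, attr_type = parts[1], int(parts[2]), parts[3]
            vendor_id = vendors[parts[4]] if len(parts) > 4 else current_vendor
            attrs[(vendor_id, attr_id)] = (name, attr_type)
        elif kw == "VALUE":
            values.setdefault(parts[1], {})[int(parts[3])] = parts[2]
    return vendors, attrs, values


def resolve(name, dictionary):
    """Map 'Attr-NNN' to its dictionary name, or None when the dictionary lacks it."""
    _, attrs, _ = dictionary
    return attrs.get(decode_unknown_attr(name), (None, None))[0]


def encode_vsa(vendor_id, attr_id, value):
    """RFC 2865 Vendor-Specific (type 26) encoding of one 32-bit integer VSA."""
    payload = struct.pack("!I", vendor_id) + struct.pack("!BBI", attr_id, 6, value)
    return struct.pack("!BB", 26, 2 + len(payload)) + payload


# Constructed sample dictionary (assumption, not the file shipped with FreeRADIUS).
# Vendor 3076 is Altiga Networks. Attribute 13 and the VALUE numbers are the
# editor's recollection of dictionary.cisco.vpn3000; attribute 22, which the
# concentrator sent in the thread, is deliberately not defined here.
SAMPLE_DICTIONARY = """
VENDOR          Cisco-VPN3000                   3076
BEGIN-VENDOR    Cisco-VPN3000
ATTRIBUTE       CVPN3000-IPSec-Authentication   13      integer
VALUE   CVPN3000-IPSec-Authentication   None    0
VALUE   CVPN3000-IPSec-Authentication   RADIUS  1
VALUE   CVPN3000-IPSec-Authentication   LDAP    2
END-VENDOR      Cisco-VPN3000
"""

# Two lines quoted from the debug output in the thread above.
SAMPLE_LOG = """
Tunnel-Client-Endpoint:0 = "80.y.243.x"
Attr-201588758 = 0x0005
"""

if __name__ == "__main__":
    d = parse_dictionary(SAMPLE_DICTIONARY)
    print(unknown_attrs_in_log(SAMPLE_LOG))        # [(3076, 22)]
    print(resolve("Attr-201588758", d))            # None: not in this dictionary
    print(encode_vsa(3076, 13, 2).hex())           # 1a0c00000c040d0600000002
```

Run the decoder against your own `radiusd -x` output; a `(3076, N)` pair that `resolve` cannot name is exactly an attribute your dictionary.cisco.vpn3000 does not define (or defines under a different number), which is the kind of mismatch the follow-up message found by comparing it with dictionary.altiga.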