Re: (RADIATOR) Problem using Radiator to authenticate VPN access via a Cisco VPN 5001

2001-09-06 Thread Hugh Irvine


Hello Jc -

What you describe is not correct.

The radius packets themselves are not encrypted, neither from the NAS nor 
from Radiator. The shared secret is only used for the encryption of the 
password, and it is the configuration of the NAS that determines this (either 
PAP or CHAP authentication).

In any case, if there is a Cisco bug, please let us know the resolution of 
the problem.

regards

Hugh


On Friday 07 September 2001 05:23, Reynoso, Jc wrote:
> Hello!
> I may have experienced a similar problem.
>
> Radiator sends encrypted radius packets to the cs5001
> The cs5001 cannot understand the encrypted packet.
>
> This is the "shared secret" between radiator and the cs5001.
>
> You will have to send the packet in the clear (bad defeats purpose of pw in
> the clear!)...  very much so.
>
> But cisco is working on this.  They have a software bug track on it.
>
> There is a way to tell radiator to send the shared secret in the clear.  It
> is a tweak in the .cfg file.  I do not know what it is.  I'm not the
> radiator admin.  Perhaps Hugh would be so kind as to give you the syntax.
>
> I hope this helps you
>
> -jc
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.

-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
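Hugh's point about where the shared secret is and is not used, as an added Python illustration (not part of the thread and not Radiator's code; it implements RFC 2865 directly): the secret only keys the MD5-based hiding of the PAP User-Password attribute and the Response Authenticator on the reply, so a mismatched secret turns a PAP password into garbage on the server and makes the NAS discard the reply, while a CHAP-Password like the one in Howard's packet dump verifies without the secret at all. The Request Authenticator, the secrets and the passwords below are constructed sample values. Nothing else in either packet is hidden; reply attributes such as the cisco-VPNPassword in the Access-Accept dump travel in clear text.

```python
"""RFC 2865 shared-secret mechanics (added illustration, not Radiator's code).

The shared secret touches exactly two things:
  1. hiding of the User-Password attribute (PAP), section 5.2;
  2. the Response Authenticator on the reply, section 3.
CHAP-Password (section 5.3) never involves the secret, and all other
attributes, in requests and replies alike, are sent as plaintext.
"""
import hashlib
import hmac
import os
import struct

BLOCK = 16  # MD5 digest length; User-Password is hidden in 16-byte blocks


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """NAS side: XOR the NUL-padded password with a keystream of
    MD5(secret + RequestAuthenticator), then MD5(secret + previous cipher block)."""
    if len(request_auth) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    # An empty password still occupies one block; otherwise pad to a multiple of 16.
    padded = password + b"\x00" * (-len(password) % BLOCK) if password else b"\x00" * BLOCK
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), BLOCK):
        key = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], key))
        hidden += cipher
        prev = cipher  # chaining: the next key depends on this ciphertext block
    return hidden


def unhide_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: same keystream, then strip the NUL padding.
    With a different secret the keystream is unrelated and the result is garbage."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return clear.rstrip(b"\x00")


def chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: CHAP ident + MD5(ident + password + challenge).
    The challenge is CHAP-Challenge, or the Request Authenticator when absent."""
    ident = bytes([chap_id & 0xFF])
    return ident + hashlib.md5(ident + password + challenge).digest()


def verify_chap(chap_attr: bytes, stored_password: bytes, challenge: bytes) -> bool:
    """Server-side CHAP check: needs the cleartext password, never the shared secret."""
    if len(chap_attr) != 1 + BLOCK:
        return False
    expected = chap_password(chap_attr[0], stored_password, challenge)
    return hmac.compare_digest(chap_attr, expected)


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def reply_accepted_by_nas(code: int, identifier: int, attributes: bytes, request_auth: bytes,
                          nas_secret: bytes, server_secret: bytes) -> bool:
    """A NAS must silently discard a reply whose Response Authenticator does not
    verify under its own secret; this models a server configured with server_secret."""
    sent = response_authenticator(code, identifier, attributes, request_auth, server_secret)
    expected = response_authenticator(code, identifier, attributes, request_auth, nas_secret)
    return hmac.compare_digest(sent, expected)


if __name__ == "__main__":
    ra = os.urandom(BLOCK)                               # constructed Request Authenticator
    nas_secret, wrong_secret = b"mysecret", b"mysecet"   # constructed: one is a typo of the other
    hidden = hide_user_password(b"fred", nas_secret, ra)
    print("PAP, same secret      :", unhide_user_password(hidden, nas_secret, ra))
    print("PAP, mismatched secret:", unhide_user_password(hidden, wrong_secret, ra))
    chap = chap_password(0x19, b"fred", ra)
    print("CHAP verifies with no secret involved:", verify_chap(chap, b"fred", ra))
    print("NAS accepts reply, same secret      :",
          reply_accepted_by_nas(2, 41, b"", ra, nas_secret, nas_secret))
    print("NAS accepts reply, mismatched secret:",
          reply_accepted_by_nas(2, 41, b"", ra, nas_secret, wrong_secret))
```

Running it shows the three outcomes side by side: the PAP password round-trips only under the same secret, the CHAP check passes regardless of any secret, and the reply is only accepted when both ends agree on the secret.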



RE: (RADIATOR) Problem using Radiator to authenticate VPN access via a Cisco VPN 5001

2001-09-06 Thread Reynoso, Jc

Hello!
I may have experienced a similar problem.

Radiator sends encrypted radius packets to the cs5001
The cs5001 cannot understand the encrypted packet.

This is the "shared secret" between radiator and the cs5001.

You will have to send the packet in the clear (bad defeats purpose of pw in the 
clear!)...  very much so.

But cisco is working on this.  They have a software bug track on it.

There is a way to tell radiator to send the shared secret in the clear.  It is a tweak 
in the .cfg file.  I do not know what it is.  I'm not the radiator admin.  Perhaps 
Hugh would be so kind as to give you the syntax.

I hope this helps you

-jc



Re: (RADIATOR) Problem using Radiator to authenticate VPN access via a Cisco VPN 5001

2001-09-05 Thread Hugh Irvine


Hello Howard -

On Thursday 06 September 2001 08:26, Jares, Howard M wrote:
> I am having problems configuring Radiator v2.18.2 to authenticate to a
> Cisco VPN 5001.
>
> I have been testing using the following configuration files:
>
> goodies\simple2.cfg:
> # simple2.cfg
> #
> # Example Radiator configuration file.
> # This very simple file will allow you to get started with
> # a simple system. You can then add and change features.
> # We suggest you start simple, prove to yourself that it
> # works and then develop a more complicated configuration.
> #
> # This example will authenticate from a standard users file in
> # the current directory and log accounting to a file in the current
> # directory.
> # It will accept requests from any client and try to handle requests
> # for any realm.
> # And it will print out what it's doing in great detail.
> #
> # See radius.cfg for more complete examples of features and
> # syntax, and refer to the reference manual for a complete description
> # of all the features and syntax.
> #
> # You should consider this file to be a starting point only
> # $Id: simple.cfg,v 1.4 2001/04/25 23:47:13 mikem Exp $
>
> Foreground
> LogStdout
> LogDir .
> DbDir .
> DictionaryFile ./dictionary
> # Use a lower trace level in production systems:
> Trace 4
> # Added by Howard Jares
> AuthPort 1812
> AcctPort 1813
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
>   Secret  *
>   DupInterval 0
> </Client>
>
> <Realm DEFAULT>
>   <AuthBy FILE>
>     Filename ./users2
>   </AuthBy>
>   # Log accounting to a detail file
>   AcctLogFileName ./detail
> </Realm>
>
>
> Users2:
> DEFAULT   Service-Type = Administrative-User, Auth-Type = System
>   Idle-Timeout = 2000,
>
> DEFAULT   Service-Type = Login-User, Expiration = "Feb 2 2010"
>   Idle-Timeout = 2001,
>   Fall-Through = yes
>
> # User-Password can be in a number of formats: plaintext,
> # UNIX encrypted,
> # SHA encrypted (as used in Netscape LDAP), or Linux MD5 password
> # defaults to plaintext
> pwtest1   User-Password = "fred"
> pwtest2   User-Password = "{SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc="
> pwtest3   User-Password = "{crypt}1xMKc0GIVUNbE"
> pwtest4   User-Password = "$1$cTpht$Obu9PLSMst1TDou.mN5bk0"
> # Encrypted-Password can be in a variety of encryption standards too
> # but defaults to Unix crypt
> pwtest5   Encrypted-Password = "{SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc="
> pwtest6   Encrypted-Password = "{crypt}1xMKc0GIVUNbE"
> pwtest7  Encrypted-Password = "$1$cTpht$Obu9PLSMst1TDou.mN5bk0"
> pwtest8   Encrypted-Password = "1xMKc0GIVUNbE"
> pwtest9   Encrypted-Password = "{MD5}VwqQv7+MfqtdxdTiaDLVsQ=="
> pwtest10   User-Password = "{MD5}VwqQv7+MfqtdxdTiaDLVsQ=="
>
>
> [EMAIL PROTECTED]   User-Password=fred
>   cisco-VPNGroupInfo=Test,
>   cisco-VPNPassword=fred
> # Connect-Info = "Test"
>
> I modified the standard dictionary file to include:
>
> #HJ
> VENDORATTR  9 cisco-VPNPassword   66 string
> VENDORATTR  9 cisco-VPNGroupInfo   67 string
> #HJ
>
> On the server running Radiator:
> F:\Radiator-2.18.2>perl radiusd -config=goodies\simple2.cfg
> Wed Sep  5 16:35:13 2001: DEBUG: Reading users file ./users2
> Wed Sep  5 16:35:13 2001: INFO: Server started: Radiator 2.18.2 on ks1
> Wed Sep  5 16:35:24 2001: DEBUG: Packet dump:
> *** Received from 129.7.209.253 port 2050 
> Code:   Access-Request
> Identifier: 41
> Authentic:  z<190><244>T<25><144><143><7>L1A<15><143>v<27><3>
> Attributes:
> NAS-IP-Address = 129.7.209.253
> NAS-Port-Type = Virtual
> Service-Type = Authenticate-Only
> NAS-Port = 268435459
> User-Name = "[EMAIL PROTECTED]"
> CHAP-Password = ^Y<18><<228><239><246><230>G^46h1<136>(<243>
>
> Wed Sep  5 16:35:24 2001: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Wed Sep  5 16:35:24 2001: DEBUG:  Deleting session for [EMAIL PROTECTED],
> 129.7.209.253, 268435459
> Wed Sep  5 16:35:24 2001: DEBUG: Handling with Radius::AuthFILE
> Wed Sep  5 16:35:24 2001: DEBUG: Radius::AuthFILE looks for match with
> [EMAIL PROTECTED]
> Wed Sep  5 16:35:24 2001: DEBUG: Radius::AuthFILE ACCEPT:
> Wed Sep  5 16:35:24 2001: DEBUG: Access accepted for [EMAIL PROTECTED]
> Wed Sep  5 16:35:24 2001: DEBUG: Packet dump:
> *** Sending to 129.7.209.253 port 2050 
> Code:   Access-Accept
> Identifier: 41
> Authentic:  z<190><244>T<25><144><143><7>L1A<15><143>v<27><3>
> Attributes:
> cisco-VPNGroupInfo = "Test"
> cisco-VPNPassword = "fred"
> Connect-Info = "Test"
>
> On 129.7.225.8 I am using the Cisco VPN client version 5.1.1. When I try to
> connect using [EMAIL PROTECTED], the system sits there and then eventually times
> out.
>
> On the Cisco VPN 5001, I do a
>   show sys log buffer
> and I get:
>
> Notice   9/5/01 16:35:21 New IKE connection: [129.7.225.8]:1284:[EMAIL PROTECTED]
> Debug    9/5/01 16:35:24 Received RA

(RADIATOR) Problem using Radiator to authenticate VPN access via a Cisco VPN 5001

2001-09-05 Thread Jares, Howard M

I am having problems configuring Radiator v2.18.2 to authenticate to a Cisco
VPN 5001.

I have been testing using the following configuration files:

goodies\simple2.cfg:
# simple2.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# a simple system. You can then add and change features.
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
# This example will authenticate from a standard users file in
# the current directory and log accounting to a file in the current
# directory.
# It will accept requests from any client and try to handle requests
# for any realm.
# And it will print out what it's doing in great detail.
#
# See radius.cfg for more complete examples of features and
# syntax, and refer to the reference manual for a complete description
# of all the features and syntax.
#
# You should consider this file to be a starting point only
# $Id: simple.cfg,v 1.4 2001/04/25 23:47:13 mikem Exp $

Foreground
LogStdout
LogDir  .
DbDir   .
DictionaryFile ./dictionary
# Use a lower trace level in production systems:
Trace   4
# Added by Howard Jares
AuthPort 1812
AcctPort 1813

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
    Secret  *
    DupInterval 0
</Client>

<Realm DEFAULT>
    <AuthBy FILE>
        Filename ./users2
    </AuthBy>
    # Log accounting to a detail file
    AcctLogFileName ./detail
</Realm>

Users2:
DEFAULT Service-Type = Administrative-User, Auth-Type = System
Idle-Timeout = 2000,

DEFAULT Service-Type = Login-User, Expiration = "Feb 2 2010"
Idle-Timeout = 2001,
Fall-Through = yes

# User-Password can be in a number of formats: plaintext, 
# UNIX encrypted,
# SHA encrypted (as used in Netscape LDAP), or Linux MD5 password
# defaults to plaintext
pwtest1   User-Password = "fred"
pwtest2   User-Password = "{SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc="
pwtest3   User-Password = "{crypt}1xMKc0GIVUNbE"
pwtest4   User-Password = "$1$cTpht$Obu9PLSMst1TDou.mN5bk0"
# Encrypted-Password can be in a variety of encryption standards too
# but defaults to Unix crypt
pwtest5   Encrypted-Password = "{SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc="
pwtest6   Encrypted-Password = "{crypt}1xMKc0GIVUNbE"
pwtest7  Encrypted-Password = "$1$cTpht$Obu9PLSMst1TDou.mN5bk0"
pwtest8   Encrypted-Password = "1xMKc0GIVUNbE"
pwtest9   Encrypted-Password = "{MD5}VwqQv7+MfqtdxdTiaDLVsQ=="
pwtest10   User-Password = "{MD5}VwqQv7+MfqtdxdTiaDLVsQ=="


[EMAIL PROTECTED] User-Password=fred
cisco-VPNGroupInfo=Test,
cisco-VPNPassword=fred
#   Connect-Info = "Test"

I modified the standard dictionary file to include:

#HJ
VENDORATTR  9 cisco-VPNPassword   66 string
VENDORATTR  9 cisco-VPNGroupInfo   67 string
#HJ

On the server running Radiator:
F:\Radiator-2.18.2>perl radiusd -config=goodies\simple2.cfg
Wed Sep  5 16:35:13 2001: DEBUG: Reading users file ./users2
Wed Sep  5 16:35:13 2001: INFO: Server started: Radiator 2.18.2 on ks1
Wed Sep  5 16:35:24 2001: DEBUG: Packet dump:
*** Received from 129.7.209.253 port 2050 
Code:   Access-Request
Identifier: 41
Authentic:  z<190><244>T<25><144><143><7>L1A<15><143>v<27><3>
Attributes:
NAS-IP-Address = 129.7.209.253
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
NAS-Port = 268435459
User-Name = "[EMAIL PROTECTED]"
CHAP-Password = ^Y<18><<228><239><246><230>G^46h1<136>(<243>

Wed Sep  5 16:35:24 2001: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Wed Sep  5 16:35:24 2001: DEBUG:  Deleting session for [EMAIL PROTECTED],
129.7.209.253, 268435459
Wed Sep  5 16:35:24 2001: DEBUG: Handling with Radius::AuthFILE
Wed Sep  5 16:35:24 2001: DEBUG: Radius::AuthFILE looks for match with
[EMAIL PROTECTED]
Wed Sep  5 16:35:24 2001: DEBUG: Radius::AuthFILE ACCEPT:
Wed Sep  5 16:35:24 2001: DEBUG: Access accepted for [EMAIL PROTECTED]
Wed Sep  5 16:35:24 2001: DEBUG: Packet dump:
*** Sending to 129.7.209.253 port 2050 
Code:   Access-Accept
Identifier: 41
Authentic:  z<190><244>T<25><144><143><7>L1A<15><143>v<27><3>
Attributes:
cisco-VPNGroupInfo = "Test"
cisco-VPNPassword = "fred"
Connect-Info = "Test"

On 129.7.225.8 I am using the Cisco VPN client version 5.1.1. When I try to
connect using [EMAIL PROTECTED], the system sits there and then eventually times
out.

On the Cisco VPN 5001, I do a 
  show sys log buffer
and I get:

Notice   9/5/01 16:35:21 New IKE connection: [129.7.225.8]:1284:[EMAIL PROTECTED]
Debug    9/5/01 16:35:24 Received RADIUS challenge resp. from [EMAIL PROTECTED] at 129.7.225.8, contacting server
Debug    9/5/01 16:35:24 No Connect-Info for [EMAIL PROTECTED]
Debug    9/5/01 16:35:24 Bad config from RADIUS server for [EMAIL PROTECTED]
Error    9/5/01 16:35:24 No Policy, "", for user, [EMAIL PROTECTED]
Notice   9/5/01 16:35:24  ([EMAIL PROTECTE
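How the two VENDORATTR dictionary lines in Howard's post map onto the wire, as an added Python illustration (not Radiator's code): each becomes an RFC 2865 Vendor-Specific attribute (type 26) carrying vendor id 9 and vendor type 66 or 67, and Connect-Info is standard attribute 77 (RFC 2869). The encoder rebuilds the attribute list of the Access-Accept shown in the packet dump, and the decoder walks it back through the same dictionary. Attribute names and values come from the post; the length checks are the usual ones for one-byte RADIUS length fields. The decoded result contains the cisco-VPNPassword value exactly as it appears on the wire, since RADIUS does not hide reply attributes.

```python
"""Encoding and decoding Cisco vendor attributes (added illustration, not Radiator's code).

Mirrors the dictionary lines from the post:
    VENDORATTR  9 cisco-VPNPassword   66 string
    VENDORATTR  9 cisco-VPNGroupInfo  67 string
RFC 2865 section 5.26 wire format for a Vendor-Specific attribute:
    Type=26 | Length | Vendor-Id (4 bytes) | Vendor-Type | Vendor-Length | value
"""
import struct

VENDOR_SPECIFIC = 26
CONNECT_INFO = 77  # RFC 2869

# (vendor id, vendor type) -> attribute name, as declared in the dictionary
VENDORATTR = {(9, 66): "cisco-VPNPassword", (9, 67): "cisco-VPNGroupInfo"}
VENDORATTR_BY_NAME = {name: key for key, name in VENDORATTR.items()}
STANDARD = {CONNECT_INFO: "Connect-Info"}


def encode_vsa(name: str, value: str) -> bytes:
    """Wrap one dictionary-defined vendor attribute in a Vendor-Specific attribute."""
    vendor_id, vendor_type = VENDORATTR_BY_NAME[name]
    data = value.encode()
    # 255 max attribute length - 2 outer header - 4 vendor id - 2 inner header
    if len(data) > 247:
        raise ValueError("vendor attribute value too long for one VSA")
    inner = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner


def encode_standard(attr_type: int, value: str) -> bytes:
    """Plain Type | Length | value attribute (Length covers the 2-byte header)."""
    data = value.encode()
    if len(data) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def decode_attributes(buf: bytes) -> list:
    """Walk a RADIUS attribute list and expand VSAs through the dictionary.
    Returns [(name, value), ...]; raises ValueError on malformed lengths."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError("bad attribute length")
        body = buf[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            if len(body) < 6:
                raise ValueError("Vendor-Specific attribute too short")
            vendor_id = struct.unpack("!I", body[:4])[0]
            vpos = 4
            while vpos < len(body):  # a VSA may carry several vendor sub-attributes
                if len(body) - vpos < 2:
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = body[vpos], body[vpos + 1]
                if vlen < 2 or vpos + vlen > len(body):
                    raise ValueError("bad vendor sub-attribute length")
                name = VENDORATTR.get((vendor_id, vtype), f"Vendor-{vendor_id}-Attr-{vtype}")
                out.append((name, body[vpos + 2:vpos + vlen].decode(errors="replace")))
                vpos += vlen
        else:
            out.append((STANDARD.get(atype, f"Attr-{atype}"), body.decode(errors="replace")))
        pos += alen
    return out


def build_accept_attributes() -> bytes:
    """The reply attributes of the Access-Accept in the packet dump."""
    return (encode_vsa("cisco-VPNGroupInfo", "Test")
            + encode_vsa("cisco-VPNPassword", "fred")
            + encode_standard(CONNECT_INFO, "Test"))


if __name__ == "__main__":
    wire = build_accept_attributes()
    print(wire.hex())
    for name, value in decode_attributes(wire):
        print(f"{name} = {value!r}")
```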