[Help-gnu-radius] Configuring Radius for Cisco equipment
From: Chris Partsenidis
Subject: [Help-gnu-radius] Configuring Radius for Cisco equipment
Date: Thu, 2 Dec 2004 00:59:48 +0200
Greeting everyone,
I'm a new radius server user and have spent the past week trying to discover
how to configure and use the service correctly, but with little progress, so
I'm now seeking help and hope that a few technically advanced people will be
kind enough to help here!
I've decided to use the gnu radius server in order to control access to
multiple Cisco routers, switches and other devices in a new and 'under
development' Cisco lab for my website. The system will comprise an automatic
booking system where users are able to make a booking and reserve a specific
lab to work with.
My goal is to successfully control access to the labs according to the bookings
created by the users, so this is where the radius server comes into play.
At this point, I'm experimenting with my Cisco 2600 router, which I've tried to
set up so it can communicate with the radius server I've set up. Using the
provided documentation, I've successfully configured and installed the radius
server, but there are still some parts I'm missing, due to the fact I have not
fully comprehended in-depth the services and capabilities of the radius server.
I've set up the server to listen on specific ports for authentication and
accounting by creating the required entries in the config file:
/usr/local/etc/raddb/config
-------------------
auth {
max-requests 127;
listen 192.168.0.15:1645;
request-cleanup-delay 2;
detail yes;
detail-file-name "=nas_name(request_source_ip()) + \"/detail.auth\"";
strip-names yes;
checkrad-assume-logged yes;
};
acct {
max-requests 127;
listen 192.168.0.15:1646;
request-cleanup-delay 2;
detail-file-name "=nas_name(request_source_ip()) + \"/detail\"";
};
---------------------
I've also added the client name (192.168.0.15) and key (firewall) in the
/usr/local/etc/raddb/clients file, then used the example code in the
manual to add a user in /usr/local/etc/raddb/users that will authenticate using
the local linux server system:
----------------------------
DEFAULT Auth-Type = System,
        Login-Time = "Al",
        Simultaneous-Use = 1
        Exec-Program-Wait = "/usr/local/sbin/telauth \
                             %C{User-Name} \
                             %C{Calling-Station-Id} \
                             %C{NAS-IP-Address} \
                             %C{NAS-Port-Id}"
-----------------------------------
and changed the Login-Time to 'Al' and Exec-Program-Wait to
/usr/local/sbin/radauth since 'telauth' doesn't exist.
For the Cisco gurus out there, I've configured the 2600 router to use the
radius server for authentication:
-------------------------------
aaa new-model
aaa group server radius firewall
server 192.168.0.15 auth-port 1645 acct-port 1646
....
aaa authentication login default group firewall
..
radius-server host 192.168.0.15 auth-port 1645 acct-port 1646 key firewall
radius-server retransmit 3
---------------------------------
So when I telnet into the router (192.168.0.1), I get a username login prompt.
I enter the previously created user on the linux server my radius is running on
(chris) with its password (chris), but the authentication fails.
Following is the output of /var/log/radius.info:
--------------------------------
Dec 03 00:10:58 [2770]: (Access-Request 192.168.0.2 9 "chris"
CLID=192.168.0.1): Rejected [chris]
---------------------------
I hope that clearly shows the problem I am having at this stage. If anyone can
provide any help, suggestions or point me towards a site which contains sample
configuration for the type of setup I am trying to create, it would be highly
appreciated.
If you need further information to help me with the problem, please let me know.
Regards,
_______________________
Chris Partsenidis
Founder & Senior Editor
http://www.firewall.cx
_______________________
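The post ends with a bare "Rejected" in radius.info, which on its own does not say whether the shared secret, the client entry or the user lookup failed. The script below is an added example written for this page; it is not part of the post and not GNU Radius code. It implements the RFC 2865 pieces that decide those outcomes: User-Password hiding with the shared secret (section 5.2), the Response Authenticator (section 3), and a toy server that looks the secret up by the request's source address, which is what the clients file does. The user name "chris", the secret "firewall" and the router address 192.168.0.2 come from the post; the user table, the toy server and the three scenarios are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 codes and attribute types used below.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def pap_encrypt(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s.5.2: NUL-pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def pap_decrypt(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse. A wrong secret does not raise; it just yields
    garbage, so a secret mismatch looks like an ordinary bad password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(payload: bytes) -> dict:
    """Type-Length-Value walk with bounds checks; rejects truncated attributes."""
    attrs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute")
        attrs[payload[i]] = payload[i + 2:i + payload[i + 1]]
        i += payload[i + 1]
    return attrs


def build_access_request(ident, username, password, nas_ip, secret, request_auth):
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, pap_encrypt(password, secret, request_auth))
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, request_auth, secret, attrs=b""):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_response(response, request_auth, secret):
    """True only if the reply was signed with the secret this side holds."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:], request_auth, secret)
    return hmac.compare_digest(expected, response[4:20])


def simulated_server(request, source_ip, clients, users):
    """Toy stand-in (not GNU Radius): secret keyed by source address like the
    clients file, then a users lookup. Unknown sources get no reply at all."""
    secret = clients.get(source_ip)
    if secret is None:
        return None
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return None
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    password = pap_decrypt(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = users.get(attrs.get(ATTR_USER_NAME, b""))
    ok = expected is not None and hmac.compare_digest(expected, password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)


def run_scenarios():
    """Three constructed exchanges: returns (reply code, authenticator ok) per case."""
    clients = {"192.168.0.2": b"firewall"}   # constructed: router address -> secret
    users = {b"chris": b"chris"}             # constructed user table
    results = {}
    for name, src, secret in [("right-secret", "192.168.0.2", b"firewall"),
                              ("wrong-secret", "192.168.0.2", b"other"),
                              ("unknown-client", "192.168.0.99", b"firewall")]:
        auth = os.urandom(16)
        req = build_access_request(9, b"chris", b"chris", src, secret, auth)
        reply = simulated_server(req, src, clients, users)
        results[name] = None if reply is None else (reply[0], verify_response(reply, auth, secret))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:15s} -> {outcome}")
```

The three outcomes are the ones worth telling apart when reading a server log like the one in the post: an Access-Reject whose Response Authenticator verifies means the secret matches and the users lookup is what failed; a reply that does not verify means the two sides hold different secrets; no reply at all means the request's source address has no clients entry. The server keys its lookup on the source address of the UDP packet, which in the posted log line is 192.168.0.2, not on any address configured on the server itself.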