03-18-2010 07:46 AM
Has anyone managed to get the IVE working with a Microsoft RADIUS server (IAS - Internet Authentication Service)?
I really don't get it working. I have a realm that should prompt for a PIN first, and after this one was entered correctly, the user is sent an SMS on his mobile with another token he has to enter. On that Microsoft server there is another software installed that sends the SMS and maintains the user database and the PINs. We don't want to use Active Directory users for that!
I don't know what exactly has to be configured on that IAS server; I don't even get the ports open, and I think that's the main problem right now. The RADIUS service is running and OK, but when I nmap that machine, I can't see the open port 1812 or 1813, which the IVE connects to.
When connecting with a user, the user access log shows "destination 10.10.10.10:1812 not reachable", which is correct. The logfile at the IAS shows under system logs something like: "A RADIUS message was received from the invalid. RADIUS client IP address xxx.xxx.xxx.xxx"
I don't know which rules I have to set up, but not even the port is open, so there seem to be many problems. I also don't know how to connect the IAS with the user database that holds all the users and PINs...
Maybe anyone has a suggestion or tip that could help me!
Thanks in advance!
03-18-2010 08:19 AM
Howdy - yes, the IVE and MS RADIUS (IAS) do work well together. The first step is to get RADIUS working properly under IAS. For RADIUS troubleshooting and setup at my customer sites I carry around a tool on my laptop called Radutils - http://www.radutils.com/ - It is not freeware, but it just establishes RADIUS sessions and lets you test.
As you are not even getting to the ports, do the following: bring up IAS through the Admin Tools menu.
If you right-click on the IAS service you will have TWO tabs where you can enable additional logging (quite helpful) and set up the ports that will be used. This is where you can validate that the box is indeed using 1812 or 1813. It does sound like the server may have been configured with different ports.
You should also always keep an eye on the Windows Event Log. This is very helpful in allowing you to see if the remote requester is even talking to the box, and then, when it is, what happens to the authentication request.
As you said you can't even see the ports, I won't talk about the rest of the IAS setup for now. Feel free to post more questions and I can give you more information if you need it! You will need to set up a RADIUS client for each remote request machine, and a Remote Access Policy.
03-18-2010 08:56 AM
Hi Kevin, thanks a lot for your support!
I've already configured the service to log rejected and accepted authentication requests, and I've also ensured that the ports tab shows 1812 for auth and 1813 for accounting. The Windows event log shows only the following message:
"A RADIUS message was received from the invalid RADIUS client IP address xxx.xxx.xxx.xxx".
I can exclude the possibility that it's listening on different ports. Only the following ones are opened on this machine:
Windows Firewall is disabled, no other firewall running.
Does the Routing and Remote Access service have to be started? Does it have something to do with it?
When I run netstat on the IAS I can see, for example:
UDP IAS-Server:1812 *:*
UDP IAS-Server:1813 *:*
But from another machine (without firewalls in between) I don't see it as open. I'm not sure if it's listening or not, but I don't think so.
03-18-2010 09:09 AM
OK - the message you are receiving is because you have not defined the remote requestor in IAS. Go to Admin - IAS - RADIUS Clients and set up an entry for the requestor there: IP address, shared secret. This is the first thing you must do to get connectivity between the remote RADIUS requestor and the IAS box. This will eliminate the error message you got about an invalid client. You will also need to define a Remote Access Policy.
03-19-2010 01:59 AM - edited 03-19-2010 02:00 AM
I already set up a RADIUS client with the following config:
Friendly Name: SSL VPN
Address: Tried IP and DNS-Name here
Client-Vendor: RADIUS Standard
"Request must contain..." -> Unchecked
Shared secret added
So that one already exists. I've also defined a policy, but there are so many options (NAS-Identifier) where I have no clue which one to choose. I tried different combinations for the rule (e.g. VPN, Ethernet, then different NAS-Identifiers), but I don't really get what IAS wants/needs to accept a connection by SSL VPN gateways.
I tried multiple combinations of rulesets and always get the same message in the event log.
Thanks in advance
03-19-2010 07:01 AM
I also had this issue and was badly stuck for several days. I was using Dynamic VPN connecting to an SRX240. After calls to JTAC I finally got hold of a guy there who sent me a step-by-step config for using Windows IAS as your RADIUS server. Once I took that and followed it, bam, everything started working. I'm attaching it here for you to look at. It really should be available for all, but apparently this was from a customer and not a Juniper-approved doc, but who cares? It works. Take a look and I hope it helps.
03-19-2010 08:55 AM - edited 03-19-2010 08:58 AM
The document that was posted is very helpful for the specifics of the authorization policy setup. However, the invalid client message that you posted is one that IAS returns when the first-level communication between the IVE and IAS fails. If you had an incorrect shared password you would get a different message.
If your port were wrong you would not see anything in the event log, as the request would never reach the server. You would see a bad packet error of some type on the sender machine, but the IAS server would have no record of the request at all.
RAS / routing does NOT need to be enabled. Did you try using another tool or device against the IAS server to just verify basic RADIUS functionality? The tool I mentioned yesterday works really well.
03-22-2010 02:31 AM - edited 03-22-2010 02:34 AM
I followed the steps from the PDF, but not the step that says "Under a VPN user account, set...", because I don't want to authenticate against LDAP / AD. There's another software (SMS Passcode) installed on that RADIUS server, and it holds its own user database and passwords for the users. Those users should be used to authenticate. I also want to use the Network Connect IP pool and don't want to assign static IP addresses. All the other steps were followed as documented.
Now my problem is: I have no clue how to tell IAS that it should use this local user database, not LDAP or something else. The documentation of SMS Passcode is really weak and we don't get any further support; it seems to be "our problem".
Well, back to topic... I was able to see that 1812 is listening (in the logs), as it should be (but why don't I see the open port when I run nmap from another machine?). So as you said before, that should be fine, otherwise I wouldn't see the logfile entry - check.
I think it has something to do with the policy... As mentioned before, I followed the steps of the PDF, but I don't know which policy conditions to choose. I tried Client-IP-Address equals "*" (as wildcard) and "grant remote access", but that doesn't help. I always see the same errors in the event log.
Some questions for clarification:
- At the IVE config: do I have to check "Users authenticate using tokens or one-time passwords"?
- At the IVE config: do I have to add a "NAS-IP-Address"? (What is it about?)
- At the IVE config: do I have to add "Custom Radius Auth Rules"?
Yep, I tried the tool you mentioned and got this:
--------------------22.03.2010 10:04:11 Test started [AcctTest(Start Alive Stop)]-------------------------
Error: no response from server for ID 165 socket 1920
Sending Access-Request of id 165 to 10.10.2.10 port 1812
User-Name = "test1"
Acct-Status-Type = Start
Acct-Session-Id = "0001"
Sending Access-Request of id 165 to 10.10.2.10 port 1812
User-Name = "test1"
Acct-Status-Type = Start
Acct-Session-Id = "0001"
Sending Access-Request of id 165 to 10.10.2.10 port 1812
User-Name = "test1"
Acct-Status-Type = Start
Acct-Session-Id = "0001"
Sending Access-Request of id 60 to 10.10.2.10 port 1812
User-Name = "test1"
Acct-Status-Type = Interim-Update
Error: no response from server for ID 60 socket 1920
Acct-Session-Id = "0001"
Sending Access-Request of id 60 to 10.10.2.10 port 1812
User-Name = "test1"
Acct-Status-Type = Interim-Update
Acct-Session-Id = "0001"
Sending Access-Request of id 60 to 10.10.2.10 port 1812
User-Name = "test1"
Acct-Status-Type = Interim-Update
Acct-Session-Id = "0001"
Sending Access-Request of id 182 to 10.10.2.10 port 1812
User-Name = "test1"
Acct-Status-Type = Stop
Acct-Session-Id = "0001"
Sending Access-Request of id 182 to 10.10.2.10 port 1812
User-Name = "test1"
Error: no response from server for ID 182 socket 1920
Acct-Status-Type = Stop
Acct-Session-Id = "0001"
Sending Access-Request of id 182 to 10.10.2.10 port 1812
User-Name = "test1"
Acct-Status-Type = Stop
Acct-Session-Id = "0001"
Total approved auths: 0
Total denied auths: 0
Total lost auths: 3
Total time(secs): 27
--------------------22.03.2010 10:04:38 Test finished [AcctTest(Start Alive Stop)]-------------------------
Thanks for your time & support, muttbarker, and thanks for the PDF, Drozymandias.
03-24-2010 07:27 PM
I find configuration of IVE and IAS for RADIUS support dead easy, done in a snap.
Try to understand how these two work together, and troubleshoot step by step the whole line till you've got it.
03-24-2010 07:46 PM
It should also work with local SAM users if IAS is not in an AD domain.
But I never tried this out; I always authenticate users from Active Directory via IAS.
03-24-2010 07:49 PM
"A RADIUS message was received from the invalid. RADIUS client IP address xxx.xxx.xxx.xxx"
Do you use the internal IP of the IVE system as RADIUS client on IVE?
If you have a cluster, enter the physical IVE IPs as RADIUS clients on IAS; as I remember, the IVE sends the physical IP of the active IVE node to the RADIUS server as source IP.
03-24-2010 07:55 PM
NAS-Identifier can be left at the defaults.
What about the Encryption tab on IAS RAS policies... Profile, I think?
Unmark all of these, as IVE does not support that.
But I think your actual problem is that IAS won't accept RADIUS requests from your IVE IP address, as you configured the wrong IP on the IAS client tab. That means: check with which IP the RADIUS request packets arrive at the IAS, by sniffing with Network Monitor.
03-25-2010 02:23 AM
Do you use the internal IP of the IVE System as Radius Client on IVE?
-> Oh hell, how could I miss that??? Surely, the physical IP needs to be entered. After doing so, the event log message changed. Thanks a lot for that tip!
Now it's not an error in the event log anymore; it's the following warning now (translated into English):
access denied for user "bla"
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = IP of IVE-Master
NAS-Identifier = FQDN of IVE
Client-Friendly-Name = SA4000 Master
Client-IP-Address = IP of IVE-Master
Calling-Station-Identifier = <not present>
NAS-Port-Type = <not present>
NAS-Port = 0
Proxy-Policy-Name = <none>
Authentication-Provider = <undetermined>
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = <undetermined>
So it seems as if the policy is just wrong. And the other problem is that I don't know how the IAS recognizes the local users.
|Info||PTR23370||2010/03/25 10:21:16 - Tmaster - Root::hallo(SMS-Passcode) - Attempting to authenticate user "hallo" with auth server "SMS-Passcode"|
|Info||PTR23334||2010/03/25 10:21:16 - Tmaster - [10.10.10.10] - Root::hallo(SMS-Passcode) - Sign-in rejected using auth server SMS-Passcode (Radius Server). Reason: Failed|
So I think now my problem is about the RAS policy configuration and the connection to that local user store.
Thanks a lot for your time and support!!! You already helped a lot!
03-26-2010 03:41 AM
I noticed the SMS PASSCODE server and wanted to make you aware of the support page for our product where you are welcome to get live support. http://www.smspasscode.com/support. We would be happy to assist.
03-28-2010 12:09 AM
Proxy-Policy-Name = None
Check your RADIUS proxy policy; enter at minimum the policy "allow authentication for Windows users" or something like that. It's the default policy when you installed IAS RADIUS. Maybe you deleted it?
It's under, I think, "connection request policies". When you don't have any policy there, RADIUS requests will always be denied.
03-28-2010 12:16 AM - edited 03-28-2010 02:55 AM
I now added "Ignore User Dial-in Properties - true" to the profile, but what else has to be added here?
Nothing. Here you configure "return attributes" which the RADIUS server will return to the requesting RADIUS client (like IVE) when a RADIUS Accept message is sent to the IVE. You can use this for additional features.
Good idea to use Network Monitor (sniffer) on the Windows server, to see what's going on.
It will help you a lot to understand how this works together. Without sniffing for testing you work "blind", because you don't see which RADIUS attributes and messages travel between IVE and IAS.
These are attributes and values which could be used for some role mapping rules on the IVE.
Means: it also works if you don't configure ANY attributes at the "advanced" tab.
But I mostly use attribute "Class (25)" with any value, for example value "admin".
Then on IVE role mapping you can configure rules with "user attributes".
Means for IVE...
Class (25) with value "admin"
then assign user role
Class (25) with value "user"
then assign user role
So you can use these IAS RADIUS attributes to configure role mapping rules, isn't that fantastic?
The other attributes on the IAS "advanced" tab are only for other purposes like dial-in callback number and stuff like that, as historically RADIUS is a "dial-in" authentication service, but nowadays it's a standard network authentication mechanism which is supported by most network devices.
03-28-2010 02:51 AM
Authentication-Type = <not determined>
What is configured at RAS policy authentication type?
Though PAP does not encrypt authentication, the user passwords will always be encrypted through the RADIUS protocol between IVE and RADIUS server. The strength of RADIUS encryption depends on the complexity of the RADIUS secret.
So use a long and complex RADIUS secret, like AGhafdsa!$Q123TRZHsl$§!!!123adfjnvuda
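To make three points from these posts concrete (the "invalid RADIUS client" message that only goes away once the IVE's real source IP is entered as a RADIUS client, the Class (25) attribute returned in the Access-Accept for IVE role mapping, and why a PAP password is still protected on the wire by the shared secret), here is an added Python example. It is not from the thread, from Juniper or from Microsoft. It models a minimal RFC 2865 exchange: the client-table lookup by source IP, User-Password hiding with MD5 keyed by the shared secret, the Response Authenticator check on the reply, and the mapping of Class (25) to a role. The IP addresses, user, PIN, shared secret and role names are constructed for the example, and server_handle is a simplified model of the IAS decision path, not IAS's own logic.

```python
import hashlib
import os
import struct
from typing import Dict, List, Optional, Tuple

# RADIUS packet codes and the attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CLASS = 1, 2, 4, 25

# Constructed stand-ins (every value below is made up): the IAS "RADIUS Clients" table
# keyed by source IP, a local user store (password, Class value) and the IVE role map.
CLIENTS: Dict[str, Tuple[str, bytes]] = {"10.10.10.10": ("SA4000 Master", b"example-shared-secret-CHANGE-ME")}
USERS: Dict[str, Tuple[str, str]] = {"hallo": ("example-pin-1234", "admin")}
ROLE_MAP = {"admin": "Administrators", "user": "Users"}

def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Serialise Type/Length/Value attributes; Length includes the 2-byte header."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def decode_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Parse TLV attributes, refusing a Length that would run past the buffer."""
    attrs, i = [], 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def password_xor(data: bytes, secret: bytes, req_auth: bytes, hide: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with MD5(secret + previous
    ciphertext block), the first with the Request Authenticator. hide=False decrypts."""
    if hide:
        data = data + b"\x00" * (-len(data) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ q for p, q in zip(data[i:i + 16], pad))
        out += block
        prev = block if hide else data[i:i + 16]  # always chain on the ciphertext
    return out if hide else out.rstrip(b"\x00")

def response_authenticator(code, ident, req_auth, body, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()

def build_access_request(user: str, password: str, nas_ip: str, secret: bytes,
                         ident: int = 1, req_auth: Optional[bytes] = None) -> bytes:
    """What the IVE sends: User-Name, hidden User-Password and its NAS-IP-Address."""
    req_auth = req_auth or os.urandom(16)
    body = encode_attrs([(USER_NAME, user.encode()),
                         (USER_PASSWORD, password_xor(password.encode(), secret, req_auth, True)),
                         (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def server_handle(src_ip: str, packet: bytes) -> Tuple[str, bytes]:
    """Simplified IAS model: client table by source IP first, then the user (log, reply)."""
    if src_ip not in CLIENTS:  # unknown client: log line only, no reply, as IAS does
        return ("A RADIUS message was received from the invalid RADIUS client IP "
                "address " + src_ip, b"")
    secret = CLIENTS[src_ip][1]
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], dict(decode_attrs(packet[20:length]))
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return "Malformed Access-Request from " + src_ip, b""
    user = attrs[USER_NAME].decode(errors="replace")
    given = password_xor(attrs[USER_PASSWORD], secret, req_auth, False)
    entry = USERS.get(user)
    if entry is None or given != entry[0].encode():
        rcode, body, log = ACCESS_REJECT, b"", 'Access denied for user "%s"' % user
    else:  # the Accept carries Class (25), which the IVE can use in role mapping rules
        rcode, body = ACCESS_ACCEPT, encode_attrs([(CLASS, entry[1].encode())])
        log = 'Access granted for user "%s"' % user
    auth = response_authenticator(rcode, ident, req_auth, body, secret)
    return log, struct.pack("!BBH", rcode, ident, 20 + len(body)) + auth + body

def client_check_response(resp: bytes, req_auth: bytes, secret: bytes) -> Tuple[bool, Optional[str]]:
    """IVE side: verify the Response Authenticator, then map Class (25) to a role."""
    code, ident, length = struct.unpack("!BBH", resp[:4])
    body = resp[20:length]
    if resp[4:20] != response_authenticator(code, ident, req_auth, body, secret):
        raise ValueError("Response Authenticator mismatch: wrong secret or tampered reply")
    if code != ACCESS_ACCEPT:
        return False, None
    classes = [v.decode() for t, v in decode_attrs(body) if t == CLASS]
    return True, next((ROLE_MAP[c] for c in classes if c in ROLE_MAP), None)

def demo(src_ip: str, user: str, password: str) -> Tuple[str, bool, Optional[str]]:
    # End-to-end exchange with a fixed Request Authenticator so results are reproducible.
    secret, req_auth = CLIENTS["10.10.10.10"][1], bytes(range(16))
    req = build_access_request(user, password, "10.10.10.10", secret, req_auth=req_auth)
    log, resp = server_handle(src_ip, req)
    return (log, False, None) if not resp else (log,) + client_check_response(resp, req_auth, secret)
```

With the constructed values, demo("192.0.2.5", "hallo", "example-pin-1234") reproduces the invalid-client log line with no reply at all, while demo("10.10.10.10", "hallo", "example-pin-1234") yields an Access-Accept that the client side maps to the constructed "Administrators" role. A wrong secret on the client side makes client_check_response raise on the Response Authenticator check, which is the different failure mode muttbarker distinguishes from the invalid-client message. The password hiding is only a keyed MD5 stream, so its strength is exactly the strength of the shared secret, which is why the long, complex secret recommended above matters.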
04-01-2010 04:11 AM
Thank you spacyfreak. I think something is still wrong with the policy, but I will get back to this later. Thanks for your support so far.
@LarsNielsen: Thank you, but we decided not to purchase your product, because the support wasn't good at all (actually there was no support for implementation), so we sent the test environment back.