Contributor
spacyfreak
Posts: 70
Registered: ‎02-27-2009

Re: How do i configure a RADIUS Authentication Server (Microsoft IAS)?

"A RADIUS message was received from the invalid RADIUS client IP address xxx.xxx.xxx.xxx"

Do you use the internal IP of the IVE system as RADIUS client on IVE?

If you have a cluster, enter the physical IVE IPs as RADIUS clients on IAS; as I remember, IVE sends the physical IP of the active IVE node to the RADIUS server as source IP.

Contributor
spacyfreak
Posts: 70
Registered: ‎02-27-2009

Re: How do i configure a RADIUS Authentication Server (Microsoft IAS)?

NAS Identifier can be left at the defaults.

What about the Encryption tab on IAS RAS policies ... Profile, I think?

Unmark all of this, as IVE does not support that.

But I think your actual problem is that IAS won't accept RADIUS requests from your IVE IP address, as you configured the wrong IP on the IAS client tab. That means: check with which IP the RADIUS request packets arrive at the IAS, by sniffing with Network Monitor.

Trusted Contributor
rdit
Posts: 154
Registered: ‎07-04-2008

Re: How do i configure a RADIUS Authentication Server (Microsoft IAS)?

Do you use the internal IP of the IVE System as Radius Client on IVE?

-> Oh hell, how could I miss that??? Surely, the physical IP needs to be entered. After doing so, the event log message changed. Thanks a lot for that tip!

Now it's not an error in the event log anymore; it's the following warning now (translated into English):

access denied for user "bla"
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = IP of IVE-Master
NAS-Identifier = FQDN of IVE
Client-Friendly-Name = SA4000 Master
Client-IP-Address = IP of IVE-Master
Calling-Station-Identifier = <not present>
NAS-Port-Type = <not present>
NAS-Port = 0
Proxy-Policy-Name = <none>
Authentication-Provider = <undetermined>
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = <undetermined>

So it seems the policy is just wrong. And the other problem is that I don't know how the IAS recognizes the local users.

  • I've disabled all encryption settings from the profile, as you said
  • Well, the users are not in a local SAM, they are held by an application. It's just a little web interface where you can create users and assign a PIN to them - that's it (it also sends an SMS to the user's mobile then, but that works already and has nothing to do with IAS).
  • Proper secret was set up
  • I now added "Ignore User Dial-in Properties - true" to the profile, but what else has to be added here?
  • User realm and roles are configured correctly
  • Log at IVE: "Login failed using auth server SMS-Passcode (Radius Server). Reason: Failed"
  • Policy trace:
    Info PTR23370 2010/03/25 10:21:16 - Tmaster - Root::hallo(SMS-Passcode)[] - Attempting to authenticate user "hallo" with auth server "SMS-Passcode"
    Info PTR23334 2010/03/25 10:21:16 - Tmaster - [10.10.10.10] - Root::hallo(SMS-Passcode)[] - Sign-in rejected using auth server SMS-Passcode (Radius Server). Reason: Failed

So I think now my problem is about the RAS policy configuration and the connection to that local user store.

Thanks a lot for your time and support!!! You already helped a lot!

New User
LarsNielsen
Posts: 1
Registered: ‎03-26-2010

Re: How do i configure a RADIUS Authentication Server (Microsoft IAS)?

I noticed the SMS PASSCODE server and wanted to make you aware of the support page for our product where you are welcome to get live support. http://www.smspasscode.com/support. We would be happy to assist.

Rgds

Lars Nielsen

Contributor
spacyfreak
Posts: 70
Registered: ‎02-27-2009

Re: How do i configure a RADIUS Authentication Server (Microsoft IAS)?

Proxy-Policy-Name = None

Check your RADIUS proxy policy; enter at minimum the policy "allow authentication for windows users" or something like that. It's the default policy when you installed IAS RADIUS. Maybe you deleted it?

It's under, I think, "connection request policies". When you don't have any policy there, RADIUS requests will always be denied.

Contributor
spacyfreak
Posts: 70
Registered: ‎02-27-2009

Re: How do i configure a RADIUS Authentication Server (Microsoft IAS)?

I now added "Ignore User Dial-in Properties - true" to the profile, but what else has to be added here?

Nothing. Here you configure "return attributes" which the RADIUS server will return to the requesting RADIUS client (like IVE) when the RADIUS accept message is sent to IVE. You can use this for additional features.

Good idea to use Network Monitor (sniffer) on the Windows server, to see what's going on.

It will help you a lot to understand how this works together. Without sniffing for testing you work "blind", because you don't see which RADIUS attributes and messages travel between IVE and IAS.

These are attributes and values which could be used for some role mapping rules on IVE.

That means it also works if you don't configure ANY attributes on the "advanced" tab.

But I mostly use the attribute "class (25)" with any value, for example the value "admin".

Then on IVE role mapping you can configure rules with "user attributes".

That means, for IVE:

IF userattribute class (25) with value "admin" then assign userrole admin

IF userattribute class (25) with value "user" then assign userrole vpnuser

So you can use these IAS RADIUS attributes to configure role mapping rules, isn't that fantastic?

The other attributes on the IAS "advanced" tab are only for other purposes like dial-in callback number and stuff like that, as historically RADIUS is a "dial-in" authentication service, but nowadays it's a standard network authentication mechanism which is supported by most network devices.

 

Contributor
spacyfreak
Posts: 70
Registered: ‎02-27-2009

Re: How do i configure a RADIUS Authentication Server (Microsoft IAS)?

Authentication-Type = <not determined>

 

What is configured at RAS Policy Authentication Type?

Mark PAP.

Though PAP does not encrypt authentication, the user passwords will always be encrypted through the RADIUS protocol between IVE and RADIUS server. The strength of RADIUS encryption depends on the complexity of the RADIUS secret.

So use a long and complex RADIUS secret, like AGhafdsa!$Q123TRZHsl$§!!!123adfjnvuda
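
How RADIUS hides a PAP password, as an added example that is not part of the original post: the User-Password attribute is XORed with MD5(shared secret + Request Authenticator), chained per 16-byte block as in RFC 2865 section 5.2, so its protection rests entirely on the shared secret. The secret, authenticator and PIN below are constructed sample values.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _pad_block(secret: bytes, prev: bytes) -> bytes:
    # Per-block pad: MD5 over the shared secret and the previous 16 bytes
    return hashlib.md5(secret + prev).digest()

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """What the RADIUS client (here: the IVE) puts in User-Password."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = bytes(16)  # an empty password still occupies one block
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], _pad_block(secret, prev))
        hidden += block
        prev = block  # the next block is chained on this ciphertext block
    return hidden

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """What the RADIUS server (here: IAS) does with its copy of the secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 bytes")
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, _pad_block(secret, prev))
        prev = block
    return clear.rstrip(b"\x00")

# Constructed sample values, not taken from the thread
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
PIN = b"1234"

if __name__ == "__main__":
    wire = hide_password(PIN, SECRET, REQUEST_AUTH)
    print(wire.hex())
    print(unhide_password(wire, SECRET, REQUEST_AUTH))
    # A mismatched secret yields garbage, which the server rejects
    print(unhide_password(wire, b"wrong-secret", REQUEST_AUTH))
```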

Trusted Contributor
rdit
Posts: 154
Registered: ‎07-04-2008

Re: How do i configure a RADIUS Authentication Server (Microsoft IAS)?

Thank you, spacyfreak. I think something is still wrong with the policy, but I will get back to this later. Thanks for your support so far.

@LarsNielsen: Thank you, but we decided not to purchase your product, because the support wasn't good at all (actually there was no support for implementation), so we sent the test environment back.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.