
PIX RADIUS Authentication on NT 4? 3

Status
Not open for further replies.

sebastianganson

Programmer
Jan 10, 2001
4
US
I am looking for a simple, preferably free, solution to do RADIUS Authentication on NT 4.0. I know that the NT 4 Option Pack offers a RADIUS solution, but it looks like that is used to talk to a RADIUS server and not do actual authentication. Is this correct? Can someone please point me in the direction of a good RADIUS product?

Thanks in advance,
Sebastian
 
The RADIUS server that is packaged with the NT 4 option pack does do authentication and I am using it to authenticate PIX users without any problems.
 
Scott,
Thanks for your reply. I found some documentation on configuring NT Radius, but was there anything special you needed to do to get it to work with the PIX? Do you know if it is possible to assign access lists from the NT Radius Server?

Sebastian
 
Nothing real special to configure, just make sure the password you choose for the two is the same. Here are a couple of lines that are needed in the PIX config:

aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 192.168.1.4 password timeout 5

192.168.1.4 <- NT Radius server
password <- secret shared between Radius server and PIX.

As far as assigning dynamic access lists, I don't believe you can have it do that. But, I am just using it for authentication and nothing else at the moment.

Hope this helps,
Scott
 
I was able to set up one of my Cisco routers running Auth-Proxy to use the access-list generated by the RADIUS server (Windows 2000 IAS in this case). The link below may be able to help you out in defining the dynamic access-list.


Let us all know how this works out.

Bluecrack
 
Hi again,
Sorry, I am a bit slow on this. I am still working on just getting authenticated. Now that I have the PIX configured to look to the RADIUS server for authentication I do get the login window, however, the only user I can successfully authenticate as is the Domain Admin?!? I tried a couple of settings in another user account, including allow dial-in access, but with no success. Am I missing some configuration option?
Thanks,
Sebastian
 
On my Windows 2000 IAS server I set up my policy to allow only users in a group called "VPNAllowed" to connect to the VPN. Then I created a group called "VPNAllowed" on my Domain Controller and added the users I wanted to be allowed to use the VPN to the group.

I have not used the NT 4.0 RADIUS server but I would expect it could do the same.

Hope this helps.

Bluecrack
 
Bluecrack,

Could you please be more specific on how to set up/configure it? I got the tunnel going, but not with RADIUS (IAS). I did create a policy that allows VPNUsers to get in. Is there anything else I should be aware of?

Thanks.
 
I set the PIX as client and IAS as server.

The following log message is from the IAS server.
Who can give me some suggestions?

Thank you


" 1 192.168.1.12 12/08/2001 11:52:37 22",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
" 1 192.168.1.12 12/08/2001 11:52:37 23",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
" 1 192.168.1.12 12/08/2001 11:52:37 23",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
"
 