Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations IamaSherpa on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Radius authentication over VPN on NG w/ AI

Status
Not open for further replies.
johnsims

johnsims

Vendor
Sep 6, 2002
1
US
I am trying to use Radius authentication for my SR/SC users. If the Radius server is on the same network, everything works fine, but I have a need to authenticate to a Radius server on the opposite end of our VPN.

Here's the problem: The firewall chooses to send the Radius traffic cleartext rather than encrypt it (based on implied rules). Other traffic (ssh, icmp, etc.) is encrypted, but Radius is not.

Short of replacing all of my implied rules with manual rules, does anyone know of a way to make the firewall encrypt the Radius traffic (ie. a hack to say that Radius is NOT included in VPN-1/FW-1 control connections)?

I appreciate the help.

John Sims
jasims@cornerstones.com
 
Sort by date Sort by votes
i dont know if this is any help but recently we had the same problem with session authentication for us the fix was a parameter that was needing manualy set in the objects file (best method to change with is guidbedit downloadable from

what we needed to set was
Global properties - Properties - firewall properties - snauth_protocol =ssl

i know this is foe session authentication but there may be a similar value for radius authentication.

i will have a look later and see what i can find

if you are making any changes in this file be careful and it would be a good idea for someone else to confirm this method (for me it is only an idea)
 
Upvote 0 Downvote
Hi,
The problem is that radius connection travels unencrypted.
To solve this problem, you should carefully do the following steps:
1. Both on the Main VPN server and the VPN server that the placed Radius behind:
1.1. Backup the file base.def. (do not skip this...)
1.2. Find out the string: enable_radius_queries
Remove all the lines beteen the brackets (that follows the script), including the brackets:
{ eitherbound all@all accept udp ... }
2. Add the following rules (in that order, before the encrypt rules) on main VPN site, to make sure that Radius connections are encrypted:
2.1. (s) Main-Server (d) Radius-Server-object (srv) Radius (a) Accept
2.2. (s) Radius-Server-object (d) Radius-Site (srv) Radius (a) Encrypt
(*note that Radius-Server-object is the object that defines the radius server and Radius-Site is the object of the VPN site placed before the radius server)
3. Add the following rule on Radius Site:
a. (s) Radius-Site (d) Radius-Server-object (srv) Radius (a) Encrypt

Be careful and Good luck,
-Alon
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
577
Sameer258
Sameer258
ISDPCMAN
  • Locked
  • Question
RDP fails over VPN
Replies
1
Views
181
gkittelson
gkittelson
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
517
intel233
intel233
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
623
Shmid
Shmid
WhosYourDiffie
  • Locked
  • Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
126
WhosYourDiffie
WhosYourDiffie

Part and Inventory Search

Sponsor

Back
Top