dpbpc62
Level 7
Message 1 of 14

RADIUS Authentication Setup using ACS 5.4 and MFE v8.3.0

Does anyone have a setup step for ACS 5.4 and MFE 8.3.0, or is there a KB on this?

We have a new ACS 5.4 and can't seem to get it to authenticate correctly over RADIUS.

Thanks

Dana

13 Replies
dpbpc62
Level 7
Message 2 of 14

Re: RADIUS Authentication Setup using ACS 5.4 and MFE v8.3.0

We are trying to use RADIUS as the Authenticator to log in to the Admin Console, but using the ACS 5.4 users.

PhilM
Level 14
Message 3 of 14

Re: RADIUS Authentication Setup using ACS 5.4 and MFE v8.3.0

Given how RADIUS behaves and the fact that integration of a RADIUS environment normally requires little more than configuring each device with the IP address of its peer (Firewall with the IP address of the ACS, and ACS with the IP Address of the Firewall) and a shared secret/password/pre-shared key, I would suggest you take a look at the logs on the ACS server to see if you can identify what may be causing the authentication requests to fail.

Is it because the credentials are incorrect, or is it because the authentication request from the Firewall is being rejected?

-Phil.

mtuma
Level 13
Message 4 of 14

Re: RADIUS Authentication Setup using ACS 5.4 and MFE v8.3.0

Also, you want to make sure that you have an Administrative user with the same name as the Radius/ACS user. If you do not then it will not let you log into the GUI/SSH/Console. This is a pretty common thing to forget. This is not a requirement for authenticating traffic through the firewall.

-Matt

dpbpc62
Level 7
Message 5 of 14

Re: RADIUS Authentication Setup using ACS 5.4 and MFE v8.3.0

The ACS is getting the following errors

We basically have two error situations.

On the ACS, if we set the Service Selection rules to drop RADIUS into the "Default Device Admin", this creates an error on the ACS and the RADIUS authentication fails and is dropped by the ACS due to error 11033; however, the user session to the Sidewinder seems to eventually succeed, albeit with a very slow connect. (11033 - Selected Service is not Network Access.) I think what happens is we fail back to a local login.

The second situation is when the proper Service type "Network Access" is set up: the RADIUS request authenticates okay, but the ACS issues a parsing error reading the RADIUS packet and the access attempt is dropped by the ACS on error 11014. (11014 - Radius Packet contains invalid attribute(s).) Again we seem to fail back to a local login.

Is there any configuration on the Sidewinder that may set the format of the RADIUS authentication request forwarded to the ACS?

ACS is running Ver 5.4 patch 5-4-0-46-4.

Could it be on the MFE that in the Authenticator... RADIUS... Group tab that the attributes are incorrect?

Dana
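
An added example, not from this thread or from either product: a small Python parser that walks the attribute list of a RADIUS Access-Request (for instance one pulled from a tcpdump capture), names each attribute and flags the kind of malformed attribute a server rejects as "invalid attribute(s)" like the 11014 error above. Both packets below are constructed; the authenticator, addresses and names are placeholders.

```python
import struct

ACCESS_REQUEST = 1
# RFC 2865 attribute type codes used by the constructed sample packets below.
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 6: "Service-Type", 32: "NAS-Identifier"}

def parse_radius(packet):
    """Walk a RADIUS packet's attribute list. Returns (code, identifier, attrs, problems);
    problems lists malformed attributes that a server such as ACS rejects instead of
    processing the request."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field %d but %d bytes received" % (length, len(packet)))
    attrs, problems, pos = [], [], 20
    while pos < length:
        if length - pos < 2:
            problems.append("truncated attribute header at offset %d" % pos)
            break
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            problems.append("type %d at offset %d has invalid length %d" % (atype, pos, alen))
            break
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs, problems

def describe(attrs):
    """Name each attribute so a capture can be compared with what the server expects."""
    return [(ATTR_NAMES.get(t, "Unknown-%d" % t), v) for t, v in attrs]

def build_attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def build_request(ident, authenticator, attrs):
    body = b"".join(build_attr(t, v) for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

AUTH = bytes(range(16))  # constructed Request Authenticator; a real one is random
# Constructed, well-formed Access-Request of the kind a NAS sends for an admin login.
GOOD_REQUEST = build_request(7, AUTH, [
    (1, b"user"),                  # User-Name
    (4, bytes([192, 0, 2, 10])),   # NAS-IP-Address (documentation range)
    (6, struct.pack("!I", 1)),     # Service-Type = Login-User
    (32, b"host.ca"),              # NAS-Identifier
])
# Same header and User-Name, then an attribute whose length byte is 0: a server drops this as invalid attribute(s).
BAD_REQUEST = struct.pack("!BBH", ACCESS_REQUEST, 8, 28) + AUTH + build_attr(1, b"user") + bytes([6, 0])
```

Feeding the raw UDP payload from a capture into parse_radius() shows exactly which attributes the firewall sent and which one the server could not parse.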

sliedl
Level 14
Message 6 of 14

Re: RADIUS Authentication Setup using ACS 5.4 and MFE v8.3.0

The firewall is talking to the ACS so we know that is working.  All you can do now is troubleshoot this via tcpdumps and the logs on the ACS.  The ACS does not like some attribute of course -- which one, is the question?  The firewall is not going to tell you which attribute the ACS does not like so you must use the ACS logs and the online help to determine which attributes the ACS is looking for (and not looking for).  All the configuration for the RADIUS warder is right there in the GUI.

There is a way to put the radiusw process (RADIUS warder) in debug mode:

  • First run 'pss radiusw' to see that the radius warder is running.  Notice the arguments (/usr/libexec/radiusw -c [filename]).
  • To set it in debug mode you edit the file /secureos/etc/warder/authenticator.conf.
  • Find the section pertaining to the 'name' of your RADIUS authenticator you created in the GUI (mine was called RAD).
  • The line starts with 'authenticator(RAD /usr/libexec/radiusw...' in my setup.
  • There is a part of this section (it's one long line) that says 'args[-c /etc/sidewinder/authenticator/RAD.conf]'.
  • I did a 'man radiusw' to see how to set the debug flags for this warder.  What it says there is to add '-l #', where # is 1, 2 or 3.
  • I edited this authenticator.conf file and added -l 3 (dash L space 3 space) before the -c /filename part and saved the file.
  • To get the system to read this change you HUP (hangup) daemond (the daemon daemon) by finding its PID like this:
    • pss daemond
    • kill -HUP [PID from pss]
  • Now if you do 'pss radiusw' you should see that the warder is now running in level 3 debug mode.  Now the audits from the warder will be MUCH more detailed and that may help you figure out what the firewall is sending that the ACS does not like.
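
The procedure above, as an added example that is not part of the original post: a Python helper that makes the authenticator.conf edit (inserting '-l 3' before the '-c' option of the named authenticator, without adding a second '-l' if one is already there) and a second helper that reads the level back from 'pss radiusw' output to confirm daemond picked up the change after the HUP. The sample configuration line and ps output are constructed; only the fragments quoted in the post are real, and the OTHER authenticator is a placeholder.

```python
import re

def set_radiusw_debug(conf_text, name, level=3):
    """Return conf_text with '-l <level>' added to the args[...] of the
    authenticator(<name> ...) line, before its '-c' option. Raises if the line
    is missing; replaces an existing -l level instead of adding a second one."""
    if level not in (1, 2, 3):
        raise ValueError("radiusw debug level must be 1, 2 or 3")
    out, found = [], False
    for line in conf_text.splitlines():
        if line.startswith("authenticator(%s " % name):
            found = True
            m = re.search(r"args\[(.*?)\]", line)
            if m is None:
                raise ValueError("no args[...] on the %s line" % name)
            args = m.group(1)
            if re.search(r"-l [123]\b", args):
                args = re.sub(r"-l [123]\b", "-l %d" % level, args)
            elif "-c " in args:
                args = args.replace("-c ", "-l %d -c " % level, 1)
            else:
                raise ValueError("no -c option in args for %s" % name)
            line = line[:m.start(1)] + args + line[m.end(1):]
        out.append(line)
    if not found:
        raise ValueError("authenticator %s not found" % name)
    return "\n".join(out) + "\n"

def radiusw_debug_level(ps_output):
    """Read the -l level back from 'pss radiusw' output: None if radiusw is not
    running, 0 if it runs without -l, otherwise the level daemond started it with."""
    for line in ps_output.splitlines():
        if "/usr/libexec/radiusw" in line and "grep" not in line:
            m = re.search(r"/usr/libexec/radiusw\b.*?-l (\d)", line)
            return int(m.group(1)) if m else 0
    return None

# Constructed stand-in for /secureos/etc/warder/authenticator.conf; the OTHER line
# is a placeholder and the real file carries more fields on each (long) line.
SAMPLE_CONF = ("authenticator(OTHER /usr/libexec/otherw args[-c /etc/sidewinder/authenticator/OTHER.conf])\n"
               "authenticator(RAD /usr/libexec/radiusw args[-c /etc/sidewinder/authenticator/RAD.conf])\n")
# Constructed 'pss radiusw' output after daemond was HUPed.
SAMPLE_PS = ("USER  PID %CPU %MEM COMMAND\n"
             "root 1572  0.0  0.1 /usr/libexec/radiusw -l 3 -c /etc/sidewinder/authenticator/RAD.conf\n")
```

Remember to set the level back to the original line (or remove '-l') once the troubleshooting is done, since level 3 audits are verbose.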
dpbpc62
Level 7
Message 7 of 14

Re: RADIUS Authentication Setup using ACS 5.4 and MFE v8.3.0

Well this gets stranger as I move on....

When I use the old ACS IP I can do the pss radiusw, but when I change to the new ACS IP it fails and I get "pss not found".

Do I have to restart the radiusw process when I change server IPs, or should I have a new Authenticator for the new ACS?

Dana

sliedl
Level 14
Message 8 of 14

Re: RADIUS Authentication Setup using ACS 5.4 and MFE v8.3.0

You get 'pss: Command not found', correct?  Did you type pss wrong?

If you type 'alias' on the command-line you'll see that 'pss' is an alias command for 'ps  -aguxww | egrep -e "PID|!*" | grep -v "egrep -e PID" '.  When you type 'pss radiusw' it's doing a grep for the string radiusw.  If the string is not there it simply returns the header-line of the 'ps' command, it does not say 'not found.'

You do not have to restart anything when you change the RADIUS server IP, no.

dpbpc62
Level 7
Message 9 of 14

Re: RADIUS Authentication Setup using ACS 5.4 and MFE v8.3.0

My bad....

I figured it out. We have another MFE that is running 8.3.0; when I did a 'which pss', I saw that pss is an alias to "ps -auxww | egrep -e ...", so I was able to get the PIDs from ps and performed the steps.

Oops

Dana

Re: RADIUS Authentication Setup using ACS 5.4 and MFE v8.3.0

OK I have an audit log, but not sure where to look for the attribute, plus not sure if the debug level is verbose enough.

See below

2013-08-29 13:17:12 -0400 f_radius_warder a_proxywarderlib t_debug p_minor
pid: 1572 logid: 0 cmd: 'radiusw' hostname: host.ca
information: No new connection waiting on 'rsock'

2013-08-29 13:18:54 -0400 f_radius_warder a_proxywarderlib t_debug p_minor
pid: 1572 logid: 0 cmd: 'radiusw' hostname: host.ca
information: No new connection waiting on 'rsock'

2013-08-29 13:19:25 -0400 f_radius_warder a_proxywarderlib t_debug p_minor
pid: 1572 logid: 0 cmd: 'radiusw' hostname: host.ca
information: Select() reports a new connection on rsock

2013-08-29 13:19:25 -0400 f_radius_warder a_proxywarderlib t_debug p_minor
pid: 1572 logid: 0 cmd: 'radiusw' hostname: host.ca
information: New fd recvmsg()ed from new_socket

2013-08-29 13:19:25 -0400 f_radius_warder a_server t_debug p_minor
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: Child process (0) starting up

2013-08-29 13:19:25 -0400 f_radius_warder a_proxywarderlib t_debug p_minor
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: add_cr:  Returning: (Username: )

2013-08-29 13:19:25 -0400 f_radius_warder a_proxywarderlib t_debug p_minor
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: Successfully wrote message

2013-08-29 13:19:25 -0400 f_radius_warder a_server t_debug p_minor
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: Captured username of user

2013-08-29 13:19:25 -0400 f_radius_warder a_proxywarderlib t_debug p_minor
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: add_cr:  Returning: (Password: )

2013-08-29 13:19:25 -0400 f_radius_warder a_proxywarderlib t_debug p_minor
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: Successfully wrote message

2013-08-29 13:19:28 -0400 f_radius_warder a_server t_debug p_minor
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: /usr/libexec/radiusw:  Validating user user

2013-08-29 13:19:28 -0400 f_radius_warder a_server t_debug p_major
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: /usr/libexec/radiusw: trying server x.x.x.x port 1812 secret 0000000

2013-08-29 13:19:28 -0400 f_radius_warder a_server t_debug p_minor
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: authenticated flag set to 0

2013-08-29 13:19:28 -0400 f_radius_warder a_server t_debug p_major
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: /usr/libexec/radiusw:  user didn't get authenticated.  2 retries left

2013-08-29 13:19:28 -0400 f_radius_warder a_proxywarderlib t_debug p_minor
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: add_cr:  Returning: (Login incorrect Username: )

2013-08-29 13:19:28 -0400 f_radius_warder a_proxywarderlib t_debug p_minor
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: Successfully wrote message

2013-08-29 13:19:28 -0400 f_radius_warder a_server t_debug p_minor
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: Captured username of

2013-08-29 13:19:28 -0400 f_radius_warder a_proxywarderlib t_debug p_minor
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: add_cr:  Returning: (Password: )

2013-08-29 13:19:28 -0400 f_radius_warder a_proxywarderlib t_error p_major
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: -54|Connection reset by peer
Error writing on proxy socket

2013-08-29 13:19:28 -0400 f_radius_warder a_server t_error p_major
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: /usr/libexec/radiusw:  Error requesting password

2013-08-29 13:19:28 -0400 f_radius_warder a_proxywarderlib t_error p_major
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: -39|Destination address required
Error writing on proxy socket

2013-08-29 13:19:28 -0400 f_radius_warder a_server t_debug p_minor
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: /usr/libexec/radiusw:  Sending shutdown command to the proxy

2013-08-29 13:19:28 -0400 f_radius_warder a_proxywarderlib t_error p_major
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: -39|Destination address required
Error writing on proxy socket

2013-08-29 13:19:28 -0400 f_radius_warder a_server t_error p_major
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: /usr/libexec/radiusw:  Error sending SHUTDOWN message

2013-08-29 13:19:28 -0400 f_radius_warder a_proxywarderlib t_debug p_minor
pid: 1572 logid: 0 cmd: 'radiusw' hostname: host.ca
information: Select() reports a new connection on rsock

2013-08-29 13:19:28 -0400 f_radius_warder a_proxywarderlib t_debug p_minor
pid: 1572 logid: 0 cmd: 'radiusw' hostname: host.ca
information: New fd recvmsg()ed from new_socket

2013-08-29 13:19:28 -0400 f_radius_warder a_server t_debug p_minor
pid: 1956 logid: 0 cmd: 'radiusw' hostname: host.ca
information: Child process (0) starting up

2013-08-29 13:19:28 -0400 f_radius_warder a_proxywarderlib t_debug p_minor
pid: 1956 logid: 0 cmd: 'radiusw' hostname: host.ca
information: add_cr:  Returning: (Username: )

2013-08-29 13:19:28 -0400 f_radius_warder a_proxywarderlib t_debug p_minor
pid: 1956 logid: 0 cmd: 'radiusw' hostname: host.ca
information: Successfully wrote message

2013-08-29 13:19:28 -0400 f_radius_warder a_server t_debug p_minor
pid: 1956 logid: 0 cmd: 'radiusw' hostname: host.ca
information: Captured username of user

2013-08-29 13:19:28 -0400 f_radius_warder a_proxywarderlib t_debug p_minor
pid: 1956 logid: 0 cmd: 'radiusw' hostname: host.ca
information: add_cr:  Returning: (Password: )

2013-08-29 13:19:28 -0400 f_radius_warder a_proxywarderlib t_debug p_minor
pid: 1956 logid: 0 cmd: 'radiusw' hostname: host.ca
information: Successfully wrote message

2013-08-29 13:20:13 -0400 f_radius_warder a_proxywarderlib t_error p_minor
pid: 1956 logid: 0 cmd: 'radiusw' hostname: host.ca
information: Timed out waiting on TEXT_FROM_USER message

2013-08-29 13:20:13 -0400 f_radius_warder a_server t_error p_major
pid: 1956 logid: 0 cmd: 'radiusw' hostname: host.ca
information: /usr/libexec/radiusw:  Error reading password response

2013-08-29 13:20:13 -0400 f_radius_warder a_proxywarderlib t_debug p_minor
pid: 1956 logid: 0 cmd: 'radiusw' hostname: host.ca
information: Successfully wrote message

2013-08-29 13:20:13 -0400 f_radius_warder a_server t_debug p_minor
pid: 1956 logid: 0 cmd: 'radiusw' hostname: host.ca
information: /usr/libexec/radiusw:  Sending shutdown command to the proxy

2013-08-29 13:20:13 -0400 f_radius_warder a_proxywarderlib t_debug p_minor
pid: 1956 logid: 0 cmd: 'radiusw' hostname: host.ca
information: Successfully wrote message
