1 2 Previous Next 19 Replies Latest reply on Jul 9, 2012 8:56 AM by mtuma

    authen with Radius

      Hi all,

      I using firewall S2008, at now i want to authen user config device by Radius (user when logon by console is user of Radius).

      Can you help me, please???

        • 1. Re: authen with Radius

          Can you help me, please ????

          thanks

          • 2. Re: authen with Radius
            PhilM

            I don't have a RADIUS server at my disposal, but have just achieved it easily enough using LDAP.

             

            Step 1 - Create an 'Authenticator' entry on the Firewall for the RADIUS server.

            Policy -> Rule Elements -> Authenticators

            Create a new RADIUS authenticator entry. Give it a name (e.g. RADIUS) and enter the IP address, port and shared secret for your RADIUS server

             

            Step 2 - Add the Firewall as a client to your RADIUS server with the same shared secret

             

            Step 3 - In the Firewall Access Control Rules screen, locate your Admin Console rule and duplicate it. Open the duplicated rule and change the Authenticator value from "Password" to the name of the authenticator created in step 1.

             

            That should be it.

             

            Now when you connect to the Firewall Admin Console, when you receive the login box you can change the Authenticator type from "Password" to your chosen RADIUS authenticator name and the Firewall will authenticate you using these credentials.

             

            I've just replicated this successfully. The only difference being that I created an LDAP authenticator entry instead of a RADIUS one, but the principle of the process should be the same.

             

            -Phil.

            • 3. Re: authen with Radius

              Phil is absolutely correct, it is just as easy as that. The only extra step necessary is to add a local Administrative user on the firewall with the same name as the Radius user. This step is only necessary when logging directly into the Firewall (Admin Console, SSH, etc).

               

              -Matt

              • 4. Re: authen with Radius

                Hi all

                thanks PhiLM and mtuma.

                I use Radius but no successfull. I will use ldap authen with firewall.

                thank you very much.

                • 5. Re: authen with Radius

                  Hi PhiLM and mtuma,

                  I try but not successfull

                  -ip firewall: 10.56.0.1/24

                  -ip ldap: 192.168.1.1/24 with domain is ldap.com.vn

                  on ldap server ping 10.56.0.1 successfull.

                   

                  My config on firewall

                  -Policy\Rule Elements\Authenticators\New open ldap

                       name: AuthenLdap

                       open ldap server: 192.168.1.1 port 389

                       search in defined containers only \ new \ dc=ldap,dc=com,dc=vn

                       all default

                  -policy\Access Control Rules

                       Duplicate Admin Console \ change Authenticator is AuthenLdap

                       all default

                   

                  after that disconnect firewall and connect  firewall with user root and Authenticator: AuthenLdap --> Login incorrect

                   

                  Can you help me, please ???

                  thanks

                  • 6. Re: authen with Radius
                    PhilM

                    Do you have an administrator account (in Maintenance -> Administrator Accounts) called "root".

                     

                    As Matt said - if you are using an external authentication environment to log into the Firewall Console, Admin Console or SSH, you must have a matching account present in the Administrator Accounts section.

                     

                    Have you configured the Firewall to connect to the LDAP server anonymously or not? If not have you entered the correct username and password (and the username is in LDAP format, not just "administrator" or which ever account you have chosen to use).

                     

                    I have to admit I did not know this myself and it was only by luck that I already had an Administrator Account for the user I was trying to log in as using my Active Directory credentials (LDAP).

                     

                    If you are still having problems and need more urgent help, I would suggest that you open a support request directly with McAfee support.

                     

                    -Phil

                    • 7. Re: authen with Radius

                      Hi PhiLM

                      thanks for your support.

                      I have administrator account (in Maintenance -> Administrator Accounts) call admin

                      user on ldap is root,

                      - I try two but not successfull

                           1.anonymously

                           2.user and pass of ldap server (is root)

                      -i don't know create open a support request directly with McAfee support.

                       

                      Can you help me, please???

                      thanks

                      • 8. Re: authen with Radius

                        Hi all,

                        can you help me, please ???

                        thanks

                        • 9. Re: authen with Radius
                          dlepage

                          The RADIUS protocol is UDP and based on timers - you should easily be able to see the packets transmitted to the RADIUS server by doing a tcpdump on the FW.

                           

                          I have worked with RADIUS extensively in the past and my suggestion would be to check several things:

                           

                          - Verify the shared secret that you've configured on the FW matches the RADIUS servers 'clients' file

                          - RADIUS encodes the password based on the shared secret - see above. You need to look at your RADIUS server logs to see if you are getting auth failed or garbage in the password field

                          - If the FW is not directly connected to the network that the RADIUS server resides, ensure that the inbound packets are not NAT'd otherwise the IP/shared secret will not match

                          - SSH to firewall and do a tcpdump on the interface that routes to the RADIUS server. For example: tcpdump -npXi em0 -s0 port 1645 and port 1812  

                          - Look again at your RADIUS server logs

                          1 2 Previous Next