Can you help me, please?
I don't have a RADIUS server at my disposal, but have just achieved it easily enough using LDAP.
Step 1 - Create an 'Authenticator' entry on the Firewall for the RADIUS server.
Policy -> Rule Elements -> Authenticators
Create a new RADIUS authenticator entry. Give it a name (e.g. RADIUS) and enter the IP address, port and shared secret for your RADIUS server.
Step 2 - Add the Firewall as a client to your RADIUS server with the same shared secret
Step 3 - In the Firewall Access Control Rules screen, locate your Admin Console rule and duplicate it. Open the duplicated rule and change the Authenticator value from "Password" to the name of the authenticator created in step 1.
That should be it.
Now, when you connect to the Firewall Admin Console and receive the login box, you can change the Authenticator type from "Password" to your chosen RADIUS authenticator name and the Firewall will authenticate you using those credentials.
I've just replicated this successfully. The only difference being that I created an LDAP authenticator entry instead of a RADIUS one, but the principle of the process should be the same.
Phil is absolutely correct, it is just as easy as that. The only extra step necessary is to add a local Administrative user on the firewall with the same name as the RADIUS user. This step is only necessary when logging directly into the Firewall (Admin Console, SSH, etc.).
thanks PhiLM and mtuma.
I used RADIUS but was not successful. I will use LDAP authentication with the firewall.
thank you very much.
Hi PhiLM and mtuma,
I tried but was not successful.
-ip firewall: 10.56.0.1/24
-ip ldap: 192.168.1.1/24 with domain is ldap.com.vn
On the LDAP server, ping 10.56.0.1 is successful.
My config on the firewall:
-Policy\Rule Elements\Authenticators\New OpenLDAP
OpenLDAP server: 192.168.1.1, port 389
search in defined containers only \ new \ dc=ldap,dc=com,dc=vn
-Policy\Access Control Rules
Duplicate Admin Console \ change Authenticator to AuthenLdap
After that, I disconnect from the firewall and reconnect with user root and Authenticator: AuthenLdap --> Login incorrect
Can you help me, please?
Do you have an administrator account (in Maintenance -> Administrator Accounts) called "root"?
As Matt said - if you are using an external authentication environment to log into the Firewall Console, Admin Console or SSH, you must have a matching account present in the Administrator Accounts section.
Have you configured the Firewall to connect to the LDAP server anonymously or not? If not, have you entered the correct username and password (and is the username in LDAP format, not just "administrator" or whichever account you have chosen to use)?
I have to admit I did not know this myself and it was only by luck that I already had an Administrator Account for the user I was trying to log in as using my Active Directory credentials (LDAP).
If you are still having problems and need more urgent help, I would suggest that you open a support request directly with McAfee support.
thanks for your support.
I have an administrator account (in Maintenance -> Administrator Accounts) called admin.
The user on LDAP is root.
- I tried two but was not successful.
2. user and password of the LDAP server (is root)
- I don't know how to open a support request directly with McAfee support.
Can you help me, please?
Can you help me, please?
The RADIUS protocol is UDP and based on timers - you should easily be able to see the packets transmitted to the RADIUS server by doing a tcpdump on the FW.
I have worked with RADIUS extensively in the past and my suggestion would be to check several things:
- Verify the shared secret that you've configured on the FW matches the RADIUS server's 'clients' file
- RADIUS encodes the password based on the shared secret - see above. You need to look at your RADIUS server logs to see if you are getting auth failed or garbage in the password field
- If the FW is not directly connected to the network that the RADIUS server resides on, ensure that the inbound packets are not NAT'd, otherwise the IP/shared secret will not match
- SSH to the firewall and do a tcpdump on the interface that routes to the RADIUS server. For example: tcpdump -npXi em0 -s0 port 1645 or port 1812
- Look again at your RADIUS server logs
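As an added illustration of two of the points above (the password is hidden with the shared secret, and the server picks that secret by the request's source IP), here is a small Python model of RFC 2865 Access-Request building and User-Password hiding. This is not code from the thread or from McAfee; the client table, IP addresses, user and secrets are constructed.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4

def _xor_chain(secret: bytes, authenticator: bytes, data: bytes, encrypt: bool) -> bytes:
    """RFC 2865 s5.2: each 16-byte block is XORed with MD5(secret + previous
    cipher block); the first block uses the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        mixed = bytes(a ^ b for a, b in zip(block, keystream))
        out += mixed
        prev = mixed if encrypt else block  # always chain on the cipher block
    return out

def build_access_request(secret: bytes, user: str, password: str, nas_ip: str, ident: int = 1) -> bytes:
    """Build the Access-Request the NAS (here the firewall) sends to the server."""
    authenticator = os.urandom(16)
    padded = password.encode().ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden = _xor_chain(secret, authenticator, padded, encrypt=True)
    attrs = b""
    for typ, val in ((ATTR_USER_NAME, user.encode()),
                     (ATTR_USER_PASSWORD, hidden),
                     (ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))):
        attrs += struct.pack("!BB", typ, len(val) + 2) + val  # TLV: type, length, value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def decode_access_request(packet: bytes, src_ip: str, clients: dict) -> tuple:
    """Server side: the secret is chosen by the packet's *source IP* (which is
    why a NAT'd source breaks the lookup), then the password is recovered.
    A wrong secret does not fail loudly; the result is simply garbage."""
    secret = clients[src_ip]
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs = packet[4:20], packet[20:length]
    fields, pos = {}, 0
    while pos < len(attrs):
        typ, ln = attrs[pos], attrs[pos + 1]
        fields[typ] = attrs[pos + 2:pos + ln]
        pos += ln
    clear = _xor_chain(secret, authenticator, fields[ATTR_USER_PASSWORD], encrypt=False)
    return fields[ATTR_USER_NAME].decode(), clear.rstrip(b"\x00")

CLIENTS = {"10.56.0.1": b"firewall-secret"}  # constructed stand-in for the clients file
```

With the matching secret the server recovers the plaintext password; with a mismatched secret it recovers unreadable bytes, which is what "garbage in the password field" in the server log looks like.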