13 Replies Latest reply: Sep 4, 2013 1:04 PM by dpbpc62

    RADIUS Authentication Setup using ACS 5.4 and MFE v8.3.0

    dpbpc62

      Does anyone have setup steps for ACS 5.4 and MFE 8.3.0, or is there a KB on this?

       

      We have a new ACS 5.4 and can't seem to get it to authenticate correctly over RADIUS.

       

      Thanks

       

      Dana

        • 1. Re: RADIUS Authentication Setup using ACS 5.4 and MFE v8.3.0
          dpbpc62

          We are trying to use RADIUS as the Authenticator to login to the Admin Console but using the ACS 5.4 users

          • 2. Re: RADIUS Authentication Setup using ACS 5.4 and MFE v8.3.0
            PhilM

            Given how RADIUS behaves and the fact that integration of a RADIUS environment normally requires little more than configuring each device with the IP address of its peer (Firewall with the IP address of the ACS, and ACS with the IP Address of the Firewall) and a shared secret/password/pre-shared key, I would suggest you take a look at the logs on the ACS server to see if you can identify what may be causing the authentication requests to fail.

             

            Is it because the credentials are incorrect, or is it because the authentication request from the Firewall is being rejected?

             

            -Phil.

            • 3. Re: RADIUS Authentication Setup using ACS 5.4 and MFE v8.3.0
              mtuma

              Also, you want to make sure that you have an Administrative user with the same name as the Radius/ACS user. If you do not then it will not let you log into the GUI/SSH/Console. This is a pretty common thing to forget. This is not a requirement for authenticating traffic through the firewall.

               

              -Matt

              • 4. Re: RADIUS Authentication Setup using ACS 5.4 and MFE v8.3.0
                dpbpc62

                The ACS is getting the following errors

                 

                 

                We basically have two errors situations.

                 

                On the ACS, if we set the Service Selection rules to drop RADIUS into "Default Device Admin", this creates an error on the ACS and the RADIUS authentication fails and is dropped by the ACS due to error 11033; however, the user session to the Sidewinder seems to eventually succeed, albeit with a very slow connect (11033 - Selected Service is not Network Access). I think what happens is we fall back to a local login.

                 

                The second situation is when the proper Service type "Network Access" is set up: the RADIUS request authenticates okay, but the ACS issues a parsing error reading the RADIUS packet and the access attempt is dropped by the ACS on error 11014 (11014 - Radius Packet contains invalid attribute(s)). Again we seem to fall back to a local login.

                 

                Is there any configuration on the Sidewinder that may set the format of the RADIUS authentication request forwarded to the ACS?

                 

                ACS is running Ver 5.4 patch 5-4-0-46-4.

                 

                Could it be on the MFE that in the Authenticator... RADIUS... Group tab that the attributes are incorrect?

                 

                Dana
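Added example (not part of this thread, and not McAfee or Cisco code): a small decoder for what the firewall actually puts on the wire. After capturing the Access-Request with tcpdump, run the UDP payload through it: it walks every attribute TLV, applies the RFC 2865/2869 length rules a server checks before it looks at content, decrypts User-Password if you hand it the shared secret (garbage out means the two boxes disagree on the secret), and lists the violations it found. The shared secret, Request Authenticator, username and both sample packets are constructed for the demo; the second packet carries a deliberately short NAS-Port value so the check has something to report.

```python
# Added example, not vendor code; SECRET, REQUEST_AUTHENTICATOR and the packets are constructed.
import hashlib
import os
import struct
from ipaddress import IPv4Address

ACCESS_REQUEST = 1
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 3: "CHAP-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 6: "Service-Type", 7: "Framed-Protocol", 8: "Framed-IP-Address",
              26: "Vendor-Specific", 30: "Called-Station-Id", 31: "Calling-Station-Id",
              32: "NAS-Identifier", 61: "NAS-Port-Type", 80: "Message-Authenticator"}
INTEGER_ATTRS = {5, 6, 7, 12, 13, 15, 16, 27, 28, 61, 62}  # 4-octet unsigned integers
IPADDR_ATTRS = {4, 8, 9, 14}                               # 4-octet IPv4 addresses
SECRET = b"constructed-shared-secret"                      # assumption, demo only
REQUEST_AUTHENTICATOR = bytes(range(16))                   # fixed so the demo is reproducible


def encrypt_user_password(password: str, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-octet blocks, XOR each block with MD5(secret + previous
    ciphertext block), the chain seeded with the Request Authenticator."""
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)
    plain = plain or b"\x00" * 16                 # an empty password still takes one block
    out, prev = b"", authenticator
    for i in range(0, len(plain), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(plain[i:i + 16], pad))
        out, prev = out + block, block
    return out


def decrypt_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> str:
    """Inverse of the above; a wrong shared secret yields garbage, which is itself a clue."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(cipher[i:i + 16], pad))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def build_access_request(ident, secret, username, password, extra, authenticator=None):
    """Assemble an Access-Request as a NAS would; `extra` is a list of (type, raw value)
    pairs appended verbatim so that deliberately malformed attributes can be tested."""
    authenticator = authenticator or os.urandom(16)
    attrs = [(1, username.encode()), (2, encrypt_user_password(password, secret, authenticator))]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs + extra)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def check_attribute(atype: int, value: bytes) -> list:
    """Length rules from RFC 2865/2869 for one attribute value; returns the violations."""
    name = ATTR_NAMES.get(atype, f"type-{atype}")
    if (atype in INTEGER_ATTRS or atype in IPADDR_ATTRS) and len(value) != 4:
        return [f"{name}: must carry exactly 4 octets, has {len(value)}"]
    if atype == 2 and (len(value) % 16 or not 16 <= len(value) <= 128):
        return [f"{name}: {len(value)} octets, must be a multiple of 16 between 16 and 128"]
    if atype == 26 and len(value) < 5:
        return [f"{name}: {len(value)} octets, needs a 4-octet vendor id plus a sub-attribute"]
    if atype == 80 and len(value) != 16:
        return [f"{name}: must be exactly 16 octets, has {len(value)}"]
    if atype not in ATTR_NAMES:
        return [f"{name}: not in the standard set known here; check the server's dictionary"]
    return []


def render(atype, value, secret, authenticator):
    """Readable value; User-Password is decrypted when the shared secret is supplied."""
    if atype == 2 and secret and value and len(value) % 16 == 0:
        return decrypt_user_password(value, secret, authenticator)
    if atype in INTEGER_ATTRS and len(value) == 4:
        return struct.unpack("!I", value)[0]
    if atype in IPADDR_ATTRS and len(value) == 4:
        return str(IPv4Address(value))
    return value.decode("ascii") if value.isascii() else value.hex()


def parse_radius(packet: bytes, secret: bytes = None) -> dict:
    """Walk the header and the attribute TLVs, collecting every violation on the way."""
    problems = []
    if len(packet) < 20:
        return {"attributes": [], "problems": ["packet shorter than the 20-octet RADIUS header"]}
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    if length != len(packet):
        problems.append(f"Length field says {length} but {len(packet)} octets are on the wire")
    attrs, off, end = [], 20, min(length, len(packet))
    while off < end:
        atype = packet[off]
        name = ATTR_NAMES.get(atype, f"type-{atype}")
        alen = packet[off + 1] if off + 1 < end else 0
        if alen < 2 or off + alen > end:             # RFC: Length >= 2 and inside the packet
            problems.append(f"{name} at offset {off}: bad length {alen}")
            break
        value = packet[off + 2:off + alen]
        attrs.append((name, render(atype, value, secret, authenticator)))
        problems += check_attribute(atype, value)
        off += alen
    return {"code": code, "identifier": ident, "attributes": attrs, "problems": problems}


def sample_requests():
    """Two constructed requests: a well-formed one, and one whose NAS-Port carries 2 octets
    where an integer attribute needs 4, the shape of thing a server logs as invalid."""
    common = [(4, IPv4Address("192.0.2.10").packed), (32, b"fw-sample")]
    good = build_access_request(7, SECRET, "dana", "Pa55w0rd!",
                                common + [(6, struct.pack("!I", 1))], REQUEST_AUTHENTICATOR)
    bad = build_access_request(8, SECRET, "dana", "Pa55w0rd!",
                               common + [(5, b"\x00\x01")], REQUEST_AUTHENTICATOR)
    return good, bad
```

On a real capture (`tcpdump -s0 -w radius.pcap udp port 1812` on the firewall, then pull the UDP payload of the Access-Request out of the pcap), pass the payload bytes and the shared secret to parse_radius(); the attribute list is what the server's dictionary has to accept, and the problems list is the first place to look when it reports an invalid attribute.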

                • 5. Re: RADIUS Authentication Setup using ACS 5.4 and MFE v8.3.0
                  sliedl

                  The firewall is talking to the ACS so we know that is working.  All you can do now is troubleshoot this via tcpdumps and the logs on the ACS.  The ACS does not like some attribute of course; which one is the question.  The firewall is not going to tell you which attribute the ACS does not like so you must use the ACS logs and the online help to determine which attributes the ACS is looking for (and not looking for).  All the configuration for the RADIUS warder is right there in the GUI.

                   

                  There is a way to put the radiusw process (RADIUS warder) in debug mode:

                  • First run 'pss radiusw' to see that the radius warder is running.  Notice the arguments (/usr/libexec/radiusw -c [filename]).
                  • To set it in debug mode you edit the file /secureos/etc/warder/authenticator.conf.
                  • Find the section pertaining to the 'name' of your RADIUS authenticator you created in the GUI (mine was called RAD).
                  • The line starts with 'authenticator(RAD /usr/libexec/radiusw...' in my setup.
                  • There is a part of this section (it's one long line) that says 'args[-c /etc/sidewinder/authenticator/RAD.conf]'.
                  • I did a 'man radiusw' to see how to set the debug flags for this warder.  What it says there is to add '-l #', where # is 1, 2 or 3.
                  • I edited this authenticator.conf file and added -l 3 (dash L space 3 space) before the -c /filename part and saved the file.
                  • To get the system to read this change you HUP (hangup) daemond (the daemon daemon) by finding its PID like this:
                    • pss daemond
                    • kill -HUP [PID from pss]
                  • Now if you do 'pss radiusw' you should see that the warder is now running in level 3 debug mode.  Now the audits from the warder will be MUCH more detailed and that may help you figure out what the firewall is sending that the ACS does not like.
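The steps above as one script, added here as an example and not McAfee's own tooling: it makes the same edit to the args[...] part of the named authenticator (inserts "-l LEVEL" before "-c", replaces an existing -l rather than stacking a second one, and with level 0 takes the flag out again once troubleshooting is over), keeps a .bak copy of authenticator.conf, then finds daemond and sends it SIGHUP. Assumed, not from the post: the two sample lines below, which follow the quoted format but leave out the other fields of the real line, and `ps -A -o pid=,comm=` as a portable stand-in for the firewall's `pss` alias.

```python
# Added example, not vendor code. Path and line format from the post; SAMPLE_CONF is constructed.
import os
import re
import shutil
import signal
import subprocess
import tempfile

AUTHENTICATOR_CONF = "/secureos/etc/warder/authenticator.conf"   # path quoted in the post

# Constructed sample in the format quoted in the post; real lines carry more fields.
SAMPLE_CONF = (
    "authenticator(RAD /usr/libexec/radiusw args[-c /etc/sidewinder/authenticator/RAD.conf])\n"
    "authenticator(RAD2 /usr/libexec/radiusw args[-c /etc/sidewinder/authenticator/RAD2.conf])\n"
)


def set_radiusw_debug(text: str, name: str, level: int) -> str:
    """Return the file text with "-l LEVEL" placed before "-c" in the args[...] of
    authenticator NAME only.  Idempotent: an existing -l is replaced, never doubled;
    level 0 removes the flag again."""
    if level not in (0, 1, 2, 3):
        raise ValueError("radiusw debug level must be 1, 2 or 3 (0 to clear)")
    flag = f"-l {level} " if level else ""
    out = []
    for line in text.splitlines(keepends=True):
        if line.startswith(f"authenticator({name} /usr/libexec/radiusw"):
            line = re.sub(r"args\[(?:-l \d+ )?-c ", f"args[{flag}-c ", line, count=1)
        out.append(line)
    return "".join(out)


def pids_of(command: str) -> list:
    """PIDs whose command name is exactly `command` (what the post's `pss daemond` shows).
    Assumption: a ps that understands -A and -o pid=,comm= (BSD and Linux both do)."""
    ps = subprocess.run(["ps", "-A", "-o", "pid=,comm="], capture_output=True, text=True, check=True)
    pids = []
    for row in ps.stdout.splitlines():
        parts = row.split(None, 1)
        if len(parts) == 2 and parts[1].strip() == command:
            pids.append(int(parts[0]))
    return pids


def apply_debug_level(name: str, level: int, path: str = AUTHENTICATOR_CONF, hup: bool = True) -> list:
    """Back up and edit the file in place, then HUP daemond; returns the PIDs signalled."""
    with open(path) as fh:
        before = fh.read()
    if not any(l.startswith(f"authenticator({name} /usr/libexec/radiusw") for l in before.splitlines()):
        raise RuntimeError(f"no radiusw authenticator named {name} in {path}")
    shutil.copy2(path, path + ".bak")
    with open(path, "w") as fh:
        fh.write(set_radiusw_debug(before, name, level))
    pids = pids_of("daemond") if hup else []
    for pid in pids:
        os.kill(pid, signal.SIGHUP)   # daemond re-reads authenticator.conf and restarts the warder
    return pids


def demo_on_temp_copy(level: int = 3) -> str:
    """Run the edit against a temp copy of SAMPLE_CONF (no HUP); returns the edited text."""
    path = os.path.join(tempfile.mkdtemp(), "authenticator.conf")
    with open(path, "w") as fh:
        fh.write(SAMPLE_CONF)
    apply_debug_level("RAD", level, path, hup=False)
    with open(path) as fh:
        return fh.read()
```

On the firewall itself the call is apply_debug_level("RAD", 3) as the admin user, then `pss radiusw` to confirm the new arguments; apply_debug_level("RAD", 0) puts the line back once you have the audits you need.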
                  • 6. Re: RADIUS Authentication Setup using ACS 5.4 and MFE v8.3.0
                    dpbpc62

                    Well this gets stranger as I move on....

                     

                     

                    When I use the old ACS IP I can do the pss radiusw, but when I change to the new ACS IP it fails and I get "pss not found"

                     

                    Do I have to restart the radiusw process when I change server IPs, or should I have a new Authenticator for the new ACS?

                     

                    Dana

                    • 7. Re: RADIUS Authentication Setup using ACS 5.4 and MFE v8.3.0
                      sliedl

                      You get 'pss: Command not found', correct?  Did you type pss wrong?

                       

                      If you type 'alias' on the command-line you'll see that 'pss' is an alias command for 'ps  -aguxww | egrep -e "PID|!*" | grep -v "egrep -e PID" '.  When you type 'pss radiusw' it's doing a grep for the string radiusw.  If the string is not there it simply returns the header-line of the 'ps' command, it does not say 'not found.'

                       

                      You do not have to restart anything when you change the RADIUS server IP, no.

                      • 8. Re: RADIUS Authentication Setup using ACS 5.4 and MFE v8.3.0
                        dpbpc62

                        My bad....

                         

                        I figured it out. We have another MFE that is running 8.3.0; when I did a which pss, I saw that pss is an alias to "ps -auxww | egrep -e ...", so I was able to get the PIDs from ps and performed the steps.

                         

                        Oops

                         

                        Dana

                        • 9. Re: RADIUS Authentication Setup using ACS 5.4 and MFE v8.3.0
                          dpbpc62

                          OK I have an audit log, but not sure where to look for the attribute, plus not sure if the debug level is verbose enough.

                           

                          See below

                           

                          2013-08-29 13:17:12 -0400 f_radius_warder a_proxywarderlib t_debug p_minor

                          pid: 1572 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: No new connection waiting on 'rsock'

                           

                          2013-08-29 13:18:54 -0400 f_radius_warder a_proxywarderlib t_debug p_minor

                          pid: 1572 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: No new connection waiting on 'rsock'

                           

                          2013-08-29 13:19:25 -0400 f_radius_warder a_proxywarderlib t_debug p_minor

                          pid: 1572 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: Select() reports a new connection on rsock

                           

                          2013-08-29 13:19:25 -0400 f_radius_warder a_proxywarderlib t_debug p_minor

                          pid: 1572 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: New fd recvmsg()ed from new_socket

                           

                          2013-08-29 13:19:25 -0400 f_radius_warder a_server t_debug p_minor

                          pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: Child process (0) starting up

                           

                          2013-08-29 13:19:25 -0400 f_radius_warder a_proxywarderlib t_debug p_minor

                          pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: add_cr:  Returning: (Username: )

                           

                          2013-08-29 13:19:25 -0400 f_radius_warder a_proxywarderlib t_debug p_minor

                          pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: Successfully wrote message

                           

                          2013-08-29 13:19:25 -0400 f_radius_warder a_server t_debug p_minor

                          pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: Captured username of user

                           

                          2013-08-29 13:19:25 -0400 f_radius_warder a_proxywarderlib t_debug p_minor

                          pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: add_cr:  Returning: (Password: )

                           

                          2013-08-29 13:19:25 -0400 f_radius_warder a_proxywarderlib t_debug p_minor

                          pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: Successfully wrote message

                           

                          2013-08-29 13:19:28 -0400 f_radius_warder a_server t_debug p_minor

                          pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: /usr/libexec/radiusw:  Validating user user

                           

                          2013-08-29 13:19:28 -0400 f_radius_warder a_server t_debug p_major

                          pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: /usr/libexec/radiusw: trying server x.x.x.x port 1812 secret 0000000

                           

                          2013-08-29 13:19:28 -0400 f_radius_warder a_server t_debug p_minor

                          pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: authenticated flag set to 0

                           

                          2013-08-29 13:19:28 -0400 f_radius_warder a_server t_debug p_major

                          pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: /usr/libexec/radiusw:  user didn't get authenticated.  2 retries left

                           

                          2013-08-29 13:19:28 -0400 f_radius_warder a_proxywarderlib t_debug p_minor

                          pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: add_cr:  Returning: (Login incorrect Username: )

                           

                          2013-08-29 13:19:28 -0400 f_radius_warder a_proxywarderlib t_debug p_minor

                          pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: Successfully wrote message

                           

                          2013-08-29 13:19:28 -0400 f_radius_warder a_server t_debug p_minor

                          pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: Captured username of

                           

                          2013-08-29 13:19:28 -0400 f_radius_warder a_proxywarderlib t_debug p_minor

                          pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: add_cr:  Returning: (Password: )

                           

                          2013-08-29 13:19:28 -0400 f_radius_warder a_proxywarderlib t_error p_major

                          pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: -54|Connection reset by peer

                          Error writing on proxy socket

                           

                          2013-08-29 13:19:28 -0400 f_radius_warder a_server t_error p_major

                          pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: /usr/libexec/radiusw:  Error requesting password

                           

                          2013-08-29 13:19:28 -0400 f_radius_warder a_proxywarderlib t_error p_major

                          pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: -39|Destination address required

                          Error writing on proxy socket

                           

                          2013-08-29 13:19:28 -0400 f_radius_warder a_server t_debug p_minor

                          pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: /usr/libexec/radiusw:  Sending shutdown command to the proxy

                           

                          2013-08-29 13:19:28 -0400 f_radius_warder a_proxywarderlib t_error p_major

                          pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: -39|Destination address required

                          Error writing on proxy socket

                           

                          2013-08-29 13:19:28 -0400 f_radius_warder a_server t_error p_major

                          pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: /usr/libexec/radiusw:  Error sending SHUTDOWN message

                           

                          2013-08-29 13:19:28 -0400 f_radius_warder a_proxywarderlib t_debug p_minor

                          pid: 1572 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: Select() reports a new connection on rsock

                           

                          2013-08-29 13:19:28 -0400 f_radius_warder a_proxywarderlib t_debug p_minor

                          pid: 1572 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: New fd recvmsg()ed from new_socket

                           

                          2013-08-29 13:19:28 -0400 f_radius_warder a_server t_debug p_minor

                          pid: 1956 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: Child process (0) starting up

                           

                          2013-08-29 13:19:28 -0400 f_radius_warder a_proxywarderlib t_debug p_minor

                          pid: 1956 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: add_cr:  Returning: (Username: )

                           

                          2013-08-29 13:19:28 -0400 f_radius_warder a_proxywarderlib t_debug p_minor

                          pid: 1956 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: Successfully wrote message

                           

                          2013-08-29 13:19:28 -0400 f_radius_warder a_server t_debug p_minor

                          pid: 1956 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: Captured username of user

                           

                          2013-08-29 13:19:28 -0400 f_radius_warder a_proxywarderlib t_debug p_minor

                          pid: 1956 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: add_cr:  Returning: (Password: )

                           

                          2013-08-29 13:19:28 -0400 f_radius_warder a_proxywarderlib t_debug p_minor

                          pid: 1956 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: Successfully wrote message

                           

                          2013-08-29 13:20:13 -0400 f_radius_warder a_proxywarderlib t_error p_minor

                          pid: 1956 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: Timed out waiting on TEXT_FROM_USER message

                           

                          2013-08-29 13:20:13 -0400 f_radius_warder a_server t_error p_major

                          pid: 1956 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: /usr/libexec/radiusw:  Error reading password response

                           

                          2013-08-29 13:20:13 -0400 f_radius_warder a_proxywarderlib t_debug p_minor

                          pid: 1956 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: Successfully wrote message

                           

                          2013-08-29 13:20:13 -0400 f_radius_warder a_server t_debug p_minor

                          pid: 1956 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: /usr/libexec/radiusw:  Sending shutdown command to the proxy

                           

                          2013-08-29 13:20:13 -0400 f_radius_warder a_proxywarderlib t_debug p_minor

                          pid: 1956 logid: 0 cmd: 'radiusw' hostname: host.ca

                          information: Successfully wrote message
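Added example, not McAfee code: a parser for the audit records in this post. Each record is a header line (timestamp, facility, area, type, priority), a pid line and an "information:" line, sometimes followed by a continuation such as "Error writing on proxy socket"; the script groups records by child pid and pulls out what matters for triage (the user being validated, the server tried, the authenticated flag, retries left and every t_error record), so a long level-3 audit collapses into one block per login attempt. SAMPLE_AUDIT is excerpted from the records above. One caveat the excerpt shows: the "trying server ... port ... secret ..." line carries the shared-secret field (it reads 0000000 here), so treat level-3 audit output as sensitive before pasting it anywhere.

```python
# Added example, not vendor code; record layout and SAMPLE_AUDIT are taken from the post above.
import re

HEADER = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4}) (f_\S+) (a_\S+) (t_\S+) (p_\S+)$")
PID_LINE = re.compile(r"^pid: (\d+) logid: (\d+) cmd: '([^']*)' hostname: (\S+)$")

SAMPLE_AUDIT = """\
2013-08-29 13:19:25 -0400 f_radius_warder a_server t_debug p_minor
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: Child process (0) starting up

2013-08-29 13:19:28 -0400 f_radius_warder a_server t_debug p_minor
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: /usr/libexec/radiusw:  Validating user user

2013-08-29 13:19:28 -0400 f_radius_warder a_server t_debug p_major
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: /usr/libexec/radiusw: trying server x.x.x.x port 1812 secret 0000000

2013-08-29 13:19:28 -0400 f_radius_warder a_server t_debug p_minor
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: authenticated flag set to 0

2013-08-29 13:19:28 -0400 f_radius_warder a_server t_debug p_major
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: /usr/libexec/radiusw:  user didn't get authenticated.  2 retries left

2013-08-29 13:19:28 -0400 f_radius_warder a_proxywarderlib t_error p_major
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: -54|Connection reset by peer
Error writing on proxy socket

2013-08-29 13:19:28 -0400 f_radius_warder a_server t_error p_major
pid: 1954 logid: 0 cmd: 'radiusw' hostname: host.ca
information: /usr/libexec/radiusw:  Error requesting password

2013-08-29 13:20:13 -0400 f_radius_warder a_proxywarderlib t_error p_minor
pid: 1956 logid: 0 cmd: 'radiusw' hostname: host.ca
information: Timed out waiting on TEXT_FROM_USER message

2013-08-29 13:20:13 -0400 f_radius_warder a_server t_error p_major
pid: 1956 logid: 0 cmd: 'radiusw' hostname: host.ca
information: /usr/libexec/radiusw:  Error reading password response
"""


def parse_records(text: str) -> list:
    """One dict per record; a line that is neither a header, a pid line nor an
    'information:' line is folded into the current record's info as a continuation."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            cur = {"time": m[1], "facility": m[2], "area": m[3], "type": m[4],
                   "priority": m[5], "pid": None, "info": ""}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = PID_LINE.match(line)
        if m:
            cur["pid"], cur["cmd"], cur["host"] = int(m[1]), m[3], m[4]
        elif line.startswith("information: "):
            cur["info"] = line[len("information: "):]
        else:
            cur["info"] = f"{cur['info']} | {line}" if cur["info"] else line
    return records


def summarize(records: list) -> dict:
    """Per pid: user, servers tried, last authenticated flag, retries left, t_error infos."""
    by_pid = {}
    for r in records:
        if r["pid"] is None:
            continue
        s = by_pid.setdefault(r["pid"], {"user": None, "servers": [], "authenticated": None,
                                         "retries_left": None, "errors": []})
        info = r["info"]
        m = re.search(r"Validating user (\S+)", info)
        if m:
            s["user"] = m[1]
        m = re.search(r"trying server (\S+) port (\d+)", info)
        if m:
            s["servers"].append((m[1], int(m[2])))
        m = re.search(r"authenticated flag set to (\d)", info)
        if m:
            s["authenticated"] = m[1] == "1"
        m = re.search(r"(\d+) retries left", info)
        if m:
            s["retries_left"] = int(m[1])
        if r["type"] == "t_error":
            s["errors"].append(info)
    return by_pid


def report(by_pid: dict) -> str:
    """One block per pid, in the order the pids first appeared."""
    lines = []
    for pid, s in by_pid.items():
        lines.append(f"pid {pid}: user={s['user']} servers={s['servers']} "
                     f"authenticated={s['authenticated']} retries_left={s['retries_left']}")
        lines.extend(f"    error: {e}" for e in s["errors"])
    return "\n".join(lines)
```

Run it as `print(report(summarize(parse_records(open("audit.txt").read()))))` over the saved audit; for the excerpt above it yields one block for pid 1954 (server x.x.x.x:1812 tried, authenticated flag 0, two retries left, then the proxy-socket errors) and one for pid 1956 (the timeout waiting for the password), which is the shape you want to compare against the ACS side's 11014 entries by timestamp.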
