1221 Views 13 Replies Latest reply: Sep 4, 2013 1:04 PM by dpbpc62
dpbpc62 Apprentice 82 posts since
Aug 29, 2011

Aug 16, 2013 6:11 AM

RADIUS Authentication Setup using ACS 5.4 and MFE v8.3.0

Does anyone have setup steps for ACS 5.4 and MFE 8.3.0, or is there a KB on this?

We have a new ACS 5.4 and can't seem to get it to authenticate correctly over RADIUS.

Thanks

Dana

  • PhilM Champion 528 posts since
    Jan 7, 2010

    Given how RADIUS behaves and the fact that integration of a RADIUS environment normally requires little more than configuring each device with the IP address of its peer (Firewall with the IP address of the ACS, and ACS with the IP Address of the Firewall) and a shared secret/password/pre-shared key, I would suggest you take a look at the logs on the ACS server to see if you can identify what may be causing the authentication requests to fail.
    Is it because the credentials are incorrect, or is it because the authentication request from the Firewall is being rejected?
    -Phil.

  • mtuma McAfee SME 314 posts since
    Nov 3, 2009

    Also, you want to make sure that you have an Administrative user with the same name as the Radius/ACS user. If you do not then it will not let you log into the GUI/SSH/Console. This is a pretty common thing to forget. This is not a requirement for authenticating traffic through the firewall.
    -Matt

  • sliedl McAfee SME 535 posts since
    Nov 3, 2009

    The firewall is talking to the ACS so we know that is working.  All you can do now is troubleshoot this via tcpdumps and the logs on the ACS.  The ACS does not like some attribute of course -- which one, is the question?  The firewall is not going to tell you which attribute the ACS does not like so you must use the ACS logs and the online help to determine which attributes the ACS is looking for (and not looking for).  All the configuration for the RADIUS warder is right there in the GUI.
    There is a way to put the radiusw process (RADIUS warder) in debug mode:

    • First run 'pss radiusw' to see that the radius warder is running.  Notice the arguments (/usr/libexec/radiusw -c [filename]).
    • To set it in debug mode you edit the file /secureos/etc/warder/authenticator.conf.
    • Find the section pertaining to the 'name' of your RADIUS authenticator you created in the GUI (mine was called RAD).
    • The line starts with 'authenticator(RAD /usr/libexec/radiusw...' in my setup.
    • There is a part of this section (it's one long line) that says 'args[-c /etc/sidewinder/authenticator/RAD.conf]'.
    • I did a 'man radiusw' to see how to set the debug flags for this warder.  What it says there is to add '-l #', where # is 1, 2 or 3.
    • I edited this authenticator.conf file and added -l 3 (dash L space 3 space) before the -c /filename part and saved the file.
    • To get the system to read this change you HUP (hangup) daemond (the daemon daemon) by finding its PID like this:
      • pss daemond
      • kill -HUP [PID from pss]
    • Now if you do 'pss radiusw' you should see that the warder is now running in level 3 debug mode.  Now the audits from the warder will be MUCH more detailed and that may help you figure out what the firewall is sending that the ACS does not like.
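    A scripted version of the steps above, added here as an example and not taken from the thread or from McAfee. It assumes the one-line 'authenticator(NAME /usr/libexec/radiusw ... args[-c ...])' layout sliedl describes, works on a constructed copy of the file, and locates daemond with plain ps instead of the pss alias.

```shell
#!/bin/sh
# Added example (not from the thread or from McAfee): put the RADIUS warder
# into debug mode by inserting "-l LEVEL" before "-c" on the authenticator
# line, then HUP daemond so the change is read.
# Assumed layout (one line per authenticator):
#   authenticator(NAME /usr/libexec/radiusw ... args[-c /etc/sidewinder/authenticator/NAME.conf] ...)
set -eu

# Print CONF with "-l LEVEL" inserted before "-c" in the args[...] of authenticator NAME.
# Only that authenticator's line is touched, and an existing "-l N" is replaced
# rather than stacked, so the edit is safe to repeat.
set_radiusw_debug() {
    conf=$1 name=$2 level=$3
    case $level in 1|2|3) ;; *) echo "debug level must be 1, 2 or 3" >&2; return 1 ;; esac
    sed -e "/^authenticator(${name} \/usr\/libexec\/radiusw/{
        s/args\[-l [0-9] -c /args[-c /
        s/args\[-c /args[-l ${level} -c /
    }" "$conf"
}

# Equivalent of the thread's 'pss daemond' + 'kill -HUP [PID]', using plain ps
# (assumption: ps accepts BSD-style 'ax' with -o, true on Linux and BSD).
hup_daemond() {
    pid=$(ps ax -o pid= -o comm= | awk '$2 == "daemond" { print $1; exit }')
    [ -n "$pid" ] || { echo "daemond is not running" >&2; return 1; }
    kill -HUP "$pid"
}

# Constructed sample of authenticator.conf with two authenticators; only RAD changes.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
authenticator(RAD /usr/libexec/radiusw args[-c /etc/sidewinder/authenticator/RAD.conf])
authenticator(LDAP1 /usr/libexec/ldapw args[-c /etc/sidewinder/authenticator/LDAP1.conf])
EOF

# On a real firewall: back up /secureos/etc/warder/authenticator.conf, write the
# output of set_radiusw_debug over it, then call hup_daemond and re-check with 'pss radiusw'.
set_radiusw_debug "$SAMPLE" RAD 3
rm -f "$SAMPLE"
```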
  • sliedl McAfee SME 535 posts since
    Nov 3, 2009

    You get 'pss: Command not found', correct?  Did you type pss wrong?
    If you type 'alias' on the command-line you'll see that 'pss' is an alias command for 'ps  -aguxww | egrep -e "PID|!*" | grep -v "egrep -e PID" '.  When you type 'pss radiusw' it's doing a grep for the string radiusw.  If the string is not there it simply returns the header-line of the 'ps' command, it does not say 'not found.'
    You do not have to restart anything when you change the RADIUS server IP, no.
