
Angralitux

join:2004-05-20
DO

[Info] anyone used MS IAS as a RADIUS for cisco devices?

I'm trying to get the integrated Microsoft Internet Authentication Service to work with my router and I can't get it to work...

Can someone tell me if this can be used to authenticate users to VPN, etc.??? Thanks

Angelo
--
All Is possible...


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
I don't think IAS can be used to authenticate anything, I found it utterly useless.

Have a look at FreeRADIUS or something similar.

You might need a Unix box to run it on, but I'm pretty sure I read somewhere it can be compiled on Windows. I'm currently running it on FreeBSD quite well.

FreeRADIUS is a "proper, full featured" RADIUS server, and can interface an SQL database (e.g. MySQL, not sure about MSSQL) for easy management of users etc.

One other note on RADIUS, I've been having a prick of a time getting it working from a 2509 and I'm about to pull my hair out, so please don't ask me any RADIUS related questions

Phraxos
Premium
join:2004-06-12
UK

Re: [Info] anyone used MS IAS as a RADIUS for cisc

I've had IAS set up to authenticate 802.1x wireless connections. I don't remember having any particular problems but it was about a year ago I did it.

When I have a bit more time I may be able to dig out some documentation I saved at the time if that would be of any help?


wyked
Premium
join:2001-11-01
Cibolo, TX
reply to Angralitux

Re: [Info] anyone used MS IAS as a RADIUS for cisco devices?

I have set up IAS to authenticate 802.1x wireless and wired clients as well as VPN connections terminating on a 3005 concentrator. It works great....

What type of issues are you experiencing and what kind of hardware is involved from the cisco standpoint (i.e. if a router, what model and IOS revision)?

-Wyked
--
What is a Juggalo? I don't know, but I'm down with the clown and down for life yo!


Angralitux

join:2004-05-20
DO

1 edit
reply to Angralitux
ok. first, thanks for your replies. next, what I'm trying to do is to have a router terminate simple PPTP VPN clients. I tested a few free radius servers for windows, but due to my apparent lack of knowledge about the topic, I couldn't get them to work with the router.

Next, browsing in the MS Knowledge base I learned there's a RADIUS server built into windows server 2000, and that seems to be the way to go because it's an ideal option, to authenticate users to the device via their usual windows logon. now, every time I try to authenticate a user, the windows PPTP client just ends with error 742.

If I use local authentication it works fine. I'm going to try this config this afternoon and post results here.

»www.cisco.com/en/US/tech/tk801/t···5e.shtml


Angralitux

join:2004-05-20
DO
reply to Angralitux
well, after a few tries and config changes, I did it. now I can use my router to terminate the tunnels, and still be auth'd by my DC! I'm going to post my config in a while
--
All Is possible...


wyked
Premium
join:2001-11-01
Cibolo, TX
reply to Angralitux
Told you it worked


Angralitux

join:2004-05-20
DO
reply to Angralitux
well... now, I have a situation here. seems like some lines in the new config locked me out from reaching the router, can someone help me???? this is what I added to the router config:

aaa new-model
aaa authentication login default group radius local
aaa authentication login console none
aaa authentication ppp default group radius local
aaa authorization network default group radius local

I suspect the problem lies in those lines... can someone enlighten me????
--
All Is possible...

Phraxos
Premium
join:2004-06-12
UK

1 edit

Re: [Info] anyone used MS IAS as a RADIUS for cisc

aaa authentication login console none

LOL well there goes your console login

[Edit] You haven't said how you are trying to login or whether you changed anything else in your config. Did you add any radius server details? In a working config if your radius is down it will default to the next specified login (in your case local - apart from console) but I'm not sure what happens if you don't specify radius server details but you specify radius as the authentication method.


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
reply to Angralitux

Re: [Info] anyone used MS IAS as a RADIUS for cisco devices?

You'll have to reboot the router and set the config register to 0x2102 so you can clean up your config

The next thing I was going to say was make sure you add a username to the router so you can get into the device:

"username x password y"

If you want some info on what commands to use for RADIUS authentication, check out this thread which I started a month or two ago.

»Radius giving me the .......

That should give you some ideas.


Angralitux

join:2004-05-20
DO

Re: [Info] anyone used MS IAS as a RADIUS for cisc

bootsector_, I have the RADIUS Auth. working nicely. Now I can control all auth. in my active directory instead of the router itself.

I have only one problem, and it is the access to the router itself :S, but thinking a bit about what phraxos said, I did an experiment: I took the radius server down, and finally I could reach my router with local auth. via telnet or console. I'm able now to fix things, but I don't know how to do this

can someone tell me how I limit the RADIUS auth. to just VPN users?? or more specifically, how can I bypass telnet and console access to local auth.??
--
All Is possible...

Phraxos
Premium
join:2004-06-12
UK
aaa authentication login mylogin group local

line con 0
login authentication mylogin

line vty 0 4
login authentication mylogin


Basically you can set up authentications that are different to the "default" and use them where you specify.


Angralitux

join:2004-05-20
DO
Phraxos, the first command didn't stay in the config... look below:

Enter configuration commands, one per line. End with CNTL/Z.
SCD-ROUTER(config)#aaa authentication login mylogin group local
SCD-ROUTER(config)#line con 0
SCD-ROUTER(config-line)#login authentication mylogin
AAA: Warning authentication list "mylogin" is not defined for LOGIN.

If I replace MYLOGIN with a local username, it fails too.

sorry to bug you so much :S
--
All Is possible...


Angralitux

join:2004-05-20
DO
reply to wyked
What type of issues are you experiencing and what kind of hardware is involved from the cisco standpoint (ie..if a router what model and IOS revision)

Wyked, I'm working on a 2800 with (C2800NM-ADVIPSERVICESK9-M), Version 12.4(5)
--
All Is possible...


wyked
Premium
join:2001-11-01
Cibolo, TX
What about trying

line con 0
login local

That "should" eliminate the need for AAA on your console port. Unfortunately I have no available non-production routers set up to test this at this time. I say try it on the console port and then try to login to the console port and see if you can just use the local console password and see what happens...

-Wyked
--
What is a Juggalo? I don't know, but I'm down with the clown and down for life yo!

Phraxos
Premium
join:2004-06-12
UK

1 edit
reply to Angralitux
OK got it sussed....you can't use "local" logins on the console or vty ports, either directly or as a group.

On my router I actually use "enable" rather than "local" for console access and it works fine. I didn't think there would be a problem just changing it to refer to "local" but I've tried it on my router to confirm and it isn't allowed as a valid login for console or vty access under new model aaa authentication.

You could do as I have done and use the enable password.

BTW you aren't buggin me at all, I am happy to help you if I can - nobody made me answer your question

[Edit] From a security point of view I would be tempted to set yourself up with a radius account rather than use the enable password for vty access. A username / password combo is always going to be harder to brute force break than a single password. I personally just use the enable password for console access as described above. Unlike vty access, I rarely use it and someone needs physical access to try it. Also it gives you a backdoor if you screw your authentication config and lock yourself out - not that you would do that........again


Angralitux

join:2004-05-20
DO
reply to wyked
wyked, it doesn't work. I think all con lines will default to Radius auth. regardless of what is in the config of the line.
--
All Is possible...


Angralitux

join:2004-05-20
DO

1 edit
reply to Phraxos
ok, I understand that I can use the enable password to access vty, but more specifically, how do I tell the router to do so? look how my config looks so far:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SCD-ROUTER
!
boot-start-marker
boot system flash:c2800nm-advipservicesk9-mz.124-5.bin
boot-end-marker
!
enable secret 5 *******
enable password *******
!
aaa new-model
!
!
aaa authentication login default group radius local
aaa authentication login console line
aaa authentication ppp default group radius local
aaa authorization network default group radius local
!
aaa session-id common
!
resource policy
!
clock timezone Caracas -4
no ip source-route
!
!
ip cef
!
!
no ip bootp server
ip name-server 192.168.50.10
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
async-bootp dns-server 192.168.50.10
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username ******* privilege 15 secret 5 *******
username ******* password 0 *******
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key ******** address ***.***.***.***
crypto isakmp key ******** address ***.***.***.***
!
!
crypto ipsec transform-set SCD-STGO esp-3des esp-md5-hmac
crypto ipsec transform-set SCD-SFM esp-3des esp-md5-hmac
!
crypto map tunnel 1 ipsec-isakmp
set peer ***.***.***.***
set transform-set SCD-STGO
match address 100
crypto map tunnel 2 ipsec-isakmp
set peer ***.***.***.***
set transform-set SCD-SFM
match address 101
!
!
!
!
interface FastEthernet0/0
ip address ***.***.***.*** 255.255.255.0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
no cdp enable
crypto map tunnel
!
interface FastEthernet0/1
ip address 10.0.0.2 255.0.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
shutdown
!
interface FastEthernet0/0/3
shutdown
!
interface Virtual-Template1
ip unnumbered Vlan1
ip mroute-cache
peer default ip address pool SCD
ppp encrypt mppe 128 required
ppp authentication ms-chap ms-chap-v2 pap
!
interface Vlan1
ip address 192.168.50.1 255.255.255.0
ip access-group 120 in
ip nat inside
ip virtual-reassembly
!
ip local pool SCD 192.168.50.180 192.168.50.190
ip route 0.0.0.0 0.0.0.0 ***.***.***.***
ip route 192.168.51.0 255.255.255.0 ***.***.***.***
ip route 192.168.52.0 255.255.255.0 ***.***.***.***
!
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 110 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.50.12 8888 interface FastEthernet0/0 8888
ip nat inside source static tcp 192.168.50.12 4087 interface FastEthernet0/0 4087
ip nat inside source static tcp 192.168.50.12 4086 interface FastEthernet0/0 4086
ip nat inside source static tcp 192.168.50.12 4088 interface FastEthernet0/0 4088
ip nat inside source static tcp 192.168.50.170 23 interface FastEthernet0/0 23
ip nat inside source static tcp 192.168.50.10 80 interface FastEthernet0/0 80
ip nat inside source static tcp 192.168.50.20 25 interface FastEthernet0/0 25
ip nat inside source static udp 192.168.50.11 53 interface FastEthernet0/0 53
ip nat inside source static tcp 192.168.50.160 6972 interface FastEthernet0/0 6972
ip nat inside source static udp 192.168.50.160 7001 interface FastEthernet0/0 7001
ip nat inside source static tcp 192.168.50.160 21 interface FastEthernet0/0 21
ip nat inside source static tcp 192.168.50.160 20 interface FastEthernet0/0 20
!
access-list 23 permit 192.168.50.0 0.0.0.255
access-list 100 permit ip 192.168.50.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.255 192.168.52.0 0.0.0.255
access-list 110 deny ip 192.168.50.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 110 deny ip 192.168.50.0 0.0.0.255 192.168.52.0 0.0.0.255
access-list 110 permit ip 192.168.50.0 0.0.0.255 any
access-list 120 deny ip 192.168.50.32 0.0.0.31 host 64.4.15.6
access-list 120 deny ip 192.168.50.32 0.0.0.31 host 64.74.134.14
access-list 120 deny ip 192.168.50.32 0.0.0.31 host 65.54.134.190
access-list 120 deny ip 192.168.50.32 0.0.0.31 65.54.239.0 0.0.0.255
access-list 120 deny ip 192.168.50.32 0.0.0.31 host 66.98.64.252
access-list 120 deny ip 192.168.50.32 0.0.0.31 host 66.250.84.31
access-list 120 deny ip 192.168.50.32 0.0.0.31 82.98.250.0 0.0.1.255
access-list 120 deny ip 192.168.50.32 0.0.0.31 207.46.0.0 0.0.255.255
access-list 120 deny ip 192.168.50.32 0.0.0.31 212.26.220.0 0.0.1.255
access-list 120 permit ip any any
!
!
!
radius-server host 192.168.50.10 auth-port 1645 acct-port 1646
radius-server key ********
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
login authentication test
line aux 0
line vty 0 4
access-class 23 in
password ********
transport input telnet
!
scheduler allocate 20000 1000
!
end
--
All Is possible...

Phraxos
Premium
join:2004-06-12
UK

3 edits
Hm......need to test something out....I'll bbs

[Edit] For what it is worth, the syntax I posted earlier was wrong, it should be:

aaa authentication login mylogin local

line con 0
login authentication mylogin

line vty 0 4
login authentication mylogin


This allows authentication but fails authorization. Setting privilege level on the user or vty / console doesn't help so I'm looking for an answer.


Angralitux

join:2004-05-20
DO
reply to Angralitux
Phraxos, and if I attempt to connect using a domain account??...... didn't work :S. at least I know I can login just by stopping the IAS service and using a local account on the router
--
All Is possible...

Phraxos
Premium
join:2004-06-12
UK
I will get you an answer but it might not be for a day or two as I'm pretty busy with work atm.

I'm learning something too

Phraxos
Premium
join:2004-06-12
UK
reply to Angralitux
OK I've got it working

aaa authentication login mylogin local
aaa authorization console
aaa authorization exec default local

line con 0
login authentication mylogin

line vty 0 4
login authentication mylogin


Get rid of the password on vty 0 4 and get rid of "aaa authentication login console line"


Angralitux

join:2004-05-20
DO
reply to Angralitux
Phraxos, you are the one, kudos to Phraxos!!! now, the winning config:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SCD-ROUTER
!
boot-start-marker
boot system flash:c2800nm-advipservicesk9-mz.124-5.bin
boot-end-marker
!
enable secret 5 *******
enable password *******
!
aaa new-model
!
!
aaa authentication login ****** local
aaa authorization console
aaa authorization exec default local
aaa authentication login default group radius local
aaa authentication ppp default group radius local
aaa authorization network default group radius local
!
aaa session-id common
!
resource policy
!
clock timezone Caracas -4
no ip source-route
!
!
ip cef
!
!
no ip bootp server
ip name-server 192.168.50.10
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
async-bootp dns-server 192.168.50.10
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username ******* privilege 15 secret 5 *******
username ******* password 0 *******
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key ******** address ***.***.***.***
crypto isakmp key ******** address ***.***.***.***
!
!
crypto ipsec transform-set SCD-STGO esp-3des esp-md5-hmac
crypto ipsec transform-set SCD-SFM esp-3des esp-md5-hmac
!
crypto map tunnel 1 ipsec-isakmp
set peer ***.***.***.***
set transform-set SCD-STGO
match address 100
crypto map tunnel 2 ipsec-isakmp
set peer ***.***.***.***
set transform-set SCD-SFM
match address 101
!
!
!
!
interface FastEthernet0/0
ip address ***.***.***.*** 255.255.255.0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
no cdp enable
crypto map tunnel
!
interface FastEthernet0/1
ip address 10.0.0.2 255.0.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
shutdown
!
interface FastEthernet0/0/3
shutdown
!
interface Virtual-Template1
ip unnumbered Vlan1
ip mroute-cache
peer default ip address pool SCD
ppp encrypt mppe 128 required
ppp authentication ms-chap ms-chap-v2 pap
!
interface Vlan1
ip address 192.168.50.1 255.255.255.0
ip access-group 120 in
ip nat inside
ip virtual-reassembly
!
ip local pool SCD 192.168.50.180 192.168.50.190
ip route 0.0.0.0 0.0.0.0 ***.***.***.***
ip route 192.168.51.0 255.255.255.0 ***.***.***.***
ip route 192.168.52.0 255.255.255.0 ***.***.***.***
!
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 110 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.50.12 8888 interface FastEthernet0/0 8888
ip nat inside source static tcp 192.168.50.12 4087 interface FastEthernet0/0 4087
ip nat inside source static tcp 192.168.50.12 4086 interface FastEthernet0/0 4086
ip nat inside source static tcp 192.168.50.12 4088 interface FastEthernet0/0 4088
ip nat inside source static tcp 192.168.50.170 23 interface FastEthernet0/0 23
ip nat inside source static tcp 192.168.50.10 80 interface FastEthernet0/0 80
ip nat inside source static tcp 192.168.50.20 25 interface FastEthernet0/0 25
ip nat inside source static udp 192.168.50.11 53 interface FastEthernet0/0 53
ip nat inside source static tcp 192.168.50.160 6972 interface FastEthernet0/0 6972
ip nat inside source static udp 192.168.50.160 7001 interface FastEthernet0/0 7001
ip nat inside source static tcp 192.168.50.160 21 interface FastEthernet0/0 21
ip nat inside source static tcp 192.168.50.160 20 interface FastEthernet0/0 20
!
access-list 23 permit 192.168.50.0 0.0.0.255
access-list 100 permit ip 192.168.50.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.255 192.168.52.0 0.0.0.255
access-list 110 deny ip 192.168.50.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 110 deny ip 192.168.50.0 0.0.0.255 192.168.52.0 0.0.0.255
access-list 110 permit ip 192.168.50.0 0.0.0.255 any
access-list 120 deny ip 192.168.50.32 0.0.0.31 host 64.4.15.6
access-list 120 deny ip 192.168.50.32 0.0.0.31 host 64.74.134.14
access-list 120 deny ip 192.168.50.32 0.0.0.31 host 65.54.134.190
access-list 120 deny ip 192.168.50.32 0.0.0.31 65.54.239.0 0.0.0.255
access-list 120 deny ip 192.168.50.32 0.0.0.31 host 66.98.64.252
access-list 120 deny ip 192.168.50.32 0.0.0.31 host 66.250.84.31
access-list 120 deny ip 192.168.50.32 0.0.0.31 82.98.250.0 0.0.1.255
access-list 120 deny ip 192.168.50.32 0.0.0.31 207.46.0.0 0.0.255.255
access-list 120 deny ip 192.168.50.32 0.0.0.31 212.26.220.0 0.0.1.255
access-list 120 permit ip any any
!
!
!
radius-server host 192.168.50.10 auth-port 1645 acct-port 1646
radius-server key ********
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
login authentication ********
line aux 0
line vty 0 4
access-class 23 in
transport input telnet
login authentication ********
!
scheduler allocate 20000 1000
!
end
--
All Is possible...
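The lockout in this thread came from the AAA method lists: the console was bound to an undefined list (so it fell through to the RADIUS-first default), one list was set to "none", and the first attempt at a fix used the invalid method "group local". The checker below is an added example, not code from the thread or from Cisco; it parses the AAA login lists and line bindings from the two configs posted above (reduced to their AAA and line sections, constructed here) and reports the conditions that lock an admin out or weaken management-plane authentication. The assumption that an undefined named list behaves like the default list is labelled in the code.

```python
import re

# Constructed excerpts of the two configs posted in the thread: the one that
# locked the poster out, and the working one Phraxos arrived at.
LOCKED_OUT = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication login console none
aaa authentication ppp default group radius local
line con 0
 login authentication test
line vty 0 4
 password secret
 transport input telnet
"""

WORKING = """\
aaa new-model
aaa authentication login mylogin local
aaa authorization console
aaa authorization exec default local
aaa authentication login default group radius local
aaa authentication ppp default group radius local
line con 0
 login authentication mylogin
line vty 0 4
 transport input telnet
 login authentication mylogin
"""

def parse(config):
    """Return ({list_name: [methods]}, {line: bound_list_or_None})."""
    lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:
            lists[m.group(1)] = m.group(2).split()
            continue
        if text.startswith("line "):          # start of a line section
            current = text[5:]
            lines.setdefault(current, None)
            continue
        m = re.match(r"login authentication (\S+)", text)
        if m and current:
            lines[current] = m.group(1)
    return lists, lines

def lint(config):
    """Findings that explain a lockout or a RADIUS-only management login."""
    lists, lines = parse(config)
    findings = []
    for name, methods in lists.items():
        if methods == ["none"]:
            findings.append(f"list {name}: 'none' disables authentication entirely")
        if "group" in methods and methods[-1] == "local" and len(methods) == 2:
            findings.append(f"list {name}: 'group local' is not a valid method, use 'local'")
        if methods[0] == "group" and "local" not in methods:
            findings.append(f"list {name}: no local fallback if RADIUS is unreachable")
    for line, ref in lines.items():
        if ref is not None and ref not in lists:
            findings.append(f"{line}: bound to undefined list '{ref}' (the AAA warning seen in the thread)")
        # Assumption: an unbound line, or one bound to an undefined list,
        # is authenticated with the default list under aaa new-model.
        effective = ref if ref in lists else "default"
        if lists.get(effective, [])[:2] == ["group", "radius"]:
            findings.append(f"{line}: management login depends on RADIUS first (list '{effective}')")
    return findings
```

Running `lint(LOCKED_OUT)` reports the 'none' list, the undefined `test` binding and the RADIUS-first console and vty logins; `lint(WORKING)` reports nothing.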

Phraxos
Premium
join:2004-06-12
UK
LOL.....cool Angralitux - we have both learnt something