Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Authentication Fails to Novell BMAS 2.0 Radius Server

Status
Not open for further replies.
adamson67

adamson67

Technical User
Dec 7, 2001
10
US
My config of the PIX515 is attached. When I try to authenticate to the Novell BMAS Radius Server 2.0 It fails to authenticate. Am I missing something in the config? Will The PIX talk well with the Novell Radius Server or should I look into some other way to authenticate? If I was able to authenticate would I be able to browse the inside LAN based on this config? All help is appreciated.

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
!
hostname ctvpnfirewall
domain-name domain.com
!
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
!
names
name 192.168.101.5 webserver
!
access-list nonatinside permit ip 0.0.0.0 255.255.255.0 192.168.105.0 255.255.255.0
access-list localtovpnclient permit ip 0.0.0.0 255.255.255.0 192.168.105.0 255.255.255.0
!
pager lines 24
logging buffered debugging
!
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
!
ip address outside 192.168.100.1 255.255.255.0
ip address inside 10.10.1.225 255.255.255.0
ip address dmz 192.168.101.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
!
ip local pool vpnpool 192.168.105.1-192.168.105.254
!
pdm history enable
arp timeout 14400
!
nat (inside) 0 access-list nonatinside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
route inside 10.0.0.0 255.0.0.0 10.10.1.225 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
!
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server authinbound protocol radius
aaa-server authinbound (inside) host 10.12.76.10 password timeout 10
!
http server enable
http 10.10.68.101 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication authinbound
crypto map mymap interface outside
!
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
vpngroup ctvpn address-pool vpnpool
vpngroup ctvpn dns-server 10.10.14.4 10.10.8.12
vpngroup ctvpn wins-server 10.12.44.5
vpngroup ctvpn default-domain domain.com
vpngroup ctvpn split-tunnel localtovpnclient
vpngroup ctvpn idle-time 3600
vpngroup ctvpn password password
!
telnet timeout 30
ssh timeout 5
terminal width 80
Cryptochecksum:a545c9953ff15156c91b8311375895d3
: end
 
Sort by date Sort by votes
Hmmm..

Here are some comments, not all related to authentication but still:

***
access-list nonatinside permit ip 0.0.0.0 255.255.255.0 192.168.105.0 255.255.255.0
access-list localtovpnclient permit ip 0.0.0.0 255.255.255.0 192.168.105.0 255.255.255.0

the 0.0.0.0 might be replaced with 10.10.0.0 or a more specific subnet. If you still use 0.0.0.0, then use 0.0.0.0 subnet as well.

***
Are you sure this is correct?
ip address inside 10.10.1.225 255.255.255.0
route inside 10.0.0.0 255.0.0.0 10.10.1.225 1

***
ip address outside 192.168.100.1 255.255.255.0
VPN endpoints must be accessible from the clients.
If your pix is behind another NAT device it can fail.

***
I suggest that you first try to establish VPN without authentication (only vpngroup and password). Then add the xauth.
Make sure that you use the newer VPN client (3.x) and not the old 1.1 client.

****

Are you using pixcript?
You'll find version 1.32 just updated here:
You should know that I haven't tested all the features in real time, so if you find problems please let me know.

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
I have used the pixcript. It is a great tool. You should look into selling it to Cisco. :)
1. I could be more specific on the access-lists.(I haven't specified the exact subnets yet)
2. The ip addresses are correct on the interfaces. (I am in a testing phase and have the outside interface attached to a hub where I have my laptop(and would be eventually connected to an isp) and the inside interface is connected to the network.
3. I have connected and authenticated without the xauth. The PIX also assigned the ip address, wins, dns, and domain settings.
4. When I looked at the console of the Novell Radius server it showed my authentication failed with an (nds error -627)
I can ping the PIX (10.10.1.225) ip address from the server, but I was wondering if I have to open something up on the PIX or if the version of Novell Radius (BMAS 2.03) is not compatible.

Once again I like the pixcript. Good work.
 
Upvote 0 Downvote
HI.

If you still have problems, I suggest this for next test:

Configure a test Win2k (or Winnt+IIS4) with IAS (MS radius server). This is known to be compatible with pix.

Place this server first on the same subnet as the pix, then try placing it in the same subnet as the BMAS.

My guess however, is that you have a configuration problem at your BMAS server, and you should find the Novell docs about radius.
The error message (nds error -627) might mean that the border manager server has a problem contacting the nds services. Seems like a misconfiguration at the server itself.

You can consider an option not to use BMAS as the auth server for VPN, but use a different dedicated server just for that, with IAS from MS or with CISCO or 3rd party RADIUS software.
This has additional costs ofcourse.
It might be easier to manage a separate name space only for vpn and not using the NDS. This has advantages and disadvantages - your choice.

Bye





Yizhar Hurwitz
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
1K
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
816
Johnkite
Johnkite
ISDPCMAN
  • Locked
  • Question
RDP fails over VPN
Replies
1
Views
364
gkittelson
gkittelson
Russtoleum
  • Locked
  • Question
Windows client can't connect to sonicwall l2tp server
Replies
0
Views
231
Russtoleum
Russtoleum
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
777
nnaarrnn
nnaarrnn

Part and Inventory Search

Sponsor

Back
Top