Mac OS X Server 10.5 Radius authentication for non airport devices

Similar Messages

• NAC guest server with RADIUS authentication for guests issue.

  Hi all,
  We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a wism at the core of the network and a 4402 controller at the dmz, then out the firewall, no issues with that. We do however have a few problems, how can we provide access through a proxy without using pak files obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a radius attribute etc.
  The second problem is more serious; refer to the documentation below from the configuration guide for guest nac server v2. It states that hotspots can be used and the Authentication option would allow radius authentication for guests, I’ve been told otherwise by Cisco and they say it can’t be done, has anyone got radius authentication working for guests.
  https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
  -----START QUOTE-----
  Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
  •Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
  •Self Service—This option allows guest self service. After selection proceed to Step 8.
  •Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
  ----- END QUOTE-----
  Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
  Regards
  Kevin Woodhouse

  Well I will try to answer your 2nd questions.... will it work... yes.  It is like any other radius server (high end:))  But why would you do this for guest.... there is no reason to open up a port on your FW and to add guest accounts to and worse... add them in AD.  Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest acounts and if you look at it, it leaves everything in the DMZ.
  Now if you are looking at the self service.... what does that really give you.... you won't be able to controll who gets on, people will use bogus info and last but not least.... I have never gotten that to work right.  Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that.  That is my opinion.

• Radius authentication for the browser-based webtop

  Hiya all,
  With help of the radius-authentication module for apache (http://www.freeradius.org/mod_auth_radius/) and web-authentication it is possible to use radius-authentication for the classic-webtop. Has anyone got Radius authentication working for the browser-basedwebtop?
  SSGD version:
  Sun Secure Global Desktop Software for Intel Solaris 10+ (4.30.915)
  Architecture code: i3so0510
  This host: SunOS sgd1.<removed> 5.10 Generic_118855-36 i86pc i386 i86pc
  I have the radius-module running for authentication of a single directory with the apache-config-lines:
  SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
  <LocationMatch "/secure">
  Order Allow,Deny
  Allow from env=sgd_noauth_ok
  AuthName "Radius authentication for SGD"
  Authtype Basic
  AuthRadiusAuthoritative on
  AuthRadiusCookieValid 540
  AuthRadiusActive On
  Require valid-user
  Satisfy any
  </LocationMatch>
  When changing the line <LocationMatch "/secure"> to <LocationMatch "/sgd"> the browser asks for a authentication and then a 'Not Found' page is being displayed.
  When using the config-lines from http://docs.sun.com/source/819-6255/webauth_config_browser.html the login-page is being displayed normally and SSGD works.
  The main difference I can find between the location /secure and /sgd is: /secure is a simple directory and /sgd is a JkMount to Tomcat.
  Changing the JkLogLevel to debug gives the following info in the JkLogFile:
  Radius authentication:
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd' from 5 maps
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis'
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd'
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (486): Found an exact match tta -> /sgd
  With the password-authentication file:
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd/' from 5 maps
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (475): Found a wildchar match tta -> /sgd/*
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_get_worker_for_name::jk_worker.c (111): found a worker tta
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker axis
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker tta
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker examples
  It seems that the JkMount is not being evaluated correctly after using the radius-authentication.
  Any help will be usefull since I am allready stuck on this problem for a couple of days :(
  Thanks,
  Remold | Everett

  I got response from the Fat Bloke on the mailing list.
  Adding the following line in the apache httpd.conf seams to help and resolved my problem:
  Alias /sgd "/opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
  Thanks The Fat Bloke !!
  - Remold
  These instructions are for a 4.2 SGD installation using SGD's third
  party web authentication with mod_auth_radius.so (www.freeradius.org).
  With 4.2 Sun didn't distribute enough of the Apache configured tree
  to enable the use of axps to build the mod_auth_radius module, 4.3 is
  better - Sun now install a modified axps and include files, I haven't
  tried this with 4.3 yet though.
  I built the mod_auth_radius module for Apache 1.3.33 (shipped with 4.2)
  So, this is how we got this working with Radius (tested with SBR
  server and freeradius.org server.)
  Install SGD in the usual way.
  Enable 3rd party authentication:
  According to:
  http://docs.sun.com/source/819-4309-10/en-us/base/standard/
  webauth_config_browser.html
  Configure the Tomcat component of the Secure Global Desktop Web
  Server to
  trust the web server authentication. On each array member, edit the
  /opt/tarantella/webserver/tomcat/version/conf/server.xml file. Add the
  following attribute to the connector element (<Connector>) for the
  Coyote/JK2 AJP 1.3 Connector:
  tomcatAuthentication="false"
  # cat /opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/
  conf/server.xml
  <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
  <Connector port="8009" minProcessors="5" maxProcessors="75"
  tomcatAuthentication="false"
  enableLookups="true" redirectPort="8443"
  acceptCount="10" debug="0" connectionTimeout="0"
  useURIValidationHack="false"
  protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
  "By default, for security reasons, Secure Global Desktop
  Administrators can't
  log in to the browser-based webtop with web server authentication.
  The standard
  login page always displays for these users even if they have been
  authenticated
  by the web server. To change this behavior, run the following command:"
  # tarantella config edit --tarantella-config-login-thirdparty-
  allowadmins 1
  Without this, after authenticating via webauth, the user will be
  prompted for a
  second username and password combination.
  # /opt/tarantella/bin/tarantella objectmanager &
  # /opt/tarantella/bin/tarantella arraymanager &
  In Array Manager:
  Select "Secure Global Desktop Login" on left side and click
  "Properites" at bottom
  Under "Secure Global Desktop Login Properties"
  cd /opt/tarantella/webserver/apache/
  1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/conf
  edit httpd.conf:
  ### For SGD Apache based authentication
  Include conf/httpd4radius.conf
  at the end of httpd.conf add:
  Alias /sgd "/opt/tarantella/webserver/tomcat/
  5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
  # cat httpd4radius.conf
  LoadModule radius_auth_module libexec/mod_auth_radius.so
  AddModule mod_auth_radius.c
  # Add to the BOTTOM of httpd.conf
  # If we're using mod_auth_radius, then add it's specific
  # configuration options.
  <IfModule mod_auth_radius.c>
  # AddRadiusAuth server[:port] <shared-secret> [ timeout [ : retries ]]
  # Use localhost, the old RADIUS port, secret 'testing123',
  # time out after 5 seconds, and retry 3 times.
  AddRadiusAuth radiusserver:1812 testing123 5:3
  # AuthRadiusBindAddress <hostname/ip-address>
  # Bind client (local) socket to this local IP address.
  # The server will then see RADIUS client requests will come from
  # the given IP address.
  # By default, the module does not bind to any particular address,
  # and the operating system chooses the address to use.
  # AddRadiusCookieValid <minutes-for-which-cookie-is-valid>
  # the special value of 0 (zero) means the cookie is valid forever.
  AddRadiusCookieValid 5
  </IfModule>
  <LocationMatch /radius >
  Order Allow,Deny
  AuthType Basic
  AuthName "RADIUS Authentication"
  AuthAuthoritative off
  AuthRadiusAuthoritative on
  AuthRadiusCookieValid 5
  AuthRadiusActive On
  Require valid-user
  Satisfy any
  </LocationMatch>
  SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
  <LocationMatch /sgd >
  Order Allow,Deny
  Allow from env=sgd_noauth_ok
  AuthType Basic
  AuthName "RADIUS Authentication"
  AuthAuthoritative off
  AuthRadiusAuthoritative on
  AuthRadiusCookieValid 5
  AuthRadiusActive On
  Require valid-user
  Satisfy any
  </LocationMatch>
  Put appropriate mod_auth_radius.so into
  /opt/tarantella/webserver/apache/
  1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/libexec
  # mkdir /opt/tarantella/webserver/apache/
  1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/radius/
  # cat /opt/tarantella/webserver/apache/
  1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/htpasswd/index.html
  <HTML>
  <HEAD>
  <TITLE> Test Page for RADIUS authentication </TITLE>
  </HEAD>
  <BODY>
  <B> You have reached the test page for RADIUS authentication.
  </BODY>
  </HTML>
  I hope this helps!
  -FB

• Radius authentication for privileged access

  Hello,
            I have configured Cisco 6513 for radius authentication with following commands.
  aaa new-model
  aaa authentication login authradius group radius line
  aaa accounting exec acctradius start-stop group radius
  radius-server host <radius-ip> auth-port 1812 acct-port 1646 key 6912911
  line vty 0 4
  accounting exec acctradius
  login authentication authradius
       This is working pretty fine. I want to configure radius authentication for priviledged access / for enable access.
       I am using TeKRadius as Radius server.
       Please help.
  Thanks and Regards,
  Pratik

  Hi Pratik
  Sorry I mostly use only TACACS+ for AAA as it provides better granularity of access controls.
  You'll need to make some specific changes to your RADIUS config so that nominated users ( the ones you want to be able to go to enable mode ) get put straight into enable mode upon login.
  There's a guide here http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/ which details the steps if you're using the Microsoft IAS radius server - you should be able to figure out that changes you need to make to your own server from there.
  Nick
  Message was edited by: NickNac79 - Spelt the OP's name wrong, sorry.

• 2 factor authentication for third party devices

  Can anyone recommend a 2factor authentication service that will query a OD user database and process authentication for third part devices ie firewall/vpn via RADIUS?

  Yes it is and you have the following options:
  OTP using external RADIUS server and RSA tokens
  EAP-Chaining using the AnyConnect Agent and Cisco ISE
  MAR (machine access restrictions).  If the machine had not performed authentication the user will not be authorized
  Layer 3 security on the Wireless LAN Controller

• AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

  Hi,
  I have an ASA running fine on the network which provide L2L tunnel to remote site and provide Remote VPN for remote access users.
  Currently, there is a need for the users to authenticate against an ACS server that located across the L2L VPN tunnel.
  The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP Address.
  I can ping the IP address of the ACS Server (which located at the remote site, IP addr: 10.10.10.56) from the ASA:
  ping inside 10.10.10.56
  However when I configure the ASA for the AAA group with commands:
  aaa-server ACSAuth protocol radius
  aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
  Then when I do the show run, here is the result:
  aaa-server ACSAuth protocol radius
  aaa-server host 10.10.10.56
  key AcsSecret123
  From what I thought is, with this running config, traffic is not directed to the L2L VPN tunnel
  (seems to be directed to the default gateway due to the default route information) which cause failure to do the AAA authentication.
  Does anybody ever implement such this thing and whether is it possible? And if yes, how should be the config?
  Your help will be really appreciated!
  Thanks.
  Best Regards,
  Jo

  AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
  http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html

• Radius Authentication for FWSM

  Hello, this is my first posting so I apologize if I accidentally disobeyed any posting rules.
  Thank you to any and all that respond.
  My problem is setting up Authentication to my FWSM through my Radius server.
  My Radius server is set up by the ASDM, and I can run it's test successfully. However, when I tell my FWSM to use Radius as it's primary Authentication, my username and password no longer work. I have to remove the FWSM entry in my Radius database so the FWSM reverts back to it's local database in order for me to regain access to it.
  I do not think this is a problem with ACLs or the FWSM itself, once again my FWSM does pass an initial test of my Radius configuration before I apply it.
  Is there something I am missing here?
  FWSM Firewall Version 4.1(5)
  Device Manager Version 6.2(2)F
  Radius server - Windows Server 2003 (IAS - Radius standard)

  Hi,
  What do you want your radius server to used as for authentication?
  could you please paste the output of:
  sh run | in aaa
  sh run aaa-server
  Regards,
  Anisha

• RADIUS Authentication for Guest users

  Hi,
  I currently use a 4402 WLC located in our DMZ to authenticate Guest users - local authentication is in place.  I would not like to setup RADIUS authentication via a Cisco NAC server.  In order not to affect current guest users, I created a new WLAN and configured with RADIUS server details under WLANs->Edit->Security.  I can associate to new WLAN and obtain a DHCP address no problem, but when I browse to an external website, I do not get prompted for authentication from the RADIUS server.  I don't see any auth requests hitting our firewal, so am assuming the problem is with the WLC config.
  Can anyone provide any details of what config is required?
  Security Policy - Web-Auth
  Security-> L2 - None
  Security-> L3 - Authentication
  Security-> AAA Servers - Auth and Acc server set
  Many thanks
  Liam

  your setup sounds pretty okay. have you got local user accounts set up on the WLC for the test WLAN? if you do, check to see that the priority order for web authentication for the test WLAN prefers the AAA account. you will have to do it directly on your controller as i do not think you have that option in WCS.
  hope that helps

• Radius authentication for wifi users

  Hi all,
  I have a aeronet 1250 access point and i have a windows 2003  radius server configured to authenticate users.
  I need to configure the access point for radius authentication .
  Can anyone please help me to configure the access point .
  thanks in advance ,
  Selva

  See here for configuration examples, look for the autonomous examples:
  http://www.cisco.com/en/US/products/ps6087/prod_configuration_examples_list.html
  Thanks
  Chris

• RADIUS authentication for SGE2010 switch

  I am trying to configure a SGE2010 switch to use RADIUS authentication. At the moment, the NPS (Windows Server 2008r2 RADIUS) server is receiving the access request and is returning an access accept.
  The switch does not let us log in.
  Cisco-sw1(config)# 09-Nov-2009 21:10:35 %AAA-W-REJECT: New telnet connection for
  user P@ssw0rd, source 192.168.10.213 destination   REJECTED
  Note: It is printing the user's password instead of the username.
  I suspect it is something to do with the cisco-AV-pair attribute. I have tried the following values but nothing works:
  Shell:priv-lvl=15
  Shell = 15
  Level = 15
  Relevant lines from switch configuration:
  radius-server host 192.168.1.23 key P@llssw0rd88
  aaa authentication enable default none
  aaa authentication login default radius
  Any help would be more than greatly appreciated.

  The problem isn't that it is rejecting me. Using network monitor I can see it is accepting the request but for some reason just won't log me in.
  A link was sent to me to another website where it show that you have to go into the settings tab of the policy and change the radius attribute
  to Service-Type Administrative.
  After doing that, I was able to log into the switch with any of the windows domain users I had specified.
  This is the link that gave me the answer
  http://wiki.freeradius.org/Linksys

• RADIUS authentication for IDS admin

  Hi,
  We've decided to centralize our accounts and are using ACS to authenticate admin access to switches, firewalls and to the CS-MARS by RADIUS. I'd like to extend that authentication also to the IDSMs running on our switches and to our CSS1100 boxes. Can this be done? how about network sensor appliances (i.e. 4200)? I've looked into the documentation but haven't found what I'm looking for. Any help is appreciated.
  Thanks, Joe

  The current released versions of IPS does not support RADIUS authentication. However the support is being introduced in later versions like 7.1.x
  Madhu

• RADIUS authentication for VPDN

  I'm using RADIUS to authenticate PPP sessions coming into a 7200 router over L2TP (using BT's 21C WBMC product). However for every connection for an example user of user@domain the RADIUS server sees one Access-Request for the domain only and then another for user@domain. Is there a way to configure the 7200 to only send the user@domain Access-Request and not the one for just the domain?

  Hi Jon,
  Try using the below commands,
  Step 1 Router(config)# vpdn-group group-number
  Step 2 Router(config-vpdn)# authen before-forward
  Step 2 specifies that the entire structured username be sent to the radius server the first time the router contacts the radius server.

• RADIUS Authentication for Enable PW

  Hi Everyone,
  I have my RADIUS authentication working for login passwords but not for the enable password. My config is below;
  aaa new-model
  aaa authentication login default group radius local
  aaa accounting network default start-stop group radius
  When I add the command;
  aaa authentication enable default group radius enable
  I would expect it to allow me to enter my RADIUS pw for the enable one to, but it doesnt. Nor does it allow me to enter the locally configured one?
  Any help would be great,
  Thanks,
  Dan

  Thanks for your reply Rick,
  The debug output is below;
  L2-SW01>
  00:03:02: RADIUS: Authenticating using $enab15$
  00:03:02: RADIUS: ustruct sharecount=1
  00:03:02: RADIUS: Initial Transmit tty0 id 3 x.x.x.x:1812, Access-Request,
  len 72
  00:03:02: Attribute 4 6 AC14024F
  00:03:02: Attribute 5 6 00000000
  00:03:02: Attribute 61 6 00000000
  00:03:02: Attribute 1 10 24656E61
  00:03:02: Attribute 2 18 524FB069
  00:03:02: Attribute 6 6 00000006
  00:03:02: RADIUS: Received from id 3
  x.x.x.x:1812, Access-Reject, len 20
  00:03:02: RADIUS: saved authorization data for user E49424 at 93C6DC
  L2-SW01>
  L2-SW01>
  I am using IAS for RADIUS authentication and I cannot find any option to say "allow enable access".
  Any ideas?
  Cheers,
  Dan

• Updating OpenSSL for Mac OS X Server 10.6.7 -- looking for a good walkthrough

  Currently running version 0.9.8l... would like to update to the latest version.
  There are a lot of tutorials on the net, can someone recommend one that works with Mac OS X Server 10.6.7? (Since many assume the desktop version, and I've noticed occasionally there are some differences.) I've downloaded Xcode 4.0.2, which I assume is required to build it.
  Thanks.
  ...Rene

  OK, so I followed the tutorial http://foodpicky.com/?p=99 and it compiled fine. Added /usr/local/ssl/bin to PATH. And now reports version 1.0.0.d.
  But... Apache or at least phpinfo() reports that it's still using the old version.
  How do I make Apache, and the OS in general, to use the new version?
  Thanks!
  ...Rene

• Does Mac OS X Server 10.6 Auto Configure a Connected Airport Basestation?

  I just finished an install of Snow Leopard Server on a new Mac Mini. A 1TB Airport Time Capsule is directly connected to the Mini via Ethernet (and our cable internet modem is also directly connected via Ethernet to the Time Capsule).
  I have a static IP address.
  During the installation of the server onto the Mini there seemed to be a period during which the server took control of the Airport device and auto-configured it then reset it. At first, it seemed that all services were available externally (i.e. web) from the internet.
  However, I may have been wrong as now none of the services respond from outside the network.
  I thought that Mac OS X Server would automatically configure an attached Airport device. Is that correct? Or must I work through the Airport device and manually configure all of the port settings to enable external access?

  First off I would check the console and see what it says when you try to log in with the admin account. It will give a message saying what the issue is.
  Also is this a local admin or a network admin account?