
[FW-1] Problems with Radius authentication



I'm running 4.1 on a Nokia IP330, and trying to set up remote VPN using
SecuRemote with IKE encryption.  I've been successful this far -- from the
Internet, I can login using fw-/vpn-1 usernames and passwords and can access
internal servers.  Now I would like to integrate with Radius.  I'm using an
evaluation copy of Steel Belted Radius, and have set up my rules according
to the FAQ on phoneboy.com.  I believe I've configured SBR correctly, but it
isn't working properly.

I've created a generic* user, using radius authentication, with a shared
secret that matches the radius server.  The radius server is running, and I
can validate the shared secret -- so I know it's communicating with the
firewall.  From the end-user, the secure remote window pops up, I input
domain\username and domain password.  The error comes back saying
"Authentication with firewall at site ..xxx.xxx has failed.  Please
make sure you used the right credentials."

In my log files, there is a key install entry -- the info column says "IKE
Log: Received Notification from Peer: authentication failed"

The problem seems to be a communication issue between the firewall and the
radius server.  The server can ping the firewall, and with sniffer, I can
see that TCP traffic.  I can telnet to the firewall from the radius server,
and sniffer can see that UDP traffic.  The problem is, when my remote client
brings up SecuRemote and inputs a username and password, sniffer sees no
traffic at all.
The firewall doesn't drop the request, it just denies authentication, but
doesn't seem to forward to the radius server.
Yes, my generic* user has the shared secret (and I've tried without, no
luck).  I've tried it both ways on the radius object (with and without
shared secret), same result either way.

I was forwarded a message with Windows 2000 considerations for SBR, and made
those changes with no luck as well.

Help!

Thanks,
martha
