Re: [FW-1] Radius Server Not Responding
The RADIUS server (Cisco ACS) is sending back an attribute outside those defined in the RFC. You need to configure the firewall to ignore the attribute. Here are the notes from my Repair Ticket:

Some additional research over the weekend confirmed the issue with attribute 88. By design the firewall will reject any RADIUS accept packet if it contains an attribute outside those listed in the RFC. It will not simply ignore any "vendor specific" attribute.
http://www.faqs.org/rfcs/rfc2138.html

There are several knowledge base articles on the CheckPoint site referring to this issue. The articles were searched on keywords of "RADIUS and attributes". The articles were primarily written using information from version 4.1 and apply mostly in concept to NG. There is a log file in the log directory which will identify the offending attribute. The log file listed in the knowledge base article is incorrect. There is a configuration in the objects.C file to specify RADIUS attributes to ignore.

The change in behavior between version 3.1 and version 3.0 of the ACS server must include the transmission of attribute 88 using our configuration. I plan on making modifications to the objects.C file today and updating the ACS server to its original configuration in version 3.1 prior to the outage on Friday.

3/19/03 JBB: Downloaded a GUI DBEdit utility from CheckPoint and made the ignore_radius modification to the objects.c file. This should fix the radius problem.

-----Original Message-----
From: Bitored [mailto:[email protected]]
Sent: Thursday, September 04, 2003 8:09 PM
To: [email protected]
Subject: [FW-1] Radius Server Not Responding

I have a problem with authenticating to Cisco Secure 3.2. Even though I enter the correct username and password combination, the firewall (NG AI) logs the request as "Radius Server not responding". In the Cisco Secure log I can see the auth attempt was successful.

I have noticed that in the group settings of my Cisco Secure groups I have an "ip address assignment" of "Assigned from AAA Client pool"; when I try to authenticate a user to the firewall (which passes the radius authentication request to Cisco Secure 3.2) it fails. When I set this setting to "No ip address assignment" it works. Obviously I need this setting for my dialup users who get assigned an ip address. Because a user can only belong to 1 group, this setting must be set for when he/she dials in and gets an ip address. This worked fine in 3.0(1) Build 40. I have searched Cisco TAC and cannot see a similar problem. Has anyone seen this or found a work around?

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
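The reply above says the firewall rejects an Access-Accept outright when it carries an attribute type that RFC 2138 does not define, and that the fix is to tell the firewall which attribute types to ignore. As an added example (not code from the original post, from Check Point or from Cisco), the Python below parses the attribute list of a RADIUS packet and reports which types fall outside the RFC 2138 set, optionally minus an ignore list. That ignore set only stands in for the objects.C `ignore_radius` setting whose syntax the post does not show; the sample Access-Accept, including the value carried in attribute 88, is constructed here, not a capture from an ACS server.

```python
"""Added example: find RADIUS attribute types outside RFC 2138 in an Access-Accept."""
import struct

# Attribute types RFC 2138 section 5 defines: 1-39 (17 and 21 are unassigned
# there) and 60-63. 40-59 are reserved for accounting in that RFC.
RFC2138_ATTRIBUTES = (set(range(1, 40)) - {17, 21}) | set(range(60, 64))

ACCESS_ACCEPT = 2  # RADIUS code for Access-Accept


def parse_attributes(payload):
    """Walk the type/length/value list that follows the 20-byte header.

    Length counts the type and length octets, so it is never below 2; anything
    shorter or running past the buffer is treated as malformed rather than skipped.
    """
    attrs = []
    offset = 0
    while offset < len(payload):
        if len(payload) - offset < 2:
            raise ValueError("truncated attribute header at offset %d" % offset)
        atype = payload[offset]
        alength = payload[offset + 1]
        if alength < 2 or offset + alength > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (alength, offset))
        attrs.append((atype, payload[offset + 2:offset + alength]))
        offset += alength
    return attrs


def parse_packet(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, attributes)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field %d does not match %d bytes" % (length, len(packet)))
    authenticator = packet[4:20]
    return code, identifier, authenticator, parse_attributes(packet[20:])


def offending_attributes(packet, ignore=()):
    """Return sorted attribute types in an Access-Accept that are neither
    defined in RFC 2138 nor listed in `ignore` (stand-in for ignore_radius)."""
    code, _, _, attrs = parse_packet(packet)
    if code != ACCESS_ACCEPT:
        return []
    return sorted({t for t, _ in attrs if t not in RFC2138_ATTRIBUTES and t not in ignore})


def build_packet(code, identifier, attrs):
    """Assemble a packet with a zero authenticator (constructed test input only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + bytes(16) + body


# Constructed Access-Accept: Service-Type (6), Framed-Protocol (7) and an
# attribute 88 as described in the post. The value is made up for this example.
SAMPLE_ACCEPT = build_packet(ACCESS_ACCEPT, 1, [
    (6, b"\x00\x00\x00\x02"),
    (7, b"\x00\x00\x00\x01"),
    (88, b"dialup-pool"),
])

if __name__ == "__main__":
    print("offending:", offending_attributes(SAMPLE_ACCEPT))
    print("after ignoring 88:", offending_attributes(SAMPLE_ACCEPT, ignore={88}))
```

Run against a real reply captured from the RADIUS server (after checking the Response Authenticator separately), `offending_attributes` names the types that would trip the strict check; those are the candidates for the firewall's ignore list, which is how the post's author confirmed attribute 88.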