Re: [FW-1] Radius Server Not Responding
Jim,

Found the GUI dbedit and it fixed my problem. Thank you very much for your help.

--- "Brown, Jim" <[email protected]> wrote:

> The RADIUS server (CiscoACS) is sending back an attribute outside those
> defined in the RFC. You need to configure the firewall to ignore the
> attribute.
>
> Here are the notes from my Repair Ticket:
>
> Some additional research over the weekend confirmed the issue with
> attribute 88. By design the firewall will reject any RADIUS accept
> packet if it contains an attribute outside those listed in the RFC. It
> will not simply ignore any "vendor specific" attribute.
> http://www.faqs.org/rfcs/rfc2138.html
>
> There are several knowledge base articles on the CheckPoint site
> referring to this issue. The articles were searched on keywords of
> "RADIUS and attributes". The articles were primarily written using
> information from version 4.1 and apply mostly in concept to NG. There is
> a log file in the log directory which will identify the offending
> attribute. The log file listed in the knowledge base article is
> incorrect. There is a configuration of the objects.C file to specify RADIUS
> attributes to ignore.
>
> The change in behavior between version 3.1 and version 3.0 of the ACS
> server must include the transmission of attribute 88 using our
> configuration.
>
> I plan on making modifications to the objects.C file today and updating
> the ACS server to its original configuration in version 3.1 prior to the
> outage on Friday.
>
> 3/19/03 JBB
> Downloaded a GUI DBEdit utility from CheckPoint and made the
> ignore_radius modification to the objects.c file. This should fix the
> radius problem.
>
> -----Original Message-----
> From: Bitored [mailto:[email protected]]
> Sent: Thursday, September 04, 2003 8:09 PM
> To: [email protected]
> Subject: [FW-1] Radius Server Not Responding
>
> I have a problem with authenticating to Cisco Secure 3.2.
>
> Even though I enter the correct username and password
> combination the firewall (NG AI) logs the request as
> "Radius Server not responding". In the Cisco Secure
> log I can see the auth attempt was successful.
>
> I have noticed that in the group settings of my Cisco
> Secure groups I have an "ip address assignment" of
> "Assigned from AAA Client pool". When I try to
> authenticate a user to the firewall (which passes the
> radius authentication request to Cisco Secure 3.2) it
> fails. When I set this setting to "No ip address
> assignment" it works.
>
> Obviously I need this setting for my dialup users who
> get assigned an ip address. Because a user
> can only belong to 1 group this setting must be set
> for when he/she dials in and gets an ip address.
> This worked fine in 3.0(1) Build 40. I have searched
> Cisco TAC and cannot see a similar problem.
>
> Has anyone seen this or found a work around?