
TekRADIUS Forum




Home » Interoperability » Invalid Auth. Packet Received...

Interoperability with RADIUS clients & servers
17.03.2011 01:13:25

Jerry
Posts: 7
Hi,

I'm a newbie to RADIUS, with my goal to utilize it with a Watchguard firewall appliance. Spent much of the day trying to get that to work without any success, so I simplified things, installing RadServ Client from tcpdata.com on another system, and can't seem to get past the following:


3/16/2011 5:42:25 PM - TekRADIUS Service 4.1.0.0 is being started (Microsoft Windows NT 5.1.2600 Service Pack 3).
3/16/2011 5:42:27 PM - TekRADIUS Service is listening on : 10.0.7.99 (2 client(s))
3/16/2011 5:45:06 PM - Invalid Auth. packet received from : 10.0.7.100:58346

Although it's curious that the port I've set both ends to is 11812....

TekRADIUS is running on an XP-SP3 box...and the client is on a WIN-7 platform...
0 permalink
17.03.2011 09:14:57

Admin
Administrator
Posts: 1833
Hi,

The "Invalid Auth. packet received" message states that the shared secret in the RADIUS client does not match the one configured in TekRADIUS on the Clients tab.

Best regards,

Yasin KAPLAN
0 permalink
18.03.2011 00:24:07

Jerry
Posts: 7
Awesome! Turns out that it appears that the client I was using may have been the problem. I downloaded another by IEA Software, and with its debug info coupled with that from TekRADIUS, I was able to more clearly see what was going on and corrected some of the profile I had incorrectly set up and was off and running just grand!
Thank you for your guidance and quick response!
Any experience/advice in setting-up a WatchGuard firebox to use TekRADIUS?
0 permalink
18.03.2011 09:45:24

Admin
Administrator
Posts: 1833
Hi,

I do not have experience with WatchGuard, but see the following:

https://www.watchguard.com/help/docs/fireware/10/en-US/index_Left.html#CSHID=en-US%2Fruvpn%2Fruvpn_with_pptp_enable_f.html|StartTopic=Content%2Fen-US%2Fruvpn%2Fruvpn_with_pptp_enable_f.html|SkinName=Fireware (en-US)
0 permalink
18.03.2011 13:04:36

Jerry
Posts: 7
Thank-YOU!
0 permalink
18.03.2011 13:12:01

Admin
Administrator
Posts: 1833
You're welcome
0 permalink
19.04.2011 22:38:03

Jerry
Posts: 7
It seems I'm still having problems. When I attempt to validate from IEA Software's test client (Radlogin 4), not a problem. But when I attempt to do the same from the Watchguard box, it fails. The following is the log showing both attempts... any suggestions?
RadAuth req. from : 10.0.7.100:53791 - 4/19/2011 2:29:24 PM
Size : 84 / 84
Identifier : 164
Attributes :
Acct-Session-Id = 1303241364U43xvv
User-Name = jerry
4/19/2011 2:29:24 PM - CHAP Authentication commencing for user 'jerry'
4/19/2011 2:29:24 PM - CHAP authentication commencing (Group : Week 1).
4/19/2011 2:29:24 PM - CHAP authentication successful (Group : Week 1).
4/19/2011 2:29:24 PM - Check items control - Start (Group : Week 1).
4/19/2011 2:29:24 PM - Check items control - Stop (Group : Week 1).
4/19/2011 2:29:24 PM - Authentication successfull for user 'jerry'
4/19/2011 2:29:24 PM - Fetching Success-Reply items - Start.
4/19/2011 2:29:24 PM - Fetching Success-Reply items - Stop.
RadAuth req. from : 10.0.7.65:1209 - 4/19/2011 2:29:39 PM
Size : 59 / 59
Identifier : 162
Attributes :
NAS-IP-Address = 10.0.7.65
NAS-Port = 0
User-Name = jerry
4/19/2011 2:29:39 PM - PAP Authentication commencing for user 'jerry'
4/19/2011 2:29:39 PM - Check items control - Start (Group : Week 1).
4/19/2011 2:29:39 PM - Check items control - Stop (Group : Week 1).
4/19/2011 2:29:39 PM - Authentication failed for user 'jerry'

The group 'Week 1' consists of an informational return value for 'filter-ID'... and the user attribute is simply the user-password check.
0 permalink
20.04.2011 09:18:40

Admin
Administrator
Posts: 1833
Well, when you make a test using Radlogin you use the CHAP authentication method. Is it possible for you to send me a Wireshark trace from the TekRADIUS server for both cases? Please also check if the shared secret configured for the Watchguard matches the one configured in the TekRADIUS Manager Clients tab.
0 permalink
20.04.2011 15:57:03

Jerry
Posts: 7
Yasin,
After the above log post, I changed the Radlogin to use PAP and it continued to work fine. Given your ideas, I went and re-typed the shared secret in the Watchguard and it started working... so it would appear that while tinkering with the Watchguard the password got messed up... :-(

After some additional tinkering, the older 10.1 software release isn't happy to see anything back from the RADIUS server other than 'FilterID'. I attempted to send back authorization for VPN/PPTP and the WG box no longer saw the 'FilterID', which it expected to contain text matching a configured user group.

Thanks again for your most excellent comments and questions, which led me to find the cause of my difficulties.

--Jerry
0 permalink
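
As an added illustration (not part of the thread and not TekRADIUS code), the sketch below follows the User-Password hiding of RFC 2865 section 5.2 to show why a mistyped shared secret on the NAS ends in a PAP "Authentication failed": the server recovers a different password from the one the user typed. The secrets, password and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """NAS side: build the User-Password value (RFC 2865 section 5.2)."""
    if len(req_auth) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("need a 16-octet authenticator and 1..128 octet password")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        # c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = Request Authenticator
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: undo the hiding with the server's copy of the secret."""
    if len(req_auth) != 16 or not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("malformed User-Password or authenticator")
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def pap_accepts(hidden, server_secret, req_auth, stored_password) -> bool:
    """True when the recovered password equals the one stored for the user."""
    recovered = recover_password(hidden, server_secret, req_auth)
    return hmac.compare_digest(recovered, stored_password)

# Constructed sample values, not taken from the thread.
SERVER_SECRET = b"example-shared-secret"
NAS_SECRET_TYPO = b"example-shared-secert"   # same secret, mistyped on the NAS
REQ_AUTH = bytes(range(16))                  # normally 16 random octets
PASSWORD = b"constructed-sample-password"    # > 16 octets, so two blocks

if __name__ == "__main__":
    good = hide_password(PASSWORD, SERVER_SECRET, REQ_AUTH)
    bad = hide_password(PASSWORD, NAS_SECRET_TYPO, REQ_AUTH)
    print("secrets match   :", pap_accepts(good, SERVER_SECRET, REQ_AUTH, PASSWORD))
    print("secret mistyped :", pap_accepts(bad, SERVER_SECRET, REQ_AUTH, PASSWORD))
    print("server recovered:", recover_password(bad, SERVER_SECRET, REQ_AUTH)[:8].hex())
```

The user name travels in the clear, which is why the failing request in the log still shows `User-Name = jerry` while the password check fails.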
20.04.2011 17:18:02

Admin
Administrator
Posts: 1833
You're welcome
0 permalink
10.05.2011 13:47:07

jmls
Posts: 1
Jerry,

If you don't mind, could you tell me what protocols and information you needed to get the Watchguard working? I've got TekRADIUS working just fine with the Radlogin test client, but the Watchguard is not allowing me to connect with VPN. Any clues? Thanks
0 permalink
