[fw-wiz] SunScreen

From: John Ruff (john_at_dndlabs.net)
Date: 01/24/04

    To: FW-Wizards <firewall-wizards@honor.icsalabs.com>
    Date: Fri, 23 Jan 2004 20:59:00 -0500


    I'm having some trouble using RADIUS authentication with SunScreen 3.2.
    I'm running SunScreen 3.2 on Solaris 9. I've read all related docs about the
    fw app and currently am unable to see one packet leave the fw destined
    for the RADIUS server. Here are the config params I have that affect
    this setup:

    1. FW rule that allows screen --> radius_svr [1645/udp]
    2. variable PRG=auth NAME=RADIUSServer VALUE=<radius_svr_ip>
    3. variable PRG=auth NAME=RADIUSNodeSecret VALUE=<secret>
    4. variable PRG=httpp NAME=TargetSvcs VALUES={ svc=www svc=ssl }
    5. "radius_user1" ENABLED SIMPLE RADIUS
    6. "http_proxy_grp" ENABLED GROUP MEMBER_NAME="radius_user1"
    7. Rule allowing http access outbound with http-proxy & http_proxy_grp
    included in ACTION DETAILS
    8. confirmed that process httpp is listening on 80/tcp and rule allows
    access from proxy clients

    I've tried two things to test this config:

    1. From Sun documentation (SunScreen Administrator's Overview) I used
    this command to test RADIUS authentication:
    # ssadm lib/user_authenticate -v /radius/radius_user1

    This fails with error in the logs:

     33 XLOG 2004/01/21 23:26:37.925625 ? -> ? auth, LVL: auth, SEV: note, ? ("invalid proxyuser")
     34 XLOG 2004/01/21 23:26:37.926216 ? -> ? auth, LVL: auth, SEV: warn, ? ("authentication failed")

    2. When connecting to a website via the proxy server I get the same
    entries in the log.

    On top of all this, using a sniffer I see no packets leaving the Screen
    destined for the RADIUS server. Anyone have any ideas on this problem?

    Thanks.

    -- 
    _________________
    John Ruff
    john@dndlabs.net
    "No one can see past a decision they don't understand." --Oracle
    
    

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
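A way to split the problem above in two is to take the Screen's proxy out of the picture and talk RFC 2865 to the RADIUS server directly, with the same node secret and the same 1645/udp port: if a hand-built Access-Request gets an Access-Accept, the server and secret are fine and the fault is in the SunScreen auth/proxy configuration; if nothing comes back, the network path or the server is the problem. The following probe is an added example written for this page, not code from the original post, from SunScreen, or from Sun; the user name, password, secret and addresses are placeholders, and the only protocol it implements is the RFC 2865 Access-Request / Access-Accept exchange (User-Password hiding with the shared secret and Response Authenticator verification).

```python
"""Minimal RFC 2865 RADIUS test client (added example; not SunScreen code)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4  # attribute types used here


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("password longer than 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; NUL padding is stripped (so the demo password must not end in NUL)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(chunk, keystream)), chunk
    return out.rstrip(b"\x00")


def attr(kind, value):
    """One Type-Length-Value attribute; the length byte covers its own 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(ident, user, password, secret, nas_ip, request_auth=None):
    """Return (packet, request_authenticator). The authenticator must be unpredictable (RFC 2865 3)."""
    if request_auth is None:
        request_auth = os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, user.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(ATTR_NAS_IP, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth
    return header + attrs, request_auth


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """What a server sends back (used here to exercise verify_response offline)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def parse_packet(pkt):
    """Split a packet into (code, ident, authenticator, {type: [value, ...]}), rejecting bad lengths."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        kind, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(kind, []).append(pkt[pos + 2:pos + alen])
        pos += alen
    return code, ident, pkt[4:20], attrs


def verify_response(resp, ident, request_auth, secret):
    """Client side: accept a reply only if the identifier matches and the Response Authenticator checks out."""
    code, rid, rauth, _ = parse_packet(resp)
    if rid != ident:
        return False
    length = struct.unpack("!H", resp[2:4])[0]
    expected = response_authenticator(code, rid, resp[20:length], request_auth, secret)
    return hmac.compare_digest(expected, rauth)


def send_request(server, port, user, password, secret, nas_ip, timeout=3.0):
    """Send one Access-Request over UDP; returns 'accept', 'reject', 'other', 'invalid' or 'timeout'."""
    ident = os.urandom(1)[0]
    pkt, req_auth = build_access_request(ident, user, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (server, port))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"            # nothing came back: path, port or server problem
    if not verify_response(resp, ident, req_auth, secret):
        return "invalid"                # reply did not verify: wrong secret or spoofed reply
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(resp[0], "other")


if __name__ == "__main__":
    import sys
    # usage: radius_probe.py <radius_svr_ip> <secret> <user> <password> [nas_ip]   (all placeholders)
    server, secret, user, password = sys.argv[1:5]
    nas_ip = sys.argv[5] if len(sys.argv) > 5 else "127.0.0.1"
    print(send_request(server, 1645, user, password, secret.encode(), nas_ip))
```

Run it from a host the RADIUS server is configured to accept as a client (the Screen itself is the obvious choice, since the server has that address and node secret on file); a "timeout" while the server's logs show nothing points at the path, an "invalid" points at a secret mismatch, and an "accept" means the remaining work is on the SunScreen side. The probe sends plain Access-Requests only, so it says nothing about the screen's own "invalid proxyuser" check.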