[fw-wiz] SunScreen
From: John Ruff (john_at_dndlabs.net)
Date: 01/24/04
To: FW-Wizards <firewall-wizards@honor.icsalabs.com>
Date: Fri, 23 Jan 2004 20:59:00 -0500

I'm having some trouble using RADIUS authentication with SunScreen 3.2.
I'm running SunScreen 3.2 on Solaris 9. I've all related docs about the
fw app and currently am unable to see one packet leave the fw destined
for the RADIUS server. Here are the config params I have that affect
this setup:

1. FW rule that allows screen --> radius_svr [1645/udp]
2. variable PRG=auth NAME=RADIUSServer VALUE=<radius_svr_ip>
3. variable PRG=auth NAME=RADIUSNodeSecret VALUE=<secret>
4. variable PRG=httpp NAME=TargetSvcs VALUES={ svc=www svc=ssl }
5. "radius_user1" ENABLED SIMPLE RADIUS
6. "http_proxy_grp" ENABLED GROUP MEMBER_NAME="radius_user1"
7. Rule allowing http access outbound with http-proxy & http_proxy_grp included in ACTION DETAILS
8. confirmed that process httpp is listening on 80/tcp and rule allows access from proxy clients

I've tried two things to test this config:

1. From Sun documentation (SunScreen Administrator's Overview) I used
this command to test RADIUS authentication:

    # ssadm lib/user_authenticate -v /radius/radius_user1

This fails with error in the logs:

    33 XLOG 2004/01/21 23:26:37.925625 ? -> ? auth, LVL: auth, SEV: note, ? ("invalid proxyuser")
    34 XLOG 2004/01/21 23:26:37.926216 ? -> ? auth, LVL: auth, SEV: warn, ? ("authentication failed")

2. When connecting to a website via the proxy server I get the same
entries in the log.

On top of all this, using a sniffer I see no packets leaving the Screen
destined for the RADIUS server. Anyone have any ideas on this problem?

Thanks.

--
_________________
John Ruff
john@dndlabs.net
"No one can see past a decision they don't understand." --Oracle
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
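
Added example, not part of the original post and not SunScreen code: a standalone RADIUS Access-Request probe (RFC 2865) that can be run from the Screen host or another host the server accepts as a client, to check the 1645/udp path, the node secret and the user independently of the SunScreen auth process. The NAS-Identifier value "screen-test" and all function names are made up for this sketch; the server address, user, password and secret are supplied by the caller.

```python
import hashlib, hmac, os, socket, struct

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding, RFC 2865 section 5.2 (MD5 chain keyed by the shared secret)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(user, password, secret, ident=1, authenticator=None):
    """Return (packet, request_authenticator) for a minimal Access-Request."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for atype, value in ((1, user),                                    # User-Name
                         (2, hide_password(password, secret, authenticator)),
                         (32, b"screen-test")):                        # NAS-Identifier (made up)
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs, authenticator

def response_is_authentic(reply, request_auth, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(reply) < 20:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if not 20 <= length <= len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def probe(server, user, password, secret, port=1645, timeout=3.0):
    """Send one Access-Request and classify the outcome."""
    packet, auth = build_access_request(user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply"
    if reply[1:2] != packet[1:2] or not response_is_authentic(reply, auth, secret):
        return "reply failed ID/authenticator check"
    return {2: "Access-Accept", 3: "Access-Reject"}.get(reply[0], "code %d" % reply[0])
```

All arguments except the server address are bytes, e.g. probe("<radius_svr_ip>", b"radius_user1", b"<password>", b"<secret>"). A "no reply" result is ambiguous on its own: RFC 2865 requires a server to silently discard requests from a client it has no shared secret for, so it can mean either a blocked path or an unregistered client address.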