Re: use of RADIUS

From: "W. B." <civikminded@yahoo.com>
Date: Fri, 22 Nov 2002 14:35:53 -0600

This is all covered in Chapter 8 of the Netscreen Concepts & Examples
Fundamentals guide for ScreenOS4. Starting at page 276 is where it will get
interesting for you. Can be found at:

http://www.netscreen.com/support/manuals.html

The 5XP will support RADIUS as well as LDAP and RSA SecurID. It can also
maintain its own internal user database. The internal database would work
great for such a small set of users.

1. You would set up an IP for the Netscreen to respond to WebAuth requests
in the interface setup. Also, you would set up a local authentication user
and password in the Netscreen.
2. Create a policy for the server and/or services external users would be
trying to access with the authentication type set to WebAuth.
3. The user would open an HTTP connection to the WebAuth IP and would then be
challenged for a username and password. This can be made to run over SSL.
(Never tried it personally though.)
4. The user opens up the application, the Netscreen sees the host has
authenticated and forwards the packets through the firewall. Voila! No RADIUS
necessary.

"George" <George@nospam.invalid> wrote in message
news:mYrD9.414$kO5.362096@news1.news.adelphia.net...
> I am adding dedicated Internet access to a location. I am looking at a
> Netscreen 5XP. I need to offer remote access (mail, files, etc.) to about 10
> users. I was planning on installing a dedicated Terminal Server box. I
> understand the RDP traffic is encrypted but I am concerned about leaving
> port 3389 open and forwarding it to the TS mainly because of possible
> exploits against the TS.
>
> I think an authentication challenge at the firewall would offer extra
> security. I don't know if the 5XP can use RADIUS so I need to check that
> out. If it did and I installed a RADIUS server inside I am curious how the
> outside user would connect? Would they first need to authenticate against
> the RADIUS server (is this clear text?) and then start up the TS client or
> is it a variation?
>
> Thanks
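The four steps above describe a gate that is keyed on the client's source address: the HTTP challenge marks the IP that answered it, and the policy on port 3389 then forwards only from marked addresses. The following Python model of that flow is an added example written for this page; it is not NetScreen/ScreenOS code, and the user name, password, addresses and the ten-minute lifetime are all constructed for the demonstration. It is worth running because it makes two practical consequences visible: a wrong password leaves the source blocked, and the grant expires on its own.

```python
"""Model of a WebAuth-style firewall gate (added example, not NetScreen code).

A local user table stands in for the firewall's internal database, webauth()
stands in for the HTTP challenge in step 3, and forward() is the policy check
of step 4. All names, addresses and the lifetime below are constructed.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

AUTH_LIFETIME = 10 * 60  # assumed: seconds an authenticated source stays valid


def _hash_pw(password: str, salt: bytes) -> bytes:
    # PBKDF2 so a leaked user table does not leak passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class LocalUserDB:
    """Stand-in for the firewall's internal user database."""
    users: dict = field(default_factory=dict)  # name -> (salt, digest)

    def add(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = (salt, _hash_pw(password, salt))

    def check(self, name: str, password: str) -> bool:
        rec = self.users.get(name)
        if rec is None:
            _hash_pw(password, b"\x00" * 16)  # same cost for unknown names
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, _hash_pw(password, salt))


@dataclass
class Policy:
    dst_port: int
    require_webauth: bool


@dataclass
class WebAuthFirewall:
    userdb: LocalUserDB
    policies: list
    auth_table: dict = field(default_factory=dict)  # src_ip -> (user, expires)

    def webauth(self, src_ip: str, user: str, password: str, now=None) -> bool:
        """Step 3: the challenge. On success the *source IP* is marked."""
        now = time.time() if now is None else now
        if not self.userdb.check(user, password):
            return False
        self.auth_table[src_ip] = (user, now + AUTH_LIFETIME)
        return True

    def forward(self, src_ip: str, dst_port: int, now=None) -> bool:
        """Step 4: does a packet from src_ip to dst_port pass the policy?"""
        now = time.time() if now is None else now
        for pol in self.policies:
            if pol.dst_port != dst_port:
                continue
            if not pol.require_webauth:
                return True
            entry = self.auth_table.get(src_ip)
            if entry is None:
                return False
            _user, expires = entry
            if now >= expires:
                del self.auth_table[src_ip]  # grant has aged out
                return False
            return True
        return False  # no matching policy: default deny


def demo() -> dict:
    """Constructed scenario: one user, one WebAuth-gated RDP policy."""
    db = LocalUserDB()
    db.add("george", "correct-horse")  # constructed credentials
    fw = WebAuthFirewall(db, [Policy(3389, require_webauth=True)])
    client, stranger = "203.0.113.5", "198.51.100.7"  # constructed addresses
    return {
        "before_auth": fw.forward(client, 3389, now=0),
        "bad_password": fw.webauth(client, "george", "wrong", now=0),
        "good_password": fw.webauth(client, "george", "correct-horse", now=0),
        "after_auth": fw.forward(client, 3389, now=1),
        "other_host": fw.forward(stranger, 3389, now=1),
        "other_port": fw.forward(client, 22, now=1),
        "expired": fw.forward(client, 3389, now=AUTH_LIFETIME),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the model makes explicit. The grant is per source address, so anything sharing that address (every host behind the same NAT, for example) is forwarded once one user has authenticated; this is why the lifetime matters. And the challenge itself is an ordinary HTTP form, so unless it is run over SSL as the post suggests, the username and password cross the Internet in the clear.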


