 
 From:  Andrew Hibl <a underscore blue underscore knight at yahoo dot com>
 To:  S W <lordboink at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Captive portal with Microsoft IAS
 Date:  Wed, 29 Mar 2006 12:50:49 -0800 (PST)
Thanks, that was what I needed. I am now able to use
IAS for both PPTP and captive portal authentications.

The two things I missed:
1: I did not know what authentication protocol
m0n0wall was trying to use.
2: I had used the Remote access policy wizard to
configure the remote access policy, so I had a rule
'NAS-Port-Type matches "Virtual (VPN)"' in my only
policy. I created a second policy to allow PAP
authentications. 

Does anyone have a link to more info on the m0n0wall
captive portal regarding RADIUS authentication? 

Thanks again, 


Andrew



--- S W <lordboink at gmail dot com> wrote:

> Andrew,
> 
> Here's what worked for me (I assume you're using
> Win2k3 Server for this too,
> and I am including all steps just for the record):
> 
> 1. Ensure that CP works locally (ie, you get the
> logon prompt and can
> connect outwards with a username defined *on the
> m0n0 itself*).  If you
> don't get the logon page, check your DNS settings:
> first, attempt to connect
> to a numeric website eg google at
> http://66.249.87.99/ - if this opens the
> CP prompt dialog, but http://www.google.com does
> not, then make sure the DNS
> forwarder is properly configured (or set your DNS
> server as an allowed
> outbound IP while you're testing).
> 2. Start sniffing on your IAS box
> 3. Make sure your IAS box's security auditing will
> log authentication events
> 
> 4. On the m0n0, define the IAS box as your radius
> server for the CP
> 5. Attempt to connect via the CP; ensure you see
> packets incoming on the IAS
> from the m0n0 (have a look inside them, too)
> 6. Assuming that the packets you see arriving on
> your IAS box are from IP
> 10.1.2.254, configure a Radius
> client in IAS, where
>     - friendly name is <FRIENDLY>
>     - IP is 10.1.2.254
>     - Shared Secret is same as on the m0n0
> (alphanumeric only IIRC)
>     - Client-Vendor is 'RADIUS Standard'.
> 
> 7. Next, configure a Remote Access Policy in IAS,
> where
>     - Under the Policy Conditions, Client-IP-Address
> matches "10.1.2.254"
>     - Connection response is 'Grant remote access
> permission'
> 
> It sounds like you're already at this point, so if
> authentication is
> failing, it's probably due to the methods allowed
> for the authentication
> (see the Authentication tab in the Policy Profile).
> 
> I did quite a few tests, and found that
> authentication only worked with
> *only one* of the options selected - IIRC correctly,
> it was PAP, but looking
> at the now inactive IAS (which I can't test),
> MS-CHAP is ticked... doh!
> 
> Sorry for that, but I'm sure that's where your
> problem is. Try both, but one
> at a time (and whenever you modify the
> authentication settings, *restart the
> IAS service*).
> 
> An incorrect authentication method will give you
> this in the IAS's System
> Event Log:
> Event Type:    Warning
> Event Source:    IAS
> Event Category:    None
> Event ID:    2
> Date:        02/02/2006
> Time:        01:13:45
> User:        N/A
> Computer:    SERVER03
> Description:
> User server03\rad1 was denied access.
>  Fully-Qualified-User-Name = SERVER03\rad1
>  NAS-IP-Address = <not present>
>  NAS-Identifier = <not present>
>  Called-Station-Identifier = 00:0d:b9:11:3b:a4
>  Calling-Station-Identifier = 00:0b:cd:6a:3d:18
>  Client-Friendly-Name = FRIENDLY
>  Client-IP-Address = 10.1.2.254
>  NAS-Port-Type = Ethernet
>  NAS-Port = 6
>  Proxy-Policy-Name = Use Windows authentication for
> all users
>  Authentication-Provider = Windows
>  Authentication-Server = <undetermined>
>  Policy-Name = Connections to Microsoft Routing and
> Remote Access server
>  Authentication-Type = PAP
>  EAP-Type = <undetermined>
>  Reason-Code = 66
>  Reason = The user attempted to use an
> authentication method that is not
> enabled on the matching remote access policy.
> 
> A successful connection looks like this (note the
> PAP in both - I think the
> unsuccessful one happens when another option is
> selected):
> 
> Event Type:    Information
> Event Source:    IAS
> Event Category:    None
> Event ID:    1
> Date:        02/02/2006
> Time:        01:14:03
> User:        N/A
> Computer:    SERVER03
> Description:
> User server03\rad1 was granted access.
>  Fully-Qualified-User-Name = SERVER03\rad1
>  NAS-IP-Address = <not present>
>  NAS-Identifier = <not present>
>  Client-Friendly-Name = FRIENDLY
>  Client-IP-Address = 10.1.2.254
>  Calling-Station-Identifier = 00:0b:cd:6a:3d:18
>  NAS-Port-Type = Ethernet
>  NAS-Port = 6
>  Proxy-Policy-Name = Use Windows authentication for
> all users
>  Authentication-Provider = Windows
>  Authentication-Server = <undetermined>
>  Policy-Name = Connections to Microsoft Routing and
> Remote Access server
>  Authentication-Type = PAP
>  EAP-Type = <undetermined>
> 
> Comments:
> - Above, server03 is a member server, so the account
> 'rad1' was local.  If
> your IAS is also a domain controller, you may have
> to check for domain\user
> style prefixes and such.
> - If this still fails, check that the IAS isn't
> passing requests on to
> another remote Radius group server
> - Ethereal, and the event logs are your friends
> 
> As far as I can fathom, the difference between the
> PPTP and Radius
> situations is that when a PPTP client is
> authenticated via IAS, the client
> itself is talking directly to IAS, whereas via the
> CP, the m0n0 itself is
> doing everything, and can't handle anything more
> robust than PAP.  (This is
> supposition based on experiment, if someone more
> knowledgeable can clarify,
> please do so.)
> 
> Hope this helps,
> boink
> 
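The two IAS event-log entries quoted above, run through a small triage script. This is an added example and not code from m0n0wall or Microsoft IAS; the sample entries are reconstructed from the denied and granted events in the thread, and the policy condition ("Virtual (VPN)") and RADIUS client IP (10.1.2.254) are the values the thread mentions. Reason-Code 66 is the only code the script interprets, because it is the only one the thread documents.

```python
"""IAS event-log triage for the captive-portal RADIUS problem in this thread.

Added example, not code from m0n0wall or Microsoft IAS.  It parses the
"Description" block of an IAS System-log entry (Event ID 1 = granted,
Event ID 2 = denied) into attributes and applies the three checks the
thread turns on:
  1. Reason-Code 66: the policy matched, but the Authentication-Type the
     NAS used (PAP for the m0n0wall captive portal) is not enabled on it.
  2. The NAS-Port-Type the NAS reports versus the NAS-Port-Type condition
     of a wizard-created policy (a policy requiring "Virtual (VPN)" never
     matches the portal's "Ethernet").
  3. Client-IP-Address versus the RADIUS client configured in IAS.
The two sample entries are constructed from the ones quoted in the thread.
"""
import re

DENIED = r"""User server03\rad1 was denied access.
 Fully-Qualified-User-Name = SERVER03\rad1
 NAS-IP-Address = <not present>
 Client-Friendly-Name = FRIENDLY
 Client-IP-Address = 10.1.2.254
 NAS-Port-Type = Ethernet
 NAS-Port = 6
 Policy-Name = Connections to Microsoft Routing and Remote Access server
 Authentication-Type = PAP
 Reason-Code = 66
 Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
"""

GRANTED = r"""User server03\rad1 was granted access.
 Fully-Qualified-User-Name = SERVER03\rad1
 Client-Friendly-Name = FRIENDLY
 Client-IP-Address = 10.1.2.254
 NAS-Port-Type = Ethernet
 NAS-Port = 6
 Policy-Name = Connections to Microsoft Routing and Remote Access server
 Authentication-Type = PAP
"""

# One "Name = Value" line of the Description block
_ATTR = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$")


def parse_ias_description(text):
    """Split an IAS Description block into (verdict, attrs).

    verdict is "granted" or "denied" (taken from the first line); attrs maps
    each "Name = Value" line to its value, e.g. attrs["Reason-Code"] == "66".
    """
    lines = text.strip().splitlines()
    verdict = "granted" if "was granted access" in lines[0] else "denied"
    attrs = {}
    for line in lines[1:]:
        m = _ATTR.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return verdict, attrs


def triage(text, policy_port_type, radius_client_ip):
    """Return a list of findings explaining a denied entry (empty if granted).

    policy_port_type: the NAS-Port-Type condition of the policy you expect to
      match (e.g. "Virtual (VPN)"), or None if the policy has no such condition.
    radius_client_ip: the IP of the RADIUS client defined in IAS for the m0n0.
    """
    verdict, a = parse_ias_description(text)
    if verdict == "granted":
        return []
    findings = []
    code = a.get("Reason-Code")
    if code == "66":
        findings.append(
            "policy %r matched but does not allow %s; enable that method "
            "(one at a time) on the policy profile and restart the IAS service"
            % (a.get("Policy-Name"), a.get("Authentication-Type")))
    elif code is not None:
        # Other codes are not covered by the thread; report them verbatim.
        findings.append("reason code %s: %s" % (code, a.get("Reason", "")))
    port = a.get("NAS-Port-Type")
    if policy_port_type is not None and port != policy_port_type:
        findings.append(
            "NAS reports NAS-Port-Type %r but the policy condition requires %r; "
            "add a separate policy for the captive portal" % (port, policy_port_type))
    if a.get("Client-IP-Address") != radius_client_ip:
        findings.append(
            "request came from %s but the IAS RADIUS client is defined as %s"
            % (a.get("Client-IP-Address"), radius_client_ip))
    return findings


if __name__ == "__main__":
    for finding in triage(DENIED, "Virtual (VPN)", "10.1.2.254"):
        print("-", finding)
```

Paste a Description block from the IAS System log into `DENIED` and pass the NAS-Port-Type condition of your policy (or `None`) to get the findings; a granted entry yields an empty list.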

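The packets step 5 above tells you to look at, and the PAP point in the last paragraph, as an added example that is not m0n0wall or IAS code: it encodes the RADIUS Access-Request a captive-portal NAS sends for a PAP login and decodes it the way the server does, following RFC 2865. It goes a little beyond the thread by showing the User-Password hiding itself: PAP's password is only XOR-masked with MD5(secret || Request-Authenticator), which is why the shared secret must be strong and the m0n0-to-IAS path trusted. The username, password, secret, NAS port and MAC address are constructed values; the attribute numbers and NAS-Port-Type codes (5 = Virtual, 15 = Ethernet) are from RFC 2865.

```python
"""RADIUS PAP Access-Request as a captive-portal NAS sends it, encoded and
decoded per RFC 2865.

Added example, not m0n0wall or IAS code.  The Client-IP-Address IAS matches
on is the UDP source address (not carried here); the NAS-Port-Type a
wizard-created policy conditions on is attribute 61.  User-Password (RFC 2865
section 5.2) is XOR-masked with MD5(secret || Request-Authenticator), not
encrypted, so anyone holding the secret who sees the packet gets the
password back.  All sample values below are constructed.
"""
import hashlib
import os
import struct

# RFC 2865 packet code, attribute types and NAS-Port-Type values used here
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_PORT, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 2, 5, 31, 61
PORT_TYPE_VIRTUAL, PORT_TYPE_ETHERNET = 5, 15


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password: all a server (or anyone with the secret
    and a capture) needs to recover the cleartext."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _tlv(attr_type, value):
    # Attribute = type (1 byte), length including header (1 byte), value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, secret, username, password,
                         nas_port, calling_mac, port_type, authenticator=None):
    """Encode: code, identifier, length, 16-byte Request Authenticator, attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = b"".join([
        _tlv(USER_NAME, username.encode()),
        _tlv(USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        _tlv(NAS_PORT, struct.pack("!I", nas_port)),
        _tlv(CALLING_STATION_ID, calling_mac.encode()),
        _tlv(NAS_PORT_TYPE, struct.pack("!I", port_type)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet, secret):
    """Decode the packet the way the server does; returns the fields IAS
    shows in its event log plus the recovered cleartext password."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("malformed Access-Request")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    password = unhide_password(attrs[USER_PASSWORD], secret, authenticator)
    return {
        "identifier": identifier,
        "User-Name": attrs[USER_NAME].decode(),
        "User-Password": password.decode(errors="replace"),
        "NAS-Port": struct.unpack("!I", attrs[NAS_PORT])[0],
        "Calling-Station-Id": attrs[CALLING_STATION_ID].decode(),
        "NAS-Port-Type": struct.unpack("!I", attrs[NAS_PORT_TYPE])[0],
    }


def policy_port_type_matches(request, required_port_type):
    """The wizard-created policy condition 'NAS-Port-Type matches ...'."""
    return request["NAS-Port-Type"] == required_port_type


if __name__ == "__main__":
    secret = b"m0n0-ias-shared-secret"           # constructed
    pkt = build_access_request(6, secret, "rad1", "Secr3tPass", 6,
                               "00:0b:cd:6a:3d:18", PORT_TYPE_ETHERNET)
    print(parse_access_request(pkt, secret))
```

A captive-portal request carries NAS-Port-Type 15 (Ethernet), so `policy_port_type_matches` returns False against a policy requiring 5 (Virtual), which is the mismatch the wizard-created PPTP policy produces; decoding with a different secret yields garbage rather than an error, which is also what you see when the secret on the m0n0 and in IAS disagree.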


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam
protection around 
http://mail.yahoo.com 
