 
 From:  "Jonathan De Graeve" <Jonathan dot De dot Graeve at imelda dot be>
 To:  "Andrew Hibl" <a underscore blue underscore knight at yahoo dot com>, "S W" <lordboink at gmail dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Captive portal with Microsoft IAS
 Date:  Wed, 29 Mar 2006 23:41:29 +0200
> -----Original message-----
> From: Andrew Hibl [mailto:a underscore blue underscore knight at yahoo dot com]
> Sent: Wednesday, 29 March 2006 22:51
> To: S W
> CC: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Captive portal with Microsoft IAS
> 
> Thanks, that was what I needed. I am now able to use
> IAS for both PPTP and captive portal authentications.
> 
> The two things I missed:
> 1: I did not know what authentication protocol
> m0n0wall was trying to use.
> 2: I had used the Remote access policy wizard to
> configure the remote access policy, so I had a rule
> 'NAS-Port-Type matches "Virtual (VPN)"' in my only
> policy. I created a second policy to allow PAP
> authentications.
> 
> Does anyone have a link to more info on the m0n0wall
> captive portal regarding RADIUS authentication?
> 
It uses PAP.

There isn't any specific documentation I think...

What do you want to know?

> 
> 
> Andrew
> 
> 
> 
> --- S W <lordboink at gmail dot com> wrote:
> 
> > Andrew,
> >
> > Here's what worked for me (I assume you're using Win2k3 Server for this too,
> > and I am including all steps just for the record):
> >
> > 1. Ensure that CP works locally (ie, you get the logon prompt and can
> > connect outwards with a username defined *on the m0n0 itself*).  If you
> > don't get the logon page, check your DNS settings: first, attempt to connect
> > to a numeric website eg google at http://66.249.87.99/ - if this opens the
> > CP prompt dialog, but http://www.google.com does not, then make sure the DNS
> > forwarder is properly configured (or set your DNS server as an allowed
> > outbound IP while you're testing).
> > 2. Start sniffing on your IAS box
> > 3. Make sure your IAS box's security auditing will log authentication events
> >
> > 4. On the m0n0, define the IAS box as your radius server for the CP
> > 5. Attempt to connect via the CP; ensure you see packets incoming on the IAS
> > from the m0n0 (have a look inside them, too)
> > 6. Assuming that the packets you see arriving on your IAS box are from IP
> > 10.1.2.254, configure a Radius client in IAS, where
> >     - friendly name is <FRIENDLY>
> >     - IP is 10.1.2.254
> >     - Shared Secret is same as on the m0n0 (alphanumeric only IIRC)
> >     - Client-Vendor is 'RADIUS Standard'.
> >
> > 7. Next, configure a Remote Access Policy in IAS, where
> >     - Under the Policy Conditions, Client-IP-Address matches "10.1.2.254"
> >     - Connection response is 'Grant remote access permission'
> >
> > It sounds like you're already at this point, so if
> > authentication is
> > failing, it's probably due to the methods allowed
> > for the authentication
> > (see the Authentication tab in the Policy Profile).
> >
> > I did quite a few tests, and found that authentication only worked with
> > *only one* of the options selected - IIRC, it was PAP, but looking
> > at the now inactive IAS (which I can't test), MS-CHAP is ticked... doh!
> >
> > Sorry for that, but I'm sure that's where your problem is. Try both, but one
> > at a time (and whenever you modify the authentication settings, *restart the
> > IAS service*).
> >
> > An incorrect authentication method will give you
> > this in the IAS's System
> > Event Log:
> > Event Type:    Warning
> > Event Source:    IAS
> > Event Category:    None
> > Event ID:    2
> > Date:        02/02/2006
> > Time:        01:13:45
> > User:        N/A
> > Computer:    SERVER03
> > Description:
> > User server03\rad1 was denied access.
> >  Fully-Qualified-User-Name = SERVER03\rad1
> >  NAS-IP-Address = <not present>
> >  NAS-Identifier = <not present>
> >  Called-Station-Identifier = 00:0d:b9:11:3b:a4
> >  Calling-Station-Identifier = 00:0b:cd:6a:3d:18
> >  Client-Friendly-Name = FRIENDLY
> >  Client-IP-Address = 10.1.2.254
> >  NAS-Port-Type = Ethernet
> >  NAS-Port = 6
> >  Proxy-Policy-Name = Use Windows authentication for all users
> >  Authentication-Provider = Windows
> >  Authentication-Server = <undetermined>
> >  Policy-Name = Connections to Microsoft Routing and Remote Access server
> >  Authentication-Type = PAP
> >  EAP-Type = <undetermined>
> >  Reason-Code = 66
> >  Reason = The user attempted to use an authentication method that is not
> > enabled on the matching remote access policy.
> >
> > A successful connection looks like this (note the PAP in both - I think the
> > unsuccessful one happens when another option is selected):
> >
> > Event Type:    Information
> > Event Source:    IAS
> > Event Category:    None
> > Event ID:    1
> > Date:        02/02/2006
> > Time:        01:14:03
> > User:        N/A
> > Computer:    SERVER03
> > Description:
> > User server03\rad1 was granted access.
> >  Fully-Qualified-User-Name = SERVER03\rad1
> >  NAS-IP-Address = <not present>
> >  NAS-Identifier = <not present>
> >  Client-Friendly-Name = FRIENDLY
> >  Client-IP-Address = 10.1.2.254
> >  Calling-Station-Identifier = 00:0b:cd:6a:3d:18
> >  NAS-Port-Type = Ethernet
> >  NAS-Port = 6
> >  Proxy-Policy-Name = Use Windows authentication for all users
> >  Authentication-Provider = Windows
> >  Authentication-Server = <undetermined>
> >  Policy-Name = Connections to Microsoft Routing and Remote Access server
> >  Authentication-Type = PAP
> >  EAP-Type = <undetermined>
> >
> > Comments:
> > - Above, server03 is a member server, so the account 'rad1' was local.  If
> > your IAS is also a domain controller, you may have to check for domain\user
> > style prefixes and such.
> > - If this still fails, check that the IAS isn't passing requests on to
> > another remote Radius group server
> > - Ethereal, and the event logs are your friends
> >
> > As far as I can fathom, the difference between the PPTP and Radius
> > situations is that when a PPTP client is authenticated via IAS, the client
> > itself is talking directly to IAS, whereas via the CP, the m0n0 itself is
> > doing everything, and can't handle anything more robust than PAP.  (This is
> > supposition based on experiment, if someone more knowledgeable can clarify,
> > please do so.)
> >
> > Hope this helps,
> > boink
> >
> 
> 
> 
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam
> protection around
> http://mail.yahoo.com
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> 
>
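The exchange the thread walks through, as an added example that is not part of the original messages, the m0n0wall code, or IAS: a PAP Access-Request built and checked the way RFC 2865 specifies it, with the NAS role (what m0n0wall's captive portal does on the user's behalf) and the server role (what IAS does with the packet) both in one script. It shows why the shared secret has to match on both ends, why a policy that only permits MS-CHAP sees nothing it can use in this packet, and what a NAS gets back when the secret is wrong. The shared secret, the username rad1's password and the fixed request authenticator are constructed test values; the client IP 10.1.2.254, NAS-Port 6 and the Calling-Station-Id are reused from the event log quoted above purely as sample data.

```python
"""Added example (not code from m0n0wall, IAS, or the thread's authors): the
RADIUS PAP exchange behind a captive-portal login, written from RFC 2865.
Shared secret, password and the request authenticator are constructed values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute types from RFC 2865 (NAS-Port-Type value 15 = Ethernet, as in the IAS events).
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
CALLING_STATION_ID, NAS_PORT_TYPE, NAS_PORT_TYPE_ETHERNET = 31, 61, 15


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16n octets, XOR each block with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def avp(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the 2-octet header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_ip, nas_port,
                         calling_mac, authenticator=None):
    """NAS side (m0n0wall's captive portal): the Access-Request for a PAP login."""
    authenticator = authenticator or os.urandom(16)  # per-request nonce, also the MD5 salt
    attrs = (avp(USER_NAME, username.encode())
             + avp(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + avp(NAS_PORT, struct.pack("!I", nas_port))
             + avp(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + avp(CALLING_STATION_ID, calling_mac.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]); rejects bad lengths."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-octet header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, ident, data[4:20], attrs


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side (IAS): recover the PAP password, check it, sign the reply."""
    _, ident, req_auth, attrs = parse_packet(request)
    a = dict(attrs)
    name = a.get(USER_NAME, b"").decode(errors="replace")
    ok = False
    # A CHAP/EAP request carries no User-Password, so a PAP-only check has nothing to verify;
    # the converse (MS-CHAP-only policy, PAP packet) is the event 2 / reason 66 case above.
    if USER_PASSWORD in a and name in users:
        given = reveal_password(a[USER_PASSWORD], secret, req_auth)
        ok = hmac.compare_digest(given, users[name].encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # RFC 2865 s3: Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_reply(reply: bytes, req_auth: bytes, secret: bytes):
    """NAS side: (signature_ok, code). A reply signed with the wrong secret must be discarded."""
    code, _, resp_auth, _ = parse_packet(reply)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth), code


if __name__ == "__main__":
    SECRET, AUTH = b"m0n0shared", bytes(range(16))  # constructed; AUTH fixed for a reproducible run
    req = build_access_request(7, "rad1", "s3cret!", SECRET, "10.1.2.254", 6,
                               "00:0b:cd:6a:3d:18", AUTH)
    print("matching secret :", verify_reply(server_handle(req, SECRET, {"rad1": "s3cret!"}), AUTH, SECRET))
    print("wrong password  :", verify_reply(server_handle(req, SECRET, {"rad1": "other"}), AUTH, SECRET))
    print("secret mismatch :", verify_reply(server_handle(req, b"wrongsecret", {"rad1": "s3cret!"}), AUTH, SECRET))
```

Two things worth noticing when you run it. First, the password is hidden only by an MD5 keystream derived from the shared secret and a 16-byte nonce, so PAP over RADIUS is as strong as the secret and the network path between m0n0wall and IAS; the thread's advice to sniff on the IAS box applies equally to anyone else on that segment. Second, with a mismatched secret the server decodes garbage and sends an Access-Reject, but that reject is signed with the wrong secret, so a conforming NAS silently drops it and the user sees a timeout rather than a clean failure; that is why the IAS event log, not the captive portal, is where the real reason shows up.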