 From:  "Ryan Rothert" <ryan at rothert dot com>
 To:  "Curt Shaffer" <cshaffer at gmail dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Radius Authentication
 Date:  Thu, 2 Sep 2004 21:56:30 -0400
I'm trying to set up the Captive Portal to auth against Radius/Active
Directory. I turned on IAS, but keep getting the following error in
the system event log when trying to auth with the monowall captive
portal:

Event Type:	Warning
Event Source:	IAS
Event Category:	None
Event ID:	2
Date:		9/2/2004
Time:		9:41:26 PM
User:		N/A
Computer:	SOMENAME
Description:
User ryan was denied access.
 Fully-Qualified-User-Name = somedomain/Users/someuser
 NAS-IP-Address = <not present> 
 NAS-Identifier = m0n0wall.local
 Called-Station-Identifier = <not present> 
 Calling-Station-Identifier = <not present> 
 Client-Friendly-Name = monowall
 Client-IP-Address = 10.99.0.254
 NAS-Port-Type = Ethernet
 NAS-Port = 0
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows 
 Authentication-Server = <undetermined> 
 Policy-Name = Connections to Microsoft Routing and Remote Access server
 Authentication-Type = PAP
 EAP-Type = <undetermined> 
 Reason-Code = 66
 Reason = The user attempted to use an authentication method that is not
enabled on the matching remote access policy. 



Does monowall only use PAP for the Auth Type? I think I have PAP
enabled, but I am still getting this error. Can someone point me in the
right direction?

Thanks,
Ryan
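As an added illustration (not part of the original thread), the following Python parses an IAS Event ID 2 description like the one quoted above into its attributes and turns Reason-Code 66 into a concrete diagnosis. The sample event is constructed from the text above with placeholder names; the only reason-code mapping it knows is the one the message itself shows.

```python
import re
from typing import Dict

# Constructed sample: the IAS Event ID 2 description from the message above,
# trimmed, with the wrapped "Reason" line kept as it appears in the log.
SAMPLE_EVENT = """User ryan was denied access.
 Fully-Qualified-User-Name = somedomain/Users/someuser
 NAS-IP-Address = <not present>
 NAS-Identifier = m0n0wall.local
 Client-IP-Address = 10.99.0.254
 Policy-Name = Connections to Microsoft Routing and Remote Access server
 Authentication-Type = PAP
 EAP-Type = <undetermined>
 Reason-Code = 66
 Reason = The user attempted to use an authentication method that is not
enabled on the matching remote access policy.
"""

# Only the reason code that appears on this page; anything else reports "unknown".
REASON_TEXT = {66: "authentication method not enabled on the matching remote access policy"}


def parse_ias_event(text: str) -> Dict[str, str]:
    """Turn the 'Name = value' lines of an IAS description into a dict.

    Lines without '=' (such as the wrapped tail of "Reason") are appended to
    the previous attribute; '<not present>' and '<undetermined>' become ''.
    """
    attrs: Dict[str, str] = {}
    last = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z-]+)\s*=\s*(.*)$", line)
        if m:
            last, val = m.group(1), m.group(2).strip()
            attrs[last] = "" if val in ("<not present>", "<undetermined>") else val
        elif last:  # continuation of a wrapped value
            attrs[last] = (attrs[last] + " " + line).strip()
    return attrs


def diagnose(attrs: Dict[str, str]) -> str:
    """Explain a denial from reason code, auth type and the policy that matched."""
    code = int(attrs.get("Reason-Code") or 0)
    auth = attrs.get("Authentication-Type", "?")
    policy = attrs.get("Policy-Name", "?")
    if code == 66:
        return (f"{auth} is not enabled on policy '{policy}'; enable {auth} on the "
                f"policy that matches NAS '{attrs.get('NAS-Identifier', '?')}'")
    return f"reason {code}: {REASON_TEXT.get(code, 'unknown')}"
```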


-----Original Message-----
From: Curt Shaffer [mailto:cshaffer at gmail dot com] 
Sent: Monday, August 23, 2004 8:03 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Radius Authentication

I enabled the RADIUS and connected successfully. The users do have
access tokens to access domain resources that their RADIUS users have
access to. It is working great! Just thought I would let you all know.
Thanks for all of your help and suggestions!

--
Curt Shaffer, MCP
Wireless/Network Specialist
Chilitech Internet Solutions
www.chilitech.net
866-678-6858
efax: 1-309-412-4809

On Mon, 23 Aug 2004 19:09:41 -0400, Chris Buechler <cbuechler at gmail dot com>
wrote:
> > -----Original Message-----
> > From: Curt Shaffer [mailto:cshaffer at gmail dot com]
> > Sent: Thursday, August 19, 2004 6:00 PM
> > To: m0n0wall at lists dot m0n0 dot ch
> > Subject: [m0n0wall] Radius Authentication
> >
> > I had a quick question for anyone out there running a windows
> > network behind m0n0. I have a multi site ipsec VPN set up and it is
> > working great! The DC's are talking happily, the SQL is replicating
> > happily, and DFS is working like a dream. Now I have the need to let
> > some people in from home to run an application. Some are on dial up,
> > some on cable,dsl etc. All different OSes from 98 to Macintosh. I
> > only have 10 people that need in, so I want to keep it as
> > administratively simple as possible (Mostly meaning that I don't
> > want to have to put m0n0's at everyone's homes). So I was going to
> > have them log in with PPTP to the m0n0's. I don't want them to use
> > the same UN's and passwords as they do in the office, but I don't
> > want them to have to re-authenticate to access drives and such. My
> > question is: If I have the PPTP from the m0n0 authenticate against
> > the Radius on the servers, are those users considered authenticated
> > users in the eyes of windows so that I can set the permissions on
> > files/folders with the authenticated users group so they will not have
> > to authenticate again?
> > Thanks for all of your help
> >
> 
> You can set up the PPTP VPN to authenticate off of RADIUS on one of 
> your DC's.  I'm using this setup in a couple different network 
> environments and it works great.  But to answer your question, 
> authenticating via RADIUS on the VPN connection is not going to 
> authenticate them to the domain to access network resources.  The 
> RADIUS auth is simply to establish the VPN connection.  From there, 
> the user would have to authenticate against the DC again to access 
> network resources.
> 
> As a previous poster suggested, Citrix is a great way to go, though 
> it'll cost you a bit.  Terminal Services isn't as nice, but will get 
> the job done.  It also isn't exactly cheap.  I generally set up most 
> clients on Citrix that want a full featured remote access environment.
> That will work, for the most part, equally well no matter your
> connection speed.  Depending on the application, it might not be 
> feasible to run it over VPN on dial up, or even on broadband.
> 
> Also keep in mind remote users connecting into your network via PPTP 
> have TCP/IP access to your network, so that could be a gateway into 
> your network for worms and viruses.  With the way Citrix works, it is 
> far less likely that it could bring that junk in.
> 
> -Chris
>
