 From:  "Ryan Rothert" <ryan at rothert dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Radius Authentication
 Date:  Fri, 3 Sep 2004 13:01:24 -0400
I got it working by enabling PAP on the Win2k3 server's IAS. However,
once a second user authenticates via radius, the captive portal seems to
hang.  All traffic stops.  Anyone else seen this?

Thanks,
Ryan

-----Original Message-----
From: James W. McKeand [mailto:james at mckeand dot biz] 
Sent: Friday, September 03, 2004 9:36 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Radius Authentication

I followed this: http://www.michael-i.com/files/projects/m0n0ad/ (which I
found in Chapter 10 of the user guide:
http://www.m0n0.ch/wall/docbook/index.html) for setting up RADIUS for my PPTP
VPN.

Make sure that the "ryan" user has dial-in privileges. You also may need
to use <user>@<domain> as a login.

Hope this helps...

_________________________________
James W. McKeand


-----Original Message-----
From: Ryan Rothert [mailto:ryan at rothert dot com] 
Sent: Thursday, September 02, 2004 9:57 PM
To: Curt Shaffer; m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Radius Authentication

I'm trying to set up the Captive Portal to auth against Radius/Active
Directory.   I turned on IAS, but keep getting the following error in
the system event log when trying to auth with the monowall captive
portal:

Event Type:	Warning
Event Source:	IAS
Event Category:	None
Event ID:	2
Date:		9/2/2004
Time:		9:41:26 PM
User:		N/A
Computer:	SOMENAME
Description:
User ryan was denied access.
 Fully-Qualified-User-Name = somedomain/Users/someuser
 NAS-IP-Address = <not present>
 NAS-Identifier = m0n0wall.local
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = <not present>
 Client-Friendly-Name = monowall
 Client-IP-Address = 10.99.0.254
 NAS-Port-Type = Ethernet
 NAS-Port = 0
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = Connections to Microsoft Routing and Remote Access server
 Authentication-Type = PAP
 EAP-Type = <undetermined>
 Reason-Code = 66
 Reason = The user attempted to use an authentication method that is not
 enabled on the matching remote access policy.



Does monowall only use PAP for the Auth Type? I think I have PAP enabled,
but am still getting this error.  Can someone point me in the right
direction?

Thanks,
Ryan

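For reference, the "Authentication-Type = PAP" in the IAS event above is the
RADIUS Access-Request the captive portal sends: the cleartext password is
hidden per RFC 2865 section 5.2 by XORing it with MD5(shared secret +
Request Authenticator), which IAS reverses before handing the password to
Windows. The following is an added illustration written for this archive, not
m0n0wall's or IAS's code. It builds and parses such a request carrying the
same attributes the event shows (User-Name, NAS-Identifier, NAS-Port,
NAS-Port-Type = Ethernet, no NAS-IP-Address). The shared secret
"sharedsecret", the password "s3cret" and the fixed authenticator are
constructed test values; "ryan" and "m0n0wall.local" are taken from the
event.

```python
import hashlib
import os
import struct

# RFC 2865 code and attribute types used below
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_PORT = 5
ATTR_NAS_IDENTIFIER = 32
ATTR_NAS_PORT_TYPE = 61
NAS_PORT_TYPE_ETHERNET = 15


def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password (RFC 2865 5.2): NUL-pad to 16-byte blocks, then XOR
    each block with MD5(secret + previous ciphertext block); the 'previous
    block' for the first round is the 16-byte Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += cipher
        prev = cipher
    return bytes(out)


def decode_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side inverse: same keystream, chained on the received blocks.
    Trailing NULs are padding (PAP passwords are assumed NUL-free)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attr(type_: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", type_, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: bytes,
                         nas_identifier: str, identifier: int = 0,
                         authenticator: bytes = None) -> bytes:
    """Access-Request as a captive portal would send it for a PAP login.
    A fixed authenticator is accepted only so tests are reproducible; real
    requests need 16 unpredictable bytes, since it keys the password hiding."""
    authenticator = authenticator or os.urandom(16)
    attrs = b"".join([
        attr(ATTR_USER_NAME, username.encode()),
        attr(ATTR_USER_PASSWORD, encode_pap_password(password.encode(), secret, authenticator)),
        attr(ATTR_NAS_IDENTIFIER, nas_identifier.encode()),
        attr(ATTR_NAS_PORT, struct.pack("!I", 0)),
        attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, {attr_type: value}) with
    length checks, so a truncated or padded datagram is rejected."""
    if len(data) < 20:
        raise ValueError("RADIUS packet shorter than header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs[t] = data[pos + 2:pos + l]
        pos += l
    return code, identifier, data[4:20], attrs


def server_recover_password(packet: bytes, secret: bytes) -> bytes:
    """What the RADIUS server does before checking the password against
    Windows. With a mismatched shared secret the result is garbage, so the
    user is denied even though the password was right."""
    code, _, authenticator, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST or ATTR_USER_PASSWORD not in attrs:
        raise ValueError("not a PAP Access-Request")
    return decode_pap_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)


if __name__ == "__main__":
    secret = b"sharedsecret"  # constructed; configured on both NAS and server
    pkt = build_access_request("ryan", "s3cret", secret, "m0n0wall.local", identifier=7)
    print(len(pkt), "byte Access-Request, password recovered:",
          server_recover_password(pkt, secret))
    print("with wrong secret:", server_recover_password(pkt, b"wrong"))
```

The hiding only protects the password from a passive observer who lacks the
shared secret; the secret itself and the MD5 construction are the whole of
that protection, so the NAS-to-server leg belongs on a trusted segment.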

-----Original Message-----
From: Curt Shaffer [mailto:cshaffer at gmail dot com]
Sent: Monday, August 23, 2004 8:03 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Radius Authentication

I enabled the RADIUS and connected successfully. The users do have access
tokens to access domain resources that their RADIUS users have access to. It
is working great! Just thought I would let you all know.
Thanks for all of your help and suggestions!

--
Curt Shaffer, MCP
Wireless/Network Specialist
Chilitech Internet Solutions
www.chilitech.net
866-678-6858
efax: 1-309-412-4809

On Mon, 23 Aug 2004 19:09:41 -0400, Chris Buechler <cbuechler at gmail dot com>
wrote:
> > -----Original Message-----
> > From: Curt Shaffer [mailto:cshaffer at gmail dot com]
> > Sent: Thursday, August 19, 2004 6:00 PM
> > To: m0n0wall at lists dot m0n0 dot ch
> > Subject: [m0n0wall] Radius Authentication
> >
> > I had a quick question for anyone out there running a windows 
> > network behind m0n0. I have a multi site ipsec VPN set up and it is 
> > working great! The DC's are talking happily, the SQL is replicating 
> > happily, and DFS is working like a dream. Now I have the need to let
> > some people in from home to run an application. Some are on dial up,
> > some on cable,dsl etc. All different OSes from 98 to Macintosh. I 
> > only have 10 people that need in, so I want to keep it as 
> > administratively simple as possible (Mostly meaning that I don't 
> > want to have to put m0n0's at everyone's homes). So I was going to 
> > have them log in with PPTP to the m0n0's. I don't want them to use 
> > the same UN's and passwords as they do in the office, but I don't 
> > want them to have to re authenticate to access drives and such. My 
> > question is: If I have the PPTP from the m0n0 authenticate against 
> > the Radius on the servers, are those users considered authenticated 
> > users in the eyes of windows so that I can set the permissions on
> > files/folders with the authenticated users group so they will not have
> > to authenticate again?
> > Thanks for all of your help
> >
> 
> You can set up the PPTP VPN to authenticate off of RADIUS on one of 
> your DC's.  I'm using this setup in a couple different network 
> environments and it works great.  But to answer your question, 
> authenticating via RADIUS on the VPN connection is not going to 
> authenticate them to the domain to access network resources.  The 
> RADIUS auth is simply to establish the VPN connection.  From there, 
> the user would have to authenticate against the DC again to access 
> network resources.
> 
> As a previous poster suggested, Citrix is a great way to go, though 
> it'll cost you a bit.  Terminal Services isn't as nice, but will get 
> the job done.  It also isn't exactly cheap.  I generally set up most 
> clients on Citrix that want a full featured remote access environment.
>  That will work, for the most part, equally well no matter your 
> connection speed.  Depending on the application, it might not be 
> feasible to run it over VPN on dial up, or even on broadband.
> 
> Also keep in mind remote users connecting into your network via PPTP 
> have TCP/IP access to your network, so that could be a gateway into 
> your network for worms and viruses.  With the way Citrix works, it is 
> far less likely that it could bring that junk in.
> 
> -Chris
>

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch