Use FreeRadius as Proxy for Cisco ACS
Hi everyone, I'm setting up for my company a new Freeradius server and i have to use it as a proxy for a CISCO ACS server. But i'm new at this and don't know how to do this. What type of auth i have to use for this configuration ? Are there any HOWTO that can help me in my process ? Thanks for yours help ! | CLIENT | --------------> | FR Server | -------------> | CISCO ACS DB | GDN -- View this message in context: http://freeradius.1045715.n5.nabble.com/Use-FreeRadius-as-Proxy-for-Cisco-AC... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi,
I'm setting up for my company a new Freeradius server and i have to use it as a proxy for a CISCO ACS server. But i'm new at this and don't know how to do this.
What type of auth i have to use for this configuration ? Are there any HOWTO that can help me in my process ?
Thanks for yours help !
| CLIENT | --------------> | FR Server | -------------> | CISCO ACS DB |
if this is ALL you have, then simply add your ACS details in proxy.conf as the target for DEFAULT and NULL etc and add the details of your FR server as a RADIUS client in the ACS configuration - you will need to ensure that the shared secret you have used is the same on both ends... alan
Thanks for your reply Alan, i'm going to try that ! -- View this message in context: http://freeradius.1045715.n5.nabble.com/Use-FreeRadius-as-Proxy-for-Cisco-AC... Sent from the FreeRadius - User mailing list archive at Nabble.com.
I add my proxy Radius as a client radius in ACS, but i'm not sure of the configuration of the proxy.conf. : home_server radiusACS { ipaddr = 10.215.25.100 port = 1812 type = auth+acct secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } Do I have to put my proxy on the same Active Directory domain ? -- View this message in context: http://freeradius.1045715.n5.nabble.com/Use-FreeRadius-as-Proxy-for-Cisco-AC... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi,
home_server radiusACS { ipaddr = 10.215.25.100 port = 1812 type = auth+acct secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 }
ACS is basic. it doesnt support status-server or anything else. just treat it as a dumb RADIUS remote proxy - which means no, if you are proxying to it your box doesnt need to be in an AD or anything you can go REALLY basic realm NULL { authhost = 10.215.25.100:1812 accthost = 10.215.25.100:1813 secret = "testing123" } realm DEFAULT { authhost = 10.215.25.100:1812 accthost = 10.215.25.100:1813 secret = "testing123" } once you are familiar with the system, setup and FR, then you can go down the route of defining server pools and realms... alan
It works perfectly ! Thanks for your help Alan :) Just one more thing, my works is to implement a OTP by sms, the module is setup and works well in PAP. But i don't know how to implement it for that case (with ACS). My previous configuration was : (in the file users) cpires Cleartext-Password := "cpires", Auth-type := smsotp If i want to use "smsotp" for my authentification, do i have to put a new line in this file ? Thanks in advance :) -- View this message in context: http://freeradius.1045715.n5.nabble.com/Use-FreeRadius-as-Proxy-for-Cisco-AC... Sent from the FreeRadius - User mailing list archive at Nabble.com.
When i do radiusd -X, i have this : rad_recv: Access-Request packet from host 10.215.30.81 port 1645, id=165, length=88 User-Name = "gdanobrega" User-Password = "Gdanobreg@1" NAS-Port = 1 NAS-Port-Id = "tty1" NAS-Port-Type = Virtual Calling-Station-Id = "10.215.25.80" NAS-IP-Address = 10.215.30.81 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "gdanobrega", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "gdanobrega" [suffix] Adding Realm = "NULL" [suffix] Proxying request from user gdanobrega to realm NULL [suffix] Preparing to proxy authentication request to realm "NULL" ++[suffix] returns updated [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry gdanobrega at line 3 ++[files] returns ok ++[smsotp] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop # Executing section pre-proxy from file /etc/raddb/sites-enabled/default +- entering group pre-proxy {...} [pre_proxy_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.215.30.81/pre-proxy-detail-20120228 [pre_proxy_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.215.30.81/pre-proxy-detail-20120228 [pre_proxy_log] expand: %t -> Tue Feb 28 11:10:14 2012 ++[pre_proxy_log] returns ok Sending Access-Request of id 226 to 10.215.25.100 port 1812 User-Name = "gdanobrega" User-Password = "Gdanobreg@1" NAS-Port = 1 NAS-Port-Id = "tty1" NAS-Port-Type = Virtual Calling-Station-Id = "10.215.25.80" NAS-IP-Address = 10.215.30.81 Proxy-State = 0x313635 Proxying request 0 to home server 10.215.25.100 port 1812 Sending Access-Request of id 226 to 10.215.25.100 port 1812 User-Name = "gdanobrega" User-Password = "Gdanobreg@1" NAS-Port = 1 NAS-Port-Id = "tty1" NAS-Port-Type = Virtual Calling-Station-Id = "10.215.25.80" NAS-IP-Address = 10.215.30.81 Proxy-State = 0x313635 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Accept packet from host 10.215.25.100 port 1812, id=226, length=75 User-Name = "gdanobrega" Class = 0x434143533a454d45412d5041522d41435330312f3131383630363934322f333537373035 Proxy-State = 0x313635 # Executing section post-proxy from file /etc/raddb/sites-enabled/default +- entering group post-proxy {...} [post_proxy_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.215.30.81/post-proxy-detail-20120228 [post_proxy_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.215.30.81/post-proxy-detail-20120228 [post_proxy_log] expand: %t -> Tue Feb 28 11:10:14 2012 ++[post_proxy_log] returns ok [eap] No pre-existing handler found ++[eap] returns noop Found Auth-Type = smsotp Found Auth-Type = Accept Warning: Found 2 auth-types on request for user 'gdanobrega' Auth-Type = Accept, accepting the user Login OK: [gdanobrega] (from client swcisco port 1 cli 10.215.25.80) # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 165 to 10.215.30.81 port 1645 User-Name = "gdanobrega" Class = 0x434143533a454d45412d5041522d41435330312f3131383630363934322f333537373035 Finished request 0. Going to the next request Waking up in 4.9 seconds. Can you help me to know what kind of Authentification type is used ? Thanks everyone -- View this message in context: http://freeradius.1045715.n5.nabble.com/Use-FreeRadius-as-Proxy-for-Cisco-AC... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi,
When i do radiusd -X, i have this :
rad_recv: Access-Request packet from host 10.215.30.81 port 1645, id=165, length=88 <snip> [suffix] Proxying request from user gdanobrega to realm NULL [suffix] Preparing to proxy authentication request to realm "NULL" <snip> Sending Access-Request of id 226 to 10.215.25.100 port 1812 rad_recv: Access-Accept packet from host 10.215.25.100 port 1812, id=226, <snip>
Can you help me to know what kind of Authentification type is used ?
there is no such word as Authentification. your request was proxied to a remote proxy. it wasnt EAP, check your remote authentication server logs to see what it was doing - looks like some plain PAP to me... alan
participants (2)
-
Alan Buxey -
Maz17