Hello, My company has purchased several of the RSA Securid appliances to provide OTP for our environment. The architecture calls for proxying from a central freeRADIUS server (on RHEL 5) to the RSA Securid appliances. I am new to the RADIUS protocol (1 week now), but I have my freeRADIUS setup to proxy all requests to the RSA appliance. Using tethereal, I see the RADIUS (UDP) packets going to the RSA appliance, but I do not receive a response. Another Engineering group is responsible for the RSA appliance setup, so I have very little insight into the workings of the RADIUS server running on them. My question is do we setup the central freeRADIUS server as a client on the RSA appliance, and is there instructions out there (possible from RSA) on how to accomplish this? Thank you for your time, Chris
Yes. Your proxy need to be configured as a client on RSA radius server. Ivan Kalik Kalik Informatika ISP Dana 23/9/2008, "Chris Haskins" <chhaskins@caci.com> piše:
Hello,
My company has purchased several of the RSA Securid appliances to provide OTP for our environment. The architecture calls for proxying from a central freeRADIUS server (on RHEL 5) to the RSA Securid appliances.
I am new to the RADIUS protocol (1 week now), but I have my freeRADIUS setup to proxy all requests to the RSA appliance. Using tethereal, I see the RADIUS (UDP) packets going to the RSA appliance, but I do not receive a response.
Another Engineering group is responsible for the RSA appliance setup, so I have very little insight into the workings of the RADIUS server running on them. My question is do we setup the central freeRADIUS server as a client on the RSA appliance, and is there instructions out there (possible from RSA) on how to accomplish this?
Thank you for your time,
Chris
tnt@kalik.net wrote:
Yes. Your proxy need to be configured as a client on RSA radius server.
And I believe the RADIUS server is disabled on the appliances by default, at least it was on ours. Arran
Ivan Kalik Kalik Informatika ISP
Dana 23/9/2008, "Chris Haskins" <chhaskins@caci.com> piše:
Hello,
My company has purchased several of the RSA Securid appliances to provide OTP for our environment. The architecture calls for proxying from a central freeRADIUS server (on RHEL 5) to the RSA Securid appliances.
I am new to the RADIUS protocol (1 week now), but I have my freeRADIUS setup to proxy all requests to the RSA appliance. Using tethereal, I see the RADIUS (UDP) packets going to the RSA appliance, but I do not receive a response.
Another Engineering group is responsible for the RSA appliance setup, so I have very little insight into the workings of the RADIUS server running on them. My question is do we setup the central freeRADIUS server as a client on the RSA appliance, and is there instructions out there (possible from RSA) on how to accomplish this?
Thank you for your time,
Chris
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900
Hello, Thank you for the input. Would I setup my freeRADIUS server as a "UNIX/Linux client", or a "Communication Server", or other? Thank you, Chris Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk> Sent by: freeradius-users-bounces+chhaskins=caci.com@lists.freeradius.org 09/23/2008 11:20 AM Please respond to FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To FreeRadius users mailing list <freeradius-users@lists.freeradius.org> cc Subject Re: freeRADIUS proxy to RSA Securid tnt@kalik.net wrote:
Yes. Your proxy need to be configured as a client on RSA radius server.
And I believe the RADIUS server is disabled on the appliances by default, at least it was on ours. Arran
Ivan Kalik Kalik Informatika ISP
Dana 23/9/2008, "Chris Haskins" <chhaskins@caci.com> piše:
Hello,
My company has purchased several of the RSA Securid appliances to provide OTP for our environment. The architecture calls for proxying from a central freeRADIUS server (on RHEL 5) to the RSA Securid appliances.
I am new to the RADIUS protocol (1 week now), but I have my freeRADIUS setup to proxy all requests to the RSA appliance. Using tethereal, I see the RADIUS (UDP) packets going to the RSA appliance, but I do not receive a response.
Another Engineering group is responsible for the RSA appliance setup, so I have very little insight into the workings of the RADIUS server running on them. My question is do we setup the central freeRADIUS server as a client on the RSA appliance, and is there instructions out there (possible from RSA) on how to accomplish this?
Thank you for your time,
Chris
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Chris Haskins wrote:
Thank you for the input. Would I setup my freeRADIUS server as a "UNIX/Linux client", or a "Communication Server", or other?
Perhaps the vendor you paid large sums of money to has "documentation"? Otherwise, it's not good to expect us (who haven't been paid for the RSA product) to explain how to use it. Alan DeKok.
Hi Alan, Your point is well taken. RSA does supply documentation on how to setup their device, but I do not find anything specifically for accepting a freeRADIUS proxy running on RHEL5. Since this forum supports freeRADIUS, I felt this was an appropriate question. Thank you, Chris Alan DeKok <aland@deployingradius.com> Sent by: freeradius-users-bounces+chhaskins=caci.com@lists.freeradius.org 09/23/2008 11:48 AM Please respond to FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To FreeRadius users mailing list <freeradius-users@lists.freeradius.org> cc Subject Re: freeRADIUS proxy to RSA Securid Chris Haskins wrote:
Thank you for the input. Would I setup my freeRADIUS server as a "UNIX/Linux client", or a "Communication Server", or other?
Perhaps the vendor you paid large sums of money to has "documentation"? Otherwise, it's not good to expect us (who haven't been paid for the RSA product) to explain how to use it. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Chris Haskins wrote:
RSA does supply documentation on how to setup their device, but I do not find anything specifically for accepting a freeRADIUS proxy running on RHEL5.
Then I suggest asking them to update their documentation.
Since this forum supports freeRADIUS, I felt this was an appropriate question.
Questions about "how do I configure X to do Y" usually belong with the vendor of X. In this case "how do I configure an RSA server to..." is a question for the RSA people. I'm sorry if you feel this is inadequate for your needs. Feel free to call RSA and ask them to fix their documentation so that it more closely matches your requirements. If you want to configure *FreeRADIUS* to send packets to the RSA box, that question is appropriate here. Because it involves editing FreeRADIUS configuration files. There are literally dozens of boxes that implement RADIUS servers, and thousands of devices that implement RADIUS clients. I hope you will understand that it is *impossible* for us to answer questions about all of those devices. We didn't write the code, we didn't write the documentation, we can't file bugs for the product, we can't fix the code, and we can't fix the documentation. So asking questions here is largely a waste of time. Occasional questions about third-party products are tolerated on this list. But the focus is *FreeRADIUS* configuration. Alan DeKok.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alan DeKok wrote:
Chris Haskins wrote:
Thank you for the input. Would I setup my freeRADIUS server as a "UNIX/Linux client", or a "Communication Server", or other?
Communication Server: But i'm not sure if you add it as an agent host or if you add it specifically using the RADIUS section of the authentication manager.
Perhaps the vendor you paid large sums of money to has "documentation"? Otherwise, it's not good to expect us (who haven't been paid for the RSA product) to explain how to use it.
Second that. The manuals are pretty comprehensive. Hopefully with the RSA appliances they'll have brought a SecureCare contract which gives them access to the online documentation and product updates. They're really the ones who need to be sorting out the RADIUS side on the appliances, else they need to give you administrative access to the appliance web interface (it includes a secure RDP client) so you can sort the appliances out yourself. It's nothing to do with your FreeRADIUS installation. All you need to do there is define the RSA appliance in proxy.conf following the examples. I came so close to throwing ours across the server room... worst black box we've ever brought (...and last). Arran - -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkjZNlsACgkQcaklux5oVKKrjQCgij7ZyySlYz48dCZzyavrVFD2 Th4An0aFVeRCF0bm6eouXZp8q2Fi+T44 =H7H1 -----END PGP SIGNATURE-----
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
Chris Haskins -
tnt@kalik.net