
Radius Administrator Authentication

So I read through the other post to see if I could find some information on why RADIUS for web management isn't working. RADIUS is up, configured and working 100%.


HOWEVER... I have to make the local user first. For example if I want to use RADIUS for domain user user123, I have to make user123 locally on the firewall as an administrator. This kinda defeats the point of RADIUS. Switches have been doing this for years, and same with ASAs. Anyone figure this out?



  • Opened a ticket with support. We'll see what happens. I was looking at the access_server logs. With no user created in the local database, if an invalid username/password is entered I get a RADIUS message: radiusauth_authenticate_user: Athentication Failed for User: user123.

    If the username and password are correct I get a message handle_pam_authorization: VPN/SSLVPN/MYACC Authorization Failed, result_code=1

    Taking a wild guess here, but I'm thinking the RADIUS response isn't being handled properly and is being handed off. Maybe some sort of vendor specific option code or something to designate admin access maybe? I'm Wiresharking from NPS right now.

  • Have you set up RADIUS Accounting properly for SSO?

    XG is simply forwarding the RADIUS Authentication packets to RADIUS (you should see this in your Wireshark dump).

    Afterwards, to get a proper "Live User" in XG, you have to forward the Accounting Information back to XG.

    Wireless uses the same technique.

    https://community.sophos.com/kb/en-us/122790

    Accounting is the important information. Does your NAC solution, or whatever you use to get the authentication done in RADIUS, actually support accounting?
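To compare a Wireshark capture against what a correct RADIUS Accounting-Request Start looks like on the wire (the packet the reply above says must be forwarded to XG to create the live user), here is an added Python example; it is not code from this thread or from Sophos, and the shared secret, addresses and session id are constructed placeholders. It builds the packet per RFC 2866, computes and verifies the Request Authenticator the way a receiving server would, and decodes the attributes.

```python
import hashlib
import socket
import struct

ACCOUNTING_REQUEST = 4                      # RADIUS Code for Accounting-Request
# Attribute types from RFC 2865 / RFC 2866
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 4, 8
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCT_START = 1                              # Acct-Status-Type value "Start"


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type | Length | Value (length counts the 2-byte head)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_acct_start(secret: bytes, identifier: int, user: str,
                     client_ip: str, nas_ip: str, session_id: str) -> bytes:
    """Accounting-Request Start. Request Authenticator = MD5(Code + ID + Length +
    16 zero octets + Attributes + Secret), RFC 2866 section 3."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(FRAMED_IP_ADDRESS, socket.inet_aton(client_ip))
             + attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
             + attr(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_acct_request(packet: bytes, secret: bytes) -> bool:
    """Recompute the Request Authenticator with the shared secret; a mismatch
    means the wrong secret or a tampered packet and must be discarded."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + attrs + secret).digest() == auth


def parse_attrs(packet: bytes) -> dict:
    """Decode the attribute TLVs after the 20-byte header into {type: value}."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


if __name__ == "__main__":
    # Constructed sample values; "testing123" is a placeholder secret.
    pkt = build_acct_start(b"testing123", 7, "user123", "10.0.0.25", "10.0.0.1", "sess-0001")
    print(pkt.hex(), verify_acct_request(pkt, b"testing123"), parse_attrs(pkt))
```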