CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Having problems with AAA configuration in NOKIA. Using this document's instructions: http://www.etsec.com/PDFs/nokia/Whit...ing_RADIUS.pdf

I already have Client Authentication set up on this firewall; it works perfectly. What else do I need to do to enable ACE to respond? Receiving these errors:

firewall[admin]#
Nov 8 19:53:25 firewall [LOG_ERR] httpd: rad_send_request failed: No valid RADIUS responses received
Nov 8 19:53:25 firewall [LOG_ALERT] httpd: PAM_httpd: check pass; user unknown
Nov 8 19:53:25 firewall [LOG_NOTICE] httpd: PAM_httpd: authentication failure; root(uid=65534) -> <username> for httpd service
You're mixing things up a bit by the looks of it. Client Authentication and Nokia AAA are handled by separate processes, and the configuration for them is different. Are you using Native SecurID for the Client Authentication?

If you want to get the Nokia box to use RADIUS auth, and you're using your ACE server for it, you'll need to enable RADIUS on the ACE server if you haven't already done so.

Are you seeing traffic generated from the firewall towards your RADIUS server? Are you seeing responses? What do your logs on the RADIUS server say? Which IPSO version are you using?
Quote: Are you using Native SecurID for the Client Authentication?

Yes, I'm using Native SecurID with the ACE Agent type configured as UNIX.

Quote: If you want to get the Nokia box to use RADIUS auth, and you're using your ACE server for it, you'll need to enable RADIUS on the ACE server if you haven't already done so.

I have both RADIUS and TACACS daemons running and have tried one or the other. From what I've been told, I can only set up the Agent Type in ACE to accept one or the other: UNIX (Client Authentication) or Communication for TACACS or RADIUS.

Quote: Are you seeing traffic generated from the firewall towards your RADIUS server?

Since I have "sufficient" configured, I am seeing NEW-RADIUS traffic generated, but then HTTP picks up since it is sufficient.

Quote: Are you seeing responses? What do your logs on the RADIUS server say?

ACE is not seeing the request from the firewall.

Quote: Which IPSO version are you using?
So if the firewall is generating the RADIUS packets, but the ACE server is not logging it, does that indicate that RADIUS is possibly blocked along the way? Run tcpdump or fw monitor on the firewall, and look for responses as well as requests.
I get the error NO RESPONSE FROM RADIUS SERVER. But I am able to communicate between both systems... even opened ACLs to the VLANs. But in what mode should I have the agent configured so that it will allow both client and Nokia authentication?
Yes, you get an error saying no response from RADIUS server, but if you actually look at the traffic on the wire, with tcpdump or fw monitor, do you see packets leaving your firewall and/or packets returning? Do you see packets reach your ACE server?

I'm not an ACE server expert, but can't you have it set up for both RADIUS and SecurID? Multiple agents if necessary.
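The check the replies above keep coming back to (look on the wire for responses, not just requests) amounts to pairing each Access-Request the firewall sends with a reply carrying the same RADIUS Identifier. The script below is an added example, not code from this thread or from Nokia/ACE; it decodes the RADIUS header defined in RFC 2865 and reports request IDs that never got an answer, run over a constructed sample capture (the `build`, `correlate` and `unanswered` helper names are my own).

```python
import struct
from collections import OrderedDict

# RADIUS packet codes from RFC 2865
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def parse_radius(payload: bytes) -> dict:
    """Decode the fixed 20-byte RADIUS header: Code, Identifier, Length, Authenticator."""
    if len(payload) < 20:
        raise ValueError("too short for a RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("bad RADIUS Length field")
    return {"code": code, "name": CODES.get(code, f"code-{code}"), "id": ident,
            "authenticator": payload[4:20], "attrs": payload[20:length]}

def correlate(packets) -> "OrderedDict[int, dict]":
    """packets: iterable of (direction, udp_payload); direction is 'out' for
    firewall -> RADIUS server and 'in' for the reverse.  Returns id -> request/response names."""
    state = OrderedDict()
    for direction, payload in packets:
        pkt = parse_radius(payload)
        if direction == "out" and pkt["code"] == 1:
            state[pkt["id"]] = {"request": pkt["name"], "response": None}
        elif direction == "in" and pkt["id"] in state:
            state[pkt["id"]]["response"] = pkt["name"]
    return state

def unanswered(packets) -> list:
    """Identifiers of Access-Requests with no matching reply: the 'no valid RADIUS responses' case."""
    return [i for i, s in correlate(packets).items() if s["response"] is None]

def build(code: int, ident: int, attrs: bytes = b"") -> bytes:
    """Constructed sample packet; the Authenticator is zeroed, which is fine for header parsing."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + b"\x00" * 16 + attrs

# Constructed sample capture: two requests leave the firewall, only the first is answered.
SAMPLE = [
    ("out", build(1, 7, b"\x01\x07user1")),   # User-Name attribute: type 1, length 7
    ("in", build(3, 7)),                       # Access-Reject for id 7
    ("out", build(1, 8, b"\x01\x07user2")),   # id 8 never gets a reply
]

if __name__ == "__main__":
    for ident, s in correlate(SAMPLE).items():
        print(f"id {ident}: {s['request']} -> {s['response'] or 'NO RESPONSE'}")
```

An Access-Reject still counts as a response here; it means the server saw the request and the problem is credentials or agent configuration, whereas an empty response column points at the path to the server.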