Authentication type PAP or CHAP for RADIUS?
Following on from my epic headache a little while back:
http://www.techexams.net/forums/viewtopic.php?t=21983
I have been trying to set this up in a real world environment. I am halfway there currently, I just have one problem. When I try to test a user on the internet, I have this error returned from IAS system logs:
Fully-Qualified-User-Name = sceuvisinet.biz/Users/test
NAS-IP-Address = 10.128.34.254
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = radius client 2
Client-IP-Address = 10.128.34.253
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
Now, in my test environment I used a 5xp juniper netscreen model, but in the real world setup it is a ssg5 model. Here is a link on the juniper knowledge base I have found regarding authentication types:
http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108012c3c190677c
Notice, on the seemingly older firewall models it is recommended to switch to PAP rather than CHAP.
Now I think this should be the fix for it, I will test it today when I go onsite, but if not could it be the actual end client's authentication type on the wireless LAN? Even though I'm fairly sure no wireless authentication is being used for now.
Anyway, if anyone can shed some light on this from experience you will get many thank you's.
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
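An added example, not part of the original post: a small Python parser for the IAS event text quoted above, which pulls out the matched policy and the authentication method the RADIUS client asked for when the event carries Reason-Code 66. The function names and the embedded sample (copied from the post and flattened onto one line) are constructed for illustration.

```python
import re

# Constructed sample: the event from the post, flattened the way log exports often arrive.
SAMPLE_EVENT = (
    "Fully-Qualified-User-Name = sceuvisinet.biz/Users/test "
    "NAS-IP-Address = 10.128.34.254 NAS-Identifier = <not present> "
    "Client-Friendly-Name = radius client 2 Client-IP-Address = 10.128.34.253 "
    "NAS-Port-Type = <not present> NAS-Port = <not present> "
    "Proxy-Policy-Name = Use Windows authentication for all users "
    "Authentication-Provider = Windows Authentication-Server = <undetermined> "
    "Policy-Name = Connections to other access servers "
    "Authentication-Type = PAP EAP-Type = <undetermined> Reason-Code = 66 "
    "Reason = The user attempted to use an authentication method that is "
    "not enabled on the matching remote access policy."
)

# A name is a hyphenated token followed by " = "; its value (which may contain
# spaces) runs until the next "Name = " or the end of the text.
_ATTR = re.compile(
    r"([A-Z][A-Za-z-]*) = (.*?)(?=\s+[A-Z][A-Za-z-]* = |\s*$)", re.S
)
_ABSENT = ("<not present>", "<undetermined>")


def parse_ias_event(text):
    """Return {attribute: value}; absent/undetermined attributes map to None."""
    fields = {}
    for name, value in _ATTR.findall(text):
        value = value.strip()
        fields[name] = None if value in _ABSENT else value
    return fields


def triage_method_mismatch(fields):
    """For Reason-Code 66, report which policy matched and which method was requested."""
    if fields.get("Reason-Code") != "66":
        return None
    return {
        "user": fields.get("Fully-Qualified-User-Name"),
        "radius_client": fields.get("Client-Friendly-Name"),
        "client_ip": fields.get("Client-IP-Address"),
        "matched_policy": fields.get("Policy-Name"),
        "requested_method": fields.get("Authentication-Type"),
    }


if __name__ == "__main__":
    for key, value in triage_method_mismatch(parse_ias_event(SAMPLE_EVENT)).items():
        print(f"{key}: {value}")
```

The output names the remote access policy that was matched ("Connections to other access servers") and the method the client sent (PAP), which are the two things to compare when this error appears.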
Comments
Pash Member Posts: 1,600
For anyone interested, PAP is still the authentication method used between RADIUS server and ssg5 juniper netscreen. The fix?....well a restart of the server did it......baffling.
Btw if anyone wants documentation on how to achieve this, let me know.

MikeMurphey Member Posts: 1
I would love to see some documentation on how to do this. I've got a site-to-site VPN using 2 Juniper SSG 5's working, but now I need to set up dialup VPN, with RADIUS for auth.