Wireless LAN RADIUS Authentication - Need a RADIUS nut

Pash Member Posts: 1,600
Basically our customer requires a secure wireless LAN for visitors to use. We have a Juniper SSG-5 firewall sitting between the dedicated ADSL line and the WAPs. This RADIUS server will sit in a DMZ within this LAN for AAA.

Now I know for a fact RADIUS can only work with an AD domain or NT 4.0 domain or SAM. I'm not sure in this scenario that we want a domain specifically for the customer visitors, so that leaves using a SAM for authentication. So this is the first hurdle because I'm unsure how to configure this and test it, even after reading pages upon pages from the internet.

I have a box here that I'm testing on, where I do have an AD domain, and I have this sitting on a network behind a Juniper 5XP firewall for testing purposes only. I have set up IAS and I have configured the RADIUS client to be the trust port on the Juniper firewall for the purpose of this test lab. I have set up a remote access policy and selected Ethernet as the access method, again purely for the test lab (our ultimate goal is wireless authentication). I have selected Domain Users and Domain Computers for user/group access on the AD domain and run through the relevant security authentication. Where to go from here is a mystery for me. I have tried logging my laptop onto the domain and checked the IAS logs and server event viewer and found nothing, zilch. My first question is how do I check if it's working? Second question is have I missed anything?

If anyone can help me it would be much appreciated, I'm on MSN at markpashby@hotmail.com
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.

Comments

  • Pash Member Posts: 1,600
    Required Solution: Customer has a wireless LAN that requires users to be authenticated using a RADIUS server rather than using the basic and limited authentication service provided on the firewall itself. It's requested that the users do not need to join a domain and just need to provide a login username and password when they want to surf the web and the company guest intranet.

    Test LAB:

    1x 2003 server install with AD, IAS and DNS service installed.
    Juniper 5XP firewall
    Laptop client

    I have configured the Juniper 5XP firewall to point towards my preset IAS RADIUS server. I have set up a firewall policy on the firewall that allows users of my trusted zone to have HTTP, HTTPS and DNS outgoing traffic to my untrust zone. This policy is set up to use authentication and points towards my IAS RADIUS server. I have also set it up to authenticate for an external user group which I have named Domain Computers (I'm not sure if this step is required).

    OK, onto my IAS setup. I have configured my RADIUS client as my firewall and set the Client Vendor as RADIUS Standard. I have set the shared secret the same as the shared secret on the 5XP firewall. I then set up a remote access policy and set the "type" as VPN and then placed the Domain Users and Domain Computers groups into the group match for the policy. I set the policy up to use PAP authentication because after reading Juniper knowledge base documentation apparently only PAP is supported when configuring an IAS RADIUS auth setup. I set the EAP type as Smart Card or certificate. I have already issued a certificate using a 3rd party application for the IAS server to use.

    I have created a few test AD accounts and also I have raised the domain native level to 2003, and selected "use the remote access policy" for the three test users.

    OK, that's my setup; to my limited knowledge regarding IAS and RADIUS I think I have thought of every step. Now, as a test I connect my laptop to the trust network and open up Internet Explorer and to my joy I get a window asking for authentication. So I put in the login details of one of the AD users that I had created. So for example username: test, password: test. Now, if I check the event viewer I get IAS logs, which to me so far is a good thing. The error returned is reason code=48, Reason=The connection attempt did not match any remote access policy. So I double check the remote access policy to make sure that Domain Users and Domain Computers are selected. To my understanding any computer that's connected to the network is part of the Domain Computers group, whether or not the client is logged into the domain.

    Now after hours and hours of testing and rebuilding everything and reading link after link after link, I'm well stuck. Because now I have no other methods of troubleshooting, I'm pretty much out of ideas.
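    The post above describes the two things the firewall and IAS have to agree on for PAP to work: the shared secret and the plain-text password hidden with it. The exchange below is an added example (not code from the thread, Juniper or Microsoft) that models that RADIUS PAP round trip per RFC 2865: the NAS hides the User-Password with MD5(secret + Request Authenticator), the server recovers and checks it against a constructed user table standing in for AD, and the NAS verifies the Response Authenticator on the reply. The user "test"/"test", the NAS address 192.168.1.1 and the secrets are constructed sample values.

```python
"""RADIUS PAP exchange modelled after the lab above: the firewall (NAS)
hides the password with the shared secret and a random Request
Authenticator, the server recovers it, checks it, and signs its answer with
a Response Authenticator that only a NAS holding the same secret can verify
(RFC 2865). Added example, not code from the thread.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

# Constructed stand-in for the AD account store; real IAS asks the domain.
USERS = {"test": "test"}


def _pack_attrs(pairs):
    """Encode (type, value) pairs as RADIUS TLVs: type, length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def _parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password, secret, req_auth):
    """User-Password: pad to 16 bytes, XOR each block with MD5(secret + prev)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    # A wrong secret yields garbage here, not an error: on a plain PAP
    # request the server cannot tell a secret mismatch from a bad password.
    return out.rstrip(b"\x00").decode("utf-8", "replace")


def build_access_request(ident, secret, username, password, nas_ip):
    req_auth = os.urandom(16)
    attrs = _pack_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password, secret, req_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs


def server_respond(request, secret, users):
    """Server side: recover the PAP password, decide, and sign the reply."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = _parse_attrs(request[20:length])
    user = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # no reply attributes
    resp_auth = hashlib.md5(header + req_auth + secret).digest()
    return header + resp_auth


def client_verify(response, request, secret):
    """NAS side: Response Authenticator = MD5(Code+ID+Len+ReqAuth+Attrs+Secret)."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]


def run_exchange(username, password, nas_secret, server_secret, users=USERS):
    """Return (reply code, whether the NAS accepts the reply as genuine)."""
    request = build_access_request(7, nas_secret, username, password, "192.168.1.1")
    response = server_respond(request, server_secret, users)
    return response[0], client_verify(response, request, nas_secret)


if __name__ == "__main__":
    print(run_exchange("test", "test", b"abc1234", b"abc1234"))    # (2, True)
    print(run_exchange("test", "wrong", b"abc1234", b"abc1234"))   # (3, True)
    print(run_exchange("test", "test", b"abc1234", b"abc12345"))   # (3, False)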
  • sprkymrk Member Posts: 4,884
    To my understanding any computer that's connected to the network is part of the Domain Computers group, whether or not the client is logged into the domain.

    Did you join the laptop to the domain? You don't need to be logged in with a domain user account for the computer to be a member, but the computer itself must be joined to the domain.

    The only other thing I ran into was a bug with the shared secret. I thought the bug was with the firewall vendor, but maybe it was in IAS. I had to use a 7 character shared secret, anything longer and authentication failed.
    All things are possible, only believe.
  • sprkymrk Member Posts: 4,884
    When you specified the remote access policy, what exactly did you specify? If you can be as specific and as detailed as possible it would help.
  • Pash Member Posts: 1,600
    Hi Sprkymrk,

    Thanks for your response dude. Yes I have joined the laptop to the domain (without logging into the domain) for the test environment but I didn't know this would be a requirement for using IAS in an AD environment, something I shall have to report back to my colleague. And I'm using an 8-character shared secret currently. I'll try a 7-character secret and amend it on the firewall and IAS server to see if this helps.

    In the remote access policy I specified it as a VPN type and added the Domain Users and Domain Computers groups to the policy from my domain. I selected MS-CHAPv2 first of all for authentication because for some reason on the initial setup wizard you can't select PAP (probably because it's **** :p). I haven't bothered with the EAP auth setting because under the real world scenario I won't be authenticating any WAPs or anything, just trust to untrust traffic through our Juniper SSG-5 firewall (yes, for my test I'm using a different model, but the principle remains the same). Anyway, after I have created the policy I go back in and edit the profile for the policy and change the authentication type to PAP and uncheck MS-CHAPv2. I will take a screenshot of my policy syntax (the AND operators) when I'm back at the main office later, mate.

    Really appreciate your posts, fella. Please ask if I can specify anything further.

    Cheers
  • sprkymrk Member Posts: 4,884
    Okay, screenshots or the exact policy wording might help. I don't think you must use an AD computer account, I thought you specified it in the policy.

    Also, remember the RADIUS client is not the laptop, but your firewall. Try adding this policy first:

    "Client IP Address Matches" and enter the IP address of your firewall interface facing the IAS server. Then add the "Windows Group matches" followed by domain\group. And then make sure the little radio button below is set to "Grant remote access permission". I have seen people forget this. Okay, it was me.

    When the login prompt appears, you don't need to specify domain\user. Just the user name alone should be all that's required.
  • sprkymrk Member Posts: 4,884
    Oh and finally, you may have to check with your firewall vendor for any advanced settings to apply on the "Edit Profile". I had to set:

    "Framed-Protocol" - RADIUS Standard - PPP and
    "Service-Type" - RADIUS Standard - Framed
  • Pash Member Posts: 1,600
    Brilliant, cheers dude, I'll try those things tomorrow. I'm fairly sure I have the correct vendor settings installed, but I'll double check.

    Thanks again.
  • Pash Member Posts: 1,600
    Hmmm, still none of the above seems to work. My remote policy is as follows:

    NAS-Port-Type matches "Virtual [VPN]" AND
    Windows-Groups matches "WIFITEST\Domain Computers;WIFITEST\Domain Users" AND
    Client-IP-Address matches "192.168.1.1"

    I have enabled "grant remote access permission". I'm using PAP as my authentication type. I have selected basic, strong and strongest encryption, although to be fair I'm not sure what encryption is supported by the Juniper NetScreen and I can't seem to find an answer to this. I have enabled my vendor specific attributes as instructed by the Juniper knowledge base and left the two default attributes in there:

    Vendor-Specific RADIUS STANDARD Domain Computers
    Framed-Protocol RADIUS STANDARD PPP
    Service-Type RADIUS STANDARD Framed

    I haven't touched the rest of the settings in the edit profile, left them all as default, which I think is OK? Of course in the AD user profiles I have enabled "Control Access through Remote Access Policy".

    Now, when trying to access the internet through my laptop again I'm still getting reason code: 48, reason: The connection attempt did not match any remote access policy. I know for a fact that the AD user details are being processed because if I type in a wrong password or username it returns reason code: 16, reason: Authentication was not successful because an unknown user name or incorrect password was used. So I'm really not sure why it's not passing this stage. I mean it looks like it's actually pulling the user details from the AD database but it's not matching my policy, which is strange?

    Well lost, gonna go bash my head against a wall :p

    Cheers.
  • Silver Bullet Member Posts: 676
    In what order are your policies? and what are they allowing/not allowing?

    I think sprkymrk suggested screenshots....those would be great.
  • Pash Member Posts: 1,600
    I have a feeling the reason it's not meeting my policy is because it doesn't see a VPN connection, because I don't have a VPN server or Routing and Remote Access running. Going to look at that.
  • Pash Member Posts: 1,600
    Silver Bullet: The policies are in the order I have typed above. I would provide screenshots but I don't have any image software on the server and I can't RDP into the server and do them from my PC because I can't route traffic to my test lab atm (can't log in to our company firewall and add a static route).

    Cheers fella.
  • sprkymrk Member Posts: 4,884
    Hey Pash, try two things please:

    Remove the policy requiring the Windows group "Domain Computers", since your firewall is not a domain computer.

    Second, make sure the user account has dial-in access allowed.
  • Pash Member Posts: 1,600
    Tried both, mate, just now. But the way I understand it is the remote access policy is for the users who are trying to authenticate, right? So having the user account's access be controlled via the remote access policy should be correct? And also for the remote access policy to work correctly with the AD database, doesn't Domain Computers need to be added? I mean I really am not sure myself, these are only things I have read from guides, but there seems to be a lack of documentation for this type of arrangement anywhere.

    From a layer 3 perspective my firewall picks up the authentication requests by my laptop to the RADIUS server.

    http://www.digitalempathy.pwp.blueyonder.co.uk/RADIUSIAS/junipereventlog.JPG

    However why it drops the request I just canny find out, captain.

    And it's particularly **** me off because I have to have this figured out before next Monday, and I'd actually like to rest this weekend as it's my first two day weekend in a few weeks.

    Thanks for your help guys. Much appreciated.
  • sprkymrk Member Posts: 4,884
    Pash wrote:
    Tried both, mate, just now. But the way I understand it is the remote access policy is for the users who are trying to authenticate, right? So having the user account's access be controlled via the remote access policy should be correct?

    Correct.
    Pash wrote:
    And also for the remote access policy to work correctly with the AD database, doesn't Domain Computers need to be added?

    No. Think about remote users on a home computer using the VPN to work from home.

    Just so we're on the same page, let me clarify in case I wasn't clear in my last post. I just wanted you to remove the policy that requires the "Domain Computers" group. Leave the requirement for the "WIFITEST\Domain Users" group. Is that what you did, or did you also remove the Domain Users?

    Sorry about the deadline. I had a heck of a time getting RADIUS to work with our firewall too, but it ended up being that shared secret bug.
  • Pash Member Posts: 1,600
    Hi Sprkymrk,

    Yes I left the Domain Users group when I tried again, I also selected "Allow Access" in the dial-in section for the test AD user. It's still returning the same IAS error. I mean am I correct in saying if the firewall is seeing a RADIUS authentication fail that the configuration there is fine and it's still down to my remote access policy?

    Thanks again.
  • sprkymrk Member Posts: 4,884
    Yes, I think it's a policy issue too. If you don't mind, can you remove the policy:
    NAS-Port-Type matches "Virtual [VPN]"

    And then change the order of your other two policies so the IP Address matches is first and the Windows Group matches is second, and don't include the Domain Computers. So it would just look like this:

    Client-IP-Address matches "192.168.1.1" AND
    Windows-Groups matches "WIFITEST\Domain Users"

    Also leave the "Grant Dial-In Access" allowed in ADUC as that is necessary to my understanding.

    If we can get the policies down to a bare minimum and still utilize RADIUS maybe we can figure out what is causing the problem and work from there.
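    Both the three-condition policy Pash posted earlier (NAS-Port-Type, Windows-Groups, Client-IP-Address) and the stripped-down two-condition policy suggested here can be walked through with a small model of how IAS evaluates remote access policies: policies are tried in order, every condition inside one policy must hold (they are ANDed, as the "AND" in the posted policy shows), and if no policy matches IAS logs reason code 48. This is an added example, not IAS code or anything from the thread. It assumes that the firewall's Access-Request carries no NAS-Port-Type attribute at all, models "Windows-Groups matches a;b" as membership in at least one listed group, and uses a constructed user-to-group table in place of AD; the user names and the group names are sample values taken from the thread's own policy text.

```python
"""Toy model of how IAS walks its remote access policies for one request.
Policies are tried in order; the first one whose conditions (all ANDed) hold
is applied. If none holds, IAS logs reason code 48, the error seen in the
thread. Added example, not IAS code. The request attributes, the AD group
table and the absence of NAS-Port-Type on the firewall's request are
assumptions of this model, not facts from the thread.
"""

REASON_NO_POLICY_MATCH = 48

# Constructed request as IAS would see it. Client-IP-Address is the RADIUS
# client (the firewall), which IAS fills in from the packet's source address.
# Assumed: the firewall sends no NAS-Port-Type attribute.
REQUEST_FROM_FIREWALL = {
    "User-Name": "test",
    "Client-IP-Address": "192.168.1.1",
}

# Constructed stand-in for AD: group membership of the *user* accounts that
# authenticate. A user account is not a member of Domain Computers.
AD_USER_GROUPS = {
    "test": {"WIFITEST\\Domain Users"},
    "guest": set(),
}


def attribute_matches(name, value):
    """Condition on one request attribute; an absent attribute never matches."""
    return lambda req: req.get(name) == value


def windows_groups_matches(spec, groups=AD_USER_GROUPS):
    """'Windows-Groups matches "a;b"', modelled as any-of over the list."""
    wanted = set(spec.split(";"))
    return lambda req: bool(groups.get(req.get("User-Name"), set()) & wanted)


def evaluate(policies, request):
    """Return (policy name, None) on the first match, else (None, 48)."""
    for name, conditions in policies:
        if all(cond(request) for cond in conditions):
            return name, None
    return None, REASON_NO_POLICY_MATCH


# The policy as first posted in the thread.
POLICIES_ORIGINAL = [
    ("Firewall users", [
        attribute_matches("NAS-Port-Type", "Virtual [VPN]"),
        windows_groups_matches("WIFITEST\\Domain Computers;WIFITEST\\Domain Users"),
        attribute_matches("Client-IP-Address", "192.168.1.1"),
    ]),
]

# The stripped-down policy suggested in the post above.
POLICIES_MINIMAL = [
    ("Firewall users", [
        attribute_matches("Client-IP-Address", "192.168.1.1"),
        windows_groups_matches("WIFITEST\\Domain Users"),
    ]),
]


def minimal_conditions_reversed():
    """The minimal policy with its two conditions swapped: because conditions
    inside one policy are ANDed, their order cannot change the outcome."""
    name, conds = POLICIES_MINIMAL[0]
    return [(name, list(reversed(conds)))]


if __name__ == "__main__":
    print(evaluate(POLICIES_ORIGINAL, REQUEST_FROM_FIREWALL))   # (None, 48)
    print(evaluate(POLICIES_MINIMAL, REQUEST_FROM_FIREWALL))    # ('Firewall users', None)
    print(evaluate(minimal_conditions_reversed(), REQUEST_FROM_FIREWALL))
    vpn_request = dict(REQUEST_FROM_FIREWALL, **{"NAS-Port-Type": "Virtual [VPN]"})
    print(evaluate(POLICIES_ORIGINAL, vpn_request))             # ('Firewall users', None)
    print(evaluate(POLICIES_MINIMAL, {"User-Name": "guest",
                                      "Client-IP-Address": "192.168.1.1"}))  # (None, 48)
```

    In this model the original policy fails only because the request never carries NAS-Port-Type "Virtual [VPN]"; add that attribute and the same policy matches, which is the quickest way to see which single condition is the one a real request is not meeting.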
  • Pash Member Posts: 1,600
    Mate, you're a star. Changing the policy order has done the trick. I'm now testing various different changes in the setup to see what happens. I seriously got up outta my chair in the office, ran into a clear space and did a running circle on the floor whooping a lot (like Homer Simpson).

    BIG THANKS! :D
  • Pash Member Posts: 1,600
    OK, the solution is all but complete. However, as a side request, would it be possible to have redirection after the RADIUS has authenticated? I have already had a look around but information is sparse.

    Anyone have any ideas? Much appreciated.
  • Pash Member Posts: 1,600
    Well, a demo is being provided to the customer hopefully tomorrow morning by myself and my colleague. One of the huge issues with our proposed solution is of course the fact that Active Directory allows multiple login instances using the same account credentials (the workaround suggested by Microsoft is the biggest load of crap you will ever read, especially when you know a NetWare backbone can provide a simple option as required). This is a real pain in the arse unless the customer's administration is very organised. However, things like logon hours and account expiration are still nice functionalities which work as intended.

    If they don't like it??? I'll bash my head on a wall if they don't, but I've started looking at other backups failing this. Maybe some kind of captive portal solution or open source solution such as ChilliSpot and FreeRADIUS on a Linux server. I've started having a go at this and I'm getting there, considering I hadn't even used Linux properly prior to this week.
  • sprkymrk Member Posts: 4,884
    Hi Pash, sorry I don't know why I hadn't seen your updated posts until now. Glad you got it working!
  • Pash Member Posts: 1,600
    Mr Webmaster, I have sent you a PM about maybe hosting documentation regarding RADIUS authentication using AD with a firewall setup. Have a read and if you think it's good to host please let me know :)