Ironport S170 and Microsoft RADIUS

MikeM-2468 (Level 1)

I'm trying to setup management logins for the IronPort S170 using RADIUS.  I have the Windows server configured and the server information is in the S170, but I'm having trouble with the Group Mapping.  Under the RADIUS Class Attribute, what is an example of something that would go there?  Is it an AD group?  If not, is it some attribute number that I need to configure on the AD user object?  If so, where?  TAC has no idea how to do this. 

14 Replies

So the first question is, if you set up the user, and check the box to map everyone authed via radius as admins, does that work?

The Class Attribute is any string or strings you want to use.  When you set up the users in the WSA, you specify which string gets mapped to the Admin role, which gets mapped to the ReadOnly role, etc.  (e.g. here I set it to "WSAAdmin")

It may be that the Class Attribute gets mapped in the NAP server as a group name, but it can be anything... I use Steel Belted at the moment, and we just set it on the user, but you could have the NAP policy set it based on group membership, or whatever...

It doesn't work when I set it to "Map all externally authenticated users to the Administrator role". 

Ok... so you need to chase that down as it's the simplest config.  Check the External Auth Logs on the WSA. Try looking at a packet capture and see what's going on between the WSA and the RADIUS box... 

Take a look at this:

http://blog.skufel.net/2012/06/how-to-integrating-cisco-devices-access-with-microsoft-npsradius/

It was a bad secret.  Evidently it didn't like the long and complex generated secret.  So now that works.  Next is how to narrow it down to a group.

That link I posted has info on how to set up the policy based on AD group too... it's built for Cisco hardware; the WSA stuff is just an extension of what's there... (standard RADIUS attribute instead of Cisco attribute, etc.)

That seems to go into more router/switch specific stuff.  I tried to put together what I thought was correct.  But what gets added to the RADIUS Class Attribute in the WSA?  The Windows Group name?

On the MS side, in the Settings tab for the policy you tell it to send a standard RADIUS attribute of "Class" with a value of whatever you want... then that value gets set on the WSA and mapped to a role.

Sent from Cisco Technical Support Android App
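To make the two points in this thread concrete (the bad shared secret that broke the first attempt, and the Class attribute that carries the role string), here is an added Python example that is not from the original posts: it builds a constructed Access-Accept carrying Class = "WSAAdmin", checks the Response Authenticator with the right and wrong secret, and maps the Class string to a role. The role names and the ROLE_MAP table are assumptions for illustration, not WSA configuration.

```python
"""Constructed RADIUS Access-Accept: secret check and Class-to-role mapping."""
import hashlib
import struct

ACCESS_ACCEPT = 2
ATTR_CLASS = 25  # standard RADIUS Class attribute (RFC 2865)

# Assumed mapping, in the spirit of the WSA RADIUS user settings:
# the Class string the NPS policy sends -> the appliance role.
ROLE_MAP = {"WSAAdmin": "Administrator", "WSAReadOnly": "Read-Only"}


def build_access_accept(ident, request_auth, secret, attrs):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret):
    """Client-side check with our copy of the secret; a mismatched secret
    (the root cause found in this thread) makes the reply unverifiable."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return expected == packet[4:20]


def parse_attributes(packet):
    """Walk the type/length/value list that follows the 20-byte header."""
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def role_for(packet):
    """Return the role mapped from the first Class attribute, or None."""
    for t, v in parse_attributes(packet):
        if t == ATTR_CLASS:
            return ROLE_MAP.get(v.decode("utf-8", "replace"))
    return None


if __name__ == "__main__":
    req_auth = bytes(range(16))  # constructed Request Authenticator
    pkt = build_access_accept(7, req_auth, b"correct-secret", [(ATTR_CLASS, b"WSAAdmin")])
    print(verify_response(pkt, req_auth, b"correct-secret"), role_for(pkt))
```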

That's what I thought.  I tried that and I get auth failures.  In the log on the Windows server, I see "The user attempted to use an authentication method that is not enabled on the matching network policy."  I then noticed that the policy was set for CHAP but the WSA was set for PAP.  Looks like only PAP will work.  Not ideal, but working. 

Hi Mike,

I was going through your last reply and wondering why we cannot use CHAP when we have that option under the external authentication settings. So, if you select CHAP under external authentication settings, and on the Microsoft side you enable CHAP as well under remote access policy > properties > authentication tab, and select CHAP...

User guide:

The appliance can communicate with RADIUS directories using either the Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP).

Let me know how it goes.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

I was a little brief in my last reply.  I should have included that CHAP does not work.  The following error is recorded in the log: 

"The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account. To ensure that reversibly encrypted passwords are enabled, check either the domain password policy or the password settings on the user account."

This error occurs when the user’s account is not stored in reversible encryption.

CHAP requires that the secret be available in plaintext form. CHAP cannot use irreversibly encrypted password databases that are commonly available. If the RADIUS server does not have access to the plaintext password, it cannot perform the one-way hash to verify the user and the authentication will fail. By default, Microsoft Active Directory does not store user accounts with reversible encryption.

Reversible encryption is a user class attribute and is not enabled by default in the Active Directory. You must enable this setting manually on each account or through Group Policy Objects when dealing with multiple users.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
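Added Python example (not from any post in this thread) of the point Jatin makes above: with PAP the server recovers the password from the User-Password attribute (RFC 2865 hiding) and can compare it against a one-way hash store, while CHAP (RFC 1994) obliges the server to recompute MD5(ID || password || challenge), which is impossible when only a one-way hash is stored. The credential store layout and the salt are constructed for illustration.

```python
"""PAP versus CHAP from the RADIUS server's point of view."""
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed; stands in for the directory's one-way store


def one_way(password):
    """One-way hash as a directory keeps by default (irreversible)."""
    return hashlib.pbkdf2_hmac("sha256", password, SALT, 10_000)


def pap_hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out


def pap_reveal_password(hidden, secret, request_auth):
    """Server side of the same transform: recovers the plaintext password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_response(chap_id, password, challenge):
    """RFC 1994: Response = MD5(ID || secret || challenge), computed by the client."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def server_verify_pap(store, hidden, secret, request_auth):
    """PAP: the recovered password can be checked against a one-way hash."""
    pw = pap_reveal_password(hidden, secret, request_auth)
    return hmac.compare_digest(one_way(pw), store["hash"])


def server_verify_chap(store, chap_id, challenge, response):
    """CHAP: needs the reversibly stored password; with only a hash the server
    cannot decide, which is the NPS error quoted in this thread. Returns None then."""
    if store.get("reversible") is None:
        return None
    expected = chap_response(chap_id, store["reversible"], challenge)
    return hmac.compare_digest(expected, response)
```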

Did you get a chance to try out the last suggestion on CHAP authentication?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

According to TAC:

"the WSA does not support “chap” as of now.  There is a bug opened and developers are working on it.  Bug : CSCzv38428    Support RADIUS CHAP protocol for External Authentication"

Enabling reversible encryption in AD is not an option.

Yeah, there is a severity 6 enhancement request opened on it. Thanks for keeping this thread updated.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin