This section configures the concentrator to communicate with a RADIUS server. You can use a RADIUS server for client authentication using PAP, CHAP, or a token challenge and for remote access accounting.
configure Radius

The VPN 5000 concentrator series conforms to the following IETF RADIUS RFC drafts: draft-ietf-radius-radius-02.txt and draft-ietf-radius-accounting-02.txt. Any server used with a concentrator must also conform to these RFC drafts. Companies who make RADIUS servers include Cisco, Livingston, Ascend, Funk, and Merit.
The RADIUS server uses attribute numbers and names to identify the type of information sent or received. Authentication and accounting values in the RADIUS database, such as the user name and password, are assigned particular attributes. Thus, when the concentrator sends a client's PAP password to the RADIUS server, for example, it identifies the data with attribute number 2 so the RADIUS server can compare the data with the matching attribute in its database.
This section lists the RADIUS attributes used by the VPN 5000 concentrator. Some attribute numbers are configurable with keywords in this section. If your RADIUS server supports vendor specific attributes (VSAs) in a separate dictionary file, see the "Vendor Specific Attributes" section.
Table 3 lists the RADIUS attributes for authenticating each user:
| Attribute Number | Attribute Name | Value Description |
|---|---|---|
| 1 | User-Name | The VPN user name. |
| 2 | User-Password | (For Challengetype = PAP) The user's RADIUS password. For Challengetype = Challenge, the concentrator sends a null password to the RADIUS server instead of requiring the client to enter a password. For a token-based system like Axent Defender, the RADIUS server then prompts the client with the text in attribute 18 for the token password, which is also passed by this attribute. |
| 3 | CHAP-Password | For Challengetype = CHAP, the user's RADIUS password. |
| 18 | Reply-Message | A message or prompt sent to the client, such as the token string to enter into a token to produce the password. |
| 60 | CHAP-Challenge | The CHAP hash sent from the concentrator to the RADIUS server to authenticate the CHAP-Password. |
| 77 | Connect-Info¹ | The name of the user's VPN group. If this attribute number is not available, use an available number, and change it on the concentrator using the VPNGroupInfo keyword. This value must be a String. |
| 69 | Tunnel-Password¹ | (If you are not using a server certificate) The VPN password, also known as a shared secret. The shared secret is required to create the tunnel between the client and the concentrator. If this attribute number is not available, use an available number, and change it on the concentrator using the VPNPassword keyword. See the Certificates section for information about server certificates. This value must be a String. |
| 8 | Framed-IP-Address | |
| 23 | Framed-IPX-Network | |

¹ You can use a vendor specific attribute instead of this one if your RADIUS server supports vendor specific attributes.
Table 4 lists the RADIUS attributes supplied to the RADIUS server from the VPN 5000 concentrator for accounting:
| Attribute Number | Attribute Name | Description |
|---|---|---|
| 4 | NAS-IP-Address | The concentrator IP address, equal to the BindTo IP address. |
| 5 | NAS-Port | Indicates the port number on which the client connected to the concentrator, in this case a virtual port number. |
| 49 | Terminate-Cause | Reports details on why the client connection was terminated. |
| 40 | Acct-Status-Type | Indicates whether this Accounting-Request marks the beginning of the user service (start) or the end (stop). |
| 41 | Acct-Delay-Time | Indicates how many seconds the client has been trying to send a particular record. |
| 42 | Acct-Input-Octets | Indicates how many octets have been received from the client over the course of this service being provided. |
| 43 | Acct-Output-Octets | Indicates how many octets have been sent to the client in the course of delivering this service. |
| 44 | Acct-Session-Id | A unique accounting identifier that makes it easy to match start and stop records in a log file. |
| 45 | Acct-Authentic | Indicates how the user was authenticated, whether by RADIUS, the concentrator itself, or another remote authentication protocol. |
| 46 | Acct-Session-Time | Indicates how long (in seconds) the user has received service. |
| 47 | Acct-Input-Packets | Indicates how many packets have been received from the client over the course of this service being provided to a framed user. |
| 48 | Acct-Output-Packets | Indicates how many packets have been sent to the client in the course of delivering this service to a framed user. |
| 61 | NAS-Port-Type | Shows the connection type, in this case Virtual. |
| 66 | Tunnel-Client-Endpoint¹ | The real IP address of the client. If this attribute number is not available, use an available number, and change it on the concentrator using the VPNRealIP keyword. This value must be a String. |
| 67 | Tunnel-Server-Endpoint¹ | The IP address the concentrator assigns to the client. If this attribute number is not available, use an available number, and change it on the concentrator using the VPNAssignedIP keyword. This value must be a String. |

¹ You can use a vendor specific attribute instead of this one if your RADIUS server supports vendor specific attributes.
Many RADIUS servers support VSAs in a separate dictionary file. All VSAs use attribute number 26 plus the company identifier, in the VPN 5000 concentrator's case, 255. Table 5 lists the VSAs you can define.
| Attribute Number | Attribute Name | Description | Format |
|---|---|---|---|
| 0 | Tunnel-Delay | For future use. | |
| 1 | Tunnel-Throughput | For future use. | |
| 2 | Client-Assigned-IP | The IP address assigned to the client, reported by the concentrator to the RADIUS server. | String |
| 3 | Client-Real-IP | The real IP address of the client, reported by the concentrator to the RADIUS server. | String |
| 4 | VPN-GroupInfo | The name of the user's VPN group. | String |
| 5 | VPN-Password | (If you are not using a server certificate) The VPN password, also known as a shared secret. The shared secret is required to create the tunnel between the client and the concentrator. See the Certificates section for information about server certificates. | String |
| 6 | Echo | For future use. | |
| 7 | Client-Assigned-IPX | The real IPX number of the client, reported by the concentrator to the RADIUS server. | Hex4 Integer |
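As an added example (not code from the Cisco documentation or from the concentrator itself), the following Python decodes the attribute layout that Tables 4 and 5 describe: plain type/length/value attributes, and vendor specific attributes carried inside attribute 26 with the vendor identifier 255. It also performs the check a RADIUS accounting server makes before trusting a record, verifying the Accounting-Request authenticator with the shared secret; the sample packet, session id, group name and secret are constructed here.

```python
import hashlib
import struct

VENDOR_ID = 255  # company identifier the page gives for VPN 5000 vendor specific attributes
VSA_NAMES = {2: "Client-Assigned-IP", 3: "Client-Real-IP", 4: "VPN-GroupInfo",
             5: "VPN-Password", 7: "Client-Assigned-IPX"}
ATTR_NAMES = {4: "NAS-IP-Address", 40: "Acct-Status-Type", 44: "Acct-Session-Id"}

def parse_attrs(data: bytes) -> list:
    """Walk the type/length/value attributes of a RADIUS packet, expanding VSA 26."""
    out, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        v = data[i + 2:i + length]
        if t == 26 and len(v) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", v[:6])
            name = VSA_NAMES.get(vtype, "VSA-%d" % vtype) if vendor == VENDOR_ID else "Vendor-Specific"
            out.append((name, v[6:4 + vlen]))  # vendor-length counts its own type and length bytes
        elif t == 4:
            out.append((ATTR_NAMES[t], ".".join(str(b) for b in v)))
        elif t == 40:
            out.append((ATTR_NAMES[t], {1: "Start", 2: "Stop"}.get(struct.unpack("!I", v)[0], "Other")))
        else:
            out.append((ATTR_NAMES.get(t, "Attr-%d" % t), v))
        i += length
    return out

def accounting_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """RFC 2866 check: Authenticator = MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret)."""
    zeroed = packet[:4] + b"\x00" * 16 + packet[20:]
    return hashlib.md5(zeroed + secret).digest() == packet[4:20]

def attr(t: int, v: bytes) -> bytes:
    return bytes([t, 2 + len(v)]) + v

def vsa(vtype: int, v: bytes) -> bytes:
    return attr(26, struct.pack("!IBB", VENDOR_ID, vtype, 2 + len(v)) + v)

def build_acct_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Builds a constructed Accounting-Request (code 4) so the checks above have input to run on."""
    header = struct.pack("!BBH", 4, ident, 20 + len(attrs))
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs

# Constructed sample: NAS-IP-Address (4), Acct-Status-Type Start (40), Acct-Session-Id (44), VSA VPN-GroupInfo (4)
SAMPLE_SECRET = b"Homer Simpson"
SAMPLE_ATTRS = (attr(4, bytes([192, 168, 12, 1])) + attr(40, struct.pack("!I", 1))
                + attr(44, b"00000042") + vsa(4, b"engineering"))
SAMPLE_PACKET = build_acct_request(7, SAMPLE_ATTRS, SAMPLE_SECRET)
```

A record whose authenticator fails against the configured Secret should be dropped rather than logged, since anyone on the path can forge accounting stop records otherwise.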
After entering the configure command for the section, enter one or more of the following keywords.
| Keyword | Description |
|---|---|
| Authentication = {On \| Off} | Allows the concentrator to use a RADIUS server for authentication. If On, the concentrator uses RADIUS authentication automatically if it cannot find a remote user in the internal VPN User list. |
| Accounting = {On \| Off} | Allows the concentrator to send accounting information to the RADIUS server. Each time a user connects to or disconnects from the concentrator, the concentrator sends a record of the connection to the RADIUS server. |
| PrimAddress = String | Sets the IP address or fully qualified domain name of the primary RADIUS server. Be sure to set a DNS in the Domain Name Server section if using a domain name. |
| PrimRetries = Number | Sets the number of times the concentrator attempts to contact the primary RADIUS server. The value can be 1 to 10. The default is 5. The concentrator uses a back-off algorithm when retrying. The time period between packets 1 through 10 is (in seconds): 1, 1, 2, 2, 3, 3, 4, 4, 5, 5. |
| Secret = String | A shared secret used by the concentrator and RADIUS server to validate packets exchanged between them. This secret must match the secret configured in the RADIUS server. The string can be from 1 to 31 ASCII characters long. When you set the UseChap16 keyword to On, the Secret cannot be more than 16 characters. |
| BindTo = {Ethernet \| WAN} slot:port[.sub-interface] | Specifies which interface's IP address the concentrator uses as the source address for all packets sent to the RADIUS server. |
| Challengetype = {CHAP \| PAP \| Challenge} | Specifies the challenge type the RADIUS server uses to validate the client. |
| PAPAuthSecret = String | A secret used by a VPN 5000 concentrator and a client to authenticate and encrypt packets exchanged between them before they are passed on to the RADIUS server. The concentrator and client only use this password when you specify PAP for the Challengetype keyword. Client software users are prompted for both this secret and their regular RADIUS password. The string can be from 1 to 255 ASCII characters in length. |
| UseChap16 = {On \| Off} | When you set the UseChap16 keyword to On, CHAP challenges to the RADIUS server, including the concentrator Secret and the RADIUS CHAP-Password, are limited to 16 bytes. Older RADIUS servers cannot handle longer challenges. |
| PrimUseSecret = {On \| Off} | When you set the PrimUseSecret keyword to On, the concentrator includes the secret in the hash it uses to encrypt packets sent to the primary RADIUS server. Since older RADIUS servers did not include the secret in their hash, this feature is a configurable option. |
| SecAddress = String | Sets the IP address or fully qualified domain name of the secondary RADIUS server. If the concentrator receives no response from the primary RADIUS server after the number of retries specified by PrimRetries, the concentrator uses this secondary server. If the concentrator receives no response from the secondary server after the number of retries specified by SecRetries, the concentrator returns a failure packet to the client and drops the link. |
| SecRetries = Number | Sets the number of times the concentrator attempts to contact the secondary RADIUS server. The value can be 1 to 10. The default is 5. The concentrator uses a back-off algorithm when retrying. The time period between packets 1 through 10 is (in seconds): 1, 1, 2, 2, 3, 3, 4, 4, 5, 5. |
| SecUseSecret = {On \| Off} | When you set the SecUseSecret keyword to On, the concentrator includes the secret in the hash it uses to encrypt packets sent to the secondary RADIUS server. Since older RADIUS servers did not include the secret in their hash, this feature is a configurable option. |
| AcctPort = Number | Defines which UDP port the concentrator uses to send RADIUS accounting information to the RADIUS server. The default is 1646. You can change the port number in certain situations for security reasons. |
| AuthPort = Number | Defines which UDP port the concentrator uses to exchange RADIUS authentication information with the RADIUS server. The default is 1645. You can change the port number in certain situations for security reasons. |
| VPNPassword = Number¹ | Sets the attribute number that the RADIUS server assigns to the Tunnel-Password attribute. The default is 69. The Tunnel-Password is required to create the tunnel between the client and the concentrator. The value can be between 64 and 191. |
| VPNGroupInfo = Number¹ | Sets the attribute number that the RADIUS server assigns to the Connect-Info attribute. The default is 77. The Connect-Info attribute specifies the VPN Group name. The value can be between 64 and 191. |
| VPNRealIP = Number¹ | Sets the attribute number for the reporting of the client's real IP address. The default is 66. If you set this number both here and in the RADIUS server's dictionary file, the concentrator reports the real IP address to the RADIUS accounting server. The value can be between 64 and 191. |
| VPNAssignedIP = Number¹ | Sets the attribute number for the reporting of the client's assigned IP address. The default is 67. If you set this number both here and in the RADIUS server's dictionary file, the concentrator reports the assigned IP address to the RADIUS accounting server. The value can be between 64 and 191. |

¹ You can use a vendor specific attribute instead of this one if your RADIUS server supports vendor specific attributes.
Example: enable RADIUS accounting and authentication using both a primary and a secondary server. The shared secret is "Homer Simpson".

```
[ Radius ]
BindTo = Ethernet 0
PrimAddress = 192.168.12.9
SecAddress = 192.168.12.8
Secret = "Homer Simpson"
Authentication = On
Accounting = On
```
| Command | Description |
|---|---|
| edit config VPN Users | Creates a user list for VPN authentication. |
Posted: Wed Sep 27 10:29:11 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.