• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3881

Having trouble configuring Firebox x750e for VPN with RADIUS

I am trying to configure a new WatchGuard Firebox and having trouble configuring it to use RADIUS for my VPN users. I had an X1000 before working just fine and I am trying to replicate the settings, but it doesn't seem to be working.

I used the same shared key as I used before for both the windows 2003 radius server and the radius server on the firebox.

When I try to connect to the Firebox I get this error:

Registering your computer on the network...
Error 734: The PPP link control protocol was terminated.

When I do this while checking the traffic monitor nothing comes up except a line like this:

pppd[12508] pptp connection down for nichiai msg_id="1401-2004"

Then I check the ISA log file for Radius and I see something like this:

127.0.0.1,nichiai,02/20/2009,22:38:10,IAS,GLOBESVR,6,2,7,1,4,127.0.0.1,5,0,4108,10.169.0.1,4116,0,4128,Firebox,4155,1,4154,Windows <’Yyfnæü¶ük(Y‹,4129,NEBJINC\nichiai,4127,4,25,311 1 10.169.0.12 01/16/2009 06:13:32 53,4130,nebjinc.local/Users/KK Nichiai,4149,VPN¥š,4136,1,4142,0
127.0.0.1,nichiai,02/20/2009,22:38:10,IAS,GLOBESVR,25,311 1 10.169.0.12 01/16/2009 06:13:32 53,4130,nebjinc.local/Users/KK Nichiai,11,PPTP-Users,11,domainusers,4108,10.169.0.1,4116,0,4128,Firebox,11,pptp_users,4155,1,4154,Windows <’Yyfnæü¶ük(Y‹,4129,NEBJINC\nichiai,4127,4,4120,0x104E45424A494E43,4149,VPN¥š,4136,2,4142,0
127.0.0.1,nichiai,02/20/2009,22:41:22,IAS,GLOBESVR,6,2,7,1,4,127.0.0.1,5,0,4108,10.169.0.1,4116,0,4128,Firebox,4155,1,4154,Windows <’Yyfnæü¶ük(Y‹,4129,NEBJINC\nichiai,4127,4,25,311 1 10.169.0.12 01/16/2009 06:13:32 54,4130,nebjinc.local/Users/KK Nichiai,4149,VPN¥š,4136,1,4142,0
127.0.0.1,nichiai,02/20/2009,22:41:22,IAS,GLOBESVR,25,311 1 10.169.0.12 01/16/2009 06:13:32 54,4130,nebjinc.local/Users/KK Nichiai,11,PPTP-Users,11,domainusers,4108,10.169.0.1,4116,0,4128,Firebox,11,pptp_users,4155,1,4154,Windows <’Yyfnæü¶ük(Y‹,4129,NEBJINC\nichiai,4127,4,4120,0xAC4E45424A494E43,4149,VPN¥š,4136,2,4142,0

So I am guessing the communication is getting through because it's coming up in the log files. I don't exactly know what's going wrong here.

Just some additional information: if I uncheck the RADIUS server settings in VPN -> Mobile VPN -> PPTP settings, and then just create a Firebox user and give it a password, I can connect just fine to the VPN, establish a connection and then ping the networked servers behind the firewall.

I would really appreciate any help someone can offer.

Thanks!
0
Asked: nichiaiinc
1 Solution
 
dpk_walCommented:
First thing I would like to see is if you are able to authenticate to the RADIUS server at all. From the internal network, if you go to: http://internal-ip-of-firebox:4100
You should get prompted for username/password, and on putting in the credentials as configured on the RADIUS server you should successfully get authenticated.
If not, then the RADIUS server configuration needs some tweaking [I would not be able to assist you with RADIUS configuration].

Please check and update.

Thank you.
0
 
nichiaiincAuthor Commented:
Hello Again dpkwal,

I am not physically local to the site to check from an internal PC. Can you tell me how I can get both the Firebox user authentication and the RADIUS authentication to work at the same time?

I can't get the RADIUS PPTP to work, but I can get the PPTP with the Firebox user to work, connect to the Firebox and gain access to a local machine to run that test, BUT RADIUS would be disabled. So hence, I couldn't perform the test.

Why, when I check the box for RADIUS server on the Mobile VPN PPTP, does it disable the Firebox internal user authentication?

I greatly appreciate your help

Josh
0
 
dpk_walCommented:
Hello Josh,

Which version of WatchGuard management software are you using? With newer versions it is possible to have up to 5 authentication servers enabled at the same time. Unlike the 7.x version, we would not set one single authentication mechanism like Firebox/RADIUS/NT etc.

So we can have say RADIUS server for user authentication for internet purposes and at the same time firebox internal authentication for PPTP users.

In Policy Manager, we would enable PPTP but would not check the box for RADIUS users. We would configure both firebox users and RADIUS Server configuration. Also, in one policy we would configure as:
Enabled and Allowed; from RADIUS-user/group; to some-test-website

To be able to access the above test website you need to authenticate through the Java applet I listed above.

Thank you.
0
 
nichiaiincAuthor Commented:
I am using WSM version 10.2.7. And yes, I can set up 5 authentication servers at a time. But I'm confused by your example. I am just trying to configure the Firebox to allow a user from outside the office to connect to the firewall so that they get a local IP address and then can access the file server and other devices on the network. So I don't understand the meaning of this: "We can have say RADIUS server for user authentication for internet purposes and at the same time firebox internal authentication for PPTP users"

Is there a guide, or could you give me a step-by-step list of what I need to do in the WSM to configure the Firebox to allow VPN connections using PPTP with RADIUS users?

This configuration and the RADIUS server on Windows 2003 were already working prior with the Firebox X1000. I just purchased a 750e and installed it, and everything is working except allowing VPN connections to the Firebox. But nothing seems straightforward on the Firebox system. I.e., when I enable the Mobile VPN PPTP option, that is not enough to get it working. There is always some other policy or rule I must modify, and I am just guessing at what policy to modify and it's not working.

So a complete list from A to Z would be extremely helpful.

Thank you!

Josh
0
 
dpk_walCommented:
What I meant was to check if RADIUS authentication is working at all; and as you are remote to the site, we can have you logged in to the Firebox using PPTP [without RADIUS authentication enabled yet].
After this we can try to access some specific website for which we would have enabled user authentication using RADIUS as the auth server.

If the RADIUS auth works we can then troubleshoot why it is not working for PPTP.

The WG website seems to have some trouble; they have an article on configuring Win2003 for RADIUS authentication, but the link does not open:
http://watchguard.custhelp.com/cgi-bin/watchguard.cfg/php/enduser/std_adp.php?p_faqid=1690&p_created=1226635590&p_sid=nyVv72rj&p_accessibility=0&p_redirect=&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MTAsMTAmcF9wcm9kcz0wJnBfY2F0cz0mcF9wdj0mcF9jdj0mcF9wYWdlPTEmcF9zZWFyY2hfdGV4dD0yMDAz&p_li=&p_topview=1

Thank you.
0
 
nichiaiincAuthor Commented:
Yeah, I can't believe they have a dead link to their article. But I found this page through your link:
http://www.watchguard.com/help/docs/fireware/10/en-US/index_Left.html#StartTopic=en-US/authentication/usermanagement/radius_server_auth_about_f.html|SkinName=Fireware%20(en-US)

This is a really good link actually, with loads of information. So this has helped me understand this box much better. I understand how the thing authenticates now, and understand that you can only use Mobile PPTP with the internal users OR the RADIUS server, but not both at the same time.

So now I just set it up to allow internal Firebox users, and I am connected to one of the servers on the local network.

DPK, can you help me with this part you asked me to do: "After this we can try access some specific website for which we would have enabled user authentication using RADIUS as auth server"

I don't know how to do this or what you mean. But I still have the Firebox with the RADIUS server activated, so I would like to check it as you are stating I should do.
0
 
dpk_walCommented:
Sorry to have not provided the details earlier.

Let's say the filter-id on RADIUS is radusr; this is the RADIUS user/group on the Firebox.

Now if we open the WG authentication page:
http://internal-ip-of-firebox:4110
from an internal machine, we should get prompted for username/password; after we specify the details the user should get authenticated.

However, you would get a response like "user authenticated but no resources are granted"; so I was suggesting that we create a test service, any custom or predefined service, so that access to the website after we authenticate would guarantee that everything is configured properly.

We can use a service, for example HTTP, and configure it to access some website [let's take www.giveawayoftheday.com as an example]; we would configure the service as below:
Enabled and Allowed; from radusr; to public-ip-of-www.giveawayoftheday.com-as-obtained-from-nslookup

Now if we try to access www.giveawayoftheday.com from an internal machine we should not be able to access the website; but after we authenticate through the Java applet and then try to access it, the website should open.

Please check and update.

Thank you.
0
 
nichiaiincAuthor Commented:
Okay, I connected (through Windows RDC) to one of the Windows servers located behind the firewall after I established a PPTP connection with a Firebox internal user.

When I open IE and type in
http://10.169.0.1:4110

I get a page could not load response.

What does this mean?
0
 
dpk_walCommented:
My bad, I had the port mistyped; it should be 4100 and not 4110.

I had specified the correct port number in my first post on this thread.

It should be:

http://10.169.0.1:4100
0
 
nichiaiincAuthor Commented:
Actually, I got the same result: page could not be loaded.
0
 
dpk_walCommented:
There is a system-defined service, WatchGuard Authentication, which is system generated and is responsible for enabling connections on port 4100.
Can you check if the policy is present in Policy Manager; also try once with https and port 4100.

Thank you.
0
 
nichiaiincAuthor Commented:
Okay, https works. When I try http it just says page cannot load.

When the page loads, it's a white page with a red-framed box with the WatchGuard logo and login and password.

When I select RADIUS from the dropdown, input the Windows domain username and password and click Login, the page reloads and states:

Authentication Failed: Specified username or password is not correct, please try again

If I change the dropdown and select Firebox-DB and input the username I connect with for PPTP, it works just fine as expected.

So I am guessing the RADIUS server is not working. Any ideas?
0
 
dpk_walCommented:
Yes, this is what I wanted to check; it appears that the RADIUS configuration is not correct; remember filter-id is very important.
Once the RADIUS configuration is up to speed, you should be able to authenticate using RADIUS, and then even PPTP should go through fine.

Thank you.
0
 
nichiaiincAuthor Commented:
I see, I didn't change the filter-id settings in the RADIUS policy, so would the new Firebox 750e have a different filter-id for the PPTP RADIUS users? How would I go about finding out what the filter-id needs to be set to?

Thanks!
0
 
dpk_walCommented:
filter-id is set on the RADIUS server only; on the FB we only add the user/group, which I think you already have configured.

If you can paste some sanitized logs from Traffic Monitor from when the user authentication fails, it might give some clue as to which setting is misconfigured.

Thank you.
0
 
nichiaiincAuthor Commented:
Actually I solved the problem. The reason was that I had to create a group from scratch and give it a title. Then, after creating that group, I added that group name as the filter-id in the RADIUS server. Also, even though the RADIUS authentication was disabled on the PPTP VPN settings, but the RADIUS authentication server was enabled and I had Firebox authentication turned on, when I connected via VPN and tested port 4100 it still showed that the user would not match up.

I can't believe WatchGuard's tutorials never bother to mention the step to actually create the group and set it to a firewall authentication. It seems like a vital step and something an intelligent person would add to a tutorial for someone that is trying to configure this for the first time. Instead they just point out to add "radiusgroup" to the filter-id tag in the RADIUS server.

So the steps I did were: 1.) create a Firebox authentication group and give it a name. Then open up the RADIUS server on Windows 2003 and add that authentication group's name to the filter-id, and delete all other names that were set as the filter-id. Then add this group that I created to the ANY rule in Policy Manager. Then I enabled "use RADIUS server" with VPN PPTP, reflashed the firewall and voilà. I could connect. After connecting I tried the port 4100 test page with other users and it worked like a charm.

Thanks for all your help that led up to solving this problem. I truly appreciate it!
0
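A small checker for the problem this thread ended on, as an added example that is not part of the original thread: it parses IAS-format RADIUS log records like the ones pasted in the question and reports, for each Access-Accept, whether any Filter-Id (RADIUS attribute 11) matches the Firebox authentication group. The log lines below are constructed to mirror the question's format (RADIUS attribute 11 is Filter-Id; IAS attribute 4136 is Packet-Type, 1 = Access-Request, 2 = Access-Accept, 3 = Access-Reject); the group name "radusr" is the hypothetical one from the thread.

```python
"""Check IAS-format RADIUS log records for a Filter-Id matching the Firebox group."""
from typing import Dict, List, Tuple

FILTER_ID = 11       # standard RADIUS attribute: Filter-Id
PACKET_TYPE = 4136   # IAS attribute: 1=Access-Request, 2=Access-Accept, 3=Access-Reject

# Constructed sample records (sanitized; same field layout as the question's log):
# NAS-IP,User-Name,Date,Time,Service,Computer-Name, then attribute-id,value pairs.
SAMPLE_LOG = [
    "127.0.0.1,nichiai,02/20/2009,22:38:10,IAS,GLOBESVR,6,2,7,1,4128,Firebox,4136,1,4142,0",
    "127.0.0.1,nichiai,02/20/2009,22:38:10,IAS,GLOBESVR,11,PPTP-Users,11,domainusers,"
    "4128,Firebox,11,pptp_users,4136,2,4142,0",
    "127.0.0.1,bob,02/20/2009,22:45:01,IAS,GLOBESVR,11,radusr,4128,Firebox,4136,2,4142,0",
    "127.0.0.1,eve,02/20/2009,22:46:00,IAS,GLOBESVR,4128,Firebox,4136,3,4142,16",
]


def parse_ias_record(line: str) -> Dict[str, object]:
    """Split one IAS-format line into header fields plus an attribute-id -> values map."""
    fields = line.rstrip("\n").split(",")
    if len(fields) < 6 or (len(fields) - 6) % 2:
        raise ValueError("not an IAS-format record: " + line[:40])
    attrs: Dict[int, List[str]] = {}
    for i in range(6, len(fields), 2):          # attribute ids and values alternate
        attrs.setdefault(int(fields[i]), []).append(fields[i + 1])
    return {"user": fields[1], "date": fields[2], "time": fields[3],
            "server": fields[5], "attrs": attrs}


def check_filter_id(lines: List[str], firebox_group: str) -> List[Tuple[str, List[str], bool]]:
    """For every Access-Accept, return (user, filter-ids sent, whether one matches the group).

    An accept whose Filter-Ids never name the Firebox group is exactly the case in the
    thread: RADIUS says yes, but the Firebox cannot map the user to any group and fails
    the login with "username or password is not correct".
    """
    findings = []
    for line in lines:
        rec = parse_ias_record(line)
        if rec["attrs"].get(PACKET_TYPE, ["?"])[0] != "2":   # only Access-Accept records
            continue
        ids = rec["attrs"].get(FILTER_ID, [])
        findings.append((rec["user"], ids, firebox_group in ids))
    return findings


if __name__ == "__main__":
    for user, ids, ok in check_filter_id(SAMPLE_LOG, "radusr"):
        print(f"{user}: Filter-Id={ids} -> {'matches group' if ok else 'NO MATCH'}")
```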
 
dpk_walCommented:
Thank you for the update; it would be helpful for everyone configuring RADIUS auth.

Regards.
0
 
phrea84Commented:
Thanks for the detailed notes. I had the same issue and although the links were broken, I was able to get RADIUS working with my Firebox.
0