Firewall Wizards mailing list archives

SunScreen


From: John Ruff <john () dndlabs net>
Date: Fri, 23 Jan 2004 20:59:00 -0500

I'm having some trouble using RADIUS authentication with SunScreen 3.2. I'm running SunScreen 3.2 on Solaris 9. I've read all related docs about the fw app and currently am unable to see one packet leave the fw destined for the RADIUS server. Here are the config params I have that affect this setup:

1. FW rule that allows screen --> radius_svr [1645/udp]
2. variable PRG=auth NAME=RADIUSServer VALUE=<radius_svr_ip>
3. variable PRG=auth NAME=RADIUSNodeSecret VALUE=<secret>
4. variable PRG=httpp NAME=TargetSvcs VALUES={ svc=www svc=ssl }
5. "radius_user1" ENABLED SIMPLE RADIUS
6. "http_proxy_grp" ENABLED GROUP MEMBER_NAME="radius_user1"
7. Rule allowing http access outbound with http-proxy & http_proxy_grp included in ACTION DETAILS
8. Confirmed that process httpp is listening on 80/tcp and rule allows access from proxy clients

I've tried two things to test this config:

1. from sun documentation (Sunscreen Administrator's Overview) I used this command to test RADIUS authentication:
# ssadm lib/user_authenticate -v /radius/radius_user1

This fails with error in the logs:

33 XLOG 2004/01/21 23:26:37.925625 ? -> ? auth, LVL: auth, SEV: note, ? ("invalid proxyuser")
34 XLOG 2004/01/21 23:26:37.926216 ? -> ? auth, LVL: auth, SEV: warn, ? ("authentication failed")

2. When connecting to a website via the proxy server I get the same entries in the log.

On top of all this using a sniffer I see no packets leaving the Screen destined for the RADIUS server. Anyone have any ideas on this problem?

Thanks.

--
_________________
John Ruff
john () dndlabs net

"No one can see past a decision they don't understand." --Oracle
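One way to separate "the Screen never sends the request" from "the RADIUS server rejects it" is to send a minimal RFC 2865 Access-Request from the Solaris host itself and see whether an Access-Accept or Access-Reject comes back. The following is an added example written for this thread, not code from the original post, from Sun, or from SunScreen; it assumes Python 3 and uses port 1645/udp only because that is the port in the poster's rule (1812 is the IANA-assigned port). The username, password, shared secret and addresses passed to `radius_probe` are hypothetical placeholders. `build_response` is included only so the verification logic can be exercised locally; it mimics what a server does.

```python
import hashlib
import os
import socket
import struct

# RFC 2865 packet codes and the attribute types this probe uses.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def _attr(atype, value):
    """Encode one Type-Length-Value attribute (length includes the 2-byte header)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encode_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block), chaining from the Request Authenticator."""
    padded = password + b"\x00" * ((-len(password)) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += cipher
        prev = cipher
    return out


def decode_password(encrypted, secret, authenticator):
    """Server-side inverse of encode_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = encrypted[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """Build an Access-Request carrying User-Name, User-Password (PAP) and NAS-IP-Address.
    RFC 2865 requires NAS-IP-Address or NAS-Identifier in every Access-Request."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def build_response(code, request, secret, attrs=b""):
    """What a RADIUS server sends back (used here to exercise verify_response locally).
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident, req_auth = request[1], request[4:20]
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request_authenticator, secret):
    """Return the response code if the Response Authenticator checks out, else None.
    A wrong shared secret shows up here as a valid-looking packet that fails the check."""
    if len(response) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", response[:4])
    if length < 20 or length > len(response):
        return None
    body = response[:length]
    expected = hashlib.md5(body[:4] + request_authenticator + body[20:] + secret).digest()
    if expected != body[4:20]:
        return None
    return code


def radius_probe(server, secret, username, password, nas_ip, port=1645, timeout=3.0):
    """Send one Access-Request and classify the outcome. 'timeout' means the request
    never got an answer (blocked, wrong host/port, or server silently dropped it,
    which many servers do for an unknown client IP); 'bad-authenticator' usually
    means the shared secret differs between client and server."""
    auth = os.urandom(16)
    pkt = build_access_request(1, username, password, secret, nas_ip, auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    code = verify_response(data, auth, secret)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", None: "bad-authenticator"}.get(code, f"code-{code}")


if __name__ == "__main__":
    # Placeholder values: replace with the real RADIUS server, secret and Screen address.
    print(radius_probe("192.0.2.10", b"<secret>", "radius_user1", "<password>", "192.0.2.1"))
```

Run it on the Screen while the sniffer is attached: if this probe's packet appears on the wire and the SunScreen proxy's does not, the problem is in the auth/httpp configuration rather than the rule base or the network path; a "timeout" on the probe itself points at the rule, the route or a server that does not know this client address; "bad-authenticator" points at a RADIUSNodeSecret mismatch.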

