(RADIATOR) reject then accept

Roy Badami roy.badami at globalgraphics.com
Mon Feb 28 12:26:05 CST 2005


Cisco VPNs will send a RADIUS request with User-Name set to the
group, Password set to 'cisco' and Service-Type set to Outbound-User
during the authorization phase.  This isn't a real authentication
request; it's just used to retrieve various attributes associated with
the user prior to authentication (e.g. the group preshared key).  This
is certainly true of IOS (I think it's true on a VPN 3000, too).

You'll want to have separate handlers for the authorization requests
and the real authentication requests.  You also want to test it
carefully to make sure you can't just log in with the password 'cisco'
:-)

Haven't seen this behaviour from Cisco access points, but it may
depend on how they're configured.

	   -roy
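
Added example, not part of the original post and not Radiator code: a small Python model of the two-handler split described above, with a check that the password 'cisco' never yields an Access-Accept on the real authentication path. The group name, user name, stored password and the reply attribute `Example-Group-Attr` are constructed placeholders.

```python
import hmac

# Constructed sample data; names and values are assumptions for illustration.
GROUP_PROFILES = {"vpn-staff": {"Example-Group-Attr": "placeholder-value"}}
USER_PASSWORDS = {"alice": "correct-horse-battery"}

ACCEPT, REJECT = "Access-Accept", "Access-Reject"


def _same(a, b):
    # Constant-time comparison of two strings.
    return hmac.compare_digest(a.encode(), b.encode())


def authorize_group(req):
    """Authorization phase: look up the group only, return its attributes."""
    profile = GROUP_PROFILES.get(req.get("User-Name", ""))
    if profile is None or not _same(req.get("User-Password", ""), "cisco"):
        return REJECT, {}
    return ACCEPT, dict(profile)


def authenticate_user(req):
    """Real authentication: consult the user store only, never the groups."""
    stored = USER_PASSWORDS.get(req.get("User-Name", ""))
    if stored is None or not _same(req.get("User-Password", ""), stored):
        return REJECT, {}
    return ACCEPT, {}


def handle(req):
    """Dispatch on Service-Type, as two separate handlers would."""
    if req.get("Service-Type") == "Outbound-User":
        return authorize_group(req)
    return authenticate_user(req)


def cisco_password_logins(names):
    """Names that get Access-Accept on the authentication path with 'cisco'."""
    return [n for n in names
            if handle({"User-Name": n, "User-Password": "cisco"})[0] == ACCEPT]
```

An empty list from `cisco_password_logins` over every group and user name is the result to look for; the same negative test should be run against the live server configuration.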

