(RADIATOR) Cisco VPN clients trying to authenticate as "clientless"

Steve Hahn stevehahn at gospellight.com
Wed Apr 11 17:35:51 CDT 2007


I've been trying to get my Cisco ASA5510 to authenticate VPN users against
Radiator. The Cisco VPN Client software on users' machines is supposed to
establish the VPN tunnel using a shared secret, then challenge the user for
a username and password which it then presents to Radiator. What's been
happening instead is that the client just connects without challenging for
username/password.

Today I noticed that Radiator is getting periodic requests from the ASA
(every couple of minutes) which seem to be originating from connected users'
VPN clients. I figured it out because my home computer is currently
connected to VPN and some of the requests are originating from my home IP
address. Here's the debug log output:

_________________________________

Wed Apr 11 14:55:27 2007: DEBUG: Packet dump:
*** Received from <internal IP of ASA> port 1025 ....
Code:       Access-Request
Identifier: 84
Authentic:  <2><19>PINo|<5>Z<139>h<129>&g<20><189>
Attributes:
        User-Name = "clientless"
        User-Password =
<16><209><231>'<186><185><17>UK9<212><192><177><29><190>g
        NAS-Port = 440
        Called-Station-Id = "<public IP of the ASA>"
        Calling-Station-Id = "<public IP of my home network>"
        Message-Authenticator = $<186>/I<164>o:N<200>f<155><177>e<161>I<203>
        cisco-avpair = "aaa:service=ip_admission"
        cisco-avpair = "aaa:event=supplicant-failure"
        NAS-IP-Address = <internal IP of ASA>
        cisco-avpair = "ip:source-ip=<public IP of my home network>"

Wed Apr 11 14:55:27 2007: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Wed Apr 11 14:55:27 2007: DEBUG:  Deleting session for clientless,
,<internal IP of ASA>, 440
Wed Apr 11 14:55:27 2007: INFO: Access rejected for clientless:
Wed Apr 11 14:55:27 2007: DEBUG: Packet dump:
*** Sending to <internal IP of ASA> port 1025 ....
Code:       Access-Reject
Identifier: 84
Authentic:  <2><19>PINo|<5>Z<139>h<129>&g<20><189>
Attributes:
        Reply-Message = "Request Denied"

_________________________________

What's confusing to me are two things: 1) Why would the client software try
to authenticate as "clientless"? 2) Why is Radiator repeatedly receiving
these requests from already-connected users?



--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
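As an added example, not part of the original post and not Radiator's or Cisco's own code: the Access-Request from the dump above, rebuilt and decoded in Python per RFC 2865 (User-Password hiding, Vendor-Specific attributes) and RFC 2869 (Message-Authenticator). The three cisco-avpair strings and the User-Name/NAS-Port come from the log; the shared secret, password, NAS IP and source IP are constructed placeholders for the redacted values. The point is to show what a RADIUS server sees in these packets and how to tag the ones carrying aaa:service=ip_admission so they can be routed to a dedicated Handler instead of falling through to Realm=DEFAULT.

```python
"""RFC 2865/2869 Access-Request round trip with Cisco VSAs (added example)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
VENDOR_SPECIFIC, MESSAGE_AUTHENTICATOR = 26, 80
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # Cisco enterprise number, avpair sub-type

# Constructed stand-ins for the values redacted in the post.
SECRET = b"example-shared-secret"
SAMPLE_AVPAIRS = ["aaa:service=ip_admission", "aaa:event=supplicant-failure",
                  "ip:source-ip=203.0.113.7"]


def pap_hide(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide; the chain feeds on the previous *hidden* block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific(26): vendor-id, vendor-type, vendor-length, string."""
    body = text.encode()
    return attr(VENDOR_SPECIFIC,
                struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(body)) + body)


def build_access_request(ident, secret, username, password, nas_ip, nas_port, avpairs):
    authenticator = os.urandom(16)                     # Request Authenticator
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, pap_hide(password.encode(), secret, authenticator))
             + attr(NAS_PORT, struct.pack("!I", nas_port))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + b"".join(cisco_avpair(a) for a in avpairs)
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # zeroed while HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    mac = hmac.new(secret, header + authenticator + attrs, hashlib.md5).digest()
    return header + authenticator + attrs[:-16] + mac


def parse_access_request(packet, secret):
    """Return (attribute list, Message-Authenticator ok); User-Password is revealed."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator, attrs, mac_ok, pos = packet[4:20], [], False, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vid, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vid == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                attrs.append(("cisco-avpair", value[6:4 + vlen].decode(errors="replace")))
        elif atype == USER_PASSWORD:
            attrs.append(("User-Password",
                          pap_reveal(value, secret, authenticator).decode(errors="replace")))
        elif atype == USER_NAME:
            attrs.append(("User-Name", value.decode(errors="replace")))
        elif atype == NAS_IP_ADDRESS:
            attrs.append(("NAS-IP-Address", socket.inet_ntoa(value)))
        elif atype == NAS_PORT:
            attrs.append(("NAS-Port", struct.unpack("!I", value)[0]))
        elif atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            mac_ok = hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
        pos += alen
    return attrs, mac_ok


def classify(attrs):
    """Tag requests carrying the ip_admission marker so they can get their own Handler."""
    avpairs = {v for k, v in attrs if k == "cisco-avpair"}
    return "ip_admission" if "aaa:service=ip_admission" in avpairs else "vpn-user"


def demo():
    """Round-trip a packet shaped like the one in the post (Identifier 84, NAS-Port 440)."""
    pkt = build_access_request(84, SECRET, "clientless", "s3cret",
                               "192.0.2.10", 440, SAMPLE_AVPAIRS)
    attrs, mac_ok = parse_access_request(pkt, SECRET)
    return attrs, mac_ok, classify(attrs)
```

Running demo() yields the decoded attribute list, a true Message-Authenticator check, and the tag "ip_admission"; a request without that avpair is tagged "vpn-user". The check on the attribute length guards against a truncated or oversized attribute header, which is the usual way a malformed RADIUS packet trips up a naive parser.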