(RADIATOR) Cisco VPN clients trying to authenticate as "clientless"

Hugh Irvine hugh at open.com.au
Wed Apr 11 18:04:58 CDT 2007


Hello Steve -

Unfortunately I don't know the answer to either question - I think  
you will need to check with Cisco.

I would be interested in the answer though, so please let us know  
what you discover.

BTW - a Google search on "clientless radius request from cisco" gives  
some useful hits.

regards

Hugh


On 12 Apr 2007, at 08:35, Steve Hahn wrote:

> I’ve been trying to get my Cisco ASA5510 to authenticate VPN users against
> Radiator. The Cisco VPN Client software on users’ machines is supposed to
> establish the VPN tunnel using a shared secret, then challenge the user for
> a username and password which it then presents to Radiator. What’s been
> happening instead is that the client just connects without challenging for
> username/password.
>
> Today I noticed that Radiator is getting periodic requests from the ASA
> (every couple minutes) which seem to be originating from connected users’
> VPN clients. I figured it out because my home computer is currently
> connected to VPN and some of the requests are originating from my home IP
> address. Here’s the debug log output:
>
> _________________________________
>
> Wed Apr 11 14:55:27 2007: DEBUG: Packet dump:
> *** Received from <internal IP of ASA> port 1025 ....
> Code:       Access-Request
> Identifier: 84
> Authentic:  <2><19>PINo|<5>Z<139>h<129>&g<20><189>
> Attributes:
>         User-Name = "clientless"
>         User-Password = <16><209><231>'<186><185><17>UK9<212><192><177><29><190>g
>         NAS-Port = 440
>         Called-Station-Id = "<public IP of the ASA>"
>         Calling-Station-Id = "<public IP of my home network>"
>         Message-Authenticator = $<186>/ I<164>o:N<200>f<155><177>e<161>I<203>
>         cisco-avpair = "aaa:service=ip_admission"
>         cisco-avpair = "aaa:event=supplicant-failure"
>         NAS-IP-Address = <internal IP of ASA>
>         cisco-avpair = "ip:source-ip=<public IP of my home network>"
>
> Wed Apr 11 14:55:27 2007: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Wed Apr 11 14:55:27 2007: DEBUG:  Deleting session for clientless, ,<internal IP of ASA>, 440
> Wed Apr 11 14:55:27 2007: INFO: Access rejected for clientless:
> Wed Apr 11 14:55:27 2007: DEBUG: Packet dump:
> *** Sending to <internal IP of ASA> port 1025 ....
> Code:       Access-Reject
> Identifier: 84
> Authentic:  <2><19>PINo|<5>Z<139>h<129>&g<20><189>
> Attributes:
>         Reply-Message = "Request Denied"
>
> _________________________________
>
> What's confusing to me are two things: 1) Why would the client software try
> to authenticate as "clientless"? 2) Why is Radiator repeatedly receiving
> these requests from already-connected users?
>
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
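
An added example, not part of the original thread and not Radiator code: a short Python script that groups the received Access-Requests in a trace 4 log by User-Name and Calling-Station-Id and reports the seconds between them, so the "every couple minutes" pattern in the quoted message can be measured per client. The log excerpt is constructed from the dump layout quoted above, with documentation-range placeholder addresses; `summarize` is a hypothetical helper name.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the trace 4 dump quoted above; the
# addresses are documentation-range placeholders, not values from the post.
SAMPLE_LOG = '''\
Wed Apr 11 14:55:27 2007: DEBUG: Packet dump:
*** Received from 192.0.2.1 port 1025 ....
Code:       Access-Request
Attributes:
        User-Name = "clientless"
        Calling-Station-Id = "203.0.113.7"
        cisco-avpair = "aaa:service=ip_admission"
        cisco-avpair = "aaa:event=supplicant-failure"
Wed Apr 11 14:55:27 2007: INFO: Access rejected for clientless:
Wed Apr 11 14:57:27 2007: DEBUG: Packet dump:
*** Received from 192.0.2.1 port 1025 ....
Code:       Access-Request
Attributes:
        User-Name = "clientless"
        Calling-Station-Id = "203.0.113.7"
        cisco-avpair = "aaa:event=supplicant-failure"
'''

STAMP = re.compile(r'^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}): DEBUG: Packet dump:')
ATTR = re.compile(r'^\s+([\w-]+) = "?(.*?)"?\s*$')

def summarize(log_text):
    """Group received Access-Requests by (User-Name, Calling-Station-Id)."""
    groups = defaultdict(lambda: {"times": [], "avpairs": set()})
    # Each log entry starts with a timestamp; attribute lines are indented.
    for block in re.split(r'\n(?=\w{3} \w{3} +\d+ [\d:]{8} \d{4}: )', log_text):
        lines = block.splitlines()
        m = STAMP.match(lines[0]) if lines else None
        if not m or "*** Received from" not in block or "Access-Request" not in block:
            continue  # skip replies sent by the server and non-dump entries
        attrs = [ATTR.match(l).groups() for l in lines if ATTR.match(l)]
        get = lambda name: next((v for k, v in attrs if k == name), None)
        g = groups[(get("User-Name"), get("Calling-Station-Id"))]
        g["times"].append(datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"))
        g["avpairs"].update(v for k, v in attrs if k == "cisco-avpair")
    return {k: {"count": len(v["times"]),
                "gaps_s": [int((b - a).total_seconds())
                           for a, b in zip(v["times"], v["times"][1:])],
                "avpairs": sorted(v["avpairs"])} for k, v in groups.items()}

if __name__ == "__main__":
    for key, info in summarize(SAMPLE_LOG).items():
        print(key, info)
```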


