(RADIATOR) Cisco VPN clients trying to authenticate as "clientless"

Hartmaier Alexander Alexander.Hartmaier at t-systems.at
Thu Apr 12 02:46:09 CDT 2007


Hi Steve!

That looks like you're doing Cisco NAC (802.1x)!
"clientless" means that your client didn't answer the dot1x request.

Try to disable NAC if you don't need it; AFAIK it will only work with Cisco ACS.

-Alex


> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
> Behalf Of Hugh Irvine
> Sent: Thursday, April 12, 2007 1:05 AM
> To: Steve Hahn
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) Cisco VPN clients trying to authenticate as
> "clientless"
> 
> 
> Hello Steve -
> 
> Unfortunately I don't know the answer to either question - I think
> you will need to check with Cisco.
> 
> I would be interested in the answer though, so please let us know
> what you discover.
> 
> BTW - a Google search on "clientless radius request from cisco" gives
> some useful hits.
> 
> regards
> 
> Hugh
> 
> 
> On 12 Apr 2007, at 08:35, Steve Hahn wrote:
> 
> > I’ve been trying to get my Cisco ASA5510 to authenticate VPN users
> > against Radiator. The Cisco VPN Client software on users’ machines is
> > supposed to establish the VPN tunnel using a shared secret, then
> > challenge the user for a username and password which it then presents
> > to Radiator. What’s been happening instead is that the client just
> > connects without challenging for username/password.
> >
> > Today I noticed that Radiator is getting periodic requests from the
> > ASA (every couple of minutes) which seem to be originating from
> > connected users’ VPN clients. I figured it out because my home computer
> > is currently connected to VPN and some of the requests are originating
> > from my home IP address. Here’s the debug log output:
> >
> > _________________________________
> >
> > Wed Apr 11 14:55:27 2007: DEBUG: Packet dump:
> > *** Received from <internal IP of ASA> port 1025 ....
> > Code:       Access-Request
> > Identifier: 84
> > Authentic:  <2><19>PINo|<5>Z<139>h<129>&g<20><189>
> > Attributes:
> >         User-Name = "clientless"
> >         User-Password =
> > <16><209><231>'<186><185><17>UK9<212><192><177><29><190>g
> >         NAS-Port = 440
> >         Called-Station-Id = "<public IP of the ASA>"
> >         Calling-Station-Id = "<public IP of my home network>"
> >         Message-Authenticator = $<186>/
> > I<164>o:N<200>f<155><177>e<161>I<203>
> >         cisco-avpair = "aaa:service=ip_admission"
> >         cisco-avpair = "aaa:event=supplicant-failure"
> >         NAS-IP-Address = <internal IP of ASA>
> >         cisco-avpair = "ip:source-ip=<public IP of my home network>"
> >
> > Wed Apr 11 14:55:27 2007: DEBUG: Handling request with Handler
> > 'Realm=DEFAULT'
> > Wed Apr 11 14:55:27 2007: DEBUG:  Deleting session for clientless,
> > ,<internal IP of ASA>, 440
> > Wed Apr 11 14:55:27 2007: INFO: Access rejected for clientless:
> > Wed Apr 11 14:55:27 2007: DEBUG: Packet dump:
> > *** Sending to <internal IP of ASA> port 1025 ....
> > Code:       Access-Reject
> > Identifier: 84
> > Authentic:  <2><19>PINo|<5>Z<139>h<129>&g<20><189>
> > Attributes:
> >         Reply-Message = "Request Denied"
> >
> > _________________________________
> >
> > What's confusing to me are two things: 1) Why would the client
> > software try to authenticate as "clientless"? 2) Why is Radiator
> > repeatedly receiving these requests from already-connected users?
> >
> >
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> 
> 
> 
> NB:
> 
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page


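Alex's diagnosis matches the AV pairs in Steve's debug log: the request carries aaa:service=ip_admission and aaa:event=supplicant-failure, which marks it as a NAC admission probe for a host with no supplicant rather than a VPN user login. The following Python is an added example (not from the thread, Radiator or Cisco) that parses packet dumps in the trace-4 format shown and separates such probes from ordinary user authentications; the sample log, username and addresses are constructed.

```python
import re
from collections import Counter
# Constructed sample in the trace-4 "Packet dump" format from the thread: a NAC
# probe, then a hypothetical user login (10.0.0.1 = ASA, 203.0.113.5 = home).
SAMPLE_LOG = """\
Wed Apr 11 14:55:27 2007: DEBUG: Packet dump:
*** Received from 10.0.0.1 port 1025 ....
Code:       Access-Request
        User-Name = "clientless"
        cisco-avpair = "aaa:service=ip_admission"
        cisco-avpair = "aaa:event=supplicant-failure"
        cisco-avpair = "ip:source-ip=203.0.113.5"
Wed Apr 11 14:56:02 2007: DEBUG: Packet dump:
*** Received from 10.0.0.1 port 1025 ....
Code:       Access-Request
        User-Name = "shahn"
        cisco-avpair = "ip:source-ip=203.0.113.5"
"""

PKT_RE = re.compile(r"^\*\*\* Received from (\S+) port \d+")
ATTR_RE = re.compile(r'^\s+([\w-]+) = "?([^"]*)"?\s*$')

def parse_packets(log):
    """Split a trace-4 log into {"nas", "code", "attrs": [(name, value)]}."""
    packets = []
    for line in log.splitlines():
        if m := PKT_RE.match(line):
            packets.append({"nas": m.group(1), "code": None, "attrs": []})
        elif packets and line.startswith("Code:"):
            packets[-1]["code"] = line.split(":", 1)[1].strip()
        elif packets and (m := ATTR_RE.match(line)):
            packets[-1]["attrs"].append((m.group(1), m.group(2)))
    return packets

def is_nac_probe(pkt):
    """NAC ip_admission request for a host that never answered dot1x ("clientless")."""
    avpairs = {v for k, v in pkt["attrs"] if k == "cisco-avpair"}
    return (pkt["code"] == "Access-Request"
            and "aaa:service=ip_admission" in avpairs
            and "aaa:event=supplicant-failure" in avpairs)

def classify(log):
    """Count (kind, remote host) so probes can be filtered or alerted on apart from real user failures."""
    counts = Counter()
    for pkt in parse_packets(log):
        # remote host is in the ip:source-ip AV pair, not in NAS-IP-Address
        src = next((v.split("=", 1)[1] for k, v in pkt["attrs"]
                    if k == "cisco-avpair" and v.startswith("ip:source-ip=")), None)
        counts[("nac_probe" if is_nac_probe(pkt) else "user_auth", src)] += 1
    return counts
```

Feeding a real trace-4 log to classify() shows whether the rejections Steve sees are all probes from already-connected hosts or whether genuine user logins are failing too.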