(RADIATOR) custom access-denied messages and Cisco VPN
Wyman Miles
wm63 at cornell.edu
Fri Feb 9 15:24:46 CST 2007
The scenario:
Radiator 3.13/Solaris/Perl 5.8.2
Cisco ASA 5520 VPN
Cisco VPN client 4.8 for Windows
I'm trying to generate custom access-denied messages from an
<AuthBy EXTERNAL> script (we've got a homegrown authorization solution).
That AuthBy clause is preceded by <AuthBy KRB5> and a ContinueWhileAccept.

For all generic cases of authorization failure, I do:

    # don't need to know; don't want people mining for NetIDs or
    # groups
    print "Reply-Message=\"Access-Denied\"";
    exit 1;

For cases where the user is specifically sanctioned by quarantine:

    # User is quarantined and needs to see the helpdesk
    #
    print "Reply-Message=\"Your access has been restricted. Please contact the helpdesk.\"";
    exit 1;

In either case, I get the generic "Request-Denied" message out of the Cisco
VPN client. The AAA flow is precisely what I want -- users get in when
they should and don't when they shouldn't. I just can't communicate with
them as to why.
What am I missing?
Wyman Miles
Senior Security Engineer
Cornell University, Ithaca, NY
(607) 255-8421