(RADIATOR) custom access-denied messages and Cisco VPN

Wyman Miles wm63 at cornell.edu
Fri Feb 9 15:24:46 CST 2007



The scenario:

Radiator 3.13/Solaris/Perl 5.8.2
Cisco ASA 5520 VPN
Cisco VPN client 4.8 for Windows

I'm trying to generate custom access-denied messages from an <AuthBy 
EXTERNAL> script (we've got a homegrown authorization solution).

That AuthBy clause is preceded by <AuthBy KRB5> and a ContinueWhileAccept.

For all generic cases of authorization failure, I do:

# don't need to know; don't want people mining for NetIDs or
# groups
print "Reply-Message=\"Access-Denied\"";
exit 1;

For cases where the user is specifically sanctioned by quarantine:

# User is quarantined and needs to see the helpdesk
#
print "Reply-Message=\"Your access has been restricted.  Please contact the helpdesk.\"";
exit 1;

In either case, I get the generic "Request-Denied" message out of the Cisco 
VPN client.  The AAA flow is precisely what I want -- users get in when 
they should and don't when they shouldn't.  I just can't communicate with 
them as to why.

What am I missing?



Wyman Miles
Senior Security Engineer
Cornell University, Ithaca, NY
(607) 255-8421
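As an added illustration of the pattern the post describes (this is example code, not the poster's script and not part of Radiator), the following stand-alone <AuthBy EXTERNAL> script keeps the two reject paths apart: one generic "Access-Denied" for every ordinary authorization failure, so the reply cannot be used to probe which NetIDs or groups exist, and one helpdesk message for quarantined users. It assumes Radiator hands the request attributes to the external command on stdin as "Attribute = value" lines, reads reply attributes in the same form from stdout, and maps exit status 0 to Access-Accept and 1 to Access-Reject; the user list, group rule and quarantine set are constructed for the example.

```python
"""Reply-Message handling for a Radiator <AuthBy EXTERNAL> script.

Added example, not from the original post or from Radiator.
Assumptions: request attributes arrive on stdin as "Attribute = value"
lines, reply attributes are written to stdout in the same form, and the
exit status is 0 for Access-Accept, 1 for Access-Reject.
"""
import re
import sys

ACCEPT, REJECT = 0, 1

# Constructed policy data for the example (hypothetical users and groups).
AUTHORIZED_GROUPS = {"vpn-users"}
USER_GROUPS = {"alice": {"vpn-users"}, "bob": {"staff"}, "carol": {"vpn-users"}}
QUARANTINED = {"carol"}

GENERIC_DENIAL = "Access-Denied"
QUARANTINE_DENIAL = "Your access has been restricted.  Please contact the helpdesk."

# Accepts both  User-Name = "alice"  and  User-Name = alice
_ATTR_LINE = re.compile(r'^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')


def parse_request(text):
    """Parse 'Attribute = value' lines into a dict (last value wins)."""
    attrs = {}
    for line in text.splitlines():
        m = _ATTR_LINE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def radius_string(value):
    """Quote a value for a reply line. Embedded quotes are escaped and
    newlines flattened, because a newline would start a new attribute line."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", " ")
    return '"%s"' % escaped


def authorize(attrs, user_groups=USER_GROUPS, quarantined=QUARANTINED):
    """Return (exit_status, reply_lines).

    Quarantined users get the helpdesk message. Unknown users and users in
    no authorized group get the same generic text, so the reply does not
    reveal whether a NetID or group exists.
    """
    user = attrs.get("User-Name", "")
    if user in quarantined:
        return REJECT, ["Reply-Message = " + radius_string(QUARANTINE_DENIAL)]
    if not user_groups.get(user, set()) & AUTHORIZED_GROUPS:
        return REJECT, ["Reply-Message = " + radius_string(GENERIC_DENIAL)]
    return ACCEPT, []


def main():
    attrs = parse_request(sys.stdin.read())
    status, reply = authorize(attrs)
    for line in reply:
        print(line)
    sys.stdout.flush()
    sys.exit(status)


if __name__ == "__main__":
    main()
```

Run it as `printf 'User-Name = "carol"\n' | python3 authz.py; echo $?` to see the helpdesk message and exit status 1. The script only controls what goes into the Access-Reject; whether the VPN client shows that Reply-Message to the user is the separate question the post raises, and it is worth confirming on the ASA side (a RADIUS debug or packet capture) that the attribute is actually present in the reject before looking at the client.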

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.