(RADIATOR) custom access-denied messages and Cisco VPN

Hugh Irvine hugh at open.com.au
Fri Feb 9 16:03:45 CST 2007


Hello Wyman -

The first thing to do is to check that Radiator is returning the  
Reply-Message in the Access-Reject.

To do that you will need to look at a trace 4 debug from Radiator.

The next thing to do is to see whether or not the Client software  
displays the Reply-Message that is returned in the Access-Reject.

You will need to check the Cisco VPN concentrator to see what is  
happening there (using the IOS debugging), then check the Client  
software configuration.

It is entirely possible that the Reply-Message is never displayed by  
the Client software.

Please let us know what you discover.

regards

Hugh


On 10 Feb 2007, at 08:24, Wyman Miles wrote:

> The scenario:
>
> Radiator 3.13/Solaris/Perl 5.8.2
> Cisco ASA 5520 VPN
> Cisco VPN client 4.8 for Windows
>
> I'm trying to generate custom access-denied messages from an
> <AuthBy EXTERNAL> script (we've got a homegrown authorization solution).
>
> That AuthBy clause is preceded by <AuthBy KRB5> and a ContinueWhileAccept
>
> For all generic cases of authorization failure, I do:
>
> # don't need to know; don't want people mining for NetIDs or
> # groups
> print "Reply-Message=\"Access-Denied\"";
> exit 1;
>
> For cases where the user is specifically sanctioned by quarantine:
>
> # User is quarantined and needs to see the helpdesk
> #
> print "Reply-Message=\"Your access has been restricted.  Please contact the helpdesk.\"";
> exit 1;
>
> In either case, I get the generic "Request-Denied" message out of the Cisco
> VPN client.  The AAA flow is precisely what I want -- users get in when
> they should and don't when they shouldn't.  I just can't communicate with
> them as to why.
>
> What am I missing?
>
>
>
> Wyman Miles
> Senior Security Engineer
> Cornell University, Ithaca, NY
> (607) 255-8421



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
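The first check Hugh describes (confirm that the Access-Reject Radiator sends actually carries the Reply-Message) can be automated over a trace 4 log. The following is an added example, not code from the thread or from Radiator; the packet-dump layout and the sample lines are constructed approximations of Radiator's trace 4 output.

```python
import re

# Constructed sample in the general shape of a Radiator trace 4 packet dump;
# an approximation for illustration, not a real capture (constructed values).
SAMPLE_TRACE = """\
Fri Feb  9 16:01:10 2007: DEBUG: Packet dump:
*** Sending to 10.0.0.5 port 1645 ....
Code:       Access-Reject
Identifier: 17
Attributes:
	Reply-Message = "Your access has been restricted.  Please contact the helpdesk."

Fri Feb  9 16:02:31 2007: DEBUG: Packet dump:
*** Sending to 10.0.0.5 port 1645 ....
Code:       Access-Reject
Identifier: 18
Attributes:
"""

def parse_packet_dumps(trace):
    """Split a trace into packet dumps; collect code, identifier and attributes."""
    packets = []
    current = None
    for line in trace.splitlines():
        if line.endswith("Packet dump:"):
            current = {"code": None, "id": None, "attrs": {}}
            packets.append(current)
        elif current is None:
            continue  # text before the first dump
        elif line.startswith("Code:"):
            current["code"] = line.split(":", 1)[1].strip()
        elif line.startswith("Identifier:"):
            current["id"] = int(line.split(":", 1)[1])
        else:
            # Attribute lines are indented: <name> = <value>, value optionally quoted
            m = re.match(r'^\s+([\w-]+)\s*=\s*"?(.*?)"?\s*$', line)
            if m:
                current["attrs"][m.group(1)] = m.group(2)
    return packets

def rejects_missing_reply_message(trace):
    """Identifiers of Access-Reject packets that were sent without a Reply-Message."""
    return [p["id"] for p in parse_packet_dumps(trace)
            if p["code"] == "Access-Reject" and "Reply-Message" not in p["attrs"]]
```

A reject listed here points at the AuthBy EXTERNAL script or the Radiator configuration; a reject that does carry the text narrows the problem to the ASA or the VPN client, which is the second half of Hugh's procedure.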


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.