(RADIATOR) custom access-denied messages and Cisco VPN
Wyman Miles
wm63 at cornell.edu
Mon Feb 12 07:30:31 CST 2007
This is a dev Radiator instance, so we're always in Trace 4. What I have
there is "Reply-Message="Request Denied""
That's consistent with what the client shows. I'll have to dig through the
ASA logs for more detail...
... I see nothing more than "remote peer has failed user authentication -
check configured username and password"
--On Saturday, February 10, 2007 9:03 AM +1100 Hugh Irvine
<hugh at open.com.au> wrote:
>
> Hello Wyman -
>
> The first thing to do is to check that Radiator is returning the
> Reply-Message in the Access-Reject.
>
> To do that you will need to look at a trace 4 debug from Radiator.
>
> The next thing to do is to see whether or not the Client software
> displays the Reply-Message that is returned in the Access-Reject.
>
> You will need to check the Cisco VPN concentrator to see what is
> happening there (using the IOS debugging), then check the Client
> software configuration.
>
> It is entirely possible that the Reply-Message is never displayed by the
> Client software.
>
> Please let us know what you discover.
>
> regards
>
> Hugh
>
>
> On 10 Feb 2007, at 08:24, Wyman Miles wrote:
>
>> The scenario:
>>
>> Radiator 3.13/Solaris/Perl 5.8.2
>> Cisco ASA 5520 VPN
>> Cisco VPN client 4.8 for Windows
>>
>> I'm trying to generate custom access-denied messages from an <AuthBy EXTERNAL>
>> script (we've got a homegrown authorization solution).
>>
>> That AuthBy clause is preceded by <AuthBy KRB5> and a ContinueWhileAccept
>>
>> For all generic cases of authorization failure, I do:
>>
>> # don't need to know; don't want people mining for NetIDs or
>> # groups
>> print "Reply-Message=\"Access-Denied\"";
>> exit 1;
>>
>> For cases where the user is specifically sanctioned by quarantine:
>>
>> # User is quarantined and needs to see the helpdesk
>> #
>> print "Reply-Message=\"Your access has been restricted. Please contact the helpdesk.\"";
>> exit 1;
>>
>> In either case, I get the generic "Request-Denied" message out of the Cisco
>> VPN client. The AAA flow is precisely what I want -- users get in when
>> they should and don't when they shouldn't. I just can't communicate with
>> them as to why.
>>
>> What am I missing?
>>
>>
>>
>> Wyman Miles
>> Senior Security Engineer
>> Cornell University, Ithaca, NY
>> (607) 255-8421
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
Wyman Miles
Senior Security Engineer
Cornell University, Ithaca, NY
(607) 255-8421
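An added example (mine, not code from this thread or from Radiator) of the script-side half of this setup, written in Python rather than Wyman's Perl since AuthBy EXTERNAL runs any executable: the ordinary and quarantine rejects are decided in one function, so the reply text the script emits can be checked on its own before going to the trace 4 output or the ASA logs. It assumes the EXTERNAL contract described in its docstring (request attributes on stdin, reply attributes on stdout, exit status 0 = accept / 1 = reject), the attribute name User-Name, and the constructed user lists.

```python
"""Authorization script of the kind run by Radiator's <AuthBy EXTERNAL>.

Assumed contract (check doc/ref.html for your Radiator version): request
attributes arrive on stdin as "Name = value" lines, anything printed to
stdout is parsed as reply attributes, and the exit status selects the
result: 0 = Access-Accept, 1 = Access-Reject.
"""
import sys

ACCEPT, REJECT = 0, 1

# Constructed sample policy: who may use the VPN and who is quarantined.
VPN_USERS = {"alice", "bob", "carol"}
QUARANTINED = {"carol"}

# One generic text for every ordinary failure (unknown NetID, not in the
# VPN group, ...) so a reject never reveals which of those it was.
GENERIC_DENY = 'Reply-Message="Access-Denied"'
# The only case that deliberately says more: a sanctioned user is told
# where to go, not why.
QUARANTINE_DENY = ('Reply-Message="Your access has been restricted. '
                   'Please contact the helpdesk."')

def parse_request(lines):
    """Turn 'Name = value' lines into a dict; first occurrence wins."""
    attrs = {}
    for line in lines:
        if "=" not in line:
            continue
        name, _, value = line.partition("=")
        attrs.setdefault(name.strip(), value.strip().strip('"'))
    return attrs

def authorize(attrs, users=VPN_USERS, quarantined=QUARANTINED):
    """Return (exit_status, reply_lines) for one request."""
    user = attrs.get("User-Name", "")
    if user in quarantined:          # sanctioned: specific message
        return REJECT, [QUARANTINE_DENY]
    if user in users:                # authorized: no reply text needed
        return ACCEPT, []
    return REJECT, [GENERIC_DENY]    # everything else: generic message

if __name__ == "__main__":
    status, reply = authorize(parse_request(sys.stdin))
    for line in reply:
        print(line)
    sys.exit(status)
```

Whatever the client ends up displaying, this lets you confirm the attribute the script hands back is the one you meant, which is the first of the two checks Hugh lists.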