[RADIATOR] Radius domain only auth, with password='cisco'

Hartmaier Alexander alexander.hartmaier at t-systems.at
Thu Nov 7 02:40:49 CST 2013


Yes, a Cisco IOS router configured to terminate IPSec IKEv1 client VPN
will send such an authorization request after the user auth to check if
the user is allowed to connect using this group.

On 2013-11-07 06:04, Hugh Irvine wrote:
> Hello Michael -
>
> This is configured on the Cisco box - you will need to ask your network people to turn it off.
>
> regards
>
> Hugh
>
>
> On 7 Nov 2013, at 10:05, Michael <ringo at vianet.ca> wrote:
>
>> I'm looking to stop it, not set it up. I'm not sure what had enabled/configured it to start happening. I guess this is probably the wrong place to ask.
>>
>> On 06/11/13 04:56 PM, Hugh Irvine wrote:
>>> Hello Michael -
>>>
>>> This sounds like Cisco VPDN tunnelling.
>>>
>>> This example is from the standard “users” file in the Radiator distribution:
>>>
>>>
>>> # This example shows how to configure a Cisco VPDN circuit:
>>> open.com.au     User-Password=cisco, Service-Type=Outbound-User
>>>         cisco-avpair = "vpdn:tunnel-id=cca-gw",
>>>         cisco-avpair = "vpdn:ip-addresses=1.2.3.4",
>>>         cisco-avpair = "vpdn:nas-password=pw",
>>>         cisco-avpair = "vpdn:gw-password=pw"
>>>
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 7 Nov 2013, at 04:56, Michael <ringo at vianet.ca> wrote:
>>>
>>>> Has anyone ever seen a situation where, for every authentication attempt
>>>> to a Radiator system from a Cisco device, there is an authentication
>>>> attempt right before it that appears to be:
>>>>
>>>> - a domain (the username with the 'username@' part stripped off).
>>>> - plain text password is always 'cisco'.
>>>> - Service-Type = Outbound-User
>>>>
>>>> If I remove this line from the Cisco LNS:
>>>> aaa authorization network TEST group TEST
>>>> ...the extra auth attempts stop, but then my RADIUS network static
>>>> profiles don't work, so it's not a solution but it narrows down the problem.
>>>>
>>>> My auth requests for the Radiator system are essentially doubled due to
>>>> this.  This only started happening recently.  Network guys sometimes are
>>>> like a ticking time bomb and asking them can cause an explosion so I
>>>> thought I would ask here.
>>>>
>>>>
>>>> Mike
>>>> _______________________________________________
>>>> radiator mailing list
>>>> radiator at open.com.au
>>>> http://www.open.com.au/mailman/listinfo/radiator
>>> --
>>>
>>> Hugh Irvine
>>> hugh at open.com.au
>>>
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>>> DIAMETER etc.
>>> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>>
>>>
>



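An added example, not part of the thread or of the Radiator distribution: a Python script that picks the group-authorization requests described in this thread (bare domain as User-Name, password 'cisco', Service-Type = Outbound-User) out of a stream of Access-Requests and pairs each one with the user authentication it accompanies, so the doubled load can be measured and lookups with no matching user auth stand out. The record layout, the sample values and the 2-second pairing window are assumptions.

```python
# Constructed sample: (time_s, NAS address, User-Name, User-Password, Service-Type).
# All values are invented; a real feed would be parsed from the RADIUS auth log.
SAMPLE = [
    (100.0, "192.0.2.1", "example.net", "cisco", "Outbound-User"),
    (100.2, "192.0.2.1", "alice@example.net", "s3cret", "Framed-User"),
    (130.0, "192.0.2.1", "bob@example.net", "hunter2", "Framed-User"),
    (130.1, "192.0.2.1", "example.net", "cisco", "Outbound-User"),
    (200.0, "192.0.2.9", "carol@example.org", "pw", "Framed-User"),
    (500.0, "192.0.2.9", "example.org", "cisco", "Outbound-User"),
]

def is_group_lookup(user, password, service_type):
    """Signature from the thread: bare domain, password 'cisco', Outbound-User."""
    return "@" not in user and password == "cisco" and service_type == "Outbound-User"

def realm_of(user):
    """Part after the last '@', or None for a name without a realm."""
    return user.rpartition("@")[2] if "@" in user else None

def classify(requests, window=2.0):
    """Pair each group lookup with one user auth for the same domain from the
    same NAS within `window` seconds, in either order.
    Returns (paired, unpaired_lookups, user_names_without_lookup)."""
    lookups = [r for r in requests if is_group_lookup(*r[2:])]
    users = [r for r in requests if not is_group_lookup(*r[2:])]
    paired, unpaired, used = [], [], set()
    for lk in lookups:
        for i, u in enumerate(users):
            if (i not in used and u[1] == lk[1] and realm_of(u[2]) == lk[2]
                    and abs(u[0] - lk[0]) <= window):
                paired.append((lk[2], u[2]))
                used.add(i)
                break
        else:
            unpaired.append(lk)  # lookup with no user auth nearby
    lone = [u[2] for i, u in enumerate(users) if i not in used]
    return paired, unpaired, lone

def summary(requests):
    paired, unpaired, lone = classify(requests)
    return {"paired_lookups": len(paired), "unpaired_lookups": len(unpaired),
            "user_auths_without_lookup": len(lone)}

if __name__ == "__main__":
    print(summary(SAMPLE))
```
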