[RADIATOR] Radius domain only auth, with password='cisco'

Hartmaier Alexander alexander.hartmaier at t-systems.at
Thu Nov 7 10:02:34 CST 2013


My memory might be wrong on the order of requests.
Our radiator config is as follows:

# handler for vpn group-users
<Handler Realm="group1", Service-Type="Outbound-User">
# those group users are also stored in our database but with a different
# type, all have the password 'cisco'
# the reply attributes are group specific, e.g.:

Session-Timeout=0
Framed-IP-Netmask=255.255.255.255
cisco-avpair="ipsec:dns-servers=1.2.3.4 1.2.3.5"
cisco-avpair="ipsec:addr-pool=group1_pool"

cisco-avpair="ipsec:tunnel-password=foobarbaz"
cisco-avpair="ipsec:default-domain=customer.tld"
# these control the Cisco IPSec 5.x client settings
cisco-avpair="ipsec:firewall=0"
cisco-avpair="ipsec:include-local-lan=0"
cisco-avpair="ipsec:save-password=0"

</Handler>

# handler for vpn users
<Handler Realm="yourrealm">
# those group users are also stored in our database but with a different
# type

# The reply attributes contain some of the above, not sure which one
# overrides the other

</Handler>

On 2013-11-07 15:22, Michael wrote:
> I don't understand it. The requests I'm speaking of all come before
> the user auth, not after. And they of course are all being rejected
> because we don't even know what they are, nor use them, nor need them.
>
> On 07/11/13 03:40 AM, Hartmaier Alexander wrote:
>> Yes, a Cisco IOS router configured to terminate IPSec IKEv1 client vpn
>> will send such an authorization request after the user auth to check if
>> the user is allowed to connect using this group.
>>
>> On 2013-11-07 06:04, Hugh Irvine wrote:
>>> Hello Michael -
>>>
>>> This is configured on the Cisco box - you will need to ask your
>>> network people to turn it off.
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 7 Nov 2013, at 10:05, Michael <ringo at vianet.ca> wrote:
>>>
>>>> I'm looking to stop it, not set it up. I'm not sure what had
>>>> enabled/configured it to start happening. I guess this is probably
>>>> the wrong place to ask.
>>>>
>>>> On 06/11/13 04:56 PM, Hugh Irvine wrote:
>>>>> Hello Michael -
>>>>>
>>>>> This sounds like Cisco VPDN tunnelling.
>>>>>
>>>>> This example is from the standard “users” file in the Radiator
>>>>> distribution:
>>>>>
>>>>>
>>>>> # This example shows how to configure a Cisco VPDN circuit:
>>>>> open.com.au     User-Password=cisco, Service-Type=Outbound-User
>>>>>          cisco-avpair = "vpdn:tunnel-id=cca-gw",
>>>>>          cisco-avpair = "vpdn:ip-addresses=1.2.3.4",
>>>>>          cisco-avpair = "vpdn:nas-password=pw",
>>>>>          cisco-avpair = "vpdn:gw-password=pw"
>>>>>
>>>>>
>>>>> regards
>>>>>
>>>>> Hugh
>>>>>
>>>>>
>>>>> On 7 Nov 2013, at 04:56, Michael <ringo at vianet.ca> wrote:
>>>>>
>>>>>> Has anyone ever seen a situation where, for every authentication
>>>>>> attempt to a radiator system from a cisco device, there is an
>>>>>> authentication attempt right before it that appears to be:
>>>>>>
>>>>>> - a domain (the username with the 'username@' part stripped off).
>>>>>> - plain text password is always 'cisco'.
>>>>>> - Service-Type = Outbound-User
>>>>>>
>>>>>> If I remove this line from the cisco lns:
>>>>>> aaa authorization network TEST group TEST
>>>>>> ...the extra auth attempts stop, but then my radius network static
>>>>>> profiles don't work, so it's not a solution but it narrows down
>>>>>> the problem.
>>>>>>
>>>>>> My auth requests for the radiator system are essentially doubled
>>>>>> due to this. This only started happening recently. Network guys
>>>>>> sometimes are like a ticking time bomb and asking them can cause an
>>>>>> explosion so I thought I would ask here.
>>>>>>
>>>>>>
>>>>>> Mike
>>>>>> _______________________________________________
>>>>>> radiator mailing list
>>>>>> radiator at open.com.au
>>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>> -- 
>>>>>
>>>>> Hugh Irvine
>>>>> hugh at open.com.au
>>>>>
>>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP,
>>>>> TLS,
>>>>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>>>>> DIAMETER etc.
>>>>> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>>>>
>>>>>
>>
>>
>>
>
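Added example, not from the thread or from Radiator: a small Python script that classifies decoded Access-Requests into the Cisco group-authorization probes Michael describes (bare realm as User-Name, password 'cisco', Service-Type Outbound-User) and the user logins that follow them, pairing each probe with the next login in the same realm so an operator can measure the doubled request volume. The attribute dictionaries, request ids and sample requests are constructed for illustration.

```python
from collections import defaultdict

PROBE_PASSWORD = "cisco"            # plaintext password the Cisco box sends
PROBE_SERVICE_TYPE = "Outbound-User"


def realm_of(user_name):
    """Realm part of 'user@realm'; the whole name when there is no '@'."""
    return user_name.rpartition("@")[2]


def is_group_probe(req):
    """True for the pre-authentication request described in the thread:
    User-Name is only the realm, User-Password is 'cisco' and
    Service-Type is Outbound-User."""
    return (
        "@" not in req["User-Name"]
        and req.get("User-Password") == PROBE_PASSWORD
        and req.get("Service-Type") == PROBE_SERVICE_TYPE
    )


def pair_probes(requests):
    """Return (pairs, unmatched_probe_ids, user_auth_ids).

    Requests are processed in arrival order. A probe is matched to the next
    user@realm login for its realm, so each pair is one doubled round trip
    on the RADIUS server; probes left in the queue had no login after them.
    """
    pending = defaultdict(list)      # realm -> probe ids awaiting a login
    pairs, user_auths = [], []
    for req in requests:
        if is_group_probe(req):
            pending[req["User-Name"]].append(req["id"])
        elif "@" in req["User-Name"]:            # logins carry user@realm
            user_auths.append(req["id"])
            queue = pending[realm_of(req["User-Name"])]
            if queue:
                pairs.append((queue.pop(0), req["id"]))
    unmatched = [pid for ids in pending.values() for pid in ids]
    return pairs, unmatched, user_auths


# Constructed sample, not captured traffic: 1 is the probe for realm 'group1'
# preceding alice's login (2); 3 is a probe for 'group2' with no login after it.
SAMPLE = [
    {"id": 1, "User-Name": "group1", "User-Password": "cisco", "Service-Type": "Outbound-User"},
    {"id": 2, "User-Name": "alice@group1", "User-Password": "s3cret", "Service-Type": "Framed-User"},
    {"id": 3, "User-Name": "group2", "User-Password": "cisco", "Service-Type": "Outbound-User"},
    {"id": 4, "User-Name": "bob@group1", "User-Password": "hunter2", "Service-Type": "Framed-User"},
]

if __name__ == "__main__":
    pairs, unmatched, users = pair_probes(SAMPLE)
    print(f"{len(users)} logins, {len(pairs)} preceded by a group probe, {len(unmatched)} stray probes")
```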
