[RADIATOR] Radius domain only auth, with password='cisco'

Hartmaier Alexander alexander.hartmaier at t-systems.at
Thu Nov 7 11:34:42 CST 2013


It seems you don't understand the importance of those *authorization*
requests: without them every user could authenticate against *every*
xauth group you've configured!

On 2013-11-07 18:20, Michael wrote:
> So you are talking about actually authenticating these requests
> successfully, where I'm looking at stopping them. I guess I could just
> reject all Service-Type="Outbound-User" but I was kinda just hoping to
> stop the requests altogether. Thanks though. Maybe I will just make
> a handler config to just reject them.
>
>
> On 07/11/13 11:02 AM, Hartmaier Alexander wrote:
>> My memory might be wrong on the order of requests.
>> Our radiator config is as follows:
>>
>> # handler for vpn group-users
>> <Handler Realm="group1", Service-Type="Outbound-User">
>> # those group users are also stored in our database but with a different
>> # type, all have the password 'cisco'
>> # the reply attributes are group specific, e.g.:
>>
>> Session-Timeout=0
>> Framed-IP-Netmask=255.255.255.255
>> cisco-avpair="ipsec:dns-servers=1.2.3.4 1.2.3.5"
>> cisco-avpair="ipsec:addr-pool=group1_pool"
>>
>> cisco-avpair="ipsec:tunnel-password=foobarbaz"
>> cisco-avpair="ipsec:default-domain=customer.tld"
>> # these control the Cisco IPSec 5.x client settings
>> cisco-avpair="ipsec:firewall=0"
>> cisco-avpair="ipsec:include-local-lan=0"
>> cisco-avpair="ipsec:save-password=0"
>>
>> </Handler>
>>
>> # handler for vpn users
>> <Handler Realm="yourrealm">
>> # those group users are also stored in our database but with a different
>> # type
>>
>> # The reply attributes contain some of the above, not sure which one
>> # overrides the other
>>
>> </Handler>
>>
>> On 2013-11-07 15:22, Michael wrote:
>>> I don't understand it. The requests I'm speaking of all come before
>>> the user auth, not after. And they, of course, are all being rejected
>>> because we don't even know what they are, nor use them, nor need them.
>>>
>>> On 07/11/13 03:40 AM, Hartmaier Alexander wrote:
>>>> Yes, a Cisco IOS router configured to terminate IPSec IKEv1 client vpn
>>>> will send such an authorization request after the user auth to
>>>> check if
>>>> the user is allowed to connect using this group.
>>>>
>>>> On 2013-11-07 06:04, Hugh Irvine wrote:
>>>>> Hello Michael -
>>>>>
>>>>> This is configured on the Cisco box - you will need to ask your
>>>>> network people to turn it off.
>>>>>
>>>>> regards
>>>>>
>>>>> Hugh
>>>>>
>>>>>
>>>>> On 7 Nov 2013, at 10:05, Michael <ringo at vianet.ca> wrote:
>>>>>
>>>>>> I'm looking to stop it, not set it up. I'm not sure what had
>>>>>> enabled/configured it to start happening. I guess this is probably
>>>>>> the wrong place to ask.
>>>>>>
>>>>>> On 06/11/13 04:56 PM, Hugh Irvine wrote:
>>>>>>> Hello Michael -
>>>>>>>
>>>>>>> This sounds like Cisco VPDN tunnelling.
>>>>>>>
>>>>>>> This example is from the standard “users” file in the Radiator
>>>>>>> distribution:
>>>>>>>
>>>>>>>
>>>>>>> # This example shows how to configure a Cisco VPDN circuit:
>>>>>>> open.com.au     User-Password=cisco, Service-Type=Outbound-User
>>>>>>>           cisco-avpair = "vpdn:tunnel-id=cca-gw",
>>>>>>>           cisco-avpair = "vpdn:ip-addresses=1.2.3.4",
>>>>>>>           cisco-avpair = "vpdn:nas-password=pw",
>>>>>>>           cisco-avpair = "vpdn:gw-password=pw"
>>>>>>>
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Hugh
>>>>>>>
>>>>>>>
>>>>>>> On 7 Nov 2013, at 04:56, Michael <ringo at vianet.ca> wrote:
>>>>>>>
>>>>>>>> Has anyone ever seen a situation where, for every authentication
>>>>>>>> attempt to a radiator system from a cisco device, there is an
>>>>>>>> authentication attempt right before it that appears to be:
>>>>>>>>
>>>>>>>> - a domain (the username with the 'username@' part stripped off).
>>>>>>>> - plain text password is always 'cisco'.
>>>>>>>> - Service-Type = Outbound-User
>>>>>>>>
>>>>>>>> If I remove this line from the Cisco LNS:
>>>>>>>> aaa authorization network TEST group TEST
>>>>>>>> ...the extra auth attempts stop, but then my radius network static
>>>>>>>> profiles don't work, so it's not a solution but it narrows down
>>>>>>>> the problem.
>>>>>>>>
>>>>>>>> My auth requests for the radiator system are essentially doubled
>>>>>>>> due to this. This only started happening recently. Network guys
>>>>>>>> sometimes are like a ticking time bomb and asking them can cause
>>>>>>>> an explosion, so I thought I would ask here.
>>>>>>>>
>>>>>>>>
>>>>>>>> Mike
>>>>>>>> _______________________________________________
>>>>>>>> radiator mailing list
>>>>>>>> radiator at open.com.au
>>>>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>>>> -- 
>>>>>>>
>>>>>>> Hugh Irvine
>>>>>>> hugh at open.com.au
>>>>>>>
>>>>>>> Radiator: the most portable, flexible and configurable RADIUS
>>>>>>> server
>>>>>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT,
>>>>>>> Emerald,
>>>>>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP,
>>>>>>> TLS,
>>>>>>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>>>>>>> DIAMETER etc.
>>>>>>> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>>>>>>
>>>>>>>
>>>>>
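The request pair Michael describes (group authorization with Service-Type=Outbound-User and password 'cisco', then the user's own auth) and the two-handler split in Alexander's config, modelled as an added Python example. This is not Radiator's or Cisco's code: the group profiles, the user table, the constructed requests and the dispatch rules are assumptions made for illustration. It also runs the "just reject all Outbound-User" idea from the thread so that its effect on the assembled client profile is visible.

```python
"""Toy model of the two RADIUS requests a Cisco IOS IPSec/VPDN concentrator
sends per VPN login and of a Handler-style dispatch for them.

Added example for this thread; it is not Radiator's or Cisco's code. The
group profiles, the user table, the constructed requests and the dispatch
rules below are assumptions made for illustration.
"""

OUTBOUND_USER = "Outbound-User"
GROUP_PASSWORD = "cisco"  # fixed password IOS sends in the group authorization request

# Reply attributes per group, as in the thread's Realm="group1" handler (values constructed)
GROUP_PROFILES = {
    "group1": {
        "Session-Timeout": "0",
        "Framed-IP-Netmask": "255.255.255.255",
        "cisco-avpair": [
            "ipsec:addr-pool=group1_pool",
            "ipsec:default-domain=customer.tld",
        ],
    },
}

# Constructed user table for the Realm="yourrealm" handler
USERS = {
    "alice@yourrealm": "correct-horse",
}


def classify(req):
    """Tell the group authorization IOS sends apart from the user's own auth:
    Service-Type=Outbound-User and a bare group name (no 'user@' part)."""
    bare_name = "@" not in req.get("User-Name", "")
    if req.get("Service-Type") == OUTBOUND_USER and bare_name:
        return "group-authorization"
    return "user-authentication"


def handle_group_authorization(req):
    """Accept only groups that have a profile; unknown groups are rejected."""
    group = req["User-Name"]
    if req.get("User-Password") != GROUP_PASSWORD or group not in GROUP_PROFILES:
        return "Access-Reject", {}
    return "Access-Accept", dict(GROUP_PROFILES[group])


def handle_user_authentication(req):
    """Plain password check against the constructed user table."""
    name = req.get("User-Name", "")
    if USERS.get(name) != req.get("User-Password"):
        return "Access-Reject", {}
    return "Access-Accept", {"Session-Timeout": "3600"}


def dispatch(req, reject_outbound_user=False):
    """Pick a handler the way the thread's config does: by Service-Type and name.

    reject_outbound_user=True models the 'just reject them all' idea from the
    thread, so its effect on the assembled profile can be seen."""
    kind = classify(req)
    if kind == "group-authorization":
        if reject_outbound_user:
            return kind, "Access-Reject", {}
        code, reply = handle_group_authorization(req)
    else:
        code, reply = handle_user_authentication(req)
    return kind, code, reply


def process_login(requests, reject_outbound_user=False):
    """Run one VPN login's request sequence and assemble the client profile.

    Returns (per-request log, merged reply). Group attributes go in first and
    the user's reply is layered on top; which side wins on a real Cisco box is
    exactly the question left open in the thread, so this order is an assumption."""
    log, merged = [], {}
    for req in requests:
        kind, code, reply = dispatch(req, reject_outbound_user)
        log.append((kind, req["User-Name"], code))
        if code == "Access-Accept":
            merged.update(reply)
    return log, merged


# Constructed request pair: what the thread describes seeing for one login
LOGIN = [
    {"User-Name": "group1", "User-Password": "cisco", "Service-Type": OUTBOUND_USER},
    {"User-Name": "alice@yourrealm", "User-Password": "correct-horse"},
]

if __name__ == "__main__":
    for flag in (False, True):
        log, profile = process_login(LOGIN, reject_outbound_user=flag)
        print("reject Outbound-User =", flag)
        for entry in log:
            print("  ", entry)
        print("   profile:", profile)
```

Running it shows the point of the thread: with the group authorization answered, the client profile carries the group's ipsec attributes; with every Outbound-User request rejected, the user still authenticates but the profile has no pool or domain, which matches what Michael saw when he removed the `aaa authorization network` line.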