[RADIATOR] Radius domain only auth, with password='cisco'

Hartmaier Alexander alexander.hartmaier at t-systems.at
Fri Nov 8 02:54:22 CST 2013


We for example have a pair of Cisco IOS routers with multiple VRFs
(usually one per customer) where client VPNs terminate, one xauth group
per customer, and these authorization requests make sure that a user of
customer1 can't connect with another group.

On 2013-11-07 18:57, Michael wrote:
> What I do understand is that they are being rejected anyway because I
> have no config for it. They're all rejected. What's the point of
> having requests like these being rejected? It's true I don't
> understand what they are for, but at the same time they're not
> working. So how are they important?
>
>
>
> On 07/11/13 12:34 PM, Hartmaier Alexander wrote:
>> It seems you don't understand the importance of those *authorization*
>> requests: without them every user could authenticate against *every*
>> xauth group you've configured!
>>
>> On 2013-11-07 18:20, Michael wrote:
>>> So you are talking about actually authenticating these requests
>>> successfully where I'm looking at stopping them. I guess I could just
>>> reject all Service-Type="Outbound-User" but I was kinda just hoping to
>>> stop the requests altogether. Thanks though. Maybe I will just make
>>> a handler config to just reject them.
>>>
>>>
>>> On 07/11/13 11:02 AM, Hartmaier Alexander wrote:
>>>> My memory might be wrong on the order of requests.
>>>> Our radiator config is as follows:
>>>>
>>>> # handler for vpn group-users
>>>> <Handler Realm="group1", Service-Type="Outbound-User">
>>>> # those group users are also stored in our database but with a
>>>> # different type, all have the password 'cisco'
>>>> # the reply attributes are group specific, e.g.:
>>>>
>>>> Session-Timeout=0
>>>> Framed-IP-Netmask=255.255.255.255
>>>> cisco-avpair="ipsec:dns-servers=1.2.3.4 1.2.3.5"
>>>> cisco-avpair="ipsec:addr-pool=group1_pool"
>>>>
>>>> cisco-avpair="ipsec:tunnel-password=foobarbaz"
>>>> cisco-avpair="ipsec:default-domain=customer.tld"
>>>> # these control the Cisco IPSec 5.x client settings
>>>> cisco-avpair="ipsec:firewall=0"
>>>> cisco-avpair="ipsec:include-local-lan=0"
>>>> cisco-avpair="ipsec:save-password=0"
>>>>
>>>> </Handler>
>>>>
>>>> # handler for vpn users
>>>> <Handler Realm="yourrealm">
>>>> # those group users are also stored in our database but with a
>>>> # different type
>>>>
>>>> The reply attributes contain some of the above, not sure which one
>>>> overrides the other
>>>>
>>>> </Handler>
>>>>
>>>> On 2013-11-07 15:22, Michael wrote:
>>>>> I don't understand it. The requests I'm speaking of all come before
>>>>> the user auth, not after. And they of course are all being rejected
>>>>> because we don't even know what they are, nor use them, nor need them.
>>>>>
>>>>> On 07/11/13 03:40 AM, Hartmaier Alexander wrote:
>>>>>> Yes, a Cisco IOS router configured to terminate IPSec IKEv1 client VPN
>>>>>> will send such an authorization request after the user auth to check if
>>>>>> the user is allowed to connect using this group.
>>>>>>
>>>>>> On 2013-11-07 06:04, Hugh Irvine wrote:
>>>>>>> Hello Michael -
>>>>>>>
>>>>>>> This is configured on the Cisco box - you will need to ask your
>>>>>>> network people to turn it off.
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Hugh
>>>>>>>
>>>>>>>
>>>>>>> On 7 Nov 2013, at 10:05, Michael <ringo at vianet.ca> wrote:
>>>>>>>
>>>>>>>> I'm looking to stop it, not set it up. I'm not sure what had
>>>>>>>> enabled/configured it to start happening. I guess this is probably
>>>>>>>> the wrong place to ask.
>>>>>>>>
>>>>>>>> On 06/11/13 04:56 PM, Hugh Irvine wrote:
>>>>>>>>> Hello Michael -
>>>>>>>>>
>>>>>>>>> This sounds like Cisco VPDN tunnelling.
>>>>>>>>>
>>>>>>>>> This example is from the standard “users” file in the Radiator
>>>>>>>>> distribution:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> # This example shows how to configure a Cisco VPDN circuit:
>>>>>>>>> open.com.au     User-Password=cisco, Service-Type=Outbound-User
>>>>>>>>>            cisco-avpair = "vpdn:tunnel-id=cca-gw",
>>>>>>>>>            cisco-avpair = "vpdn:ip-addresses=1.2.3.4",
>>>>>>>>>            cisco-avpair = "vpdn:nas-password=pw",
>>>>>>>>>            cisco-avpair = "vpdn:gw-password=pw"
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> regards
>>>>>>>>>
>>>>>>>>> Hugh
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 7 Nov 2013, at 04:56, Michael <ringo at vianet.ca> wrote:
>>>>>>>>>
>>>>>>>>>> Has anyone ever seen a situation where, for every authentication
>>>>>>>>>> attempt to a radiator system from a cisco device, there is an
>>>>>>>>>> authentication attempt right before it that appears to be:
>>>>>>>>>>
>>>>>>>>>> - a domain (the username with the 'username@' part stripped off).
>>>>>>>>>> - plain text password is always 'cisco'.
>>>>>>>>>> - Service-Type = Outbound-User
>>>>>>>>>>
>>>>>>>>>> If I remove this line from the cisco lns:
>>>>>>>>>> aaa authorization network TEST group TEST
>>>>>>>>>> ...the extra auth attempts stop, but then my radius network static
>>>>>>>>>> profiles don't work, so it's not a solution but it narrows down
>>>>>>>>>> the problem.
>>>>>>>>>>
>>>>>>>>>> My auth requests for the radiator system are essentially doubled
>>>>>>>>>> due to this. This only started happening recently. Network guys
>>>>>>>>>> sometimes are like a ticking time bomb and asking them can cause
>>>>>>>>>> an explosion so I thought I would ask here.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Mike
>>>>>>>>>> _______________________________________________
>>>>>>>>>> radiator mailing list
>>>>>>>>>> radiator at open.com.au
>>>>>>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>>>>>> -- 
>>>>>>>>>
>>>>>>>>> Hugh Irvine
>>>>>>>>> hugh at open.com.au
>>>>>>>>>
>>>>>>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>>>>>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>>>>>>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>>>>>>>>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>>>>>>>>> DIAMETER etc.
>>>>>>>>> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>>>>>>>>
>>>>>>>>>
>>
>

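The group-authorization flow discussed in this thread, written out as a complete Radiator configuration. This is an added example, not Alexander's config or anything shipped with Radiator; it assumes, as the thread reports, that the IOS router sends the xauth group name as User-Name with the fixed password 'cisco' and Service-Type=Outbound-User, and the client address, shared secret, group names and file paths are placeholders.

```apache
# Added example (not from the thread): answer the Cisco IOS xauth
# group-authorization requests in their own handler instead of letting
# them fall through to the per-user handler and be rejected.
# Assumptions: router 192.0.2.1 (placeholder); each group request carries
# User-Name=<group>, User-Password=cisco, Service-Type=Outbound-User.
Foreground
LogStdout
LogDir  /var/log/radiator
DbDir   /etc/radiator
Trace   3

<Client 192.0.2.1>
    # placeholder secret; this, not the fixed 'cisco' password, is what
    # authenticates the router to the RADIUS server
    Secret  CHANGE_ME_shared_secret
</Client>

# 1. Group authorization. Handlers are tried in order, so these requests
#    are matched here and never reach the user handler below.
#    The 'cisco' password is the IOS convention for these lookups, not a
#    credential: what makes the check meaningful is that only the groups
#    listed in %D/groups get an Access-Accept, so a user of customer1
#    cannot be admitted to customer2's group.
<Handler Service-Type=Outbound-User>
    <AuthBy FILE>
        Filename %D/groups
    </AuthBy>
</Handler>
# Contents of %D/groups (users-file format, one entry per xauth group;
# a group that is not listed fails the lookup and is rejected):
#   customer1   User-Password=cisco, Service-Type=Outbound-User
#               Session-Timeout=0,
#               cisco-avpair="ipsec:addr-pool=customer1_pool",
#               cisco-avpair="ipsec:default-domain=customer1.tld"
#   customer2   User-Password=cisco, Service-Type=Outbound-User
#               cisco-avpair="ipsec:addr-pool=customer2_pool"

# 2. Real xauth user logins (user@customer1 etc.) keep their own handler.
<Handler Realm=customer1>
    <AuthBy FILE>
        Filename %D/users
    </AuthBy>
</Handler>

# 3. Anything else is rejected explicitly rather than left unmatched,
#    which keeps the reject visible in the log.
<Handler>
    <AuthBy INTERNAL>
        DefaultResult REJECT
    </AuthBy>
</Handler>
```

With this in place the "doubled" requests Michael sees are expected: each login is one user authentication plus one group authorization, and removing the aaa authorization line on the router removes the check that enforces group membership.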

