My memory might be wrong on the order of requests. Our radiator config is as follows:
# handler for vpn group-users
<Handler Realm="group1", Service-Type="Outbound-User">
    # those group users are also stored in our database but with a different type, all have the password 'cisco'
    # the reply attributes are group specific, e.g.:
    Session-Timeout=0
    Framed-IP-Netmask=255.255.255.255
    cisco-avpair="ipsec:dns-servers=1.2.3.4 1.2.3.5"
    cisco-avpair="ipsec:addr-pool=group1_pool"
    cisco-avpair="ipsec:tunnel-password=foobarbaz"
    cisco-avpair="ipsec:default-domain=customer.tld"
    # these control the Cisco IPSec 5.x client settings
    cisco-avpair="ipsec:firewall=0"
    cisco-avpair="ipsec:include-local-lan=0"
    cisco-avpair="ipsec:save-password=0"
</Handler>

# handler for vpn users
<Handler Realm="yourrealm">
    # those group users are also stored in our database but with a different type
    The reply attributes contain some of the above, not sure which one overrides the other
</Handler>

On 2013-11-07 15:22, Michael wrote:
> I don't understand it. The requests I'm speaking of all come before
> the user auth, not after. And, they of course are all being rejected
> because we don't even know what they are, nor use them, nor need them.
>
> On 07/11/13 03:40 AM, Hartmaier Alexander wrote:
>> Yes, a Cisco IOS router configured to terminate IPSec IKEv1 client vpn
>> will send such an authorization request after the user auth to check if
>> the user is allowed to connect using this group.
>>
>> On 2013-11-07 06:04, Hugh Irvine wrote:
>>> Hello Michael -
>>>
>>> This is configured on the Cisco box - you will need to ask your
>>> network people to turn it off.
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 7 Nov 2013, at 10:05, Michael <ri...@vianet.ca> wrote:
>>>
>>>> I'm looking to stop it, not set it up. I'm not sure what had
>>>> enabled/configured it to start happening. I guess this is probably
>>>> the wrong place to ask.
>>>>
>>>> On 06/11/13 04:56 PM, Hugh Irvine wrote:
>>>>> Hello Michael -
>>>>>
>>>>> This sounds like Cisco VPDN tunnelling.
>>>>>
>>>>> This example is from the standard "users" file in the Radiator
>>>>> distribution:
>>>>>
>>>>>
>>>>> # This example shows how to configure a Cisco VPDN circuit:
>>>>> open.com.au User-Password=cisco, Service-Type=Outbound-User
>>>>>     cisco-avpair = "vpdn:tunnel-id=cca-gw",
>>>>>     cisco-avpair = "vpdn:ip-addresses=1.2.3.4",
>>>>>     cisco-avpair = "vpdn:nas-password=pw",
>>>>>     cisco-avpair = "vpdn:gw-password=pw"
>>>>>
>>>>>
>>>>> regards
>>>>>
>>>>> Hugh
>>>>>
>>>>>
>>>>> On 7 Nov 2013, at 04:56, Michael <ri...@vianet.ca> wrote:
>>>>>
>>>>>> Has anyone ever seen a situation where, for every authentication
>>>>>> attempt to a radiator system from a cisco device, there is an
>>>>>> authentication attempt right before it that appears to be:
>>>>>>
>>>>>> - a domain (the username with the 'username@' part stripped off).
>>>>>> - plain text password is always 'cisco'.
>>>>>> - Service-Type = Outbound-User
>>>>>>
>>>>>> If I remove this line from the cisco lns:
>>>>>> aaa authorization network TEST group TEST
>>>>>> ...the extra auth attempts stop, but then my radius network static
>>>>>> profiles don't work, so it's not a solution but it narrows down
>>>>>> the problem.
>>>>>>
>>>>>> My auth requests for the radiator system are essentially doubled
>>>>>> due to this. This only started happening recently. Network guys
>>>>>> sometimes are like a ticking time bomb and asking them can cause
>>>>>> an explosion, so I thought I would ask here.
>>>>>>
>>>>>>
>>>>>> Mike
>>>>>> _______________________________________________
>>>>>> radiator mailing list
>>>>>> radiator@open.com.au
>>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>> --
>>>>>
>>>>> Hugh Irvine
>>>>> h...@open.com.au
>>>>>
>>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>>> anywhere.
>>>>> SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP,
>>>>> TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>>>>> DIAMETER etc.
>>>>> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
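The behaviour the thread is circling around, as an added example that is not part of any of the messages above and is not Radiator's own code: a small Python model of first-match <Handler> dispatch, used to show why the Cisco group-authorization request (User-Name = the group, User-Password = 'cisco', Service-Type = Outbound-User) is rejected when only a user Handler exists, and how a Handler placed in front of it catches the request and answers with the group's reply attributes. Everything in it is assumed for the example: Handlers are tried in order and the first whose check items all match wins; 'Realm' is the part of User-Name after '@' and is empty for a bare name (so, in this model, a Realm-only check never sees the group request, which is why the group Handler here keys on Service-Type instead of the Realm check Hartmaier's config uses); a request that matches no Handler gets no reply; the in-memory table standing in for the SQL database, the user 'joe', the group 'group1' and all passwords are constructed.

```python
"""Added example: a model of Radiator-style <Handler> dispatch (assumptions,
not Radiator's code): first matching Handler wins, check items are ANDed,
'Realm' is derived from User-Name, an unmatched request gets no reply."""
from dataclasses import dataclass

# Constructed stand-in for the SQL table the thread mentions: users and groups
# share one table and are told apart by a 'type' column.
USER_DB = {
    ("joe", "user"): {"password": "s3cret", "reply": {"Framed-IP-Address": "10.0.0.5"}},
    ("group1", "group"): {"password": "cisco", "reply": {
        "Session-Timeout": "0",
        "Framed-IP-Netmask": "255.255.255.255",
        "cisco-avpair": ["ipsec:addr-pool=group1_pool", "ipsec:save-password=0"],
    }},
}


@dataclass
class Handler:
    name: str
    checks: dict   # check items, ANDed like a <Handler a=b, c=d> clause
    db_type: str   # which row type this Handler authenticates against


def realm_of(user_name: str) -> str:
    """Realm = text after the last '@'; a bare name has an empty realm (assumed)."""
    return user_name.rpartition("@")[2] if "@" in user_name else ""


def check_value(req: dict, item: str) -> str:
    """Value a check item is compared against; 'Realm' is derived, not sent."""
    return realm_of(req.get("User-Name", "")) if item == "Realm" else req.get(item, "")


def select_handler(handlers, req):
    """First-match dispatch over the configured Handlers (assumed semantics)."""
    for h in handlers:
        if all(check_value(req, k) == v for k, v in h.checks.items()):
            return h
    return None


def authenticate(handler, req):
    """Look the request up in the row type owned by the Handler."""
    name = req.get("User-Name", "")
    # group requests carry the bare group name; user requests carry user@realm
    key = name if handler.db_type == "group" else name.partition("@")[0]
    row = USER_DB.get((key, handler.db_type))
    if row is None or row["password"] != req.get("User-Password"):
        return ("Access-Reject", {})
    return ("Access-Accept", row["reply"])


def process(handlers, req):
    h = select_handler(handlers, req)
    if h is None:
        return ("ignored", None)  # nothing matched: no reply is sent (assumed)
    return authenticate(h, req)


# Constructed pair of requests the router sends for one IPsec client login, in
# the order Michael describes: group authorization first, then the user.
LOGIN_SEQUENCE = [
    {"User-Name": "group1", "User-Password": "cisco", "Service-Type": "Outbound-User"},
    {"User-Name": "joe@group1", "User-Password": "s3cret"},
]

# Michael's situation: a single catch-all user Handler, so the group request
# is looked up as a user, not found, and rejected.
HANDLERS_USERS_ONLY = [Handler("users", {}, "user")]

# A user Handler keyed on Realm only: the bare group name has no realm in this
# model, so the group request matches nothing and is silently dropped.
HANDLERS_REALM_ONLY = [Handler("users", {"Realm": "group1"}, "user")]

# Hartmaier's shape: a Handler for the group request placed before the user one.
HANDLERS_WITH_GROUP = [
    Handler("group-users", {"Service-Type": "Outbound-User"}, "group"),
    Handler("users", {}, "user"),
]


def simulate_login(handlers):
    """Outcome of each request of LOGIN_SEQUENCE under the given Handler list."""
    return [process(handlers, req) for req in LOGIN_SEQUENCE]


if __name__ == "__main__":
    for label, hs in (("users only", HANDLERS_USERS_ONLY),
                      ("realm only", HANDLERS_REALM_ONLY),
                      ("with group", HANDLERS_WITH_GROUP)):
        print(label, simulate_login(hs))
```

The ordering matters: the group Handler has to come first, and its Service-Type check is what keeps an ordinary user request (which carries no Service-Type=Outbound-User) from being looked up as a group. Conversely, a request that does carry Service-Type=Outbound-User but names a real user is rejected by the group Handler rather than falling through, because the lookup is restricted to rows of type 'group'.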