It seems you don't understand the importance of those *authorization* requests: without them every user could authenticate against *every* xauth group you've configured!
On 2013-11-07 18:20, Michael wrote:
> so you are talking about actually authenticating these requests
> successfully where i'm looking at stopping them. I guess i could just
> reject all Service-Type="Outbound-User" but i was kinda just hoping to
> stop the requests all together. Thanks though. maybe i will just make
> a handler config to just reject them.
>
> On 07/11/13 11:02 AM, Hartmaier Alexander wrote:
>> My memory might be wrong on the order of requests.
>> Our radiator config is as follows:
>>
>> # handler for vpn group-users
>> <Handler Realm="group1", Service-Type="Outbound-User">
>> # those group users are also stored in our database but with a different
>> # type, all have the password 'cisco'
>> # the reply attributes are group specific, e.g.:
>>
>> Session-Timeout=0
>> Framed-IP-Netmask=255.255.255.255
>> cisco-avpair="ipsec:dns-servers=1.2.3.4 1.2.3.5"
>> cisco-avpair="ipsec:addr-pool=group1_pool"
>> cisco-avpair="ipsec:tunnel-password=foobarbaz"
>> cisco-avpair="ipsec:default-domain=customer.tld"
>> # these control the Cisco IPSec 5.x client settings
>> cisco-avpair="ipsec:firewall=0"
>> cisco-avpair="ipsec:include-local-lan=0"
>> cisco-avpair="ipsec:save-password=0"
>>
>> </Handler>
>>
>> # handler for vpn users
>> <Handler Realm="yourrealm">
>> # those group users are also stored in our database but with a different
>> # type
>>
>> The reply attributes contain some of the above, not sure which one
>> overrides the other
>>
>> </Handler>
>>
>> On 2013-11-07 15:22, Michael wrote:
>>> i don't understand it. The requests i'm speaking of all come before
>>> the user auth. not after. And, they of course are all being rejected
>>> because we don't even know what they are, nor use them, nor need them.
>>>
>>> On 07/11/13 03:40 AM, Hartmaier Alexander wrote:
>>>> Yes, a Cisco IOS router configured to terminate IPSec IKEv1 client vpn
>>>> will send such an authorization request after the user auth to check if
>>>> the user is allowed to connect using this group.
>>>>
>>>> On 2013-11-07 06:04, Hugh Irvine wrote:
>>>>> Hello Michael -
>>>>>
>>>>> This is configured on the Cisco box - you will need to ask your
>>>>> network people to turn it off.
>>>>>
>>>>> regards
>>>>>
>>>>> Hugh
>>>>>
>>>>> On 7 Nov 2013, at 10:05, Michael <ri...@vianet.ca> wrote:
>>>>>
>>>>>> i'm looking to stop it. not set it up. i'm not sure what had
>>>>>> enabled/configured it to start happening. I guess this is probably
>>>>>> the wrong place to ask.
>>>>>>
>>>>>> On 06/11/13 04:56 PM, Hugh Irvine wrote:
>>>>>>> Hello Michael -
>>>>>>>
>>>>>>> This sounds like Cisco VPDN tunnelling.
>>>>>>>
>>>>>>> This example is from the standard "users" file in the Radiator
>>>>>>> distribution:
>>>>>>>
>>>>>>> # This example shows how to configure a Cisco VPDN circuit:
>>>>>>> open.com.au User-Password=cisco, Service-Type=Outbound-User
>>>>>>>     cisco-avpair = "vpdn:tunnel-id=cca-gw",
>>>>>>>     cisco-avpair = "vpdn:ip-addresses=1.2.3.4",
>>>>>>>     cisco-avpair = "vpdn:nas-password=pw",
>>>>>>>     cisco-avpair = "vpdn:gw-password=pw"
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Hugh
>>>>>>>
>>>>>>> On 7 Nov 2013, at 04:56, Michael <ri...@vianet.ca> wrote:
>>>>>>>
>>>>>>>> Has anyone ever seen a situation where, for every authentication
>>>>>>>> attempt to a radiator system from a cisco device, there is an
>>>>>>>> authentication attempt right before it that appears to be:
>>>>>>>>
>>>>>>>> - a domain (the username with the 'username@' part stripped off).
>>>>>>>> - plain text password is always 'cisco'.
>>>>>>>> - Service-Type = Outbound-User
>>>>>>>>
>>>>>>>> if I remove this line from the cisco lns:
>>>>>>>> aaa authorization network TEST group TEST
>>>>>>>> ...the extra auth attempts stop, but then my radius network static
>>>>>>>> profiles don't work, so it's not a solution but it narrows down
>>>>>>>> the problem.
>>>>>>>>
>>>>>>>> my auth requests for the radiator system are essentially doubled
>>>>>>>> due to this. This only started happening recently. Network guys
>>>>>>>> sometimes are like a ticking time bomb and asking them can cause
>>>>>>>> an explosion so i thought i would ask here.
>>>>>>>>
>>>>>>>> Mike
>>>>>>>> _______________________________________________
>>>>>>>> radiator mailing list
>>>>>>>> radiator@open.com.au
>>>>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>>>> --
>>>>>>>
>>>>>>> Hugh Irvine
>>>>>>> h...@open.com.au
>>>>>>>
>>>>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>>>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>>>>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>>>>>>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>>>>>>> DIAMETER etc.
>>>>>>> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>>>>
>>>> T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
>>>> Handelsgericht Wien, FN 79340b
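As an added example (not code from any of the posts above and not Radiator's own code), the following Python model plays through the two exchanges Alexander describes: the user authentication, then the Service-Type=Outbound-User authorization request in which the Cisco head-end sends the group name as User-Name with the password 'cisco', answered by a per-group Handler with that group's reply attributes. It assumes a simplified realm rule (the part after '@', or the whole User-Name when there is none) and uses constructed users, groups and reply attributes.

```python
# Added example: a minimal Handler dispatch modelled on the thread's config.
# Users, groups, passwords and reply attributes are constructed sample data.
from dataclasses import dataclass
from typing import Callable, Optional

OUTBOUND_USER = "Outbound-User"

# constructed back-end data
USERS = {"alice@yourrealm": "s3cret"}
GROUP_PASSWORD = "cisco"           # the fixed password the Cisco sends for a group
GROUPS = {
    "group1": {"Framed-IP-Netmask": "255.255.255.255",
               "cisco-avpair": ["ipsec:addr-pool=group1_pool",
                                "ipsec:save-password=0"]},
}

@dataclass
class Handler:
    realm: str
    service_type: Optional[str]    # None: matches any Service-Type
    check: Callable[[dict], bool]  # authenticates the request
    reply: Callable[[dict], dict]  # reply attributes on Access-Accept

def realm_of(user_name: str) -> str:
    # assumed simplification: text after '@', or the whole name when there is
    # none (the group authorization request carries just the group name)
    return user_name.rpartition("@")[2]

def group_ok(req: dict) -> bool:
    # the authorization step: the group must be configured and use 'cisco'
    return req["User-Name"] in GROUPS and req.get("User-Password") == GROUP_PASSWORD

def user_ok(req: dict) -> bool:
    return USERS.get(req["User-Name"]) == req.get("User-Password")

HANDLERS = [
    Handler("group1", OUTBOUND_USER, group_ok, lambda r: dict(GROUPS[r["User-Name"]])),
    Handler("yourrealm", None, user_ok, lambda r: {"Session-Timeout": 0}),
]

def handle(req: dict, handlers=HANDLERS):
    """Pick the first Handler whose Realm and Service-Type match, then authenticate."""
    for h in handlers:
        if h.realm == realm_of(req["User-Name"]) and h.service_type in (None, req.get("Service-Type")):
            return ("Access-Accept", h.reply(req)) if h.check(req) else ("Access-Reject", {})
    return ("Access-Reject", {})   # no matching Handler, e.g. a group that is not configured
```

Rejecting every Outbound-User request, as proposed in the thread, would make the second exchange fail for every group; the model instead rejects only groups without a Handler.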