We, for example, have a pair of Cisco IOS routers with multiple VRFs (usually one per customer) where client VPNs terminate, one xauth group per customer, and these authorization requests make sure that a user of customer1 can't connect with another group.
On 2013-11-07 18:57, Michael wrote:
> What I do understand is that they are being rejected anyway because I
> have no config for it. They're all rejected. What's the point of
> having requests like these being rejected? It's true I don't
> understand what they are for, but at the same time they're not
> working. So how are they important?
>
> On 07/11/13 12:34 PM, Hartmaier Alexander wrote:
>> It seems you don't understand the importance of those *authorization*
>> requests: without them every user could authenticate against *every*
>> xauth group you've configured!
>>
>> On 2013-11-07 18:20, Michael wrote:
>>> So you are talking about actually authenticating these requests
>>> successfully, where I'm looking at stopping them. I guess I could just
>>> reject all Service-Type="Outbound-User", but I was kinda just hoping to
>>> stop the requests altogether. Thanks though. Maybe I will just make
>>> a handler config to just reject them.
>>>
>>> On 07/11/13 11:02 AM, Hartmaier Alexander wrote:
>>>> My memory might be wrong on the order of requests.
>>>> Our Radiator config is as follows:
>>>>
>>>> # handler for vpn group-users
>>>> <Handler Realm="group1", Service-Type="Outbound-User">
>>>>     # those group users are also stored in our database but with a
>>>>     # different type, all have the password 'cisco'
>>>>     # the reply attributes are group specific, e.g.:
>>>>     Session-Timeout=0
>>>>     Framed-IP-Netmask=255.255.255.255
>>>>     cisco-avpair="ipsec:dns-servers=1.2.3.4 1.2.3.5"
>>>>     cisco-avpair="ipsec:addr-pool=group1_pool"
>>>>     cisco-avpair="ipsec:tunnel-password=foobarbaz"
>>>>     cisco-avpair="ipsec:default-domain=customer.tld"
>>>>     # these control the Cisco IPSec 5.x client settings
>>>>     cisco-avpair="ipsec:firewall=0"
>>>>     cisco-avpair="ipsec:include-local-lan=0"
>>>>     cisco-avpair="ipsec:save-password=0"
>>>> </Handler>
>>>>
>>>> # handler for vpn users
>>>> <Handler Realm="yourrealm">
>>>>     # those group users are also stored in our database but with a
>>>>     # different type
>>>>     # The reply attributes contain some of the above, not sure which one
>>>>     # overrides the other
>>>> </Handler>
>>>>
>>>> On 2013-11-07 15:22, Michael wrote:
>>>>> I don't understand it. The requests I'm speaking of all come before
>>>>> the user auth, not after. And they of course are all being rejected
>>>>> because we don't even know what they are, nor use them, nor need them.
>>>>>
>>>>> On 07/11/13 03:40 AM, Hartmaier Alexander wrote:
>>>>>> Yes, a Cisco IOS router configured to terminate IPSec IKEv1 client VPN
>>>>>> will send such an authorization request after the user auth to check if
>>>>>> the user is allowed to connect using this group.
>>>>>>
>>>>>> On 2013-11-07 06:04, Hugh Irvine wrote:
>>>>>>> Hello Michael -
>>>>>>>
>>>>>>> This is configured on the Cisco box - you will need to ask your
>>>>>>> network people to turn it off.
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Hugh
>>>>>>>
>>>>>>> On 7 Nov 2013, at 10:05, Michael <ri...@vianet.ca> wrote:
>>>>>>>
>>>>>>>> I'm looking to stop it, not set it up. I'm not sure what had
>>>>>>>> enabled/configured it to start happening. I guess this is probably
>>>>>>>> the wrong place to ask.
>>>>>>>>
>>>>>>>> On 06/11/13 04:56 PM, Hugh Irvine wrote:
>>>>>>>>> Hello Michael -
>>>>>>>>>
>>>>>>>>> This sounds like Cisco VPDN tunnelling.
>>>>>>>>>
>>>>>>>>> This example is from the standard "users" file in the Radiator
>>>>>>>>> distribution:
>>>>>>>>>
>>>>>>>>> # This example shows how to configure a Cisco VPDN circuit:
>>>>>>>>> open.com.au User-Password=cisco, Service-Type=Outbound-User
>>>>>>>>>     cisco-avpair = "vpdn:tunnel-id=cca-gw",
>>>>>>>>>     cisco-avpair = "vpdn:ip-addresses=1.2.3.4",
>>>>>>>>>     cisco-avpair = "vpdn:nas-password=pw",
>>>>>>>>>     cisco-avpair = "vpdn:gw-password=pw"
>>>>>>>>>
>>>>>>>>> regards
>>>>>>>>>
>>>>>>>>> Hugh
>>>>>>>>>
>>>>>>>>> On 7 Nov 2013, at 04:56, Michael <ri...@vianet.ca> wrote:
>>>>>>>>>
>>>>>>>>>> Has anyone ever seen a situation where, for every authentication
>>>>>>>>>> attempt to a Radiator system from a Cisco device, there is an
>>>>>>>>>> authentication attempt right before it that appears to be:
>>>>>>>>>>
>>>>>>>>>> - a domain (the username with the 'username@' part stripped off).
>>>>>>>>>> - plain text password is always 'cisco'.
>>>>>>>>>> - Service-Type = Outbound-User
>>>>>>>>>>
>>>>>>>>>> If I remove this line from the Cisco LNS:
>>>>>>>>>>     aaa authorization network TEST group TEST
>>>>>>>>>> ...the extra auth attempts stop, but then my RADIUS network static
>>>>>>>>>> profiles don't work, so it's not a solution but it narrows down
>>>>>>>>>> the problem.
>>>>>>>>>>
>>>>>>>>>> My auth requests for the Radiator system are essentially doubled
>>>>>>>>>> due to this. This only started happening recently.
>>>>>>>>>> Network guys sometimes are like a ticking time bomb and asking
>>>>>>>>>> them can cause an explosion, so I thought I would ask here.
>>>>>>>>>>
>>>>>>>>>> Mike
>>>>>>>>>> _______________________________________________
>>>>>>>>>> radiator mailing list
>>>>>>>>>> radiator@open.com.au
>>>>>>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>>>>>> --
>>>>>>>>>
>>>>>>>>> Hugh Irvine
>>>>>>>>> h...@open.com.au
>>>>>>>>>
>>>>>>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>>>>>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>>>>>>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>>>>>>>>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>>>>>>>>> DIAMETER etc.
>>>>>>>>> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>>>>>
>>>>>> T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
>>>>>> Handelsgericht Wien, FN 79340b
>>>>>>
>>>>>> Notice: This e-mail contains information that is confidential and may
>>>>>> be privileged.
>>>>>> If you are not the intended recipient, please notify the sender and then
>>>>>> delete this e-mail immediately.
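As an added example (not code from this thread, from Radiator, or from Cisco), here is a small Python model of the users-file lookup that Hugh's VPDN entry relies on, run over the two requests Michael describes for a single login: the domain authorization request (User-Name is the domain, password 'cisco', Service-Type Outbound-User) followed by the user's own Access-Request. The same selection is what the Service-Type="Outbound-User" Handler in Alexander's config does at the handler level. The embedded users file copies Hugh's open.com.au entry and adds a made-up user alice@open.com.au with a constructed password and reply items; Service-Type=Framed-User on the user request, and the parser's users-file subset, are assumptions. The point it shows is that the Service-Type=Outbound-User check item lets the domain entry answer the router's authorization request while refusing the bare domain name with the fixed password 'cisco' as an ordinary user login.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the Radiator "users" file format. The open.com.au
# entry copies the Cisco VPDN example quoted in the thread; the alice entry,
# its password and its reply items are made up for this example.
USERS_FILE = '''
# This example shows how to configure a Cisco VPDN circuit:
open.com.au User-Password=cisco, Service-Type=Outbound-User
    cisco-avpair = "vpdn:tunnel-id=cca-gw",
    cisco-avpair = "vpdn:ip-addresses=1.2.3.4",
    cisco-avpair = "vpdn:nas-password=pw",
    cisco-avpair = "vpdn:gw-password=pw"

alice@open.com.au User-Password=s3cret
    Framed-Protocol = PPP,
    Service-Type = Framed-User
'''

# One 'Attr = value' or 'Attr = "quoted value"' item, ended by a comma or end of line.
_ITEM_RE = re.compile(r'\s*([\w-]+)\s*=\s*(?:"([^"]*)"|([^,]+?))\s*(?:,|$)')


def parse_items(text):
    """'A=1, B="x y"' -> [('A', '1'), ('B', 'x y')]; repeated attrs are kept."""
    return [(m.group(1), m.group(2) if m.group(2) is not None else m.group(3))
            for m in _ITEM_RE.finditer(text)]


@dataclass
class Entry:
    name: str                                   # entry name, matched against User-Name
    check: list                                 # check items: all must match the request
    reply: list = field(default_factory=list)   # reply items returned in Access-Accept


def parse_users(text):
    """Parse the users-file subset used here (an assumption about the format):
    an unindented line starts an entry (name plus check items), indented
    lines carry its reply items, '#' lines and blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0].isspace():
            entries[-1].reply.extend(parse_items(line))
        else:
            name, rest = (line.split(None, 1) + [''])[:2]
            entries.append(Entry(name, parse_items(rest)))
    return entries


def authorize(entries, request):
    """First entry whose name equals User-Name and whose check items all
    equal the request's attributes wins; None stands for Access-Reject."""
    for e in entries:
        if e.name == request.get('User-Name') and \
                all(request.get(a) == v for a, v in e.check):
            return e.reply
    return None


def domain_of(user_name):
    """The router keys its tunnel lookup on the part after the last '@'."""
    return user_name.rpartition('@')[2]


def vpdn_exchange(entries, user_name, password):
    """The two requests Michael sees per login: the domain authorization
    (Outbound-User, fixed password 'cisco'), then the user's own auth.
    Service-Type=Framed-User on the user request is an assumption."""
    domain_req = {'User-Name': domain_of(user_name),
                  'User-Password': 'cisco',
                  'Service-Type': 'Outbound-User'}
    user_req = {'User-Name': user_name,
                'User-Password': password,
                'Service-Type': 'Framed-User'}
    return authorize(entries, domain_req), authorize(entries, user_req)


if __name__ == '__main__':
    entries = parse_users(USERS_FILE)
    tunnel, user = vpdn_exchange(entries, 'alice@open.com.au', 's3cret')
    print('domain authorization ->', tunnel)
    print('user auth            ->', user)
    # The Service-Type check item refuses the well-known 'cisco' password
    # as an ordinary user login for the bare domain name:
    print('bare domain as user  ->', authorize(entries, {
        'User-Name': 'open.com.au', 'User-Password': 'cisco',
        'Service-Type': 'Framed-User'}))
```

Rejecting every Outbound-User request instead, as Michael considered, would make `authorize` return None for the first request of the pair, which is the case where the router gets no tunnel attributes back; the model makes that dependency between the two requests visible.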