[c-nsp] CiscoVPN Client vs unauthorized access
BoXeR
piestaga at aster.pl
Sat Feb 19 17:41:28 EST 2005
Hi,
I have spent the last 4 hours thinking about possible ways to prevent
unauthorized access using the IPSec profile username.
I will explain shortly.
I have 3 services connected with remote access to VPN network.
1. ISDN backup for remote CPE (if the primary link fails, the backup comes
up and establishes PPP directly into the customer's VRF)
2. Remote access to the customer's VPN using the Software VPN Client
3. Regular dialup access to the VPN (VPDN)
All 3 services use the same radius for user AAA.
For user profiles that are typical dialup profiles (I mean services 1/ and
3/) I have several ways of protection to be sure that an ISDN user's profile
cannot be used to access the VPDN service and vice versa.
Problem is with the user profile for Software VPN client.
I cannot see any possible way to block such a user from using a regular modem
and, with their username and password, dialing the ISDN-backup access number.
The NAS will recognize such a call as a backup call and will permit it (I have
checked that, and in fact it works that way).
The problem with such a user is that in the Access-Request it sends only:
Client Name        - the same for all 3 services
User-Name          - well :-)
User-Password      - *****
NAS-Port-Type      - useless for my needs
NAS-Port           - useless for my needs
NAS-Port-ID        - useless for my needs
Calling-Station-Id - useless because the IP address can be dynamic
Service-Type       - which is set to 2 = LOGIN
NAS-IP-Address     - the same for all 3 services
NAS-Identifier     - the same for all 3 services
My only idea was to verify "Service-Type". For such a user it is set to
LOGIN (for the two remaining ones to FRAMED), but there is a group of users
that use the same profile for VPDN access and the Sw VPN Client. I cannot say
either-or. They will not maintain 2 profiles for each user.
So I had to forget about that and I am back to the Mine.
Do you have any idea? I am almost out of fuel.
TIA
Sebastian
__________________________
remove the appropriate string from my address before sending a reply.
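An added illustration of the Service-Type check described in the post, written here as an example and not part of the original message or of any Cisco/RADIUS software. The usernames, the per-user allowed-service table and the Access-Request dicts are constructed for the example; the only attribute values taken from real RADIUS are Service-Type 2 (Login, as in the post) and 6 (Framed). It shows why the check works for a pure VPN-client profile but becomes undecidable for the group that shares one profile between VPDN and the software client.

```python
# Service-Type values from the RADIUS dictionary (RFC 2865).
SERVICE_TYPE_LOGIN = 2    # what the Software VPN Client sends (per the post)
SERVICE_TYPE_FRAMED = 6   # what ISDN backup and VPDN (PPP) sessions send

# Which of the three services a Service-Type value could belong to,
# using nothing but that attribute, exactly as the post describes.
SERVICE_TYPE_TO_SERVICES = {
    SERVICE_TYPE_LOGIN: {"vpn_client"},
    SERVICE_TYPE_FRAMED: {"isdn_backup", "vpdn"},
}

# Constructed per-user policy (assumed to live beside the RADIUS user
# profile). "bob" models the group that uses one profile for both
# VPDN and the software client.
USER_POLICY = {
    "alice": {"vpn_client"},
    "bob": {"vpn_client", "vpdn"},
}


def decide(request):
    """Classify an Access-Request (a dict of attribute -> value).

    Returns (verdict, reason) where verdict is "accept", "reject" or
    "ambiguous". "ambiguous" means Service-Type alone cannot separate a
    service the user may use from one the user must not use, which is
    the gap the post is asking about.
    """
    allowed = USER_POLICY.get(request.get("User-Name"))
    if allowed is None:
        return "reject", "unknown user"
    candidates = SERVICE_TYPE_TO_SERVICES.get(request.get("Service-Type"), set())
    if not candidates:
        return "reject", "unrecognised or missing Service-Type"
    permitted = candidates & allowed
    if not permitted:
        # e.g. a VPN-client-only user dialing the ISDN backup number
        return "reject", "Service-Type does not match any allowed service"
    if candidates - allowed:
        # e.g. a VPDN+client user sending Framed: could be VPDN or ISDN backup
        return "ambiguous", "Service-Type cannot separate %s" % sorted(candidates)
    return "accept", "matches %s" % sorted(permitted)


# Constructed sample requests (attributes common to all three services
# are shown but, as the post notes, carry no discriminating information).
COMMON = {"NAS-IP-Address": "192.0.2.1", "NAS-Identifier": "nas-1"}
ALICE_MODEM = dict(COMMON, **{"User-Name": "alice", "Service-Type": SERVICE_TYPE_FRAMED})
BOB_MODEM = dict(COMMON, **{"User-Name": "bob", "Service-Type": SERVICE_TYPE_FRAMED})
```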