IAS - Anyone can dial in


Post by NTRadi » Mon, 11 Jan 1999 04:00:00



We are a small ISP and are using NT Radius server to authenticate users dialing
in to a national network. The vendor typically uses Postmasters which send the
request for authentication to a central Merit Radius server (v4.1) which sees
our realm name and forwards it to our Radius Server.

The problem is that as long as someone knows the realm name they get
authenticated!!

We have our server set up to use the NT user database. We tried all sorts of
combinations of username/password and everyone is authenticated. We have been
running this for 4 months and only noticed the problem when a user had some
problems and we found the radius logs contained users not in our user database.

Anyone else experience this problem? Please let me know.  I am willing to send
a net mon file but will not post publicly as our system would then be wide
open for unauthorized use.

It might be a good idea for anyone running the MS commercial Radius server to
test their setup to see if they might have the same problem.

 
 
 


Post by John Bevin » Tue, 12 Jan 1999 04:00:00


Disable your "Guest" account and this will not happen.

Regards,
John Bevins


> We are a small ISP and are using NT Radius server to authenticate users dialing
> in to a national network. The vendor typically uses Postmasters which send the
> request for authentication to a central Merit Radius server (v4.1) which sees
> our realm name and forwards it to our Radius Server.

> The problem is that as long as someone knows the realm name they get
> authenticated!!

> We have our server set up to use the NT user database. We tried all sorts of
> combinations of username/password and everyone is authenticated. We have been
> running this for 4 months and only noticed the problem when a user had some
> problems and we found the radius logs contained users not in our user database.

> Anyone else experience this problem? Please let me know.  I am willing to send
> a net mon file but will not post publicly as our system would then be wide
> open for unauthorized use.

> It might be a good idea for anyone running the MS commercial Radius server to
> test their setup to see if they might have the same problem.


 
 
 


Post by NTRadi » Tue, 12 Jan 1999 04:00:00


John,

Thanks for the info. I was sure we would have had the guest account disabled
but sure enough it was "on". As soon as we disabled it valid users started
calling saying they could not log in. As soon as we enabled the guest account
they could log in. Of course!

Maybe a good question is what attributes should be set up. Our current default
profile is:

         Port-Limit = 1
         Service-Type = Framed
         Framed-Protocol = Send                           Framed-Protocol = PPP
         Framed-IP-Address = 255.255.255.254,
         Framed-IP-Netmask = 255.255.255.255,
         Idle-Timeout = 1200,
         Session-Timeout = 28800

Any help would be appreciated!

Thanks
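
An added example, not part of the thread or of any vendor tooling: the check the first post describes doing by hand, flagging Access-Accept records whose account is not in the user database. The CSV log layout, realm name, account names and addresses are constructed assumptions, not the native IAS log format.

```python
import csv
from io import StringIO

# Constructed sample records in a simplified CSV layout (an assumption; this is
# not the native IAS log format): timestamp, packet type, User-Name, NAS address.
SAMPLE_LOG = """\
1999-01-10T21:14:02,Access-Request,alice@example-isp.net,192.0.2.10
1999-01-10T21:14:02,Access-Accept,alice@example-isp.net,192.0.2.10
1999-01-10T21:20:45,Access-Accept,qwerty123@example-isp.net,192.0.2.10
1999-01-10T21:31:09,Access-Reject,bob@example-isp.net,192.0.2.11
1999-01-10T22:02:37,Access-Accept,BOB@EXAMPLE-ISP.NET,192.0.2.11
1999-01-10T22:40:18,Access-Accept,nosuchuser,192.0.2.10
"""

KNOWN_USERS = {"alice", "bob"}   # hypothetical export of the account database
REALM = "example-isp.net"        # hypothetical realm name


def account_name(user_name, realm):
    """Strip an '@realm' suffix and lowercase (NT account names ignore case)."""
    name, sep, suffix = user_name.strip().rpartition("@")
    if sep and suffix.lower() == realm.lower():
        return name.lower()
    # No realm, or a realm that is not ours: compare the whole string.
    return user_name.strip().lower()


def unknown_accepts(log_text, known_users, realm):
    """Return (timestamp, User-Name, NAS) for accepts with no matching account."""
    known = {u.lower() for u in known_users}
    findings = []
    for row in csv.reader(StringIO(log_text)):
        # Skip blank or short rows and every packet type except Access-Accept.
        if len(row) < 4 or row[1] != "Access-Accept":
            continue
        timestamp, _, user_name, nas = row[:4]
        if account_name(user_name, realm) not in known:
            findings.append((timestamp, user_name, nas))
    return findings


if __name__ == "__main__":
    for ts, user, nas in unknown_accepts(SAMPLE_LOG, KNOWN_USERS, REALM):
        print(f"{ts} accepted unknown account {user!r} via {nas}")
```
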

 
 
 
