Re: Locking down IAS and NAS
From: Manjunath Bharadwaj [MSFT] (mbhara_at_online.microsoft.com)
Date: 02/27/05
- Previous message: Thomas K: "Re: Locking down IAS and NAS"
- In reply to: Thomas K: "Re: Locking down IAS and NAS"
- Next in thread: Thomas K: "Re: Locking down IAS and NAS"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 27 Feb 2005 09:14:00 -0800
Thomas,
You can do a few things by modifying dnary.mdb. For example, IAS (for your
protection) does not log a few of the attributes in the log files since it
considers them to be sensitive (like passwords and keys). You can enable
logging for such items at your own risk. You can add conditions and remove
conditions, or do the same with profile elements (you can do so selectively
for Proxy Processing or RAP policies).
You need not use dnary changes to add new attributes to RAP since you can
use the "Vendor-Specific" attribute in RAP->Profile->Advanced to customize
what you want to send.
You should be aware that some of the attributes in dnary.mdb have custom
handling in code, and you may not always get what you expect when you modify
it yourself.
And always back up ias.mdb and dnary.mdb before you make any changes by hand.
Thanks, Manju
-----------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights
"Thomas K" <thomas@kuborn.be> wrote in message
news:42218e20$0$44071$5fc3050@dreader2.news.tiscali.nl...
> Very very cool !
>
> Can you leak out some information regarding dnary.mdb? Do you know of
> additional things that can be done by customizing dnary.mdb?
>
> Cheers,
>
> /T
>
> "Manjunath Bharadwaj [MSFT]" <mbhara@online.microsoft.com> wrote in
> message
> news:u9RUITCHFHA.3612@TK2MSFTNGP09.phx.gbl...
>> Also back up your ias.mdb file before attempting to modify any configuration
>> "by hand".
>> Thanks, Manju
>>
>> -----------------------------------
>> This posting is provided "AS IS" with no warranties, and confers no rights
>>
>>
>> "Manjunath Bharadwaj [MSFT]" <mbhara@online.microsoft.com> wrote in message
>> news:%23sEKCNCHFHA.2276@TK2MSFTNGP15.phx.gbl...
>> > <disclaimer>
>> > Doing this might corrupt your entire IAS configuration. Please back up
>> > your dnary.mdb before you try changing this. There is no guarantee that
>> > this will work. I have not tried this.
>> > </disclaimer>
>> >
>> > If you are referring to "Nas-port-id"
>> > http://www.faqs.org/rfcs/rfc2869.html (5.17)
>> >
>> > This Attribute contains a text string which identifies the port of
>> > the NAS which is authenticating the user. It is only used in
>> > Access-Request and Accounting-Request packets. Note that this is
>> > using "port" in its sense of a physical connection on the NAS, not
>> > in the sense of a TCP or UDP port number.
>> >
>> > Either NAS-Port or NAS-Port-Id SHOULD be present in an Access-
>> > Request packet, if the NAS differentiates among its ports. NAS-
>> > Port-Id is intended for use by NASes which cannot conveniently
>> > number their ports.
>> >
>> > This is present in the profile part of the configuration and not the
>> > condition. If you want to add this to the condition:
>> > 1) Open c:\WINDOWS\system32\ias\dnary.mdb in MS access
>> > 2) Open the attributes table
>> > 3) Scroll down to NAS-Port-Id (87)
>> > 4) Select menu Format->Unhide columns
>> > 5) Select IsAllowedInCondition (if not already selected) from menu
>> > 6) You will see one more column being displayed: now check the check box
>> >    for "NAS-Port-ID"
>> > 7) save dnary.mdb
>> > 8) start ias.msc
>> >
>> > Once again, this is not a recommended way to modify any of the IAS
>> > configuration.
>> > Let us know if this works for you.
>> > Thanks, Manju
>> >
>> > -----------------------------------
>> > This posting is provided "AS IS" with no warranties, and confers no rights
>> >
>> >
>> > "Thomas K" <thomas@kuborn.be> wrote in message
>> > news:42205224$0$44106$5fc3050@dreader2.news.tiscali.nl...
>> >> Whatever trick you have, I'm interested :-)
>> >>
>> >> "Manjunath Bharadwaj [MSFT]" <mbhara@online.microsoft.com> wrote in
>> >> message
>> >> news:#2kz408GFHA.2704@tk2msftngp13.phx.gbl...
>> >>> Timo,
>> >>>
>> >>> Are you referring to "Nas-Port-Id"? If so, let me know and I think I can
>> >>> provide a very sneaky workaround..
>> >>>
>> >>> Thanks, Manju
>> >>>
>> >>> -----------------------------------
>> >>> This posting is provided "AS IS" with no warranties, and confers no rights
>> >>>
>> >>>
>> >>> "Timo" <timo@theglens.net> wrote in message
>> >>> news:1109362007.949730.199600@l41g2000cwc.googlegroups.com...
>> >>> > Hey
>> >>> >
>> >>> > You're right that telnet and ssh are using PAP, but the VPN is as well.
>> >>> > I really thought you hit it with that one, but when I changed my policy
>> >>> > to include Authentication-Type to include PAP the VPN routers received
>> >>> > an Access-Reject to both login types.
>> >>> >
>> >>> > Any other ideas ?
>> >>> >
>> >>> > Thanks again
>> >>> >
>> >>> > Timo
>> >>> >
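Added example (not part of the thread, and not IAS or Microsoft code): a small Python RADIUS attribute parser that shows the two points the thread turns on, first the NAS-Port-Id (87) attribute from RFC 2869 5.17 used as a policy condition, the thing the dnary.mdb edit above unlocks in IAS, and second the kind of password/key attributes IAS keeps out of its logs by default, which the top post says you can enable at your own risk. The Access-Request packet is constructed inline; the Vendor-Specific payload (Cisco vendor 9, AV-pair type 1) is a sample, and the regex full-match and the redaction list are this example's choices, not how IAS itself evaluates conditions or filters its log.

```python
"""Constructed RADIUS Access-Request plus the attribute checks discussed in the thread."""
import re
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST = 1

# Attribute types (RFC 2865, RFC 2868, RFC 2869); 87 is the one the thread adds to dnary.mdb.
USER_NAME, USER_PASSWORD, NAS_PORT, VENDOR_SPECIFIC = 1, 2, 5, 26
TUNNEL_PASSWORD, NAS_PORT_ID = 69, 87
NAMES = {1: "User-Name", 2: "User-Password", 5: "NAS-Port",
         26: "Vendor-Specific", 69: "Tunnel-Password", 87: "NAS-Port-Id"}

# Password/key material a RADIUS log should not carry (IAS skips such attributes by default).
SENSITIVE = {USER_PASSWORD, TUNNEL_PASSWORD}
MS_VENDOR_ID = 311
SENSITIVE_MS_VSA = {16, 17}          # MS-MPPE-Send-Key / MS-MPPE-Recv-Key (RFC 2548)

Avp = Tuple[int, bytes]


def parse_avps(payload: bytes) -> List[Avp]:
    """Walk type/length/value triples; reject lengths that run past the buffer."""
    avps, i = [], 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError(f"bad length {length} for attribute type {t}")
        avps.append((t, payload[i + 2:i + length]))
        i += length
    return avps


def parse_packet(pkt: bytes) -> dict:
    """Header is code, identifier, length, 16-byte authenticator, then attributes."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("length field outside the datagram")
    return {"code": code, "id": ident, "authenticator": pkt[4:20],
            "avps": parse_avps(pkt[20:length])}


def parse_vsa(value: bytes) -> List[Tuple[int, int, bytes]]:
    """Vendor-Specific (26) carries a 4-byte Vendor-Id followed by vendor TLVs."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific shorter than Vendor-Id")
    vendor = struct.unpack("!I", value[:4])[0]
    return [(vendor, vt, vv) for vt, vv in parse_avps(value[4:])]


def port_identification(avps: List[Avp]) -> Dict[str, Optional[object]]:
    """RFC 2869 5.17: either NAS-Port or NAS-Port-Id SHOULD be present."""
    port = next((struct.unpack("!I", v)[0] for t, v in avps
                 if t == NAS_PORT and len(v) == 4), None)
    port_id = next((v.decode("utf-8", "replace") for t, v in avps if t == NAS_PORT_ID), None)
    if port is None and port_id is None:
        raise ValueError("NAS sent neither NAS-Port nor NAS-Port-Id")
    return {"NAS-Port": port, "NAS-Port-Id": port_id}


def nas_port_id_matches(avps: List[Avp], pattern: str) -> bool:
    """The condition the thread wants: NAS-Port-Id fully matches a pattern (example semantics)."""
    return any(re.fullmatch(pattern, v.decode("utf-8", "replace")) is not None
               for t, v in avps if t == NAS_PORT_ID)


def loggable(avps: List[Avp]) -> List[Tuple[str, str]]:
    """Render attributes for a log line with password/key material redacted."""
    out = []
    for t, v in avps:
        name = NAMES.get(t, f"Attr-{t}")
        if t in SENSITIVE:
            out.append((name, "<redacted>"))
        elif t == VENDOR_SPECIFIC:
            for vendor, vt, vv in parse_vsa(v):
                secret = vendor == MS_VENDOR_ID and vt in SENSITIVE_MS_VSA
                out.append((f"VSA({vendor}/{vt})", "<redacted>" if secret else vv.hex()))
        else:
            out.append((name, v.hex()))
    return out


def build_packet(code: int, ident: int, authenticator: bytes, avps: List[Avp]) -> bytes:
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


# Constructed sample: a VPN router's Access-Request carrying both NAS-Port and NAS-Port-Id,
# an already-obfuscated User-Password (RFC 2865 5.2) and a Cisco (vendor 9) AV-pair VSA.
SAMPLE_PACKET = build_packet(ACCESS_REQUEST, 42, bytes(range(16)), [
    (USER_NAME, b"timo"),
    (USER_PASSWORD, b"\xaa" * 16),
    (NAS_PORT, struct.pack("!I", 17)),
    (NAS_PORT_ID, b"Serial0/0:17"),
    (VENDOR_SPECIFIC, struct.pack("!I", 9) + bytes([1, 2 + 16]) + b"ip:addr-pool=vpn"),
])

if __name__ == "__main__":
    req = parse_packet(SAMPLE_PACKET)
    print(port_identification(req["avps"]))
    print("serial port?", nas_port_id_matches(req["avps"], r"Serial\d+/\d+:\d+"))
    for name, value in loggable(req["avps"]):
        print(f"{name:18} {value}")
```

Run it as a script to see the decoded port identification, the condition result, and the redacted log view. The length checks in parse_avps and parse_packet are there because a RADIUS server reads attacker-controlled TLVs from any NAS that knows the shared secret; a length byte pointing past the datagram is exactly the kind of input that used to crash early RADIUS implementations, and it is also what makes NAS-Port-Id a free-form string you should match tightly (a full match against a known port pattern) rather than by substring.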