(RADIATOR) ServerTACACSPLUS - Juniper ERX authorization question.

Chris Patterson Chris.Patterson at transact.com.au
Mon Apr 12 23:11:42 CDT 2004


Folks,
	A member of our team is currently setting up Authorization levels, and has asked me to present the following question.

Our objective is to provide TACACS+ authentication for Juniper ERX (v5.1.1) using Radiator.  Like many other devices, we would like to log in with a predefined privilege level.  In the case of the ERX, the predefined levels are:

 1 = non-privileged
 5 = read-only
10 = read-write
15 = read-write-debug

Configuring and specifying the CLI access level works correctly via RADIUS; however, when specifying these through ServerTACACSPLUS there seem to be some issues.

Specifically Radiator is not replying to the TACACS+ request with the reply items from the AuthBy module (users file).  As such we cannot specify the initial CLI access, nor any of the other attributes supported.

Also, the Radiator history indicates successful interoperability with Juniper; further examples and information on how extensive the interoperability is would be great.

Any assistance or suggestions are welcome.


Config and log files follow... we are using Radiator v3.9.

RADIUS Config:
################################################################
LogDir /logdir/
DbDir /dbdir/
BindAddress 192.168.0.29
DictionaryFile %D/dictionary
AuthPort 1812
AcctPort 1813
Trace 5

<ServerTACACSPLUS>
        AddToRequest NAS-Identifier=TACACS
        Key secret
        Port 1814
        BindAddress 192.168.0.29
</ServerTACACSPLUS>

<Client 192.168.0.10>
        IdenticalClients 192.168.0.11 10.184.0.1
        Secret secret
# DefaultRealm does not affect incoming requests using ServerTACACSPLUS.
# Instead we rewrite usernames... is this a bug?
        DefaultRealm transcorp.com.au
</Client>

<Realm DEFAULT>
        RewriteUsername s/(.*)/$1\@transcorp.com.au/
        <AuthBy FILE>
                #The Filename defaults to %D/users
                Filename %D/users
        </AuthBy>
        AcctLogFileName %L/details.log
</Realm>

<Realm transcorp.com.au>
        <AuthBy FILE>
                #The Filename defaults to %D/users
                Filename %D/users
        </AuthBy>
        AcctLogFileName %L/details.log
</Realm>

###########################################################

USERS File
###########################################################
rexx at transcorp.com.au   User-Password = "test"
        Service-Type = Administrative-User,
#       Service-Type = Login-User,
#       Virtual-Router = default,
        Initial-CLI-Access-Level = 10
#       Alt-CLI-Access-Level = 1
###########################################################

Log Output
###########################################################
Tue Apr 13 12:00:01 2004: DEBUG: New TacacsplusConnection created for 192.168.0.10:1249
Tue Apr 13 12:00:01 2004: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 118, 23
Tue Apr 13 12:00:01 2004: DEBUG: TacacsPlus request packet dump: c00101000000007600000017362954f02309b0a39f1c21db9dfc2e556e9a5f57f3a9cd
Tue Apr 13 12:00:01 2004: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for , vty3, 192.168.0.2
Tue Apr 13 12:00:01 2004: DEBUG: TacacsplusConnection Authentication REPLY 4, 0, Username: ,
Tue Apr 13 12:00:11 2004: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 118, 5
Tue Apr 13 12:00:11 2004: DEBUG: TacacsPlus request packet dump: c00103000000007600000005455975c12f
Tue Apr 13 12:00:11 2004: DEBUG: TacacsplusConnection Authentication CONTINUE 1, ,
Tue Apr 13 12:00:11 2004: ERR: TacacsplusConnection Authentication CONTINUE aborted:
Tue Apr 13 12:00:11 2004: DEBUG: TacacsplusConnection disconnected from 192.168.0.10:1249
Tue Apr 13 12:00:11 2004: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
Tue Apr 13 13:08:35 2004: DEBUG: New TacacsplusConnection created for 192.168.0.10:1250
Tue Apr 13 13:08:35 2004: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 119, 23
Tue Apr 13 13:08:35 2004: DEBUG: TacacsPlus request packet dump: c00101000000007700000017a8fc996ee56c5b63845f9474791c868cbecf7c6310d264
Tue Apr 13 13:08:35 2004: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for , vty0, 192.168.0.3
Tue Apr 13 13:08:35 2004: DEBUG: TacacsplusConnection Authentication REPLY 4, 0, Username: ,
Tue Apr 13 13:08:37 2004: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 119, 9
Tue Apr 13 13:08:37 2004: DEBUG: TacacsPlus request packet dump: c0010300000000770000000921b76df770fc8580b9
Tue Apr 13 13:08:37 2004: DEBUG: TacacsplusConnection Authentication CONTINUE 0, rexx,
Tue Apr 13 13:08:37 2004: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
Tue Apr 13 13:08:39 2004: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 119, 9
Tue Apr 13 13:08:39 2004: DEBUG: TacacsPlus request packet dump: c00105000000007700000009938e5e6ea23f84c007
Tue Apr 13 13:08:39 2004: DEBUG: TacacsplusConnection Authentication CONTINUE 0, test,
Tue Apr 13 13:08:39 2004: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <172><188><204>O4<183><218><20>!<0>B<207><209>5<188><14>
Attributes:
        NAS-IP-Address = 192.168.0.10
        NAS-Port-Id = "vty0"
        Calling-Station-Id = "192.168.0.3"
        Service-Type = Login-User
        NAS-Identifier = "TACACS"
        User-Name = "rexx"
        User-Password = "test"

Tue Apr 13 13:08:39 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Tue Apr 13 13:08:39 2004: DEBUG: Rewrote user name to rexx at transcorp.com.au
Tue Apr 13 13:08:39 2004: DEBUG:  Deleting session for , 192.168.0.10,
Tue Apr 13 13:08:39 2004: DEBUG: Handling with Radius::AuthFILE:
Tue Apr 13 13:08:39 2004: DEBUG: Radius::AuthFILE looks for match with rexx at transcorp.com.au
Tue Apr 13 13:08:39 2004: DEBUG: Radius::AuthFILE ACCEPT:
Tue Apr 13 13:08:39 2004: DEBUG: Access accepted for rexx at transcorp.com.au
Tue Apr 13 13:08:39 2004: DEBUG: TacacsplusConnection result Access-Accept
Tue Apr 13 13:08:39 2004: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Tue Apr 13 13:08:39 2004: DEBUG: TacacsplusConnection disconnected from 192.168.0.10:1250
Tue Apr 13 13:08:39 2004: DEBUG: New TacacsplusConnection created for 192.168.0.10:1251
Tue Apr 13 13:08:39 2004: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 120, 46
Tue Apr 13 13:08:39 2004: DEBUG: TacacsPlus request packet dump: c0020100000000780000002e634873c9841d2a9ba3c259cc313d42e9e22f1b9cea1de6ec0a1e5ff7d879de9eeebda51bd575eeda4dbe4cab23ab
Tue Apr 13 13:08:39 2004: DEBUG: TacacsplusConnection Authorization REQUEST 6, 15, 1, 1, rexx, vty0, 192.168.0.3, 2, service=shell cmd*
Tue Apr 13 13:08:39 2004: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
Tue Apr 13 13:08:39 2004: DEBUG: TacacsplusConnection disconnected from 192.168.0.10:1251
Tue Apr 13 13:08:40 2004: DEBUG: New TacacsplusConnection created for 192.168.0.10:1252
Tue Apr 13 13:08:40 2004: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 121, 27
Tue Apr 13 13:08:40 2004: DEBUG: TacacsPlus request packet dump: c0010100000000790000001b9fac6ec648ea4d7431a51bad0d08ee2902d889f7a60743465d8810
Tue Apr 13 13:08:40 2004: DEBUG: TacacsplusConnection Authentication START 1, 1, 2 for rexx, vty0, 192.168.0.3
Tue Apr 13 13:08:40 2004: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
Tue Apr 13 13:08:41 2004: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 121, 9
Tue Apr 13 13:08:41 2004: DEBUG: TacacsPlus request packet dump: c001030000000079000000094bc2ad8be392409057
Tue Apr 13 13:08:41 2004: DEBUG: TacacsplusConnection Authentication CONTINUE 0, test,
Tue Apr 13 13:08:41 2004: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <226><171><182>*T!<164><206>!<14>Jq<6><176><8><26>
Attributes:
        NAS-IP-Address = 192.168.0.10
        NAS-Port-Id = "vty0"
        Calling-Station-Id = "192.168.0.3"
        Service-Type = Administrative-User
        NAS-Identifier = "TACACS"
        User-Name = "rexx"
        User-Password = "test"

Tue Apr 13 13:08:41 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Tue Apr 13 13:08:41 2004: DEBUG: Rewrote user name to rexx at transcorp.com.au
Tue Apr 13 13:08:41 2004: DEBUG:  Deleting session for , 192.168.0.10,
Tue Apr 13 13:08:41 2004: DEBUG: Handling with Radius::AuthFILE:
Tue Apr 13 13:08:41 2004: DEBUG: Radius::AuthFILE looks for match with rexx at transcorp.com.au
Tue Apr 13 13:08:41 2004: DEBUG: Radius::AuthFILE ACCEPT:
Tue Apr 13 13:08:41 2004: DEBUG: Access accepted for rexx at transcorp.com.au
Tue Apr 13 13:08:41 2004: DEBUG: TacacsplusConnection result Access-Accept
Tue Apr 13 13:08:41 2004: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Tue Apr 13 13:08:41 2004: DEBUG: TacacsplusConnection disconnected from 192.168.0.10:1252
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
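The log above prints each TACACS+ packet as a raw hex dump next to Radiator's decoded view of its header ("request 192, 1, 1, 0, 118, 23"). The following is an added example, not code from the post or from Radiator, that decodes those dumps from the wire format defined in RFC 8907 so the two views can be cross-checked: it parses the 12-byte header, applies the standard MD5 pseudo-pad with the shared key (assumed here to be the `secret` from the posted config; with any other key the body decodes to garbage and the length check fails), unpacks an Authentication START body, and encodes/decodes an Authorization REPLY body so that the "RESPONSE 1, , ," line can be read as a PASS_ADD reply carrying no arguments. The `priv-lvl=10` argument is the standard shell-service attribute from RFC 8907 and is used only to illustrate the reply format; whether the ERX honours it is not something this post establishes.

```python
import hashlib
import struct

HEADER_LEN = 12
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 1   # status 1 in "Authorization RESPONSE 1, , ,"

# Dumps copied from the log in the post (first START, first authorization REQUEST).
START_DUMP = "c00101000000007600000017362954f02309b0a39f1c21db9dfc2e556e9a5f57f3a9cd"
AUTHOR_DUMP = ("c0020100000000780000002e634873c9841d2a9ba3c259cc313d42e9e22f1b9cea1de6ec"
               "0a1e5ff7d879de9eeebda51bd575eeda4dbe4cab23ab")
KEY = b"secret"   # assumption: the Key from the posted <ServerTACACSPLUS> clause


def parse_header(packet: bytes) -> dict:
    """Header fields in the order Radiator logs them: version, type, seq_no, flags, session_id, length."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the 12-byte TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}


def check_packet(packet: bytes) -> dict:
    """Sanity checks a server applies before trusting the body: length field vs. real body,
    major version 0xc, and odd sequence numbers for client-originated packets."""
    hdr = parse_header(packet)
    if len(packet) - HEADER_LEN != hdr["length"]:
        raise ValueError(f"length field {hdr['length']} != body length {len(packet) - HEADER_LEN}")
    if hdr["version"] >> 4 != 0xC:
        raise ValueError("unexpected TACACS+ major version")
    if hdr["seq_no"] % 2 == 0:
        raise ValueError("client packets carry odd sequence numbers")
    return hdr


def pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pseudo-pad: chained MD5(session_id | key | version | seq_no | prev)."""
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        out += prev
    return out[:length]


def unobfuscate(packet: bytes, key: bytes) -> bytes:
    """XOR the body with the pad; XOR is its own inverse, so this also obfuscates."""
    hdr = parse_header(packet)
    body = packet[HEADER_LEN:]
    if hdr["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return bytes(a ^ b for a, b in zip(body, pad(hdr["session_id"], key, hdr["version"], hdr["seq_no"], len(body))))


def parse_authen_start(body: bytes) -> dict:
    """START body: action, priv_lvl, authen_type, authen_service, four lengths, then user/port/rem_addr/data."""
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if 8 + ulen + plen + rlen + dlen != len(body):
        raise ValueError("START field lengths do not add up to the body length (wrong key?)")
    off = 8
    user, off = body[off:off + ulen], off + ulen
    port, off = body[off:off + plen], off + plen
    rem_addr, off = body[off:off + rlen], off + rlen
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service,
            "user": user.decode(), "port": port.decode(), "rem_addr": rem_addr.decode(), "data": body[off:]}


def encode_author_reply(status: int, args: list, server_msg: bytes = b"", data: bytes = b"") -> bytes:
    """Authorization REPLY body: status, arg_cnt, server_msg_len, data_len, arg lengths, then the strings."""
    arg_bytes = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(arg_bytes), len(server_msg), len(data))
    return body + bytes(len(a) for a in arg_bytes) + server_msg + data + b"".join(arg_bytes)


def parse_author_reply(body: bytes) -> dict:
    status, argc, smlen, dlen = struct.unpack("!BBHH", body[:6])
    arg_lens, off = list(body[6:6 + argc]), 6 + argc
    server_msg, off = body[off:off + smlen], off + smlen
    data, off = body[off:off + dlen], off + dlen
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    return {"status": status, "args": args, "server_msg": server_msg, "data": data}


if __name__ == "__main__":
    for dump in (START_DUMP, AUTHOR_DUMP):
        print("header:", check_packet(bytes.fromhex(dump)))
    try:   # expected to match the logged "START 1, 1, 1 for , vty3, 192.168.0.2" if KEY is right
        print("START body:", parse_authen_start(unobfuscate(bytes.fromhex(START_DUMP), KEY)))
    except ValueError as e:
        print("could not decode START body:", e)
    reply = encode_author_reply(TAC_PLUS_AUTHOR_STATUS_PASS_ADD, ["priv-lvl=10"])
    print("PASS_ADD reply with one argument:", reply.hex(), parse_author_reply(reply))
```

Running it against the dumps reproduces the header values Radiator printed for both packets, and the length check is the first thing to look at when a dump and a log line disagree.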