[RADIATOR] Tacacs role reply.

Mark Bassett mbassett at intelius.com
Fri Feb 25 12:12:31 CST 2011


I added it to AuthorizationAdd like you suggested, but it doesn't seem
to be making any difference.

Fri Feb 25 10:07:53 2011: DEBUG: TacacsplusConnection Authentication
START 1, 2, 1 for username, 0, x.x.160.23
Fri Feb 25 10:07:53 2011: DEBUG: TACACSPLUS derived Radius request
packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <131>9}<14>k<132><193><132><3><134><164><222><160>4m<0>
Attributes:
	NAS-IP-Address = xxxxxx
	NAS-Port-Id = "0"
	Calling-Station-Id = "xxxxxx"
	Service-Type = Login-User
	NAS-Identifier = "TACACS"
	cisco-avpair = "shell:roles="network-admin""
	User-Name = "username"
	User-Password = **obscured**
	OSC-Version-Identifier = "193"

Fri Feb 25 10:07:53 2011: DEBUG: Handling request with Handler
'Realm=DEFAULT', Identifier ''
Fri Feb 25 10:07:53 2011: DEBUG:  Deleting session for username,
x.x.128.34, 
Fri Feb 25 10:07:53 2011: DEBUG: Handling with Radius::AuthLDAP2:
CheckAD
Fri Feb 25 10:07:53 2011: INFO: Connecting to
dc-bel1.intelius1.intelius.com:636
---snip--- 
LDAP debug stuff
---snip---
Fri Feb 25 10:07:53 2011: DEBUG: Radius::AuthLDAP2 looks for match with
username [username]
Fri Feb 25 10:07:53 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : username
[username]
Fri Feb 25 10:07:53 2011: DEBUG: AuthBy LDAP2 result: ACCEPT, 
Fri Feb 25 10:07:53 2011: DEBUG: Access accepted for username
Fri Feb 25 10:07:53 2011: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  <131>9}<14>k<132><193><132><3><134><164><222><160>4m<0>
Attributes:

Fri Feb 25 10:07:53 2011: DEBUG: TacacsplusConnection result
Access-Accept
Fri Feb 25 10:07:53 2011: DEBUG: TacacsplusConnection Authentication
REPLY 1, 0, ,  
Fri Feb 25 10:07:53 2011: DEBUG: TacacsplusConnection disconnected from
x.x.128.34:44681
Fri Feb 25 10:07:53 2011: DEBUG: New TacacsplusConnection created for
x.x.128.34:44682
Fri Feb 25 10:07:53 2011: DEBUG: TacacsplusConnection request 192, 2, 1,
0, 431885456, 77
Fri Feb 25 10:07:53 2011: DEBUG: TacacsplusConnection Authorization
REQUEST 6, 1, 2, 1, username, 0, x.x.160.23, 4, service=shell cmd=
cisco-av-pair* shell:roles*
Fri Feb 25 10:07:53 2011: INFO: Authorization denied for username, group
DEFAULT. No matching AuthorizeGroup rule for args service=shell cmd=
cisco-av-pair* shell:roles*
Fri Feb 25 10:07:53 2011: DEBUG: TacacsplusConnection Authorization
RESPONSE 16, denied, , 
Fri Feb 25 10:07:53 2011: DEBUG: TacacsplusConnection disconnected from
x.x.128.34:44682
Fri Feb 25 10:07:53 2011: DEBUG: New TacacsplusConnection created for
x.x.128.34:44683
Fri Feb 25 10:07:53 2011: DEBUG: TacacsplusConnection request 192, 3, 1,
0, 549675136, 113
Fri Feb 25 10:07:53 2011: DEBUG: TacacsplusConnection Accounting REQUEST
2, 6, 0, 2, 0, username, 3009, , 4, task_id=/dev/pts/9_x.x.160.23
start_time=Fri Feb 25 10:07:52 2011
 err_msg= service=none
Fri Feb 25 10:07:53 2011: DEBUG: TACACSPLUS derived Radius request
packet dump:
Code:       Accounting-Request
Identifier: UNDEF
Authentic:  PkS<188><223>z<157><18><178><8><141>s<221><130><252>p
Attributes:
	NAS-IP-Address = x.x.128.34
	NAS-Port-Id = "3009"
	NAS-Identifier = "TACACS"
	cisco-avpair = "shell:roles="network-admin""
	User-Name = "username"
	Acct-Status-Type = Start
	Acct-Session-Id = "549675136"
	cisco-avpair = "task_id=/dev/pts/9_x.x.160.23"
	cisco-avpair = "start_time=Fri Feb 25 10:07:52 2011<10>"
	cisco-avpair = "err_msg="
	cisco-avpair = "service=none"
	OSC-Version-Identifier = "192"

Fri Feb 25 10:07:53 2011: DEBUG: Handling request with Handler
'Realm=DEFAULT', Identifier ''
Fri Feb 25 10:07:53 2011: DEBUG:  Adding session for username,
x.x.128.34, 
Fri Feb 25 10:07:53 2011: DEBUG: Handling with Radius::AuthLDAP2:
CheckAD
Fri Feb 25 10:07:53 2011: DEBUG: AuthBy LDAP2 result: ACCEPT, 
Fri Feb 25 10:07:53 2011: DEBUG: Accounting accepted
Fri Feb 25 10:07:53 2011: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code:       Accounting-Response
Identifier: UNDEF
Authentic:  PkS<188><223>z<157><18><178><8><141>s<221><130><252>p
Attributes:

Fri Feb 25 10:07:53 2011: DEBUG: TacacsplusConnection result
Accounting-Response
Fri Feb 25 10:07:53 2011: DEBUG: TacacsplusConnection Accounting REPLY
1, ,  
Fri Feb 25 10:07:53 2011: DEBUG: TacacsplusConnection disconnected from
x.x.128.34:44683
Fri Feb 25 10:08:12 2011: DEBUG: Stream connected to x.x.172.106:58091
Fri Feb 25 10:08:12 2011: DEBUG: New StreamServer Connection created for
x.x.172.106:58091
Fri Feb 25 10:08:12 2011: DEBUG: ServerHTTP Connection GET /log

-----Original Message-----
From: Heikki Vatiainen [mailto:hvn at archred.com] 
Sent: Thursday, February 24, 2011 1:56 PM
To: Mark Bassett
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] Tacacs role reply.

On 02/24/2011 10:09 PM, Mark Bassett wrote:

> Hi guys, I'm using tacacs+ on some cisco SanOS fiber switches.  I am
> able to authenticate and log in properly, but I am not being assigned
> the proper tacacs role
> 
> "network-admin"

> I need to add this pair
> 
> cisco-av-pair=shell:roles="network-admin"

> but I am not sure where to add it.   

If you want to add it per user, you should arrange the avpair to be
returned during the authentication. For example, if I authenticated
against a file, the file could contain this:

hvn User-Password = "password"
    tacacsgroup = group1
    cisco-avpair = shell:roles="network-admin"

The reference manual and goodies/tacacsplusserver.cfg say this:
  Any cisco-avpair reply items that result from the Radius
  authentication will be used for TACACS+ authorization.

Just noticed you posted your configuration. If you can arrange your LDAP
server to return an attribute that contains the avpair value, you can do
this within AuthBy LDAP2:

AuthAttrDef ciscoAvPair,cisco-avpair,reply

where ciscoAvPair is the LDAP attribute that contains the desired avpair
value.

An alternative and possibly a way to test the above is to add this into
your <ServerTACACSPLUS>:

AuthorizationAdd shell:roles="network-admin"

The above will add the avpair to all authorization requests. That's why
you may want to consider if it is ok to allow the attribute for all
tacacs users.

Please see doc/ref.pdf section 5.86 <ServerTACACSPLUS> and
goodies/tacacsplusserver.cfg for more information.

Thanks,
Heikki

-- 
Heikki Vatiainen, Arch Red Oy
+358 44 087 6547
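
As an added example (not configuration from this thread, nor from Radiator's goodies/ files), here is a Radiator fragment that takes the per-user LDAP route described above, with the global AuthorizationAdd alternative kept only as a commented-out test aid. The host, DNs, password, the ciscoAvPair LDAP attribute name and sAMAccountName as the username attribute are assumptions.

```conf
# Added illustration, not configuration from this thread or from
# Radiator's goodies/ directory. Host, DNs, password, the ciscoAvPair
# attribute name and sAMAccountName are placeholders/assumptions.

<AuthBy LDAP2>
    Identifier      CheckAD
    # Placeholder directory server; LDAPS as in the log (port 636)
    Host            ldap.example.com
    Port            636
    UseSSL
    # Placeholder bind credentials used to search for the user
    AuthDN          cn=radiator,ou=svc,dc=example,dc=com
    AuthPassword    CHANGEME
    BaseDN          ou=people,dc=example,dc=com
    UsernameAttr    sAMAccountName
    # Let the directory verify the password (bind as the user)
    ServerChecksPassword
    # Copy the LDAP attribute ciscoAvPair (assumed name, stored as
    # shell:roles="network-admin" on the user's entry) into the RADIUS
    # reply as cisco-avpair. ServerTACACSPLUS returns cisco-avpair reply
    # items as TACACS+ authorization arguments, so only users whose entry
    # carries the attribute receive the role.
    AuthAttrDef     ciscoAvPair,cisco-avpair,reply
</AuthBy>

# Same handler the log shows: 'Realm=DEFAULT' handled by CheckAD
<Handler Realm=DEFAULT>
    AuthBy CheckAD
</Handler>

<ServerTACACSPLUS>
    # Placeholder shared secret for the switches
    Key             CHANGEME
    # Global alternative from the thread: every authorized TACACS+ user
    # gets network-admin regardless of who they are. Suitable only to
    # confirm that the switch honours the avpair, so it stays disabled.
    # AuthorizationAdd shell:roles="network-admin"
</ServerTACACSPLUS>
```

With the per-user mapping in place, the Authorization REQUEST for a user whose entry lacks ciscoAvPair still produces no shell role, which is the least-privilege outcome the thread's caveat is asking for.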

