[RADIATOR] AddToReply tacacsgroup

Heikki Vatiainen hvn at open.com.au
Fri Nov 16 05:31:15 CST 2012


On 11/15/2012 10:34 PM, Murat Bilal wrote:

> I have three different groups for TACACS authorization. My radius
> .cfg is like this:

Hello Murat,

you can have only one AddToReply line in an AuthBy. This is why you get
DEFAULT with the Access-Accept. Try removing all except one that adds
group3.

The authorize arguments the device sends are:
  service=shell cmd* command-access*

The matching AuthorizeGroup for group3 would be this:
  AuthorizeGroup group3 permit service=shell cmd\* command-access\*
{priv-lvl=15}

Since the patterns, such as cmd\*, are regular expressions, you need to
escape any special characters such as '*'.

I suggest you re-read the reference manual ServerTACACSPLUS entry
together with goodies/servertacacsplus.cfg. I'd say you are currently
changing too many things simultaneously, fixing some things while
breaking others. Now would be a good time to review how TACACS+
authentication and authorization work with Radiator.

Thanks,
Heikki


> <ServerTACACSPLUS>
>         Key *****
>         AddToRequest NAS-Identifier=TACACS
>         GroupMemberAttr tacacsgroup
>         AuthorizeGroup group1  permit service=shell cmd=show cmd-args=.*
>         AuthorizeGroup group1 permit .*
> #       AuthorizeGroup DEFAULT  deny .*
>         AuthorizeGroup group3 permit service=shell cmd\* {priv-lvl=15}
> </ServerTACACSPLUS>
> 
> <Handler>
>         <AuthBy SQL>
>                 # Change DBSource, DBUsername, DBAuth for your database
>                 # See the reference manual. You will also have to
>                 # change the one in <SessionDatabase SQL> below
>                 # so it's the same
>                 DBSource        dbi:mysql:radius:localhost
>                 DBUsername      raduser
>                 DBAuth          raduser
> 
>                 # Never look up the DEFAULT user
>                 NoDefault
>                 # You can customise the SQL query used to get user details with the
>                 # AuthSelect parameter:
>                 AuthSelect select PASSWORD 'Auth-Type=AuthSQL',
> 'GroupList="group1 group2 group3"' from SUBSCRIBERS where USERNAME=%0
>         -----
> ------------
>         AddToReply tacacsgroup= group1
>         AddToReply tacacsgroup= group3
>         AddToReply tacacsgroup= DEFAULT
> 
> 
> I try with user mikem in group1. And the trace log:
> 
> Thu Nov 15 22:31:17 2012: DEBUG: Query to 'dbi:mysql:radius:localhost': 'select PASSWORD 'Auth-Type=AuthSQL', 'GroupList="group1 group2 group3"' from SUBSCRIBERS where USERNAME='mikem'':
> Thu Nov 15 22:31:17 2012: DEBUG: Radius::AuthSQL looks for match with mikem [mikem]
> Thu Nov 15 22:31:17 2012: DEBUG: Query to 'dbi:mysql:radius:localhost': 'select GROUPNAME from GROUPS where USERNAME='mikem' and GROUPNAME='group1'':
> Thu Nov 15 22:31:17 2012: DEBUG: Radius::AuthSQL ACCEPT: : mikem [mikem]
> Thu Nov 15 22:31:17 2012: DEBUG: AuthBy SQL result: ACCEPT,
> Thu Nov 15 22:31:17 2012: DEBUG: Access accepted for mikem
> Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost': 'insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (1353011477, 'mikem', 1)':
> Thu Nov 15 22:31:17 2012: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  p<146><26><192>4H<235><16>\<21><252>v.<142><152><28>
> Attributes:
>         tacacsgroup = DEFAULT
> 
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection result Access-Accept
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection disconnected from 93.155.11.54:58517
> Thu Nov 15 22:31:17 2012: DEBUG: New TacacsplusConnection created for 93.155.11.54:61939
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection request 192, 3, 1, 0, 3529830477, 105
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Accounting REQUEST 2, 6, 0, 1, 1, mikem at local, /dev/ttyp3, 78.169.249.3, 4, start_time=1353011477 task_id=10700 timezone=GMT service=shell
> Thu Nov 15 22:31:17 2012: DEBUG: TACACSPLUS derived Radius request packet dump:
> Code:       Accounting-Request
> Identifier: UNDEF
> Authentic:  p<235><143><10>U<177>d<206>X_Z<168>O<129><31>j
> Attributes:
>         NAS-IP-Address = 93.155.11.54
>         NAS-Port-Id = "/dev/ttyp3"
>         Calling-Station-Id = "78.169.249.3"
>         NAS-Identifier = "TACACS"
>         User-Name = "mikem at local"
>         Acct-Status-Type = Start
>         Acct-Session-Id = "3529830477"
>         cisco-avpair = "start_time=1353011477"
>         cisco-avpair = "task_id=10700"
>         cisco-avpair = "timezone=GMT"
>         cisco-avpair = "service=shell"
>         OSC-Version-Identifier = "192"
> 
> Thu Nov 15 22:31:17 2012: DEBUG: Handling request with Handler '', Identifier ''
> Thu Nov 15 22:31:17 2012: DEBUG:  Adding session for mikem at local, 93.155.11.54,
> Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost': 'delete from RADONLINE where NASIDENTIFIER='93.155.11.54' and NASPORT=00':
> Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost': 'insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('mikem at local', '93.155.11.54', 0, '3529830477', 1353011477, '', '', '')':
> Thu Nov 15 22:31:17 2012: DEBUG: Handling with Radius::AuthSQL:
> Thu Nov 15 22:31:17 2012: DEBUG: Handling accounting with Radius::AuthSQL
> Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radius:localhost': 'insert into ACCOUNTING (ACCTSESSIONID,ACCTSTATUSTYPE,NASIDENTIFIER,TIME_STAMP,USERNAME) values ('3529830477','Start','TACACS',1353011477,'mikem at local')':
> Thu Nov 15 22:31:17 2012: DEBUG: AuthBy SQL result: ACCEPT,
> Thu Nov 15 22:31:17 2012: DEBUG: Accounting accepted
> Thu Nov 15 22:31:17 2012: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:       Accounting-Response
> Identifier: UNDEF
> Authentic:  p<235><143><10>U<177>d<206>X_Z<168>O<129><31>j
> Attributes:
> 
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection result Accounting-Response
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Accounting REPLY 1, ,
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection disconnected from 93.155.11.54:61939
> Thu Nov 15 22:31:17 2012: DEBUG: New TacacsplusConnection created for 93.155.11.54:64085
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 2033174599, 70
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Authorization REQUEST 6, 0, 1, 1, mikem, /dev/ttyp3, 78.169.249.3, 3, service=shell cmd* command-access*
> Thu Nov 15 22:31:17 2012: INFO: Authorization denied for mikem, group DEFAULT. No matching AuthorizeGroup rule for args service=shell cmd* command-access*
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Authorization RESPONSE 16, denied, ,
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection disconnected from 93.155.11.54:64085
> 
> The reply message always says group DEFAULT. Is something wrong with my
> AddToReply clause? Why does the reply always say group DEFAULT?
> 
> And a strange issue: if group3 is at the end of the line for the AddToReply
> clause, then the reply message comes as group3.
> 
> MURAT BİLAL
> Services Engineer
> 
> 
> Ericsson Turkey
> CU Customer Support
> Cyber Plaza C Blok Kat:1 No:146
> Cyberpark 6800 Bilkent/Ankara
> Mobile +90 554 898 98 43
> murat.bilal at ericsson.com <mailto:murat.bilal at ericsson.com>
> www.ericsson.com  
> 

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
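To make the matching point concrete, here is a small model of AuthorizeGroup evaluation, added as an example; it is not Radiator's code and the exact semantics (every rule pattern must fully match some request argument, first matching rule for the group wins) are an assumption for illustration only. The rules are constructed from the config in the thread, with the group3 line corrected as Heikki suggests, and the arguments are the `service=shell cmd* command-access*` seen in the trace.

```python
import re

# Constructed rules modelled on the AuthorizeGroup lines in the thread, with
# the group3 rule corrected (command-access\* added, '*' escaped).
# Matching semantics are an assumption for illustration, not Radiator's
# implementation: a rule matches when every one of its patterns fully
# matches at least one argument of the authorization request.
RULES = [
    ("group1", "permit", ["service=shell", "cmd=show", r"cmd-args=.*"], {}),
    ("group1", "permit", [".*"], {}),
    ("group3", "permit", ["service=shell", r"cmd\*", r"command-access\*"],
     {"priv-lvl": "15"}),
]

# Arguments the device sent in the trace: service=shell cmd* command-access*
SHELL_START_ARGS = ["service=shell", "cmd*", "command-access*"]


def literal_pattern(arg):
    """Escape a literal argument so regex metacharacters such as '*' match
    themselves, e.g. literal_pattern("cmd*") gives r"cmd\*"."""
    return re.escape(arg)


def rule_matches(patterns, args):
    """True when each pattern fully matches some argument (model assumption)."""
    return all(any(re.fullmatch(p, a) for a in args) for p in patterns)


def authorize(group, args, rules=RULES):
    """Evaluate the rules for the user's group in order; first match wins.
    Returns (decision, reply_attributes, reason)."""
    for rule_group, action, patterns, attrs in rules:
        if rule_group == group and rule_matches(patterns, args):
            return action, dict(attrs), "matched AuthorizeGroup %s rule" % group
    # No rule for this group matched: the outcome in the trace, where the user
    # landed in group DEFAULT (no rules) and was denied.
    return ("deny", {},
            "No matching AuthorizeGroup rule for args " + " ".join(args))


if __name__ == "__main__":
    print(authorize("group3", SHELL_START_ARGS))
    print(authorize("DEFAULT", SHELL_START_ARGS))
    # Unescaped 'cmd*' is the regex 'cm' followed by zero or more 'd', so it
    # never matches the literal argument 'cmd*'.
    print(rule_matches(["service=shell", "cmd*"], SHELL_START_ARGS))
```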

