(RADIATOR) Patch for TACACSPLUS authentication
Jean-Claude Christophe
jch at oleane.net
Wed Jul 17 17:34:53 CDT 2002
Hi all,
Here is a patch for the AuthTACACSPLUS package (attached to this mail).
Before, the authentication type was selected according to the version of
the package (except CHAP).
I added a keyword in order to force the authentication type. Here is an
example of a radiator config file:
<Handler Realm=HOSTING.ALL, NAS-Port-Type=Async>
        RewriteUsername s/\@HOSTING\.ALL$//
        AuthByPolicy ContinueUntilAccept
        <AuthBy DBFILE>
                Filename %D/files/users-hosting
                NoDefault
                AddToReply Service-Type = Administrative-User
        </AuthBy>
        <AuthBy TACACSPLUS>
                Host 192.168.0.1
                Key topsecret
                AuthType ASCII
                Timeout 3
                AddToReply \
                        Service-Type = Administrative-User, \
                        cisco-avpair = "rtelnet:*=*"
        </AuthBy>
</Handler>
AuthType ASCII|CHAP|PAP
Customers are authenticated using the DB file, and all technical staff
can also be authenticated (for support) by using their usual
login/pass on the tacacsplus server.
Regards,
--
Jean-Claude Christophe / jch at oleane.net
-------------- next part --------------
*** Radius/AuthTACACSPLUS.pm.old Thu Jul 18 00:03:44 2002
--- Radius/AuthTACACSPLUS.pm Thu Jul 18 00:04:17 2002
***************
*** 6,13 ****
# with an AuthType of TACACSPLUS is found in the config file
#
# This module can check an TACACSPLUS user password, but cant do any
! # check or reply items. Cant handle CHAP, only PAP
! # Accounting packets ar ignored.
#
# Author: Mike McCauley (mikem at open.com.au)
# Copyright (C) 1997 Open System Consultants
--- 6,13 ----
# with an AuthType of TACACSPLUS is found in the config file
#
# This module can check an TACACSPLUS user password, but cant do any
! # check or reply items. It can handle CHAP, PAP or ASCII authentication
! # type. Accounting packets are ignored.
#
# Author: Mike McCauley (mikem at open.com.au)
# Copyright (C) 1997 Open System Consultants
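Review bot: the rewritten header comment overstates what the module does. CHAP is only used when the request already carries a CHAP-Password attribute (the "See if they want to do it by CHAP" branch), and "AuthType CHAP" on its own only logs an error, so "It can handle CHAP, PAP or ASCII authentication type" should say that CHAP follows the request while PAP/ASCII is chosen by the new AuthType keyword or, failing that, by the Authen::TacacsPlus version. The new keyword itself is not mentioned in the header at all; add one line for it. While touching these lines, fix "an TACACSPLUS" and "cant" ("a TACACS+", "can't").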
***************
*** 20,29 ****
use strict;
%Radius::AuthTACACSPLUS::ConfigKeywords =
! ('Host' => 'string',
! 'Key' => 'string',
! 'Port' => 'string',
! 'Timeout' => 'integer'
);
#####################################################################
--- 20,30 ----
use strict;
%Radius::AuthTACACSPLUS::ConfigKeywords =
! ('AuthType' => 'string',
! 'Host' => 'string',
! 'Key' => 'string',
! 'Port' => 'string',
! 'Timeout' => 'integer'
);
#####################################################################
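Review bot: the new 'AuthType' keyword is registered here, but its accepted values (ASCII, CHAP, PAP according to the mail) are not documented next to it, and nothing validates the value when the configuration is loaded; a typo is only noticed, and logged, on every Access-Request. Add a comment listing the allowed values, and consider normalising and validating the setting once at load time (uppercase it, reject anything other than PAP/ASCII/CHAP) so a bad value fails at startup rather than per request.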
***************
*** 90,97 ****
if ($p->code eq 'Access-Request')
{
my $tac = new Authen::TacacsPlus(Host=>$self->{Host},
! Key=>$self->{Key},
! Timeout=>$self->{Timeout},
Port=>$self->{Port});
if (!$tac)
--- 91,98 ----
if ($p->code eq 'Access-Request')
{
my $tac = new Authen::TacacsPlus(Host=>$self->{Host},
! Key=>$self->{Key},
! Timeout=>$self->{Timeout},
Port=>$self->{Port});
if (!$tac)
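Review bot: this hunk carries no functional change. The '!' lines for "Key=>" and "Timeout=>" are identical on both sides, so the difference is whitespace or indentation only. Drop it from the patch (or regenerate the diff ignoring whitespace) so reviewers can concentrate on the real changes.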
***************
*** 103,109 ****
$user_name =~ s/@[^@]*$//
if $self->{UsernameMatchesWithoutRealm};
! my ($tac_result, $result, $reason, $attr, $submitted_pw);
# See if they want to do it by CHAP
if (defined ($attr = $p->getAttrByNum($Radius::Radius::CHAP_PASSWORD)))
--- 104,110 ----
$user_name =~ s/@[^@]*$//
if $self->{UsernameMatchesWithoutRealm};
! my ($tac_result, $result, $reason, $attr, $submitted_pw, $authtype);
# See if they want to do it by CHAP
if (defined ($attr = $p->getAttrByNum($Radius::Radius::CHAP_PASSWORD)))
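Review bot: $authtype is added to the outer 'my' list, but it is only assigned and used inside the User-Password branch in the following hunk; declaring it there keeps its scope tight and makes it obvious that the CHAP path never consults it.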
***************
*** 141,156 ****
($Radius::Radius::USER_PASSWORD))
{
# The submitted password is encoded plaintext,
! # decode it to get th eplaintext back
$submitted_pw = $p->decodedPassword();
# Version 0.16 and better can handle PAP, else take the
! # old version defauilt, which is ASCII
$tac_result = $tac->authen
! ($user_name,
! $submitted_pw,
! $Authen::TacacsPlus::VERSION > 0.15
! ? &Authen::TacacsPlus::TAC_PLUS_AUTHEN_TYPE_PAP
! : undef);
}
if ($tac_result)
{
--- 142,184 ----
($Radius::Radius::USER_PASSWORD))
{
# The submitted password is encoded plaintext,
! # decode it to get the plaintext back
$submitted_pw = $p->decodedPassword();
# Version 0.16 and better can handle PAP, else take the
! # old version default, which is ASCII
! # The authentication type can be override with 'AuthType'
! # to prevent Radiator choosing the type from the version of
! # the TacacsPlus package.
! if (defined($self->{AuthType}))
! {
! if ($self->{AuthType} =~ /PAP/i)
! {
! $authtype = &Authen::TacacsPlus::TAC_PLUS_AUTHEN_TYPE_PAP;
! }
! elsif ($self->{AuthType} =~ /ASCII/i)
! {
! $authtype = &Authen::TacacsPlus::TAC_PLUS_AUTHEN_TYPE_ASCII;
! }
! elsif ($self->{AuthType} =~ /CHAP/i)
! {
! $self->log($main::LOG_ERR, "There is no CHAP challenge in the request.");
! }
! else
! {
! $self->log($main::LOG_ERR, "Unknown TacacsPlus authentication type. Remove it and let Radiator guess it.");
! }
! }
! if (!defined($authtype))
! {
! # $authtype is undefined or incorrect -> try to guess it
! $authtype = $Authen::TacacsPlus::VERSION > 0.15
! ? &Authen::TacacsPlus::TAC_PLUS_AUTHEN_TYPE_PAP
! : &Authen::TacacsPlus::TAC_PLUS_AUTHEN_TYPE_ASCII;
! }
$tac_result = $tac->authen
! ($user_name,
! $submitted_pw,
! $authtype);
}
if ($tac_result)
{
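Review bot: the keyword is described as forcing the authentication type, but the fallback in "if (!defined($authtype))" undoes that: "AuthType CHAP" on a User-Password request, or any unrecognised value, logs an error and then silently authenticates with the version-guessed PAP or ASCII type. If the operator forced a type that cannot be honoured, skip the $tac->authen call so $tac_result stays false and the request is rejected, or at the very least make the log line say that it is falling back and include the offending value. Two smaller points: "/PAP/i", "/ASCII/i" and "/CHAP/i" are unanchored substring matches, so anchor them ("/^PAP$/i") or compare uc($self->{AuthType}) eq 'PAP'; and the old code passed undef as the type for Authen::TacacsPlus 0.15 and earlier, whereas the new fallback calls &Authen::TacacsPlus::TAC_PLUS_AUTHEN_TYPE_ASCII. If that constant is not defined in the older versions, the "&" call dies at runtime on exactly the versions that branch is meant to support, so either confirm the constant exists there or keep passing undef. Finally, "can be override" should read "can be overridden".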