(RADIATOR) CommandAuth with TACACS+

Nicolai van der Smagt nicolai.vandersmagt at bbned.nl
Fri Jul 9 09:00:57 CDT 2004


Hi,

I experienced exactly the same problem as described in the message below,
which I found in the mailing list archives. The second argument in a
CommandAuth directive would be ignored:

	CommandAuth shell permit show:startup-config:.*
	CommandAuth shell deny show:.*

This would permit _all_ show commands, while it should only permit show
start and deny all other show commands.

When I changed ServerTACACSPLUS.pm as in the diff below, the second
argument was recognized, and command authorization worked as expected.
Show start was permitted and all other show commands were denied.


--- ServerTACACSPLUS.pm.orig    2004-07-06 17:03:28.000000000 +0200
+++ ServerTACACSPLUS.pm 2004-07-09 15:45:59.000000000 +0200
@@ -695,8 +695,11 @@
            for ( my $i = 0; $i <= length(@commands) && $commands[$i] ne ""; $i++ ) {
  
                my $current_arg = "cmd-arg=" . $commands[$i];
-               next command_match if !$auth_args[$i] =~ /^$current_arg$/;
+#              next command_match if !$auth_args[$i] =~ /^$current_arg$/;
  
+               unless ($auth_args[$i] =~ /^$current_arg$/) {
+                   next command_match;
+               }
            }
  
            if ( $action eq "permit" ) {
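Review bot: the root cause in the removed line is operator precedence: `!` binds tighter than `=~`, so `!$auth_args[$i] =~ /^$current_arg$/` negates the attribute value first (giving "" or 1) and then matches that against `^cmd-arg=...$`, which can never succeed, so `next command_match` never fires and every argument is accepted. The `unless` block corrects that; it could stay on one line as `next command_match unless $auth_args[$i] =~ /^$current_arg$/;` (or `if $auth_args[$i] !~ /^$current_arg$/`), and the commented-out original line should be deleted rather than left behind. Separately, the unchanged loop condition `$i <= length(@commands)` does not bound by element count: `length` takes the string length of the scalar count (1 for two to nine elements), so only indices 0 and 1 are ever compared and the `$commands[$i] ne ""` guard is doing the real work; `$i < @commands` states the intent directly.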

Regards,
Nicolai van der Smagt

        Hello Nick -
        
        What you describe is what is in the code.
        
        Have a look at "Radius/ServerTACACSPLUS.pm".
        
        regards
        
        Hugh
        
        
        On 19 Mar 2004, at 17:36, Nick Slager wrote:
        
                I have a TACACS+ server set up using Radiator 3.9, and am having a small
                problem configuring CommandAuth to work correctly.
                
                In my configuration file, I have the following:
                
                        # support group
                        GroupAuthAttr support priv-lvl=1
                        CommandAuth support permit debug:ppp:.*
                        CommandAuth support deny .*  Access Denied
                i.e., I want to permit members of the support group to enter 'debug ppp'
                commands, but deny all other exec-level commands, including other debug
                commands.
                However, users in this group are able to enter any debug command at all,
                not just 'debug ppp' commands. It seems that only the first part of the
                CommandAuth string is checked (ie, the 'debug' part). In this example,
                I would expect the second debug command to fail:
                
                        router#deb ppp auth
                        PPP authentication debugging is on
                        router#deb bgp ev
                        BGP events debugging is on
                However, it clearly works. It appears that only the first "word" of the
                command string is checked. Is anyone able to shed light on why this is
                happening?
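The rule matching discussed in this thread, as an added example that is not Radiator's own code: a small model of how a CommandAuth rule such as `permit show:startup-config:.*` is checked against the `cmd-arg` values of a TACACS+ command authorization request, with a switch between the original precedence bug and the corrected test. It assumes the first matching rule wins and that the NAS terminates the argument list with `cmd-arg=<cr>`, as Cisco IOS does (which is what the trailing `.*` in the rule matches).

```perl
#!/usr/bin/perl
# Added example (not Radiator's code): models CommandAuth rule matching against
# a TACACS+ authorization request carrying "cmd-arg=..." values, and shows why
# the original "next ... if !$x =~ /re/" test never rejected a mismatch.
use strict;
use warnings;

# First matching rule wins. $fixed = 1 selects the corrected argument test;
# $fixed = 0 reproduces the original behaviour.
sub command_auth {
    my ($rules, $cmd, $auth_args, $fixed) = @_;
    RULE: foreach my $rule (@$rules) {
        my ($action, $pattern) = @$rule;
        my ($rule_cmd, @rule_args) = split /:/, $pattern;
        next RULE unless $cmd =~ /^$rule_cmd$/;
        for (my $i = 0; $i < @rule_args; $i++) {
            my $current_arg = "cmd-arg=" . $rule_args[$i];
            my $arg = defined $auth_args->[$i] ? $auth_args->[$i] : "";
            if ($fixed) {
                # Corrected: abandon this rule as soon as one argument mismatches.
                next RULE unless $arg =~ /^$current_arg$/;
            } else {
                # Original: "!" applies to $arg first, yielding "" or 1; neither
                # can match /^cmd-arg=.../, so the rule is never skipped.
                next RULE if !$arg =~ /^$current_arg$/;
            }
        }
        return $action;
    }
    return "deny";    # no rule matched: default deny
}

# Constructed rule set (the one from the message above) and sample requests;
# the trailing "<cr>" is the argument terminator Cisco IOS sends (assumption).
my @rules = ([ "permit", "show:startup-config:.*" ], [ "deny", "show:.*" ]);

for my $args (["startup-config", "<cr>"], ["running-config", "<cr>"], ["ip", "route", "<cr>"]) {
    my @auth_args = map { "cmd-arg=$_" } @$args;
    printf "show %-22s original=%-6s fixed=%s\n", "@$args",
        command_auth(\@rules, "show", \@auth_args, 0),
        command_auth(\@rules, "show", \@auth_args, 1);
}
```

With the original test every show command is permitted by the first rule; with the corrected test only `show startup-config` is permitted and the other two fall through to the `deny show:.*` rule.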

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
