(RADIATOR) CommandAuth with TACACS+
Nicolai van der Smagt
nicolai.vandersmagt at bbned.nl
Fri Jul 9 09:00:57 CDT 2004
Hi,
I experienced exactly the same problem as described in the message below,
which I found in the mailing list archives. The second argument in a
CommandAuth directive would be ignored:
CommandAuth shell permit show:startup-config:.*
CommandAuth shell deny show:.*
This would permit _all_ show commands, while it should only permit show
start and deny all other show commands.
When I changed ServerTACACSPLUS.pm as in the diff below, the second
argument was recognized, and command authorization worked as expected.
Show start was permitted and all other show commands were denied.
--- ServerTACACSPLUS.pm.orig 2004-07-06 17:03:28.000000000 +0200
+++ ServerTACACSPLUS.pm 2004-07-09 15:45:59.000000000 +0200
@@ -695,8 +695,11 @@
for ( my $i = 0; $i <= length(@commands) && $commands[$i] ne ""; $i++ ) {
my $current_arg = "cmd-arg=" . $commands[$i];
- next command_match if !$auth_args[$i] =~ /^$current_arg$/;
+# next command_match if !$auth_args[$i] =~ /^$current_arg$/;
+ unless ($auth_args[$i] =~ /^$current_arg$/) {
+ next command_match;
+ }
}
if ( $action eq "permit" ) {
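Review bot: the root cause on the removed line is operator precedence, not a missing branch, and the note should say so: in Perl unary `!` binds tighter than `=~`, so `next command_match if !$auth_args[$i] =~ /^$current_arg$/;` parses as `(!$auth_args[$i]) =~ /^$current_arg$/`, which runs the regex against "" or 1, is always false, and so never skips a rule; any rule whose first word matches therefore permits every argument list, which is exactly the symptom in both reports. The `unless` block fixes this, but the one-line idiom `next command_match if $auth_args[$i] !~ /^$current_arg$/;` says the same thing, and the commented-out original (`+# next command_match if ...`) should be dropped rather than committed. Two further points in the unchanged context lines: the loop bound `$i <= length(@commands)` takes `length` of the element count as a string, so it is 1 for any array of fewer than ten elements and only elements 0 and 1 are ever compared; `$i < @commands` is what was meant, and the `$commands[$i] ne ""` guard is currently doing all the real termination. And when the request carries fewer arguments than the pattern, `$auth_args[$i]` is undef, which under `use warnings` produces an uninitialized-value warning from the patched test; it still fails the match, so the rule is skipped (the safe direction), but that case deserves an explicit `defined` check so the outcome is deliberate rather than incidental.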
Regards,
Nicolai van der Smagt
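The failure described above, as an added example that is not Radiator's code: a small Perl model of the CommandAuth argument loop in both its original and its patched form, run against the two rule sets quoted in this thread. The AV-pair layout (cmd=, one cmd-arg= per word, a trailing cmd-arg=<cr> as an IOS NAS sends it), the split-on-colon handling of the pattern, the use of full keywords, and the default-deny fallthrough are assumptions made for this example, not taken from ServerTACACSPLUS.pm.

```perl
#!/usr/bin/perl
# Added example (not Radiator code): model of the CommandAuth argument loop,
# original (precedence-bugged) and patched, against the thread's rule sets.
use strict;
use warnings;

# Rule sets transcribed from the two configurations quoted in the thread.
my %rulesets = (
    show    => [ [ permit => 'show:startup-config:.*' ],
                 [ deny   => 'show:.*' ] ],
    support => [ [ permit => 'debug:ppp:.*' ],
                 [ deny   => '.*' ] ],
);

# Turn a typed command into the AV pairs an IOS NAS sends for command
# authorization: cmd=<keyword>, cmd-arg=<word> per argument, then
# cmd-arg=<cr>. Assumption: full keywords, as the NAS expands them.
sub avpairs {
    my ($line) = @_;
    my ( $cmd, @args ) = split ' ', $line;
    my @pairs = ("cmd=$cmd");
    push @pairs, "cmd-arg=$_" for @args;
    push @pairs, 'cmd-arg=<cr>';
    return @pairs;
}

# Evaluate rules top-down. $buggy selects the original argument test.
sub authorize {
    my ( $rules, $line, $buggy ) = @_;
    my ( $cmd, @auth_args ) = avpairs($line);

  RULE: for my $rule (@$rules) {
        my ( $action, $pattern ) = @$rule;
        my ( $cmd_re, @commands ) = split /:/, $pattern;
        next RULE unless $cmd =~ /^cmd=$cmd_re$/;

        for my $i ( 0 .. $#commands ) {
            my $current_arg = "cmd-arg=" . $commands[$i];
            # Fewer arguments than the pattern expects: treat as empty so the
            # comparison fails (rule skipped) instead of warning on undef.
            my $have = defined $auth_args[$i] ? $auth_args[$i] : '';
            if ($buggy) {
                # As in the unpatched loop: unary ! binds tighter than =~,
                # so this is (!$have) =~ /.../ -- the regex runs against ""
                # or 1, never matches, and the rule is never skipped.
                next RULE if !$have =~ /^$current_arg$/;
            }
            else {
                # Patched behaviour: skip this rule when an argument differs.
                next RULE if $have !~ /^$current_arg$/;
            }
        }
        return $action;    # every configured argument matched
    }
    return 'deny';         # assumption: no matching rule means deny
}

# Constructed requests: the two commands each poster expected to differ.
my @cases = (
    [ show    => 'show startup-config' ],
    [ show    => 'show running-config' ],
    [ support => 'debug ppp authentication' ],
    [ support => 'debug bgp events' ],
);
for my $case (@cases) {
    my ( $set, $line ) = @$case;
    printf "%-26s buggy=%-6s fixed=%s\n", $line,
        authorize( $rulesets{$set}, $line, 1 ),
        authorize( $rulesets{$set}, $line, 0 );
}
```

With the original test every request whose first keyword matches a permit rule is permitted, which is the "all show commands" and "any debug command" behaviour reported in both messages; with the corrected test only the startup-config and ppp forms pass and the rest fall through to the deny rule.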
Hello Nick -
What you describe is what is in the code.
Have a look at "Radius/ServerTACACSPLUS.pm".
regards
Hugh
On 19 Mar 2004, at 17:36, Nick Slager wrote:
I have a TACACS+ server set up using Radiator 3.9, and am having a small
problem configuring CommandAuth to work correctly.
In my configuration file, I have the following:
# support group
GroupAuthAttr support priv-lvl=1
CommandAuth support permit debug:ppp:.*
CommandAuth support deny .* Access Denied
i.e., I want to permit members of the support group to enter 'debug ppp'
commands, but deny all other exec-level commands, including other debug
commands.
However, users in this group are able to enter any debug command at all,
not just 'debug ppp' commands. It seems that only the first part of the
CommandAuth string is checked (i.e., the 'debug' part). In this example,
I would expect the second debug command to fail:
router#deb ppp auth
PPP authentication debugging is on
router#deb bgp ev
BGP events debugging is on
However, it clearly works. It appears that only the first "word" of the
command string is checked. Is anyone able to shed light on why this is
happening?
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.