(RADIATOR) AuthColumnDef type = request not working
Hugh Irvine
hugh at open.com.au
Thu Jul 28 02:58:53 CDT 2005
Hello Andrew -
Using the "request" keyword adds the attribute to the incoming request.
In your case I would have expected you to use "reply", as the
ServerTACACSPLUS clause will check the radius reply packet, not the
request packet.
See the example in "goodies/tacacsplusserver.cfg".
hope that helps
regards
Hugh
On 28 Jul 2005, at 17:40, Andrew Fort wrote:
> Hi folks,
> I have a problem in that using an AuthBy SQL AuthColumnDef where
> the type = 'request' doesn't seem to make the new attribute
> available to later parts of the auth process. I'm running
> Radiator-3.13 without patches.
>
> I have an AuthBy GROUP which auths against LDAP, and then also SQL
> to get additional attributes for a user (via the AuthColumnDef
> 'request' type). This attribute is the same as the one referred to
> by the GroupMemberAttr option in my <ServerTACACSPLUS> stanza.
>
> Looking in Radius/AuthSQL.pm, I can see the attribute being parsed
> correctly in `getAuthColumns', and removing the commented out debug
> statement " print "trying $colnr, $attrib, $type\n"; " shows the
> data I expect to see.
>
> Attached is my configuration and trace 4 log. Note I've snipped
> the attribute dump from the LDAP connection, the client list dump
> (to all but the one we're interested in) and obfuscated domain
> names and LDAP bind details.
>
> Cheers,
> Andrew Fort
> Thu Jul 28 17:14:23 2005: DEBUG: Adding Clients from SQL database
> Thu Jul 28 17:14:23 2005: DEBUG: Query is: 'select ip,secret,NULL,NULL,realm,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT("DeviceRole=",role.description) as DeviceRole from device,model,role where modelID=model.ID and device.roleID=role.ID and device.sysname not like 'ALL%';':
>
> [snip client list except our one test device]
> Thu Jul 28 17:14:23 2005: DEBUG: ClientListSQL adds Client 10.190.0.200
> Thu Jul 28 17:14:23 2005: DEBUG: Creating TACACSPLUS port 0.0.0.0:49
> Thu Jul 28 17:14:23 2005: DEBUG: Finished reading configuration file 'config/radius.cfg'
> Thu Jul 28 17:14:23 2005: DEBUG: Reading dictionary file './dictionary'
> Thu Jul 28 17:14:23 2005: DEBUG: Creating authentication port 0.0.0.0:1812
> Thu Jul 28 17:14:23 2005: DEBUG: Creating accounting port 0.0.0.0:1813
> Thu Jul 28 17:14:23 2005: NOTICE: Server started: Radiator 3.13 on planck
> Thu Jul 28 17:14:43 2005: DEBUG: New TacacsplusConnection created for 10.190.0.200:11227
> Thu Jul 28 17:14:43 2005: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 1955004275, 24
> Thu Jul 28 17:14:43 2005: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for , tty1, 172.17.254.7
> Thu Jul 28 17:14:43 2005: DEBUG: TacacsplusConnection Authentication REPLY 4, 0, Username: ,
> Thu Jul 28 17:14:44 2005: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 1955004275, 10
> Thu Jul 28 17:14:44 2005: DEBUG: TacacsplusConnection Authentication CONTINUE 0, afort,
> Thu Jul 28 17:14:44 2005: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
> Thu Jul 28 17:14:45 2005: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 1955004275, 15
> Thu Jul 28 17:14:45 2005: DEBUG: TacacsplusConnection Authentication CONTINUE 0, password,
> Thu Jul 28 17:14:45 2005: DEBUG: TACACSPLUS derived Radius request packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: <211><195><152><224><171><168>u<146>=r<164><210><178><<30><23>
> Attributes:
> NAS-IP-Address = 10.190.0.200
> NAS-Port-Id = "tty1"
> Calling-Station-Id = "172.17.254.7"
> Service-Type = Login-User
> NAS-Identifier = "TACACS"
> User-Name = "afort"
> User-Password = password
>
> Thu Jul 28 17:14:45 2005: DEBUG: Handling request with Handler 'NAS-Identifier=TACACS'
> Thu Jul 28 17:14:45 2005: DEBUG: Deleting session for , 10.190.0.200,
> Thu Jul 28 17:14:45 2005: DEBUG: Handling with Radius::AuthGROUP
> Thu Jul 28 17:14:45 2005: DEBUG: Handling with Radius::AuthLDAP2: ActiveDirectory
> Thu Jul 28 17:14:45 2005: INFO: Connecting to 10.190.0.21, port 389
> Thu Jul 28 17:14:45 2005: DEBUG: Starting TLS
> Thu Jul 28 17:14:45 2005: INFO: StartTLS negotiated with cipher mode RC4-MD5
> Thu Jul 28 17:14:45 2005: INFO: Attempting to bind to LDAP server 10.190.0.21:389
> [snip DEBUG: LDAP got result...]
> Thu Jul 28 17:14:45 2005: DEBUG: Radius::AuthLDAP2 looks for match with afort
> Thu Jul 28 17:14:45 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Thu Jul 28 17:14:45 2005: DEBUG: Handling with Radius::AuthSQL
> Thu Jul 28 17:14:45 2005: DEBUG: Handling with Radius::AuthSQL:
> Thu Jul 28 17:14:45 2005: DEBUG: Query is: 'select CONCAT("tacacsgroup=",usergrouprolePermission.levelID) from device,usergrouprolePermission,user,usertogroup where device.ip='10.190.0.200' and device.roleID = usergrouprolePermission.roleID and user.username='afort' and user.ID = usertogroup.userID and usertogroup.usergroupID = usergrouprolePermission.usergroupID;':
> trying 0, GENERIC, request
> Thu Jul 28 17:14:45 2005: DEBUG: Radius::AuthSQL looks for match with afort
> Thu Jul 28 17:14:45 2005: DEBUG: Radius::AuthSQL ACCEPT:
> Thu Jul 28 17:14:45 2005: DEBUG: AuthBy GROUP result: ACCEPT,
> Thu Jul 28 17:14:45 2005: DEBUG: Access accepted for afort
> Thu Jul 28 17:14:45 2005: DEBUG: TacacsplusConnection result Access-Accept
> Thu Jul 28 17:14:45 2005: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
> Thu Jul 28 17:14:45 2005: DEBUG: TacacsplusConnection disconnected from 10.190.0.200:11227
> Thu Jul 28 17:14:45 2005: DEBUG: New TacacsplusConnection created for 10.190.0.200:11228
> Thu Jul 28 17:14:45 2005: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 3657690048, 48
> Thu Jul 28 17:14:45 2005: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, afort, tty1, 172.17.254.7, 2, service=shell cmd*
> Thu Jul 28 17:14:45 2005: INFO: Authorization denied for afort, group DEFAULT. No matching AuthorizeGroup rule for args service=shell cmd*
> Thu Jul 28 17:14:45 2005: DEBUG: TacacsplusConnection disconnected from 10.190.0.200:11235
>
> #
> # $Id: radius.cfg,v 1.14 2005/07/28 07:05:02 afort Exp $
> #
> # radiator tacacs+ test configuration
> #
>
> #
> # general options
> #
>
> #Foreground
> #LogStdout
> LogDir .
> #DbDir .
> Trace 4
>
> AuthPort 1812
> AcctPort 1813
>
> #
> # Database parameters
> #
>
> DefineGlobalVar dbSource dbi:mysql:radiusdb
> DefineGlobalVar dbUser user
> DefineGlobalVar dbAuth password
> DbDir /var/lib/mysql/radiusdb
>
> #
> # client list (device list) via SQL query
> #
>
> <ClientListSQL>
> DBSource %{GlobalVar:dbSource}
> DBUsername %{GlobalVar:dbUser}
> DBAuth %{GlobalVar:dbAuth}
> GetClientQuery select ip,secret,NULL,NULL,realm,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT("DeviceRole=",role.description) as DeviceRole from device,model,role where modelID=model.ID and device.roleID=role.ID and device.sysname not like 'ALL%';
> </ClientListSQL>
>
>
> <Handler NAS-Identifier=TACACS>
> <AuthBy GROUP>
> AuthByPolicy ContinueWhileAccept
>
> <AuthBy LDAP2>
> # ldaphost
> Host 10.190.0.21
>
> UseTLS
> SSLVerify none
> Identifier ActiveDirectory
> Version 3
>
> # use to bind to LDAP directory
> AuthDN username@corp.example.com.au
> AuthPassword password
>
> # base DN for user information
> BaseDN dc=corp,dc=example,dc=com,dc=au
> ServerChecksPassword
> UsernameAttr SAMAccountName
>
> # If we fail to auth to LDAP server, try again in 2 minutes
> FailureBackoffTime 120
> </AuthBy>
>
> <AuthBy SQL>
> DBSource %{GlobalVar:dbSource}
> DBUsername %{GlobalVar:dbUser}
> DBAuth %{GlobalVar:dbAuth}
>
> Timeout 30
> FailureBackoffTime 4
>
> AuthSelect select CONCAT("tacacsgroup=",usergrouprolePermission.levelID) from device,usergrouprolePermission,user,usertogroup where device.ip='%N' and device.roleID = usergrouprolePermission.roleID and user.username='%n' and user.ID = usertogroup.userID and usertogroup.usergroupID = usergrouprolePermission.usergroupID;
>
> AuthColumnDef 0, GENERIC, request
>
> ##
> ## note: This has also been tried with the query changed
> ## so that the first column is just 'usergrouprolePermission.levelID'
> ## and the AuthColumnDef reads
> ## AuthColumnDef 0, tacacsgroup, request
> ## Without any success (same symptoms)
> </AuthBy>
>
> </AuthBy>
>
> <AuthLog FILE>
> Identifier logfile
> Filename ./authlog
> LogSuccess 1
> LogFailure 1
> </AuthLog>
> </Handler>
>
>
> #
> # tacacs+ server details
> #
>
> <ServerTACACSPLUS>
> Key mysecret
> Port 49
> GroupMemberAttr tacacsgroup
>
> AddToRequest NAS-Identifier=TACACS
>
> AuthorizeGroup 1 permit service=shell cmd\* {priv-lvl=15}
> AuthorizeGroup 1 permit .*
>
> GroupCacheFile %D/group-cache.dat
>
> </ServerTACACSPLUS>
>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
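The fix Hugh describes, written out as an added configuration example. This is not code from the original post, from Radiator or from goodies/tacacsplusserver.cfg; it is the posted Handler and ServerTACACSPLUS stanzas with the AuthColumnDef type changed from request to reply, so that the tacacsgroup attribute is placed in the RADIUS reply that ServerTACACSPLUS reads via GroupMemberAttr. Host addresses, credentials, table names and the GlobalVar database settings are carried over from the posted config as placeholders; the SSLCAFile path and the explicit DEFAULT rule are assumptions and not from the thread.

```conf
# Added example (not from the original post): the posted Handler with the
# one-word fix Hugh suggests, request -> reply, plus the ServerTACACSPLUS
# stanza that consumes the resulting attribute.

<Handler NAS-Identifier=TACACS>
    <AuthBy GROUP>
        # LDAP must ACCEPT first; AuthBy SQL then runs only to add attributes.
        AuthByPolicy ContinueWhileAccept

        <AuthBy LDAP2>
            Identifier ActiveDirectory
            Host 10.190.0.21
            Version 3
            UseTLS
            # The posted config used "SSLVerify none", which accepts any
            # server certificate on StartTLS. Assumption: a CA file exists
            # at the path below; adjust to your deployment.
            SSLVerify require
            SSLCAFile %D/certificates/corp-ca.pem
            AuthDN username@corp.example.com.au
            AuthPassword password
            BaseDN dc=corp,dc=example,dc=com,dc=au
            UsernameAttr SAMAccountName
            ServerChecksPassword
            FailureBackoffTime 120
        </AuthBy>

        <AuthBy SQL>
            DBSource %{GlobalVar:dbSource}
            DBUsername %{GlobalVar:dbUser}
            DBAuth %{GlobalVar:dbAuth}
            Timeout 30
            FailureBackoffTime 4

            # Column 0 is the string "tacacsgroup=<levelID>", as in the post.
            AuthSelect select CONCAT("tacacsgroup=",usergrouprolePermission.levelID) from device,usergrouprolePermission,user,usertogroup where device.ip='%N' and device.roleID = usergrouprolePermission.roleID and user.username='%n' and user.ID = usertogroup.userID and usertogroup.usergroupID = usergrouprolePermission.usergroupID

            # Was:  AuthColumnDef 0, GENERIC, request
            #       (attribute added to the incoming request, which
            #       ServerTACACSPLUS never looks at for group membership)
            # Now:  the attr=value pair is parsed into the RADIUS reply,
            #       where GroupMemberAttr below finds it.
            AuthColumnDef 0, GENERIC, reply
        </AuthBy>
    </AuthBy>

    <AuthLog FILE>
        Identifier logfile
        Filename ./authlog
        LogSuccess 1
        LogFailure 1
    </AuthLog>
</Handler>

<ServerTACACSPLUS>
    Key mysecret
    Port 49
    AddToRequest NAS-Identifier=TACACS

    # Name of the reply attribute whose value selects the AuthorizeGroup set.
    GroupMemberAttr tacacsgroup

    # Rules are tried in order. The posted ".*" catch-all permits any
    # argument string for group 1, so keep the specific rule ahead of it.
    AuthorizeGroup 1 permit service=shell cmd\* {priv-lvl=15}
    AuthorizeGroup 1 permit .*

    # A reply without tacacsgroup falls into group DEFAULT. With no rules
    # for it, every authorization request is denied, which is exactly the
    # "Authorization denied for afort, group DEFAULT" line in the posted
    # trace. This explicit rule (an assumption, not from the thread)
    # documents that behaviour rather than changing it.
    AuthorizeGroup DEFAULT deny .*

    GroupCacheFile %D/group-cache.dat
</ServerTACACSPLUS>
```

Two things to check after applying this. First, with Trace 4 the Access-Accept dump following "Radius::AuthSQL ACCEPT" should now list tacacsgroup among the reply attributes, and the next Authorization REQUEST should be evaluated against group 1 rather than DEFAULT; if Radiator instead complains about an unknown attribute, the name needs an entry in the dictionary. Second, %n and %N are interpolated directly into the SQL text, so a User-Name containing a quote character breaks the query; if your Radiator version supports AuthSelectParam bind parameters, prefer those over string interpolation.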