(RADIATOR) TacacsPlus AuthorizeGroup

Conjaerts, Roel Roel.Conjaerts at essent.nl
Thu Mar 10 03:33:22 CST 2005


Hello all,

We are using Radiator 3.11.
I'm very interested in the new AuthorizeGroup parameter, but I just can't
get it to work.
I tried everything, even an AuthBy DBFILE as described here:
http://www.open.com.au/archives/radiator/2004-10/msg00073.html.
It seems like I can't get the GroupMemberAttr parameter into Radiator.
Any suggestions on how to do this?!?


Regards,

Roel



RADIUS.CFG

BindAddress	192.168.1.100
AuthPort	1645,1812
AcctPort		1646,1813
DictionaryFile	/etc/radiator/dictionary, /etc/radiator/dictionary.ascend
LogDir		/var/log/radiator
LogFile		%L/%Y%m%d.log
PidFile		%L/radiator.pid
Trace		4
Foreground
LogStdout

<ServerTACACSPLUS>
        Key		secret
        Port		49
        BindAddress	192.168.1.100
        AddToRequest	NAS-Identifier=TACACS
        GroupMemberAttr	tacacsgroup
        AuthorizeGroup	user	permit	service=shell cmd=show cmd-arg=.*
        AuthorizeGroup	user	deny	.*
</ServerTACACSPLUS>

<Client DEFAULT>
        Secret		secret
</Client>

<Realm DEFAULT>
        PreProcessingHook       sub { \
                my $p = ${$_[0]}; \
                if (my @avpair = $p->get_attr('cisco-avpair')) { \
                        foreach my $avpair (@avpair) { \
                                $avpair =~ s/\0//; \
                                $avpair =~ s/ <cr>//; \
                                $p->add_attr(split('=', $avpair, 2)); \
                        } \
                } \
                if (my $calling_station_id = $p->get_attr('Calling-Station-Id')) { \
                        $calling_station_id =~ s/\///; \
                        $calling_station_id =~ s/\0//; \
                        $p->add_attr('Calling_Station_Id', $calling_station_id); \
                } \
        }
        PostAuthHook            sub { \
                my $p = ${$_[0]}; \
                my $usr = $p->getUserName; \
                my $dbh = DBI->connect("dbi:mysql:radiator", "radiator", "radiator"); \
                if (${$_[2]} == $main::REJECT && $p->code eq 'Access-Request') { \
                        $dbh->do("UPDATE users SET wrong_pwd=wrong_pwd+1 WHERE username=? AND active='Y'", undef, $usr); \
                } \
                my $sth = $dbh->prepare("SELECT wrong_pwd FROM users WHERE username=? AND active='Y'"); \
                $sth->execute($usr); \
                my $bad_logins = $sth->fetchrow; \
                if (defined $bad_logins && $bad_logins == 5) { \
                        my $timestamp = &Radius::Util::strftime("%Y-%m-%d %H:%M:%S"); \
                        $dbh->do("UPDATE users SET timestamp=? WHERE username=? AND active='Y'", undef, $timestamp, $usr); \
                        $dbh->do("UPDATE users SET active='N' WHERE username=? AND active='Y'", undef, $usr); \
                } \
                if (${$_[2]} == $main::ACCEPT && $p->code eq 'Access-Request') { \
                        $dbh->do("UPDATE users SET wrong_pwd='0' WHERE username=? AND active='Y'", undef, $usr); \
                } \
                $dbh->disconnect(); \
        }
        <AuthBy SQL>
                DBSource		dbi:mysql:radiator
                DBUsername		radiator
                DBAuth		radiator
                NoDefault
                AuthSelect		SELECT CONCAT('{MD5}', password) FROM users WHERE username=%0 AND active='Y'
                AccountingTable	accounting
                AcctColumnDef	date,Timestamp,integer-date,%Y-%m-%d
                AcctColumnDef	time,Timestamp,integer-date,%H:%M:%S
                AcctColumnDef	nas_ip_address,NAS-IP-Address
                AcctColumnDef	nas_port_id,NAS-Port-Id
                AcctColumnDef	user_name,User-Name
                AcctColumnDef	calling_station_id,Calling_Station_Id
                AcctColumnDef	priv_lvl,priv-lvl
                AcctColumnDef	command,cmd
        </AuthBy>
</Realm>



LOGGING

Thu Mar 10 08:43:40 2005: DEBUG: New TacacsplusConnection created for 192.168.1.26:11030
Thu Mar 10 08:43:40 2005: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 727162934, 17
Thu Mar 10 08:43:40 2005: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for , tty0, async
Thu Mar 10 08:43:40 2005: DEBUG: TacacsplusConnection Authentication REPLY 4, 0, Username: ,
Thu Mar 10 08:43:42 2005: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 727162934, 9
Thu Mar 10 08:43:42 2005: DEBUG: TacacsplusConnection Authentication CONTINUE 0, test,
Thu Mar 10 08:43:42 2005: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
Thu Mar 10 08:43:43 2005: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 727162934, 9
Thu Mar 10 08:43:43 2005: DEBUG: TacacsplusConnection Authentication CONTINUE 0, test,
Thu Mar 10 08:43:43 2005: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  H<194><25><181>,X<180><234>@<226>?<171><18><148>N*
Attributes:
        NAS-IP-Address = 192.168.1.26
        NAS-Port-Id = "tty0"
        Calling-Station-Id = "async"
        Service-Type = Login-User
        NAS-Identifier = "TACACS"
        User-Name = "test"
        User-Password = "test"

Thu Mar 10 08:43:43 2005: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Thu Mar 10 08:43:43 2005: DEBUG:  Deleting session for , 192.168.1.26,
Thu Mar 10 08:43:43 2005: DEBUG: Handling with Radius::AuthSQL
Thu Mar 10 08:43:43 2005: DEBUG: Handling with Radius::AuthSQL:
Thu Mar 10 08:43:43 2005: DEBUG: Query is: 'SELECT CONCAT('{MD5}', password) FROM users WHERE username='test' AND active='Y'':
Thu Mar 10 08:43:43 2005: DEBUG: Radius::AuthSQL looks for match with test
Thu Mar 10 08:43:43 2005: DEBUG: Radius::AuthSQL ACCEPT:
Thu Mar 10 08:43:43 2005: DEBUG: AuthBy SQL result: ACCEPT,
Thu Mar 10 08:43:43 2005: DEBUG: Access accepted for test
Thu Mar 10 08:43:43 2005: DEBUG: TacacsplusConnection result Access-Accept
Thu Mar 10 08:43:43 2005: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Thu Mar 10 08:43:43 2005: DEBUG: TacacsplusConnection disconnected from 192.168.1.26:11030
Thu Mar 10 08:43:47 2005: DEBUG: New TacacsplusConnection created for 192.168.1.26:11031
Thu Mar 10 08:43:47 2005: DEBUG: New TacacsplusConnection created for 192.168.1.26:11032
Thu Mar 10 08:43:47 2005: DEBUG: TacacsplusConnection request 192, 3, 1, 0, 353545308, 87
Thu Mar 10 08:43:47 2005: DEBUG: TacacsplusConnection Accounting REQUEST 4, 6, 1, 1, 1, test, tty0, async, 5, task_id=26 timezone=CET service=shell priv-lvl=0 cmd=enable <cr>
Thu Mar 10 08:43:47 2005: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Accounting-Request
Identifier: UNDEF
Authentic:  <192><137>C<217>#w<188><153><254>W<184>v<144><238>G<196>
Attributes:
        NAS-IP-Address = 192.168.1.26
        NAS-Port-Id = "tty0"
        Calling-Station-Id = "async"
        NAS-Identifier = "TACACS"
        User-Name = "test"
        Acct-Status-Type = Stop
        cisco-avpair = "task_id=26"
        cisco-avpair = "timezone=CET"
        cisco-avpair = "service=shell"
        cisco-avpair = "priv-lvl=0"
        cisco-avpair = "cmd=enable <cr>"

Thu Mar 10 08:43:48 2005: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Thu Mar 10 08:43:48 2005: DEBUG:  Deleting session for , 192.168.1.26,
Thu Mar 10 08:43:48 2005: DEBUG: Handling with Radius::AuthSQL
Thu Mar 10 08:43:48 2005: DEBUG: Handling accounting with Radius::AuthSQL
Thu Mar 10 08:43:48 2005: DEBUG: do query is: 'insert into accounting (calling_station_id,command,date,nas_ip_address,nas_port_id,priv_lvl,time,user_name) values ('async','enable','2005-03-10','192.168.1.26','tty0','0','08:43:47','test')':
Thu Mar 10 08:43:48 2005: DEBUG: AuthBy SQL result: ACCEPT,
Thu Mar 10 08:43:48 2005: DEBUG: Accounting accepted
Thu Mar 10 08:43:48 2005: DEBUG: TacacsplusConnection result Accounting-Response
Thu Mar 10 08:43:48 2005: DEBUG: TacacsplusConnection Authentication REPLY 2, 0, ,
Thu Mar 10 08:43:48 2005: DEBUG: TacacsplusConnection Accounting REPLY 1, ,
Thu Mar 10 08:43:48 2005: DEBUG: TacacsplusConnection disconnected from 192.168.1.26:11032
Thu Mar 10 08:43:48 2005: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 2197639848, 21
Thu Mar 10 08:43:48 2005: DEBUG: TacacsplusConnection Authentication START 1, 1, 2 for test, tty0, async
Thu Mar 10 08:43:48 2005: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
Thu Mar 10 08:43:49 2005: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 2197639848, 9
Thu Mar 10 08:43:49 2005: DEBUG: TacacsplusConnection Authentication CONTINUE 0, test,
Thu Mar 10 08:43:49 2005: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <179><209>[<236>m<160><162>y<180>6<152><179><2>f<211>V
Attributes:
        NAS-IP-Address = 192.168.1.26
        NAS-Port-Id = "tty0"
        Calling-Station-Id = "async"
        Service-Type = Administrative-User
        NAS-Identifier = "TACACS"
        User-Name = "test"
        User-Password = "test"

Thu Mar 10 08:43:49 2005: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Thu Mar 10 08:43:49 2005: DEBUG:  Deleting session for , 192.168.1.26,
Thu Mar 10 08:43:49 2005: DEBUG: Handling with Radius::AuthSQL
Thu Mar 10 08:43:49 2005: DEBUG: Handling with Radius::AuthSQL:
Thu Mar 10 08:43:49 2005: DEBUG: Query is: 'SELECT CONCAT('{MD5}', password) FROM users WHERE username='test' AND active='Y'':
Thu Mar 10 08:43:49 2005: DEBUG: Radius::AuthSQL looks for match with test
Thu Mar 10 08:43:49 2005: DEBUG: Radius::AuthSQL ACCEPT:
Thu Mar 10 08:43:49 2005: DEBUG: AuthBy SQL result: ACCEPT,
Thu Mar 10 08:43:49 2005: DEBUG: Access accepted for test
Thu Mar 10 08:43:49 2005: DEBUG: TacacsplusConnection result Access-Accept
Thu Mar 10 08:43:49 2005: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Thu Mar 10 08:43:49 2005: DEBUG: TacacsplusConnection disconnected from 192.168.1.26:11031
Thu Mar 10 08:43:52 2005: DEBUG: New TacacsplusConnection created for 192.168.1.26:11033
Thu Mar 10 08:43:52 2005: DEBUG: TacacsplusConnection request 192, 3, 1, 0, 958638801, 95
Thu Mar 10 08:43:52 2005: DEBUG: TacacsplusConnection Accounting REQUEST 4, 6, 15, 1, 1, test, tty0, async, 5, task_id=27 timezone=CET service=shell priv-lvl=15 cmd=clear logging <cr>
Thu Mar 10 08:43:52 2005: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Accounting-Request
Identifier: UNDEF
Authentic:  <128><189><3><138><152><227><230>*<7><236><26><174><255>'0<15>
Attributes:
        NAS-IP-Address = 192.168.1.26
        NAS-Port-Id = "tty0"
        Calling-Station-Id = "async"
        NAS-Identifier = "TACACS"
        User-Name = "test"
        Acct-Status-Type = Stop
        cisco-avpair = "task_id=27"
        cisco-avpair = "timezone=CET"
        cisco-avpair = "service=shell"
        cisco-avpair = "priv-lvl=15"
        cisco-avpair = "cmd=clear logging <cr>"

Thu Mar 10 08:43:52 2005: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Thu Mar 10 08:43:52 2005: DEBUG:  Deleting session for , 192.168.1.26,
Thu Mar 10 08:43:52 2005: DEBUG: Handling with Radius::AuthSQL
Thu Mar 10 08:43:52 2005: DEBUG: Handling accounting with Radius::AuthSQL
Thu Mar 10 08:43:52 2005: DEBUG: do query is: 'insert into accounting (calling_station_id,command,date,nas_ip_address,nas_port_id,priv_lvl,time,user_name) values ('async','clear logging','2005-03-10','192.168.1.26','tty0','15','08:43:52','test')':
Thu Mar 10 08:43:52 2005: DEBUG: AuthBy SQL result: ACCEPT,
Thu Mar 10 08:43:52 2005: DEBUG: Accounting accepted
Thu Mar 10 08:43:52 2005: DEBUG: TacacsplusConnection result Accounting-Response
Thu Mar 10 08:43:52 2005: DEBUG: TacacsplusConnection Authentication REPLY 2, 0, ,
Thu Mar 10 08:43:52 2005: DEBUG: TacacsplusConnection Accounting REPLY 1, ,
Thu Mar 10 08:43:52 2005: DEBUG: TacacsplusConnection disconnected from 192.168.1.26:11033




--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
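The PostAuthHook in the posted RADIUS.CFG keeps a failed-login counter in the users table and deactivates the account on the fifth reject, but builds its UPDATE and SELECT statements by interpolating the User-Name straight into the SQL text. The following is an added example, not code from the post or from Radiator, that re-implements that same bookkeeping with bound parameters so the username can never change the shape of the query. It assumes an in-memory SQLite table with the columns the hook references (username, password, active, wrong_pwd, timestamp) standing in for the MySQL "radiator" database, and models Radiator's ACCEPT/REJECT result and Access-Request code as plain strings; the MAX_BAD_LOGINS threshold of 5 is the hook's own.

```python
"""Lockout bookkeeping of the posted PostAuthHook, with parameterized SQL.

Added example (not part of the original post).  SQLite stands in for the
MySQL database; the schema below is constructed from the columns the hook
touches.
"""
import sqlite3
from datetime import datetime

MAX_BAD_LOGINS = 5            # the hook deactivates the account at the 5th failure
ACCEPT, REJECT = "ACCEPT", "REJECT"   # stand-ins for $main::ACCEPT / $main::REJECT


def open_db():
    """Create the constructed test schema (assumption: mirrors the hook's columns)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users ("
        " username TEXT PRIMARY KEY,"
        " password TEXT,"
        " active TEXT NOT NULL DEFAULT 'Y',"
        " wrong_pwd INTEGER NOT NULL DEFAULT 0,"
        " timestamp TEXT)"
    )
    return db


def current_state(db, username):
    """Return {'wrong_pwd': n, 'active': 'Y'|'N'} for the user, or None if unknown."""
    row = db.execute(
        "SELECT wrong_pwd, active FROM users WHERE username = ?", (username,)
    ).fetchone()
    return None if row is None else {"wrong_pwd": row[0], "active": row[1]}


def post_auth(db, username, result, code="Access-Request", now=None):
    """Same control flow as the hook: increment on REJECT, lock at the
    threshold, reset on ACCEPT.  Only Access-Request results are counted, as
    in the original.  Returns the user's state after the update."""
    if code != "Access-Request":
        return current_state(db, username)

    if result == REJECT:
        # Username is bound, never spliced into the statement text.
        db.execute(
            "UPDATE users SET wrong_pwd = wrong_pwd + 1 "
            "WHERE username = ? AND active = 'Y'",
            (username,),
        )

    row = db.execute(
        "SELECT wrong_pwd FROM users WHERE username = ? AND active = 'Y'",
        (username,),
    ).fetchone()
    if row is None:
        # Unknown or already-deactivated user: the Perl hook's undef == 5
        # comparison is false here, so nothing more happens.
        db.commit()
        return current_state(db, username)

    bad_logins = row[0]
    # The hook tests == 5; >= is used so a counter that somehow overshoots still locks.
    if bad_logins >= MAX_BAD_LOGINS:
        stamp = (now or datetime.now()).strftime("%Y-%m-%d %H:%M:%S")
        db.execute(
            "UPDATE users SET timestamp = ?, active = 'N' "
            "WHERE username = ? AND active = 'Y'",
            (stamp, username),
        )

    if result == ACCEPT:
        db.execute(
            "UPDATE users SET wrong_pwd = 0 WHERE username = ? AND active = 'Y'",
            (username,),
        )

    db.commit()
    return current_state(db, username)


if __name__ == "__main__":
    db = open_db()
    db.execute("INSERT INTO users (username, password) VALUES ('test', 'x')")
    for _ in range(MAX_BAD_LOGINS):
        print(post_auth(db, "test", REJECT))
    print(post_auth(db, "test", REJECT))   # locked: no active row, state stays 'N'
```

A username such as o'brien, which would have terminated the string literal in the interpolated `username='$usr'` form, is passed through the `?` placeholder unchanged. The same applies to the two UPDATEs in the lockout branch, which here are collapsed into a single statement since both carry the same WHERE clause.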