(RADIATOR) TacacsPlus AuthorizeGroup
Conjaerts, Roel
Roel.Conjaerts at essent.nl
Thu Mar 10 03:33:22 CST 2005
Hello all,
We are using Radiator 3.11.
I'm very interested in the new AuthorizeGroup parameter, but I just can't
get it to work.
I tried everything, even an AuthBy DBFILE as described here:
http://www.open.com.au/archives/radiator/2004-10/msg00073.html
It seems like I can't get the GroupMemberAttr parameter into radiator.
Any suggestions on how to do this?!?
Regards,
Roel
RADIUS.CFG
BindAddress 192.168.1.100
AuthPort 1645,1812
AcctPort 1646,1813
DictionaryFile /etc/radiator/dictionary, /etc/radiator/dictionary.ascend
LogDir /var/log/radiator
LogFile %L/%Y%m%d.log
PidFile %L/radiator.pid
Trace 4
Foreground
LogStdout
<ServerTACACSPLUS>
Key secret
Port 49
BindAddress 192.168.1.100
AddToRequest NAS-Identifier=TACACS
GroupMemberAttr tacacsgroup
AuthorizeGroup user permit service=shell cmd=show cmd-arg=.*
AuthorizeGroup user deny .*
</ServerTACACSPLUS>
<Client DEFAULT>
Secret secret
</Client>
<Realm DEFAULT>
PreProcessingHook sub { \
    my $p=${$_[0]}; \
    if (my @avpair=$p->get_attr('cisco-avpair')) { \
        foreach my $avpair (@avpair) { \
            $avpair=~s/\0//; \
            $avpair=~s/ <cr>//; \
            $p->add_attr(split('=', $avpair, 2)); \
        } \
    } \
    if (my $calling_station_id=$p->get_attr('Calling-Station-Id')) { \
        $calling_station_id=~s/\///; \
        $calling_station_id=~s/\0//; \
        $p->add_attr('Calling_Station_Id', $calling_station_id); \
    } \
}
PostAuthHook sub { \
    my $p=${$_[0]}; \
    my $usr=$p->getUserName; \
    my $dbh=DBI->connect("dbi:mysql:radiator", "radiator", "radiator"); \
    if (${$_[2]}==$main::REJECT && ${$_[0]}->code eq 'Access-Request') { \
        $dbh->do("UPDATE users SET wrong_pwd=wrong_pwd+1 WHERE username=? AND active='Y'", undef, $usr); \
    } \
    my $sth=$dbh->prepare("SELECT wrong_pwd FROM users WHERE username=? AND active='Y'"); \
    $sth->execute($usr); \
    my $bad_logins=$sth->fetchrow; \
    if ($bad_logins==5) { \
        my $timestamp=&Radius::Util::strftime("%Y-%m-%d %H:%M:%S"); \
        $dbh->do("UPDATE users SET timestamp=? WHERE username=? AND active='Y'", undef, $timestamp, $usr); \
        $dbh->do("UPDATE users SET active='N' WHERE username=? AND active='Y'", undef, $usr); \
    } \
    if (${$_[2]}==$main::ACCEPT && ${$_[0]}->code eq 'Access-Request') { \
        $dbh->do("UPDATE users SET wrong_pwd='0' WHERE username=? AND active='Y'", undef, $usr); \
    } \
    $dbh->disconnect(); \
}
<AuthBy SQL>
DBSource dbi:mysql:radiator
DBUsername radiator
DBAuth radiator
NoDefault
AuthSelect SELECT CONCAT('{MD5}', password) FROM users WHERE username=%0 AND active='Y'
AccountingTable accounting
AcctColumnDef date,Timestamp,integer-date,%Y-%m-%d
AcctColumnDef time,Timestamp,integer-date,%H:%M:%S
AcctColumnDef nas_ip_address,NAS-IP-Address
AcctColumnDef nas_port_id,NAS-Port-Id
AcctColumnDef user_name,User-Name
AcctColumnDef calling_station_id,Calling_Station_Id
AcctColumnDef priv_lvl,priv-lvl
AcctColumnDef command,cmd
</AuthBy>
</Realm>
LOGGING
Thu Mar 10 08:43:40 2005: DEBUG: New TacacsplusConnection created for
192.168.1.26:11030
Thu Mar 10 08:43:40 2005: DEBUG: TacacsplusConnection request 192, 1, 1, 0,
727162934, 17
Thu Mar 10 08:43:40 2005: DEBUG: TacacsplusConnection Authentication START
1, 1, 1 for , tty0, async
Thu Mar 10 08:43:40 2005: DEBUG: TacacsplusConnection Authentication REPLY
4, 0, Username: ,
Thu Mar 10 08:43:42 2005: DEBUG: TacacsplusConnection request 192, 1, 3, 0,
727162934, 9
Thu Mar 10 08:43:42 2005: DEBUG: TacacsplusConnection Authentication
CONTINUE 0, test,
Thu Mar 10 08:43:42 2005: DEBUG: TacacsplusConnection Authentication REPLY
5, 1, Password: ,
Thu Mar 10 08:43:43 2005: DEBUG: TacacsplusConnection request 192, 1, 5, 0,
727162934, 9
Thu Mar 10 08:43:43 2005: DEBUG: TacacsplusConnection Authentication
CONTINUE 0, test,
Thu Mar 10 08:43:43 2005: DEBUG: TACACSPLUS derived Radius request packet
dump:
Code: Access-Request
Identifier: UNDEF
Authentic: H<194><25><181>,X<180><234>@<226>?<171><18><148>N*
Attributes:
NAS-IP-Address = 192.168.1.26
NAS-Port-Id = "tty0"
Calling-Station-Id = "async"
Service-Type = Login-User
NAS-Identifier = "TACACS"
User-Name = "test"
User-Password = "test"
Thu Mar 10 08:43:43 2005: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Thu Mar 10 08:43:43 2005: DEBUG: Deleting session for , 192.168.1.26,
Thu Mar 10 08:43:43 2005: DEBUG: Handling with Radius::AuthSQL
Thu Mar 10 08:43:43 2005: DEBUG: Handling with Radius::AuthSQL:
Thu Mar 10 08:43:43 2005: DEBUG: Query is: 'SELECT CONCAT('{MD5}', password)
FROM users WHERE username='test' AND active='Y'':
Thu Mar 10 08:43:43 2005: DEBUG: Radius::AuthSQL looks for match with test
Thu Mar 10 08:43:43 2005: DEBUG: Radius::AuthSQL ACCEPT:
Thu Mar 10 08:43:43 2005: DEBUG: AuthBy SQL result: ACCEPT,
Thu Mar 10 08:43:43 2005: DEBUG: Access accepted for test
Thu Mar 10 08:43:43 2005: DEBUG: TacacsplusConnection result Access-Accept
Thu Mar 10 08:43:43 2005: DEBUG: TacacsplusConnection Authentication REPLY
1, 0, ,
Thu Mar 10 08:43:43 2005: DEBUG: TacacsplusConnection disconnected from
192.168.1.26:11030
Thu Mar 10 08:43:47 2005: DEBUG: New TacacsplusConnection created for
192.168.1.26:11031
Thu Mar 10 08:43:47 2005: DEBUG: New TacacsplusConnection created for
192.168.1.26:11032
Thu Mar 10 08:43:47 2005: DEBUG: TacacsplusConnection request 192, 3, 1, 0,
353545308, 87
Thu Mar 10 08:43:47 2005: DEBUG: TacacsplusConnection Accounting REQUEST 4,
6, 1, 1, 1, test, tty0, async, 5, task_id=26 timezone=CET service=shell
priv-lvl=0 cmd=enable <cr>
Thu Mar 10 08:43:47 2005: DEBUG: TACACSPLUS derived Radius request packet
dump:
Code: Accounting-Request
Identifier: UNDEF
Authentic: <192><137>C<217>#w<188><153><254>W<184>v<144><238>G<196>
Attributes:
NAS-IP-Address = 192.168.1.26
NAS-Port-Id = "tty0"
Calling-Station-Id = "async"
NAS-Identifier = "TACACS"
User-Name = "test"
Acct-Status-Type = Stop
cisco-avpair = "task_id=26"
cisco-avpair = "timezone=CET"
cisco-avpair = "service=shell"
cisco-avpair = "priv-lvl=0"
cisco-avpair = "cmd=enable <cr>"
Thu Mar 10 08:43:48 2005: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Thu Mar 10 08:43:48 2005: DEBUG: Deleting session for , 192.168.1.26,
Thu Mar 10 08:43:48 2005: DEBUG: Handling with Radius::AuthSQL
Thu Mar 10 08:43:48 2005: DEBUG: Handling accounting with Radius::AuthSQL
Thu Mar 10 08:43:48 2005: DEBUG: do query is: 'insert into accounting
(calling_station_id,command,date,nas_ip_address,nas_port_id,priv_lvl,time,us
er_name) values
('async','enable','2005-03-10','192.168.1.26','tty0','0','08:43:47','test')'
:
Thu Mar 10 08:43:48 2005: DEBUG: AuthBy SQL result: ACCEPT,
Thu Mar 10 08:43:48 2005: DEBUG: Accounting accepted
Thu Mar 10 08:43:48 2005: DEBUG: TacacsplusConnection result
Accounting-Response
Thu Mar 10 08:43:48 2005: DEBUG: TacacsplusConnection Authentication REPLY
2, 0, ,
Thu Mar 10 08:43:48 2005: DEBUG: TacacsplusConnection Accounting REPLY 1, ,
Thu Mar 10 08:43:48 2005: DEBUG: TacacsplusConnection disconnected from
192.168.1.26:11032
Thu Mar 10 08:43:48 2005: DEBUG: TacacsplusConnection request 192, 1, 1, 0,
2197639848, 21
Thu Mar 10 08:43:48 2005: DEBUG: TacacsplusConnection Authentication START
1, 1, 2 for test, tty0, async
Thu Mar 10 08:43:48 2005: DEBUG: TacacsplusConnection Authentication REPLY
5, 1, Password: ,
Thu Mar 10 08:43:49 2005: DEBUG: TacacsplusConnection request 192, 1, 3, 0,
2197639848, 9
Thu Mar 10 08:43:49 2005: DEBUG: TacacsplusConnection Authentication
CONTINUE 0, test,
Thu Mar 10 08:43:49 2005: DEBUG: TACACSPLUS derived Radius request packet
dump:
Code: Access-Request
Identifier: UNDEF
Authentic: <179><209>[<236>m<160><162>y<180>6<152><179><2>f<211>V
Attributes:
NAS-IP-Address = 192.168.1.26
NAS-Port-Id = "tty0"
Calling-Station-Id = "async"
Service-Type = Administrative-User
NAS-Identifier = "TACACS"
User-Name = "test"
User-Password = "test"
Thu Mar 10 08:43:49 2005: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Thu Mar 10 08:43:49 2005: DEBUG: Deleting session for , 192.168.1.26,
Thu Mar 10 08:43:49 2005: DEBUG: Handling with Radius::AuthSQL
Thu Mar 10 08:43:49 2005: DEBUG: Handling with Radius::AuthSQL:
Thu Mar 10 08:43:49 2005: DEBUG: Query is: 'SELECT CONCAT('{MD5}', password)
FROM users WHERE username='test' AND active='Y'':
Thu Mar 10 08:43:49 2005: DEBUG: Radius::AuthSQL looks for match with test
Thu Mar 10 08:43:49 2005: DEBUG: Radius::AuthSQL ACCEPT:
Thu Mar 10 08:43:49 2005: DEBUG: AuthBy SQL result: ACCEPT,
Thu Mar 10 08:43:49 2005: DEBUG: Access accepted for test
Thu Mar 10 08:43:49 2005: DEBUG: TacacsplusConnection result Access-Accept
Thu Mar 10 08:43:49 2005: DEBUG: TacacsplusConnection Authentication REPLY
1, 0, ,
Thu Mar 10 08:43:49 2005: DEBUG: TacacsplusConnection disconnected from
192.168.1.26:11031
Thu Mar 10 08:43:52 2005: DEBUG: New TacacsplusConnection created for
192.168.1.26:11033
Thu Mar 10 08:43:52 2005: DEBUG: TacacsplusConnection request 192, 3, 1, 0,
958638801, 95
Thu Mar 10 08:43:52 2005: DEBUG: TacacsplusConnection Accounting REQUEST 4,
6, 15, 1, 1, test, tty0, async, 5, task_id=27 timezone=CET service=shell
priv-lvl=15 cmd=clear logging <cr>
Thu Mar 10 08:43:52 2005: DEBUG: TACACSPLUS derived Radius request packet
dump:
Code: Accounting-Request
Identifier: UNDEF
Authentic: <128><189><3><138><152><227><230>*<7><236><26><174><255>'0<15>
Attributes:
NAS-IP-Address = 192.168.1.26
NAS-Port-Id = "tty0"
Calling-Station-Id = "async"
NAS-Identifier = "TACACS"
User-Name = "test"
Acct-Status-Type = Stop
cisco-avpair = "task_id=27"
cisco-avpair = "timezone=CET"
cisco-avpair = "service=shell"
cisco-avpair = "priv-lvl=15"
cisco-avpair = "cmd=clear logging <cr>"
Thu Mar 10 08:43:52 2005: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Thu Mar 10 08:43:52 2005: DEBUG: Deleting session for , 192.168.1.26,
Thu Mar 10 08:43:52 2005: DEBUG: Handling with Radius::AuthSQL
Thu Mar 10 08:43:52 2005: DEBUG: Handling accounting with Radius::AuthSQL
Thu Mar 10 08:43:52 2005: DEBUG: do query is: 'insert into accounting
(calling_station_id,command,date,nas_ip_address,nas_port_id,priv_lvl,time,us
er_name) values ('async','clear
logging','2005-03-10','192.168.1.26','tty0','15','08:43:52','test')':
Thu Mar 10 08:43:52 2005: DEBUG: AuthBy SQL result: ACCEPT,
Thu Mar 10 08:43:52 2005: DEBUG: Accounting accepted
Thu Mar 10 08:43:52 2005: DEBUG: TacacsplusConnection result
Accounting-Response
Thu Mar 10 08:43:52 2005: DEBUG: TacacsplusConnection Authentication REPLY
2, 0, ,
Thu Mar 10 08:43:52 2005: DEBUG: TacacsplusConnection Accounting REPLY 1, ,
Thu Mar 10 08:43:52 2005: DEBUG: TacacsplusConnection disconnected from
192.168.1.26:11033
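As an added illustration (not Radiator's code and not part of the original post), a small Python model of how rules shaped like the AuthorizeGroup lines in the config above decide a shell command authorization request, using the same avpair normalisation as the PreProcessingHook. The matching semantics it uses (first matching rule for the user's group wins, each pattern must fully match a request attribute, no match means deny) are assumptions for the sake of the example, not taken from Radiator's documentation.

```python
import re

# Rules in the shape of the AuthorizeGroup lines from the config above:
# (group, action, {attribute: regex}). The "deny .*" catch-all is modelled
# as an empty pattern dict, which matches every request.
POLICY = [
    ("user", "permit", {"service": "shell", "cmd": "show", "cmd-arg": ".*"}),
    ("user", "deny", {}),
]


def parse_avpairs(avpairs):
    """Normalise attr=value strings the way the PreProcessingHook does:
    drop NUL bytes and a trailing ' <cr>', then split on the first '=' only,
    so a value that itself contains '=' is not truncated."""
    attrs = {}
    for av in avpairs:
        av = re.sub(r" <cr>$", "", av.replace("\0", ""))
        if "=" not in av:
            continue
        name, value = av.split("=", 1)
        attrs.setdefault(name, []).append(value)
    return attrs


def rule_matches(patterns, attrs):
    """Assumed semantics: every pattern must fully match at least one value
    of the named attribute; a missing attribute never matches."""
    return all(
        any(re.fullmatch(regex, v) for v in attrs.get(name, []))
        for name, regex in patterns.items()
    )


def authorize(group, avpairs, policy=POLICY):
    """First rule for the user's group (the value GroupMemberAttr would
    supply) that matches wins; assumed default when nothing matches: deny."""
    attrs = parse_avpairs(avpairs)
    for rule_group, action, patterns in policy:
        if rule_group == group and rule_matches(patterns, attrs):
            return action
    return "deny"


if __name__ == "__main__":
    # Constructed authorization requests modelled on the commands in the log;
    # a NAS sends the command word as cmd= and each argument as its own cmd-arg=.
    for req in (["service=shell", "cmd=show", "cmd-arg=ip", "cmd-arg=route", "cmd-arg=<cr>"],
                ["service=shell", "cmd=clear", "cmd-arg=logging", "cmd-arg=<cr>"]):
        print(" ".join(req[1:]), "->", authorize("user", req))
```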
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.