(RADIATOR) TacacsPlus AuthorizeGroup
Mike McCauley
mikem at open.com.au
Thu Mar 10 03:58:37 CST 2005
Hello Roel,
On Thursday 10 March 2005 19:33, Conjaerts, Roel wrote:
> Hello all,
>
> we are using Radiator 3.11.
> I'm very interested in the new AuthorizeGroup parameter, but I just can't
> get it to work.
> I tried everything, even an Authby DBFILE as described here
> http://www.open.com.au/archives/radiator/2004-10/msg00073.html.
> It seems like I can't get the GroupMemberAttr parameter into radiator.
> Any suggestions on how to do this?!?
In order to make Tacacs groups work, you have to do several things.
1. Configure GroupMemberAttr to be the name of a Radius attribute that will
contain the name of the user's Tacacs group. It can be a real or pseudo Radius
attribute, and should be present in the user's Access-Accept.
2. Configure your users so the attribute named in GroupMemberAttr contains the
name of their Tacacs group. If not specified, their Tacacs group will default
to 'DEFAULT'.
3. For each possible value of the GroupMemberAttr (i.e. for each possible group
name, and maybe DEFAULT), specify some AuthorizeGroup parameters.
4. Arrange for your NAS to send Tacacs Authentication and Authorization
requests (the AuthorizeGroup parameters affect the response to Tacacs
Authorization requests).
I note from your config and log that you have specified
GroupMemberAttr tacacsgroup
but the user you are testing did not have a tacacsgroup reply item. Therefore
the tacacs group would have defaulted to DEFAULT, but you have no
AuthorizeGroup config for the DEFAULT group.
And in any case, there seem to be no Authorization requests coming from your
NAS, only Authentication and Accounting requests. Looks like your NAS needs
some configuration too.
Hope that helps.
Cheers.
>
>
> Regards,
>
> Roel
>
>
>
> RADIUS.CFG
>
> BindAddress 192.168.1.100
> AuthPort 1645,1812
> AcctPort 1646,1813
> DictionaryFile /etc/radiator/dictionary, /etc/radiator/dictionary.ascend
> LogDir /var/log/radiator
> LogFile %L/%Y%m%d.log
> PidFile %L/radiator.pid
> Trace 4
> Foreground
> LogStdout
>
> <ServerTACACSPLUS>
> Key secret
> Port 49
> BindAddress 192.168.1.100
> AddToRequest NAS-Identifier=TACACS
> GroupMemberAttr tacacsgroup
> AuthorizeGroup user permit service=shell cmd=show cmd-arg=.*
> AuthorizeGroup user deny .*
> </ServerTACACSPLUS>
>
> <Client DEFAULT>
> Secret secret
> </Client>
>
> <Realm DEFAULT>
> PreProcessingHook sub { \
>     my $p = ${$_[0]}; \
>     if (my @avpair = $p->get_attr('cisco-avpair')) { \
>         foreach my $avpair (@avpair) { \
>             $avpair =~ s/\0//; \
>             $avpair =~ s/ <cr>//; \
>             $p->add_attr(split('=', $avpair, 2)); \
>         } \
>     } \
>     if (my $calling_station_id = $p->get_attr('Calling-Station-Id')) { \
>         $calling_station_id =~ s/\///; \
>         $calling_station_id =~ s/\0//; \
>         $p->add_attr('Calling_Station_Id', $calling_station_id); \
>     } \
> }
> PostAuthHook sub { \
>     my $p = ${$_[0]}; \
>     my $usr = $p->getUserName; \
>     my $dbh = DBI->connect("dbi:mysql:radiator", "radiator", "radiator"); \
>     if (${$_[2]} == $main::REJECT && $p->code eq 'Access-Request') { \
>         $dbh->do("UPDATE users SET wrong_pwd=wrong_pwd+1 WHERE username=? AND active='Y'", undef, $usr); \
>     } \
>     my $sth = $dbh->prepare("SELECT wrong_pwd FROM users WHERE username=? AND active='Y'"); \
>     $sth->execute($usr); \
>     my ($bad_logins) = $sth->fetchrow_array; \
>     if (defined $bad_logins && $bad_logins == 5) { \
>         my $timestamp = &Radius::Util::strftime("%Y-%m-%d %H:%M:%S"); \
>         $dbh->do("UPDATE users SET timestamp=? WHERE username=? AND active='Y'", undef, $timestamp, $usr); \
>         $dbh->do("UPDATE users SET active='N' WHERE username=? AND active='Y'", undef, $usr); \
>     } \
>     if (${$_[2]} == $main::ACCEPT && $p->code eq 'Access-Request') { \
>         $dbh->do("UPDATE users SET wrong_pwd=0 WHERE username=? AND active='Y'", undef, $usr); \
>     } \
>     $dbh->disconnect(); \
> }
> <AuthBy SQL>
> DBSource dbi:mysql:radiator
> DBUsername radiator
> DBAuth radiator
> NoDefault
> AuthSelect SELECT CONCAT('{MD5}', password) FROM users WHERE username=%0 AND active='Y'
> AccountingTable accounting
> AcctColumnDef date,Timestamp,integer-date,%Y-%m-%d
> AcctColumnDef time,Timestamp,integer-date,%H:%M:%S
> AcctColumnDef nas_ip_address,NAS-IP-Address
> AcctColumnDef nas_port_id,NAS-Port-Id
> AcctColumnDef user_name,User-Name
> AcctColumnDef calling_station_id,Calling_Station_Id
> AcctColumnDef priv_lvl,priv-lvl
> AcctColumnDef command,cmd
> </AuthBy>
> </Realm>
>
>
>
> LOGGING
>
> Thu Mar 10 08:43:40 2005: DEBUG: New TacacsplusConnection created for
> 192.168.1.26:11030
> Thu Mar 10 08:43:40 2005: DEBUG: TacacsplusConnection request 192, 1, 1, 0,
> 727162934, 17
> Thu Mar 10 08:43:40 2005: DEBUG: TacacsplusConnection Authentication START
> 1, 1, 1 for , tty0, async
> Thu Mar 10 08:43:40 2005: DEBUG: TacacsplusConnection Authentication REPLY
> 4, 0, Username: ,
> Thu Mar 10 08:43:42 2005: DEBUG: TacacsplusConnection request 192, 1, 3, 0,
> 727162934, 9
> Thu Mar 10 08:43:42 2005: DEBUG: TacacsplusConnection Authentication
> CONTINUE 0, test,
> Thu Mar 10 08:43:42 2005: DEBUG: TacacsplusConnection Authentication REPLY
> 5, 1, Password: ,
> Thu Mar 10 08:43:43 2005: DEBUG: TacacsplusConnection request 192, 1, 5, 0,
> 727162934, 9
> Thu Mar 10 08:43:43 2005: DEBUG: TacacsplusConnection Authentication
> CONTINUE 0, test,
> Thu Mar 10 08:43:43 2005: DEBUG: TACACSPLUS derived Radius request packet
> dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: H<194><25><181>,X<180><234>@<226>?<171><18><148>N*
> Attributes:
> NAS-IP-Address = 192.168.1.26
> NAS-Port-Id = "tty0"
> Calling-Station-Id = "async"
> Service-Type = Login-User
> NAS-Identifier = "TACACS"
> User-Name = "test"
> User-Password = "test"
>
> Thu Mar 10 08:43:43 2005: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Thu Mar 10 08:43:43 2005: DEBUG: Deleting session for , 192.168.1.26,
> Thu Mar 10 08:43:43 2005: DEBUG: Handling with Radius::AuthSQL
> Thu Mar 10 08:43:43 2005: DEBUG: Handling with Radius::AuthSQL:
> Thu Mar 10 08:43:43 2005: DEBUG: Query is: 'SELECT CONCAT('{MD5}',
> password) FROM users WHERE username='test' AND active='Y'':
> Thu Mar 10 08:43:43 2005: DEBUG: Radius::AuthSQL looks for match with test
> Thu Mar 10 08:43:43 2005: DEBUG: Radius::AuthSQL ACCEPT:
> Thu Mar 10 08:43:43 2005: DEBUG: AuthBy SQL result: ACCEPT,
> Thu Mar 10 08:43:43 2005: DEBUG: Access accepted for test
> Thu Mar 10 08:43:43 2005: DEBUG: TacacsplusConnection result Access-Accept
> Thu Mar 10 08:43:43 2005: DEBUG: TacacsplusConnection Authentication REPLY
> 1, 0, ,
> Thu Mar 10 08:43:43 2005: DEBUG: TacacsplusConnection disconnected from
> 192.168.1.26:11030
> Thu Mar 10 08:43:47 2005: DEBUG: New TacacsplusConnection created for
> 192.168.1.26:11031
> Thu Mar 10 08:43:47 2005: DEBUG: New TacacsplusConnection created for
> 192.168.1.26:11032
> Thu Mar 10 08:43:47 2005: DEBUG: TacacsplusConnection request 192, 3, 1, 0,
> 353545308, 87
> Thu Mar 10 08:43:47 2005: DEBUG: TacacsplusConnection Accounting REQUEST 4,
> 6, 1, 1, 1, test, tty0, async, 5, task_id=26 timezone=CET service=shell
> priv-lvl=0 cmd=enable <cr>
> Thu Mar 10 08:43:47 2005: DEBUG: TACACSPLUS derived Radius request packet
> dump:
> Code: Accounting-Request
> Identifier: UNDEF
> Authentic: <192><137>C<217>#w<188><153><254>W<184>v<144><238>G<196>
> Attributes:
> NAS-IP-Address = 192.168.1.26
> NAS-Port-Id = "tty0"
> Calling-Station-Id = "async"
> NAS-Identifier = "TACACS"
> User-Name = "test"
> Acct-Status-Type = Stop
> cisco-avpair = "task_id=26"
> cisco-avpair = "timezone=CET"
> cisco-avpair = "service=shell"
> cisco-avpair = "priv-lvl=0"
> cisco-avpair = "cmd=enable <cr>"
>
> Thu Mar 10 08:43:48 2005: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Thu Mar 10 08:43:48 2005: DEBUG: Deleting session for , 192.168.1.26,
> Thu Mar 10 08:43:48 2005: DEBUG: Handling with Radius::AuthSQL
> Thu Mar 10 08:43:48 2005: DEBUG: Handling accounting with Radius::AuthSQL
> Thu Mar 10 08:43:48 2005: DEBUG: do query is: 'insert into accounting
> (calling_station_id,command,date,nas_ip_address,nas_port_id,priv_lvl,time,user_name)
> values ('async','enable','2005-03-10','192.168.1.26','tty0','0','08:43:47','test')'
>
> Thu Mar 10 08:43:48 2005: DEBUG: AuthBy SQL result: ACCEPT,
> Thu Mar 10 08:43:48 2005: DEBUG: Accounting accepted
> Thu Mar 10 08:43:48 2005: DEBUG: TacacsplusConnection result
> Accounting-Response
> Thu Mar 10 08:43:48 2005: DEBUG: TacacsplusConnection Authentication REPLY
> 2, 0, ,
> Thu Mar 10 08:43:48 2005: DEBUG: TacacsplusConnection Accounting REPLY 1, ,
> Thu Mar 10 08:43:48 2005: DEBUG: TacacsplusConnection disconnected from
> 192.168.1.26:11032
> Thu Mar 10 08:43:48 2005: DEBUG: TacacsplusConnection request 192, 1, 1, 0,
> 2197639848, 21
> Thu Mar 10 08:43:48 2005: DEBUG: TacacsplusConnection Authentication START
> 1, 1, 2 for test, tty0, async
> Thu Mar 10 08:43:48 2005: DEBUG: TacacsplusConnection Authentication REPLY
> 5, 1, Password: ,
> Thu Mar 10 08:43:49 2005: DEBUG: TacacsplusConnection request 192, 1, 3, 0,
> 2197639848, 9
> Thu Mar 10 08:43:49 2005: DEBUG: TacacsplusConnection Authentication
> CONTINUE 0, test,
> Thu Mar 10 08:43:49 2005: DEBUG: TACACSPLUS derived Radius request packet
> dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: <179><209>[<236>m<160><162>y<180>6<152><179><2>f<211>V
> Attributes:
> NAS-IP-Address = 192.168.1.26
> NAS-Port-Id = "tty0"
> Calling-Station-Id = "async"
> Service-Type = Administrative-User
> NAS-Identifier = "TACACS"
> User-Name = "test"
> User-Password = "test"
>
> Thu Mar 10 08:43:49 2005: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Thu Mar 10 08:43:49 2005: DEBUG: Deleting session for , 192.168.1.26,
> Thu Mar 10 08:43:49 2005: DEBUG: Handling with Radius::AuthSQL
> Thu Mar 10 08:43:49 2005: DEBUG: Handling with Radius::AuthSQL:
> Thu Mar 10 08:43:49 2005: DEBUG: Query is: 'SELECT CONCAT('{MD5}',
> password) FROM users WHERE username='test' AND active='Y'':
> Thu Mar 10 08:43:49 2005: DEBUG: Radius::AuthSQL looks for match with test
> Thu Mar 10 08:43:49 2005: DEBUG: Radius::AuthSQL ACCEPT:
> Thu Mar 10 08:43:49 2005: DEBUG: AuthBy SQL result: ACCEPT,
> Thu Mar 10 08:43:49 2005: DEBUG: Access accepted for test
> Thu Mar 10 08:43:49 2005: DEBUG: TacacsplusConnection result Access-Accept
> Thu Mar 10 08:43:49 2005: DEBUG: TacacsplusConnection Authentication REPLY
> 1, 0, ,
> Thu Mar 10 08:43:49 2005: DEBUG: TacacsplusConnection disconnected from
> 192.168.1.26:11031
> Thu Mar 10 08:43:52 2005: DEBUG: New TacacsplusConnection created for
> 192.168.1.26:11033
> Thu Mar 10 08:43:52 2005: DEBUG: TacacsplusConnection request 192, 3, 1, 0,
> 958638801, 95
> Thu Mar 10 08:43:52 2005: DEBUG: TacacsplusConnection Accounting REQUEST 4,
> 6, 15, 1, 1, test, tty0, async, 5, task_id=27 timezone=CET service=shell
> priv-lvl=15 cmd=clear logging <cr>
> Thu Mar 10 08:43:52 2005: DEBUG: TACACSPLUS derived Radius request packet
> dump:
> Code: Accounting-Request
> Identifier: UNDEF
> Authentic: <128><189><3><138><152><227><230>*<7><236><26><174><255>'0<15>
> Attributes:
> NAS-IP-Address = 192.168.1.26
> NAS-Port-Id = "tty0"
> Calling-Station-Id = "async"
> NAS-Identifier = "TACACS"
> User-Name = "test"
> Acct-Status-Type = Stop
> cisco-avpair = "task_id=27"
> cisco-avpair = "timezone=CET"
> cisco-avpair = "service=shell"
> cisco-avpair = "priv-lvl=15"
> cisco-avpair = "cmd=clear logging <cr>"
>
> Thu Mar 10 08:43:52 2005: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Thu Mar 10 08:43:52 2005: DEBUG: Deleting session for , 192.168.1.26,
> Thu Mar 10 08:43:52 2005: DEBUG: Handling with Radius::AuthSQL
> Thu Mar 10 08:43:52 2005: DEBUG: Handling accounting with Radius::AuthSQL
> Thu Mar 10 08:43:52 2005: DEBUG: do query is: 'insert into accounting
> (calling_station_id,command,date,nas_ip_address,nas_port_id,priv_lvl,time,user_name)
> values ('async','clear logging','2005-03-10','192.168.1.26','tty0','15','08:43:52','test')':
> Thu Mar 10 08:43:52 2005: DEBUG: AuthBy SQL result: ACCEPT,
> Thu Mar 10 08:43:52 2005: DEBUG: Accounting accepted
> Thu Mar 10 08:43:52 2005: DEBUG: TacacsplusConnection result
> Accounting-Response
> Thu Mar 10 08:43:52 2005: DEBUG: TacacsplusConnection Authentication REPLY
> 2, 0, ,
> Thu Mar 10 08:43:52 2005: DEBUG: TacacsplusConnection Accounting REPLY 1, ,
> Thu Mar 10 08:43:52 2005: DEBUG: TacacsplusConnection disconnected from
> 192.168.1.26:11033
>
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
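Putting the four steps above into one configuration, as an added example (this is not Roel's config and not taken from the Radiator manual): a ServerTACACSPLUS clause with AuthorizeGroup rules for the DEFAULT group and for two named groups, plus a flat users file whose reply items carry the group name. The group names readonly and netops, the users file path and the passwords are assumptions for illustration; like Roel's config it also assumes that tacacsgroup is a pseudo attribute known to the Radiator dictionary.

```text
# Added example, not Roel's configuration. Group names, file paths and
# passwords are assumptions for illustration.

<ServerTACACSPLUS>
	Key     secret
	Port    49
	# Step 1: the Access-Accept attribute that names the user's Tacacs group
	GroupMemberAttr tacacsgroup

	# Step 3: rules for every group value that can occur, DEFAULT included.
	# A user whose Access-Accept carries no tacacsgroup reply item lands in
	# DEFAULT, so DEFAULT gets an explicit deny rather than no rules at all.
	AuthorizeGroup DEFAULT deny .*

	# Read-only operators: show commands only, everything else denied.
	AuthorizeGroup readonly permit service=shell cmd=show cmd-arg=.*
	AuthorizeGroup readonly deny .*

	# Network operators: any shell command, still with a closing deny.
	AuthorizeGroup netops permit service=shell cmd=.* cmd-arg=.*
	AuthorizeGroup netops deny .*
</ServerTACACSPLUS>

<Client DEFAULT>
	Secret secret
</Client>

<Realm DEFAULT>
	<AuthBy FILE>
		# Step 2: each user's reply items carry the group name
		Filename /etc/radiator/users
	</AuthBy>
</Realm>

# /etc/radiator/users (constructed sample; passwords are placeholders)
alice	User-Password = "placeholder-password"
	tacacsgroup = "netops"
bob	User-Password = "placeholder-password"
	tacacsgroup = "readonly"
carol	User-Password = "placeholder-password"
	# no tacacsgroup reply item: carol falls into DEFAULT and is denied
```

Two things this example deliberately leaves out. The exec-start authorization, where the NAS sends service=shell with an empty cmd and expects a privilege level in the reply, needs its own permit line with reply attributes; the AuthorizeGroup section of the Radiator reference manual gives the form, which is not on this page. Step 4 is on the NAS side: if the NAS is Cisco IOS (an assumption; the cisco-avpair values in Roel's log suggest it), Authorization requests only appear once aaa authorization exec default group tacacs+ and aaa authorization commands 15 default group tacacs+ are configured, and the Radiator log at Trace 4 then shows TacacsplusConnection Authorization lines next to the Authentication and Accounting ones already present in Roel's log.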