(RADIATOR) Issues with the TACPLUS Server

Patrik Forsberg patrik.forsberg at dataphone.net
Tue Dec 4 10:51:40 CST 2007


Hi,

I've been trying to convert our old Cisco enabled Radiator Tacacs
configuration from the old deprecated "CommandAuth" format to the newer
"AuthorizeGroup" format but I've run into a feature that is quite
unwanted.

First off the configuration I have works on all my current hardware but
we need the features that the AuthorizeGroup gives.
Everything works great except on cisco boxes. Besides I don't like the
idea to use configuration that will be gone in some future release.
At least our old Cisco 7200 seems to not like the new format.

I've done some debugging and there is only one difference I can see
between the new and old format.

Level 4 debug log on the 

Old Format
"
Tue Dec  4 17:25:10 2007: DEBUG: New TacacsplusConnection created for
212.37.9.27:16082
Tue Dec  4 17:25:11 2007: DEBUG: TacacsplusConnection request 192, 2, 1,
0, 3787464609, 87
Tue Dec  4 17:25:11 2007: DEBUG: TacacsplusConnection Authorization
REQUEST 6, 1, 1, 1, paddy, tty2, 83.145.30.2, 4, service=shell cmd=show
cmd-arg=running-config cmd-arg=<cr>
Tue Dec  4 17:25:11 2007: DEBUG: TacacsplusConnection Authorization
RESPONSE 1, , , 
Tue Dec  4 17:25:11 2007: DEBUG: TacacsplusConnection disconnected from
212.37.9.27:16082
"

New Format
"
Tue Dec  4 17:26:08 2007: DEBUG: New TacacsplusConnection created for
212.37.9.27:16085
Tue Dec  4 17:26:08 2007: DEBUG: TacacsplusConnection request 192, 2, 1,
0, 1625861, 87
Tue Dec  4 17:26:08 2007: DEBUG: TacacsplusConnection Authorization
REQUEST 6, 1, 1, 1, paddy, tty2, 83.145.30.2, 4, service=shell cmd=show
cmd-arg=running-config cmd-arg=<cr>
Tue Dec  4 17:26:08 2007: DEBUG: AuthorizeGroup rule match found: permit
.* {  }
Tue Dec  4 17:26:08 2007: INFO: Authorization permitted for paddy, group
securityofficer, args service=shell cmd=show cmd-arg=running-config
cmd-arg=<cr>
Tue Dec  4 17:26:08 2007: DEBUG: TacacsplusConnection Authorization
RESPONSE 1, , , priv-lvl=15
Tue Dec  4 17:26:08 2007: DEBUG: TacacsplusConnection disconnected from
212.37.9.27:16085
"


Notice the little "priv-lvl=15" at the end of the last RESPONSE?

That's the only thing I can see that is different between the two
formats.

Cisco debugs--

Old Format
"
Dec  4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): Port='tty3'
list='' service=CMD
Dec  4 11:21:10.860 MET: AAA/AUTHOR/CMD: tty3 (3753599229) user='paddy'
Dec  4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): send AV
service=shell
Dec  4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): send AV
cmd=show
Dec  4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): send AV
cmd-arg=running-config
Dec  4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): send AV
cmd-arg=<cr>
Dec  4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): found list
"default"
Dec  4 11:21:10.864 MET: tty3 AAA/AUTHOR/CMD (3753599229):
Method=tacacs+ (tacacs+)
Dec  4 11:21:10.864 MET: AAA/AUTHOR/TAC+: (3753599229): user=paddy
Dec  4 11:21:10.864 MET: AAA/AUTHOR/TAC+: (3753599229): send AV
service=shell
Dec  4 11:21:10.864 MET: AAA/AUTHOR/TAC+: (3753599229): send AV cmd=show
Dec  4 11:21:10.864 MET: AAA/AUTHOR/TAC+: (3753599229): send AV
cmd-arg=running-config
Dec  4 11:21:10.864 MET: AAA/AUTHOR/TAC+: (3753599229): send AV
cmd-arg=<cr>
Dec  4 11:21:10.864 MET: TAC+: using previously set server 212.37.0.171
from group tacacs+
Dec  4 11:21:10.864 MET: TAC+: Opening TCP/IP to 212.37.0.171/49
timeout=5
Dec  4 11:21:10.864 MET: TAC+: Opened TCP/IP handle 0x621DC9D4 to
212.37.0.171/49 using source 212.37.9.27
Dec  4 11:21:10.864 MET: TAC+: Opened 212.37.0.171 index=1
Dec  4 11:21:10.864 MET: TAC+: periodic timer started
Dec  4 11:21:10.864 MET: TAC+: 212.37.0.171 req=620BD880 Qd
id=3753599229 ver=192 handle=0x621DC9D4 (ESTAB) expire=5 AUTHOR/START
queued
Dec  4 11:21:10.868 MET: TAC+: 212.37.0.171 (3753599229) AUTHOR/START
queued
Dec  4 11:21:10.964 MET: TAC+: 212.37.0.171 ESTAB id=3753599229 wrote 99
of 99 bytes
Dec  4 11:21:10.964 MET: TAC+: 212.37.0.171 req=620BD880 Qd
id=3753599229 ver=192 handle=0x621DC9D4 (ESTAB) expire=4 AUTHOR/START
sent
Dec  4 11:21:11.064 MET: TAC+: 212.37.0.171 ESTAB read=12 wanted=12
alloc=12 got=12
Dec  4 11:21:11.064 MET: TAC+: 212.37.0.171 ESTAB read=18 wanted=18
alloc=18 got=6
Dec  4 11:21:11.064 MET: TAC+: 212.37.0.171 received 18 byte reply for
620BD880
Dec  4 11:21:11.064 MET: TAC+: req=620BD880 Tx id=3753599229 ver=192
handle=0x621DC9D4 (ESTAB) expire=4 AUTHOR/START processed
Dec  4 11:21:11.064 MET: TAC+: (3753599229) AUTHOR/START processed
Dec  4 11:21:11.064 MET: TAC+: periodic timer stopped (queue empty)
Dec  4 11:21:11.064 MET: TAC+: (3753599229): received author response
status = PASS_ADD
Dec  4 11:21:11.064 MET: TAC+: Closing TCP/IP 0x621DC9D4 connection to
212.37.0.171/49
Dec  4 11:21:11.064 MET: AAA/AUTHOR (3753599229): Post authorization
status = PASS_ADD
"

New Format
"
Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): Port='tty3'
list='' service=CMD
Dec  4 11:19:42.357 MET: AAA/AUTHOR/CMD: tty3 (2448089756) user='paddy'
Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): send AV
service=shell
Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): send AV
cmd=show
Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): send AV
cmd-arg=running-config
Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): send AV
cmd-arg=<cr>
Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): found list
"default"
Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756):
Method=tacacs+ (tacacs+)
Dec  4 11:19:42.357 MET: AAA/AUTHOR/TAC+: (2448089756): user=paddy
Dec  4 11:19:42.357 MET: AAA/AUTHOR/TAC+: (2448089756): send AV
service=shell
Dec  4 11:19:42.357 MET: AAA/AUTHOR/TAC+: (2448089756): send AV cmd=show
Dec  4 11:19:42.357 MET: AAA/AUTHOR/TAC+: (2448089756): send AV
cmd-arg=running-config
Dec  4 11:19:42.357 MET: AAA/AUTHOR/TAC+: (2448089756): send AV
cmd-arg=<cr>
Dec  4 11:19:42.357 MET: TAC+: using previously set server 212.37.0.171
from group tacacs+
Dec  4 11:19:42.357 MET: TAC+: Opening TCP/IP to 212.37.0.171/49
timeout=5
Dec  4 11:19:42.361 MET: TAC+: Opened TCP/IP handle 0x621E52B0 to
212.37.0.171/49 using source 212.37.9.27
Dec  4 11:19:42.361 MET: TAC+: Opened 212.37.0.171 index=1
Dec  4 11:19:42.361 MET: TAC+: periodic timer started
Dec  4 11:19:42.361 MET: TAC+: 212.37.0.171 req=6238E368 Qd
id=2448089756 ver=192 handle=0x621E52B0 (ESTAB) expire=5 AUTHOR/START
queued
Dec  4 11:19:42.361 MET: TAC+: 212.37.0.171 (2448089756) AUTHOR/START
queued
Dec  4 11:19:42.461 MET: TAC+: 212.37.0.171 ESTAB id=2448089756 wrote 99
of 99 bytes
Dec  4 11:19:42.461 MET: TAC+: 212.37.0.171 req=6238E368 Qd
id=2448089756 ver=192 handle=0x621E52B0 (ESTAB) expire=4 AUTHOR/START
sent
Dec  4 11:19:42.561 MET: TAC+: 212.37.0.171 ESTAB read=12 wanted=12
alloc=12 got=12
Dec  4 11:19:42.561 MET: TAC+: 212.37.0.171 ESTAB read=30 wanted=30
alloc=30 got=18
Dec  4 11:19:42.561 MET: TAC+: 212.37.0.171 received 30 byte reply for
6238E368
Dec  4 11:19:42.561 MET: TAC+: req=6238E368 Tx id=2448089756 ver=192
handle=0x621E52B0 (ESTAB) expire=4 AUTHOR/START processed
Dec  4 11:19:42.561 MET: TAC+: (2448089756) AUTHOR/START processed
Dec  4 11:19:42.561 MET: TAC+: periodic timer stopped (queue empty)
Dec  4 11:19:42.561 MET: TAC+: (2448089756): received author response
status = PASS_ADD
Dec  4 11:19:42.561 MET: TAC+: Closing TCP/IP 0x621E52B0 connection to
212.37.0.171/49
Dec  4 11:19:42.561 MET: AAA/AUTHOR (2448089756): Post authorization
status = PASS_ADD
Dec  4 11:19:42.561 MET: AAA/AUTHOR/CMD Cannot replace commands
"

Notice the last line?
That seems to screw the whole thing up :(

Yes, I know the timestamps between cisco and radiator debug differ... one
can say that it has taken me a while to get this far!


Radiator Config

Old Format
"
# Include local parameters
Include /etc/radiator-test/radius.local.cfg

<ServerTACACSPLUS>
        # Include local tacacs parameters
        Include /etc/radiator-test/radius.tacacs.local.cfg

        #
        AddToRequest NAS-Identifier=TACACS

        # Groups
        GroupMemberAttr RouterGroup
        GroupCacheFile %D/tacacs-users.cache

        # Group: SecurityOfficer gives privilege level 15
        GroupAuthAttr securityofficer priv-lvl=15
        CommandAuth securityofficer permit .*
</ServerTACACSPLUS>

<Client DEFAULT>
        Secret <<--snipped-->>
</Client>

<Handler Calling-Station-Id = /(222.122.13.9|82.198.52.20|217.160.216.229|200.74.221.13|211.218.38.51|62.225.4.102|209.16.117.6|60.250.127.184)/>
        AcctLogFileName %L/acct.denied
        <AuthBy INTERNAL>
                DefaultResult   REJECT
        </AuthBy>
</Handler>

<Handler NAS-Port-Id = /tty.*/, User-Name = testuser>
        AcctLogFileName %L/acct.admin
        <AuthBy DBFILE>
                Filename %D/tacacs-users
                StripFromReply RouterGroup
                AddToReply RouterGroup="securityofficer"
                AddToReplyIfNotExist cisco-avpair="priv-lvl=15"
                AddToReplyIfNotExist cisco-avpair="idletime=15"
        </AuthBy>
</Handler>

<Handler NAS-Port-Id = /mgmt.*/, User-Name = testuser>
        AcctLogFileName %L/acct.admin
        <AuthBy DBFILE>
                Filename %D/tacacs-users
                StripFromReply RouterGroup
                AddToReply RouterGroup="securityofficer"
                AddToReplyIfNotExist cisco-avpair="priv-lvl=15"
                AddToReplyIfNotExist cisco-avpair="idletime=15"
        </AuthBy>
</Handler>

<Handler>
        AcctLogFileName %L/acct.user
        <AuthBy DBFILE>
                Filename %D/tacacs-users
                AddToReplyIfNotExist cisco-avpair="idletime=15"
        </AuthBy>
</Handler>
"

New Format
"
# Include local parameters
Include /etc/radiator-test/radius.local.cfg

<ServerTACACSPLUS>
        # Include local tacacs parameters
        Include /etc/radiator-test/radius.tacacs.local.cfg

        #
        AddToRequest NAS-Identifier=TACACS

        # Groups
        GroupMemberAttr RouterGroup
        GroupCacheFile %D/tacacs-users.cache

        # Group: SecurityOfficer gives privilege level 15
        AuthorizeGroup securityofficer permit service=junos_exec {local-user-name=admins}
        AuthorizeGroup securityofficer permit service=shell cmd\* {priv-lvl=15}
        AuthorizeGroup securityofficer permit .*
</ServerTACACSPLUS>

<Client DEFAULT>
        Secret <<--snipped-->>
</Client>

<Handler Calling-Station-Id = /(222.122.13.9|82.198.52.20|217.160.216.229|200.74.221.13|211.218.38.51|62.225.4.102|209.16.117.6|60.250.127.184)/>
        AcctLogFileName %L/acct.denied
        <AuthBy INTERNAL>
                DefaultResult   REJECT
        </AuthBy>
</Handler>

<Handler User-Name = paddy>
        AcctLogFileName %L/acct.admin

        # Packet Trace
        PacketTrace

        # Explain reject
        RejectHasReason

        <Log FILE>
                Filename %L/paddy-log
        </Log>

        <AuthBy DBFILE>
                Filename %D/tacacs-users
                AddToReplyIfNotExist cisco-avpair="idletime=15"
        </AuthBy>
</Handler>


<Handler>
        AcctLogFileName %L/acct.user

        # Explain reject
        RejectHasReason

        <AuthBy DBFILE>
                Filename %D/tacacs-users
                AddToReplyIfNotExist cisco-avpair="idletime=15"
        </AuthBy>
</Handler>
"

The included configuration files only keep ports and that kind of
information, nothing that could affect this.

I've tried looking through the ServerTACPLUS.pm but I can't really figure
out what could be wrong.. quite busy at work too, so I haven't had much time
to spend on it :P

Please help?

---
Regards,
Patrik


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
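The Cisco debugs above show the authorization reply growing from 18 to 30 bytes between the old and the new format, and the Radiator log shows the only visible difference is the `priv-lvl=15` argument. The Python below is an added example, not code from this post, from Radiator or from Cisco: it encodes and decodes the TACACS+ authorization REPLY body in the RFC 8907 layout (shown in cleartext, before the shared-secret obfuscation is applied) and reproduces both packet sizes, so the 12 extra bytes can be accounted for exactly as one argument-length byte plus the 11 bytes of `priv-lvl=15`. The `check_cmd_reply` helper is a hypothetical server-side sanity check that flags attributes returned on a command authorization, the case the router answered with "Cannot replace commands".

```python
import struct

# Authorization REPLY status codes (RFC 8907, section 6.2); the Radiator
# log line "RESPONSE 1, , , priv-lvl=15" carries status 1 = PASS_ADD.
STATUS_NAMES = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}
# Packet header: version, type, seq_no, flags, session_id (4), length (4).
HEADER_LEN = 12

def build_author_reply(status, args=(), server_msg=b"", data=b""):
    """Encode a REPLY body: status, arg_cnt, server_msg_len, data_len,
    then one length byte per arg, then server_msg, data and the args."""
    enc_args = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(enc_args), len(server_msg), len(data))
    body += bytes(len(a) for a in enc_args)
    return body + server_msg + data + b"".join(enc_args)

def parse_author_reply(body):
    """Decode a REPLY body back into its status and attribute list."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = list(body[6:6 + arg_cnt])
    off = 6 + arg_cnt
    server_msg = body[off:off + msg_len]
    off += msg_len
    data = body[off:off + data_len]
    off += data_len
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    if off != len(body):
        raise ValueError("reply body has %d trailing bytes" % (len(body) - off))
    return {"status": STATUS_NAMES.get(status, hex(status)),
            "args": args, "server_msg": server_msg, "data": data}

def reply_wire_length(body):
    """Total bytes on the wire, as counted by the IOS 'received N byte reply' line."""
    return HEADER_LEN + len(body)

def check_cmd_reply(request_args, reply):
    """Hypothetical check: a PASS_ADD/PASS_REPL answer to a command authorization
    (request carries cmd=...) should not add attributes such as priv-lvl."""
    is_cmd = any(a.startswith("cmd=") for a in request_args)
    if is_cmd and reply["status"] in ("PASS_ADD", "PASS_REPL") and reply["args"]:
        return ["command authorization reply adds attributes: " + ", ".join(reply["args"])]
    return []

if __name__ == "__main__":
    # Constructed request args, mirroring the "show running-config" request in the post.
    req = ["service=shell", "cmd=show", "cmd-arg=running-config", "cmd-arg=<cr>"]
    old = build_author_reply(0x01)                   # old format: no args -> 18 bytes
    new = build_author_reply(0x01, ["priv-lvl=15"])  # new format: one arg -> 30 bytes
    print(reply_wire_length(old), reply_wire_length(new))
    print(check_cmd_reply(req, parse_author_reply(new)))
```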