(RADIATOR) Issues with the TACPLUS Server

Mike McCauley mikem at open.com.au
Wed Dec 5 17:42:25 CST 2007


Hello Patrik,

I havent been able to reproduce this problem. Perhaps I dont exactly 
understand your configuration.
I tested with this:

	AuthorizeGroup group1 permit service=shell cmd\* {priv-lvl=15}
	AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
(this was the only group I defined)

and the show command always authorized without any attributes sent back, 
regardless of whether or not a previous cmd* had been authorized.

Bu perhaps I dont understand your setup.

Perhaps you can send a log file and config file that demonstrates the issue?

Cheers.


On Thursday 06 December 2007 00:35, Patrik Forsberg wrote:
> Hi,
>
> Seems like I finally got the time to look closer on this and found what
> was going on.
>
> There seem to be a leakage in the way ServerTACPLUS.pm uses the
> AuthorizeGroup parameters. It doesn't clean the variable for attributes
> correctly and thus the attribute stay when it is supposed to send a
> clean attribute to the device.
> In this case I only had one attribute set (priv-lvl=15) which stayed in
> memory while the server was running so every command I tried to get
> authorized got the attribute added to it, but when I did a reload(kill
> -HUP) it cleaned the memory of this attribute and thus finally delivered
> a response that Cisco, and likely others too, could accept :)
>
> The workaround to this is to add {} at the end of every permission
> clause that aren't supposed to have a attribute.. like
> "
> AuthorizeGroup group1 permit service=shell cmd\* {priv-lvl=15}
> AuthorizeGroup group1 permit .* {}
> "
>
> Well.. issued at least temporary solved :)
>
> Regards,
> Patrik
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


More information about the radiator mailing list