(RADIATOR) Issues with the TACPLUS Server

Mike McCauley mikem at open.com.au
Wed Dec 5 18:11:01 CST 2007


Hello Patrik,

Thanks for the detailed logs.
We still have not been able to reproduce this.
We note a comment in the relevant source:

    # Hmmm. funny behaviour remembering the value of @reply_pairs from call to call
    # on perl 5.8.5

and it's @reply_pairs that is the relevant thing in your case.

What version of perl are you running? On what platform?

Cheers.

On Wednesday 05 December 2007 02:51, Patrik Forsberg wrote:
> Hi,
>
> I've been trying to convert our old Cisco enabled Radiator Tacacs
> configuration from the old deprecated "CommandAuth" format to the newer
> "AuthorizeGroup" format but I've run into a feature that is quite
> unwanted.
>
> First off the configuration I have works on all my current hardware but
> we need the features that the AuthorizeGroup gives.
> Everything works great except on cisco boxes. Besides I don't like the
> idea to use configuration that will be gone in some future release.
> At least our old Cisco 7200 seems to not like the new format.
>
> I've done some debugging and the only difference I can see is that there
> is one difference between the new and old format
>
> Level 4 debug log on the
>
> Old Format
> "
> Tue Dec  4 17:25:10 2007: DEBUG: New TacacsplusConnection created for
> 212.37.9.27:16082
> Tue Dec  4 17:25:11 2007: DEBUG: TacacsplusConnection request 192, 2, 1,
> 0, 3787464609, 87
> Tue Dec  4 17:25:11 2007: DEBUG: TacacsplusConnection Authorization
> REQUEST 6, 1, 1, 1, paddy, tty2, 83.145.30.2, 4, service=shell cmd=show
> cmd-arg=running-config cmd-arg=<cr>
> Tue Dec  4 17:25:11 2007: DEBUG: TacacsplusConnection Authorization
> RESPONSE 1, , ,
> Tue Dec  4 17:25:11 2007: DEBUG: TacacsplusConnection disconnected from
> 212.37.9.27:16082
> "
>
> New Format
> "
> Tue Dec  4 17:26:08 2007: DEBUG: New TacacsplusConnection created for
> 212.37.9.27:16085
> Tue Dec  4 17:26:08 2007: DEBUG: TacacsplusConnection request 192, 2, 1,
> 0, 1625861, 87
> Tue Dec  4 17:26:08 2007: DEBUG: TacacsplusConnection Authorization
> REQUEST 6, 1, 1, 1, paddy, tty2, 83.145.30.2, 4, service=shell cmd=show
> cmd-arg=running-config cmd-arg=<cr>
> Tue Dec  4 17:26:08 2007: DEBUG: AuthorizeGroup rule match found: permit
> .* {  }
> Tue Dec  4 17:26:08 2007: INFO: Authorization permitted for paddy, group
> securityofficer, args service=shell cmd=show cmd-arg=running-config
> cmd-arg=<cr>
> Tue Dec  4 17:26:08 2007: DEBUG: TacacsplusConnection Authorization
> RESPONSE 1, , , priv-lvl=15
> Tue Dec  4 17:26:08 2007: DEBUG: TacacsplusConnection disconnected from
> 212.37.9.27:16085
> "
>
>
> Notice the little "priv-lvl=15" on the end of the last RESPONSE ?
>
> That's the only thing I can see that is different between the two
> formats.
>
> Cisco debugs--
>
> Old Format
> "
> Dec  4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): Port='tty3'
> list='' service=CMD
> Dec  4 11:21:10.860 MET: AAA/AUTHOR/CMD: tty3 (3753599229) user='paddy'
> Dec  4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): send AV
> service=shell
> Dec  4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): send AV
> cmd=show
> Dec  4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): send AV
> cmd-arg=running-config
> Dec  4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): send AV
> cmd-arg=<cr>
> Dec  4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): found list
> "default"
> Dec  4 11:21:10.864 MET: tty3 AAA/AUTHOR/CMD (3753599229):
> Method=tacacs+ (tacacs+)
> Dec  4 11:21:10.864 MET: AAA/AUTHOR/TAC+: (3753599229): user=paddy
> Dec  4 11:21:10.864 MET: AAA/AUTHOR/TAC+: (3753599229): send AV
> service=shell
> Dec  4 11:21:10.864 MET: AAA/AUTHOR/TAC+: (3753599229): send AV cmd=show
> Dec  4 11:21:10.864 MET: AAA/AUTHOR/TAC+: (3753599229): send AV
> cmd-arg=running-config
> Dec  4 11:21:10.864 MET: AAA/AUTHOR/TAC+: (3753599229): send AV
> cmd-arg=<cr>
> Dec  4 11:21:10.864 MET: TAC+: using previously set server 212.37.0.171
> from group tacacs+
> Dec  4 11:21:10.864 MET: TAC+: Opening TCP/IP to 212.37.0.171/49
> timeout=5
> Dec  4 11:21:10.864 MET: TAC+: Opened TCP/IP handle 0x621DC9D4 to
> 212.37.0.171/49 using source 212.37.9.27
> Dec  4 11:21:10.864 MET: TAC+: Opened 212.37.0.171 index=1
> Dec  4 11:21:10.864 MET: TAC+: periodic timer started
> Dec  4 11:21:10.864 MET: TAC+: 212.37.0.171 req=620BD880 Qd
> id=3753599229 ver=192 handle=0x621DC9D4 (ESTAB) expire=5 AUTHOR/START
> queued
> Dec  4 11:21:10.868 MET: TAC+: 212.37.0.171 (3753599229) AUTHOR/START
> queued
> Dec  4 11:21:10.964 MET: TAC+: 212.37.0.171 ESTAB id=3753599229 wrote 99
> of 99 bytes
> Dec  4 11:21:10.964 MET: TAC+: 212.37.0.171 req=620BD880 Qd
> id=3753599229 ver=192 handle=0x621DC9D4 (ESTAB) expire=4 AUTHOR/START
> sent
> Dec  4 11:21:11.064 MET: TAC+: 212.37.0.171 ESTAB read=12 wanted=12
> alloc=12 got=12
> Dec  4 11:21:11.064 MET: TAC+: 212.37.0.171 ESTAB read=18 wanted=18
> alloc=18 got=6
> Dec  4 11:21:11.064 MET: TAC+: 212.37.0.171 received 18 byte reply for
> 620BD880
> Dec  4 11:21:11.064 MET: TAC+: req=620BD880 Tx id=3753599229 ver=192
> handle=0x621DC9D4 (ESTAB) expire=4 AUTHOR/START processed
> Dec  4 11:21:11.064 MET: TAC+: (3753599229) AUTHOR/START processed
> Dec  4 11:21:11.064 MET: TAC+: periodic timer stopped (queue empty)
> Dec  4 11:21:11.064 MET: TAC+: (3753599229): received author response
> status = PASS_ADD
> Dec  4 11:21:11.064 MET: TAC+: Closing TCP/IP 0x621DC9D4 connection to
> 212.37.0.171/49
> Dec  4 11:21:11.064 MET: AAA/AUTHOR (3753599229): Post authorization
> status = PASS_ADD
> "
>
> New Format
> "
> Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): Port='tty3'
> list='' service=CMD
> Dec  4 11:19:42.357 MET: AAA/AUTHOR/CMD: tty3 (2448089756) user='paddy'
> Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): send AV
> service=shell
> Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): send AV
> cmd=show
> Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): send AV
> cmd-arg=running-config
> Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): send AV
> cmd-arg=<cr>
> Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): found list
> "default"
> Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756):
> Method=tacacs+ (tacacs+)
> Dec  4 11:19:42.357 MET: AAA/AUTHOR/TAC+: (2448089756): user=paddy
> Dec  4 11:19:42.357 MET: AAA/AUTHOR/TAC+: (2448089756): send AV
> service=shell
> Dec  4 11:19:42.357 MET: AAA/AUTHOR/TAC+: (2448089756): send AV cmd=show
> Dec  4 11:19:42.357 MET: AAA/AUTHOR/TAC+: (2448089756): send AV
> cmd-arg=running-config
> Dec  4 11:19:42.357 MET: AAA/AUTHOR/TAC+: (2448089756): send AV
> cmd-arg=<cr>
> Dec  4 11:19:42.357 MET: TAC+: using previously set server 212.37.0.171
> from group tacacs+
> Dec  4 11:19:42.357 MET: TAC+: Opening TCP/IP to 212.37.0.171/49
> timeout=5
> Dec  4 11:19:42.361 MET: TAC+: Opened TCP/IP handle 0x621E52B0 to
> 212.37.0.171/49 using source 212.37.9.27
> Dec  4 11:19:42.361 MET: TAC+: Opened 212.37.0.171 index=1
> Dec  4 11:19:42.361 MET: TAC+: periodic timer started
> Dec  4 11:19:42.361 MET: TAC+: 212.37.0.171 req=6238E368 Qd
> id=2448089756 ver=192 handle=0x621E52B0 (ESTAB) expire=5 AUTHOR/START
> queued
> Dec  4 11:19:42.361 MET: TAC+: 212.37.0.171 (2448089756) AUTHOR/START
> queued
> Dec  4 11:19:42.461 MET: TAC+: 212.37.0.171 ESTAB id=2448089756 wrote 99
> of 99 bytes
> Dec  4 11:19:42.461 MET: TAC+: 212.37.0.171 req=6238E368 Qd
> id=2448089756 ver=192 handle=0x621E52B0 (ESTAB) expire=4 AUTHOR/START
> sent
> Dec  4 11:19:42.561 MET: TAC+: 212.37.0.171 ESTAB read=12 wanted=12
> alloc=12 got=12
> Dec  4 11:19:42.561 MET: TAC+: 212.37.0.171 ESTAB read=30 wanted=30
> alloc=30 got=18
> Dec  4 11:19:42.561 MET: TAC+: 212.37.0.171 received 30 byte reply for
> 6238E368
> Dec  4 11:19:42.561 MET: TAC+: req=6238E368 Tx id=2448089756 ver=192
> handle=0x621E52B0 (ESTAB) expire=4 AUTHOR/START processed
> Dec  4 11:19:42.561 MET: TAC+: (2448089756) AUTHOR/START processed
> Dec  4 11:19:42.561 MET: TAC+: periodic timer stopped (queue empty)
> Dec  4 11:19:42.561 MET: TAC+: (2448089756): received author response
> status = PASS_ADD
> Dec  4 11:19:42.561 MET: TAC+: Closing TCP/IP 0x621E52B0 connection to
> 212.37.0.171/49
> Dec  4 11:19:42.561 MET: AAA/AUTHOR (2448089756): Post authorization
> status = PASS_ADD
> Dec  4 11:19:42.561 MET: AAA/AUTHOR/CMD Cannot replace commands
> "
>
> Notice the last line ?
> That seems to screw the whole thing up :(
>
> Yes, I know the timestamps between cisco and radiator debug differ.. one
> can say that it has taken me a while to get this far!
>
>
> Radiator Config
>
> Old Format
> "
> # Include local parameters
> Include /etc/radiator-test/radius.local.cfg
>
> <ServerTACACSPLUS>
>         # Include local tacacs parameters
>         Include /etc/radiator-test/radius.tacacs.local.cfg
>
>         #
>         AddToRequest NAS-Identifier=TACACS
>
>         # Groups
>         GroupMemberAttr RouterGroup
>         GroupCacheFile %D/tacacs-users.cache
>
>         # Group: SecurityOfficer gives privilege level 15
>         GroupAuthAttr securityofficer priv-lvl=15
>         CommandAuth securityofficer permit .*
> </ServerTACACSPLUS>
>
> <Client DEFAULT>
>         Secret <<--snipped-->>
> </Client>
>
> <Handler Calling-Station-Id = /(222.122.13.9|82.198.52.20|217.160.216.229|200.74.221.13|211.218.38.51|62.225.4.102|209.16.117.6|60.250.127.184)/>
>         AcctLogFileName %L/acct.denied
>         <AuthBy INTERNAL>
>                 DefaultResult   REJECT
>         </AuthBy>
> </Handler>
>
> <Handler NAS-Port-Id = /tty.*/, User-Name = testuser>
>         AcctLogFileName %L/acct.admin
>         <AuthBy DBFILE>
>                 Filename %D/tacacs-users
>                 StripFromReply RouterGroup
>                 AddToReply RouterGroup="securityofficer"
>                 AddToReplyIfNotExist cisco-avpair="priv-lvl=15"
>                 AddToReplyIfNotExist cisco-avpair="idletime=15"
>         </AuthBy>
> </Handler>
>
> <Handler NAS-Port-Id = /mgmt.*/, User-Name = testuser>
>         AcctLogFileName %L/acct.admin
>         <AuthBy DBFILE>
>                 Filename %D/tacacs-users
>                 StripFromReply RouterGroup
>                 AddToReply RouterGroup="securityofficer"
>                 AddToReplyIfNotExist cisco-avpair="priv-lvl=15"
>                 AddToReplyIfNotExist cisco-avpair="idletime=15"
>         </AuthBy>
> </Handler>
>
> <Handler>
>         AcctLogFileName %L/acct.user
>         <AuthBy DBFILE>
>                 Filename %D/tacacs-users
>                 AddToReplyIfNotExist cisco-avpair="idletime=15"
>         </AuthBy>
> </Handler>
> "
>
> New Format
> "
> # Include local parameters
> Include /etc/radiator-test/radius.local.cfg
>
> <ServerTACACSPLUS>
>         # Include local tacacs parameters
>         Include /etc/radiator-test/radius.tacacs.local.cfg
>
>         #
>         AddToRequest NAS-Identifier=TACACS
>
>         # Groups
>         GroupMemberAttr RouterGroup
>         GroupCacheFile %D/tacacs-users.cache
>
>         # Group: SecurityOfficer gives privilege level 15
>         AuthorizeGroup securityofficer permit service=junos_exec
> {local-user-name=admins}
>         AuthorizeGroup securityofficer permit service=shell cmd\*
> {priv-lvl=15}
>         AuthorizeGroup securityofficer permit .*
> </ServerTACACSPLUS>
>
> <Client DEFAULT>
>         Secret <<--snipped-->>
> </Client>
>
> <Handler Calling-Station-Id = /(222.122.13.9|82.198.52.20|217.160.216.229|200.74.221.13|211.218.38.51|62.225.4.102|209.16.117.6|60.250.127.184)/>
>         AcctLogFileName %L/acct.denied
>         <AuthBy INTERNAL>
>                 DefaultResult   REJECT
>         </AuthBy>
> </Handler>
>
> <Handler User-Name = paddy>
>         AcctLogFileName %L/acct.admin
>
>         # Packet Trace
>         PacketTrace
>
>         # Explain reject
>         RejectHasReason
>
>         <Log FILE>
>                 Filename %L/paddy-log
>         </Log>
>
>         <AuthBy DBFILE>
>                 Filename %D/tacacs-users
>                 AddToReplyIfNotExist cisco-avpair="idletime=15"
>         </AuthBy>
> </Handler>
>
>
> <Handler>
>         AcctLogFileName %L/acct.user
>
>         # Explain reject
>         RejectHasReason
>
>         <AuthBy DBFILE>
>                 Filename %D/tacacs-users
>                 AddToReplyIfNotExist cisco-avpair="idletime=15"
>         </AuthBy>
> </Handler>
> "
>
> The included configuration files only keep ports and that kind of
> information, nothing that could affect this.
>
> I've tried looking through the ServerTACPLUS.pm but I can't really figure
> out what could be wrong.. quite busy at work too so haven't had much time
> to spend on it :P
>
> Please help ?
>
> ---
> Regards,
> Patrik
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
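The byte counts in the quoted debug lines (a request of length 87 sent as 99 bytes, an 18-byte reply in the old configuration versus a 30-byte reply in the new one) follow directly from the TACACS+ authorization packet layout in RFC 8907, and the 12 extra bytes are exactly one argument-length byte plus the 11 characters of "priv-lvl=15". The following is an added worked example, not Radiator's or Cisco IOS's code: it encodes the REQUEST and both REPLY bodies from the values in the logs, decodes a reply, and lists any attributes a server returns on a shell command authorization (a request carrying cmd=...), since that attribute is the one difference the two exchanges show. The body is handled in cleartext; the TACACS+ MD5 pad obfuscation does not change any length and is omitted. The header constant, status names and field order come from RFC 8907; the helper and variable names are my own.

```python
"""TACACS+ (RFC 8907) authorization REQUEST/REPLY body codec plus a reply checker.

Added example for this thread, not Radiator's or Cisco IOS's own code. Reproduces
the byte counts in the quoted logs (87-byte request body, 99-byte packet, 18-byte
vs 30-byte reply packets). Bodies are kept in cleartext: the MD5 pad XOR
obfuscation of TACACS+ does not change any length, so it is left out.
"""
import struct

TAC_PLUS_AUTHOR = 0x02
HEADER_LEN = 12          # version, type, seq_no, flags, session_id(4), length(4)

# Authorization REPLY status values, RFC 8907 section 6.2
PASS_ADD = 0x01
PASS_REPL = 0x02
FAIL = 0x10
STATUS_NAMES = {PASS_ADD: "PASS_ADD", PASS_REPL: "PASS_REPL", FAIL: "FAIL"}


def encode_header(seq_no, session_id, body, version=0xC0, flags=0):
    """12-byte TACACS+ header; version 0xC0 is the 'ver=192' in the Cisco debug."""
    return struct.pack("!BBBBII", version, TAC_PLUS_AUTHOR, seq_no, flags,
                       session_id, len(body))


def encode_author_request(user, port, rem_addr, args, authen_method=6,
                          priv_lvl=1, authen_type=1, authen_service=1):
    """Authorization REQUEST body (section 6.1). Defaults match the Radiator line
    'REQUEST 6, 1, 1, 1, ...': method TACACSPLUS, priv_lvl 1, ASCII, LOGIN."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    arg_b = [a.encode() for a in args]
    fixed = struct.pack("!BBBBBBBB", authen_method, priv_lvl, authen_type,
                        authen_service, len(user_b), len(port_b), len(rem_b), len(arg_b))
    arg_lens = bytes(len(a) for a in arg_b)
    return fixed + arg_lens + user_b + port_b + rem_b + b"".join(arg_b)


def encode_author_reply(status, args=(), server_msg="", data=b""):
    """Authorization REPLY body (section 6.2): status, arg_cnt, server_msg_len,
    data_len, one length byte per argument, then server_msg, data, arguments."""
    arg_b = [a.encode() for a in args]
    msg_b = server_msg.encode()
    fixed = struct.pack("!BBHH", status, len(arg_b), len(msg_b), len(data))
    return fixed + bytes(len(a) for a in arg_b) + msg_b + data + b"".join(arg_b)


def decode_author_reply(body):
    """Inverse of encode_author_reply; raises ValueError on truncated input."""
    if len(body) < 6:
        raise ValueError("reply body shorter than the fixed 6-byte part")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    pos = 6
    if len(body) < pos + arg_cnt:
        raise ValueError("truncated argument length list")
    arg_lens = list(body[pos:pos + arg_cnt]); pos += arg_cnt
    server_msg = body[pos:pos + msg_len].decode(); pos += msg_len
    data = body[pos:pos + data_len]; pos += data_len
    args = []
    for n in arg_lens:
        if len(body) < pos + n:
            raise ValueError("truncated argument")
        args.append(body[pos:pos + n].decode()); pos += n
    if pos != len(body):
        raise ValueError("trailing bytes after the last argument")
    return {"status": STATUS_NAMES.get(status, status), "server_msg": server_msg,
            "data": data, "args": args}


def reply_attrs_on_command_authz(request_args, reply):
    """Attributes a server sent back on a shell *command* authorization (a request
    carrying cmd=...). The quoted logs show the only difference between the working
    and failing exchanges is such a trailing 'priv-lvl=15', so this is what to look
    for when comparing server and device debugs. Empty list: nothing to flag."""
    is_cmd_authz = any(a.startswith("cmd=") for a in request_args)
    return list(reply["args"]) if is_cmd_authz else []


# Constructed from the values in the quoted Radiator debug lines
REQUEST_ARGS = ["service=shell", "cmd=show", "cmd-arg=running-config", "cmd-arg=<cr>"]
REQUEST_BODY = encode_author_request("paddy", "tty2", "83.145.30.2", REQUEST_ARGS)
OLD_REPLY = encode_author_reply(PASS_ADD)                   # 'RESPONSE 1, , ,'
NEW_REPLY = encode_author_reply(PASS_ADD, ["priv-lvl=15"])  # 'RESPONSE 1, , , priv-lvl=15'


def wire_sizes():
    """Body and packet sizes to compare with 'length 87', 'wrote 99 of 99 bytes'
    and the 18-byte / 30-byte replies in the logs."""
    return {"request_body": len(REQUEST_BODY),
            "request_packet": HEADER_LEN + len(REQUEST_BODY),
            "old_reply_packet": HEADER_LEN + len(OLD_REPLY),
            "new_reply_packet": HEADER_LEN + len(NEW_REPLY)}


if __name__ == "__main__":
    print(wire_sizes())
    for name, body in (("old", OLD_REPLY), ("new", NEW_REPLY)):
        rep = decode_author_reply(body)
        print(name, rep["status"], rep["args"],
              reply_attrs_on_command_authz(REQUEST_ARGS, rep))
```

Running it prints the four sizes (87, 99, 18, 30) that the two debug captures report, and flags "priv-lvl=15" only for the new-format reply, which is the same comparison a reader can make by hand between the two Radiator RESPONSE lines. Whether Cisco IOS accepts attributes on a PASS_ADD command-authorization reply is not something this thread settles; the checker only surfaces the difference so it can be correlated with the device debug.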
