(RADIATOR) Issues with the TACPLUS Server
Mike McCauley
mikem at open.com.au
Wed Dec 5 18:11:01 CST 2007
Hello Patrik,
Thanks for the detailed logs.
We still have not been able to reproduce this.
We note a comment in the relevant source:
# Hmmm. funny behaviour remembering the value of @reply_pairs from call to
call
# on perl 5.8.5
and its @reply_pairs that is the relveant thing in your case.
What version of perl are you running? On what platform?
Cheers.
On Wednesday 05 December 2007 02:51, Patrik Forsberg wrote:
> Hi,
>
> I've been trying to convert our old Cisco enabled Radiator Tacacs
> configuration from the old Depricated "CommandAuth" format to the newer
> "AuthorizeGroup" format but I've ran into a feature that is quite
> unwanted.
>
> First off the configuration I have works on all my current hardware but
> we need the features that the AuthorizeGroup gives.
> Everything works great exept on cisco boxes. Besides I don't like the
> idea to use configuration that will be gone in some future release.
> Atleast our old Cisco 7200 seem to not like the new format.
>
> I've done some debugging and the only differens I can see is that there
> are one difference between the new and old format
>
> Level 4 debug log on the
>
> Old Format
> "
> Tue Dec 4 17:25:10 2007: DEBUG: New TacacsplusConnection created for
> 212.37.9.27:16082
> Tue Dec 4 17:25:11 2007: DEBUG: TacacsplusConnection request 192, 2, 1,
> 0, 3787464609, 87
> Tue Dec 4 17:25:11 2007: DEBUG: TacacsplusConnection Authorization
> REQUEST 6, 1, 1, 1, paddy, tty2, 83.145.30.2, 4, service=shell cmd=show
> cmd-arg=running-config cmd-arg=<cr>
> Tue Dec 4 17:25:11 2007: DEBUG: TacacsplusConnection Authorization
> RESPONSE 1, , ,
> Tue Dec 4 17:25:11 2007: DEBUG: TacacsplusConnection disconnected from
> 212.37.9.27:16082
> "
>
> New Format
> "
> Tue Dec 4 17:26:08 2007: DEBUG: New TacacsplusConnection created for
> 212.37.9.27:16085
> Tue Dec 4 17:26:08 2007: DEBUG: TacacsplusConnection request 192, 2, 1,
> 0, 1625861, 87
> Tue Dec 4 17:26:08 2007: DEBUG: TacacsplusConnection Authorization
> REQUEST 6, 1, 1, 1, paddy, tty2, 83.145.30.2, 4, service=shell cmd=show
> cmd-arg=running-config cmd-arg=<cr>
> Tue Dec 4 17:26:08 2007: DEBUG: AuthorizeGroup rule match found: permit
> .* { }
> Tue Dec 4 17:26:08 2007: INFO: Authorization permitted for paddy, group
> securityofficer, args service=shell cmd=show cmd-arg=running-config
> cmd-arg=<cr>
> Tue Dec 4 17:26:08 2007: DEBUG: TacacsplusConnection Authorization
> RESPONSE 1, , , priv-lvl=15
> Tue Dec 4 17:26:08 2007: DEBUG: TacacsplusConnection disconnected from
> 212.37.9.27:16085
> "
>
>
> Notice the little "priv-lvl=15" on the end of the last RESPONSE ?
>
> That's the only thing I can see that is different between the two
> formats.
>
> Cisco debugs--
>
> Old Format
> "
> Dec 4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): Port='tty3'
> list='' service=CMD
> Dec 4 11:21:10.860 MET: AAA/AUTHOR/CMD: tty3 (3753599229) user='paddy'
> Dec 4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): send AV
> service=shell
> Dec 4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): send AV
> cmd=show
> Dec 4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): send AV
> cmd-arg=running-config
> Dec 4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): send AV
> cmd-arg=<cr>
> Dec 4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): found list
> "default"
> Dec 4 11:21:10.864 MET: tty3 AAA/AUTHOR/CMD (3753599229):
> Method=tacacs+ (tacacs+)
> Dec 4 11:21:10.864 MET: AAA/AUTHOR/TAC+: (3753599229): user=paddy
> Dec 4 11:21:10.864 MET: AAA/AUTHOR/TAC+: (3753599229): send AV
> service=shell
> Dec 4 11:21:10.864 MET: AAA/AUTHOR/TAC+: (3753599229): send AV cmd=show
> Dec 4 11:21:10.864 MET: AAA/AUTHOR/TAC+: (3753599229): send AV
> cmd-arg=running-config
> Dec 4 11:21:10.864 MET: AAA/AUTHOR/TAC+: (3753599229): send AV
> cmd-arg=<cr>
> Dec 4 11:21:10.864 MET: TAC+: using previously set server 212.37.0.171
> from group tacacs+
> Dec 4 11:21:10.864 MET: TAC+: Opening TCP/IP to 212.37.0.171/49
> timeout=5
> Dec 4 11:21:10.864 MET: TAC+: Opened TCP/IP handle 0x621DC9D4 to
> 212.37.0.171/49 using source 212.37.9.27
> Dec 4 11:21:10.864 MET: TAC+: Opened 212.37.0.171 index=1
> Dec 4 11:21:10.864 MET: TAC+: periodic timer started
> Dec 4 11:21:10.864 MET: TAC+: 212.37.0.171 req=620BD880 Qd
> id=3753599229 ver=192 handle=0x621DC9D4 (ESTAB) expire=5 AUTHOR/START
> queued
> Dec 4 11:21:10.868 MET: TAC+: 212.37.0.171 (3753599229) AUTHOR/START
> queued
> Dec 4 11:21:10.964 MET: TAC+: 212.37.0.171 ESTAB id=3753599229 wrote 99
> of 99 bytes
> Dec 4 11:21:10.964 MET: TAC+: 212.37.0.171 req=620BD880 Qd
> id=3753599229 ver=192 handle=0x621DC9D4 (ESTAB) expire=4 AUTHOR/START
> sent
> Dec 4 11:21:11.064 MET: TAC+: 212.37.0.171 ESTAB read=12 wanted=12
> alloc=12 got=12
> Dec 4 11:21:11.064 MET: TAC+: 212.37.0.171 ESTAB read=18 wanted=18
> alloc=18 got=6
> Dec 4 11:21:11.064 MET: TAC+: 212.37.0.171 received 18 byte reply for
> 620BD880
> Dec 4 11:21:11.064 MET: TAC+: req=620BD880 Tx id=3753599229 ver=192
> handle=0x621DC9D4 (ESTAB) expire=4 AUTHOR/START processed
> Dec 4 11:21:11.064 MET: TAC+: (3753599229) AUTHOR/START processed
> Dec 4 11:21:11.064 MET: TAC+: periodic timer stopped (queue empty)
> Dec 4 11:21:11.064 MET: TAC+: (3753599229): received author response
> status = PASS_ADD
> Dec 4 11:21:11.064 MET: TAC+: Closing TCP/IP 0x621DC9D4 connection to
> 212.37.0.171/49
> Dec 4 11:21:11.064 MET: AAA/AUTHOR (3753599229): Post authorization
> status = PASS_ADD
> "
>
> New Format
> "
> Dec 4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): Port='tty3'
> list='' service=CMD
> Dec 4 11:19:42.357 MET: AAA/AUTHOR/CMD: tty3 (2448089756) user='paddy'
> Dec 4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): send AV
> service=shell
> Dec 4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): send AV
> cmd=show
> Dec 4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): send AV
> cmd-arg=running-config
> Dec 4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): send AV
> cmd-arg=<cr>
> Dec 4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): found list
> "default"
> Dec 4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756):
> Method=tacacs+ (tacacs+)
> Dec 4 11:19:42.357 MET: AAA/AUTHOR/TAC+: (2448089756): user=paddy
> Dec 4 11:19:42.357 MET: AAA/AUTHOR/TAC+: (2448089756): send AV
> service=shell
> Dec 4 11:19:42.357 MET: AAA/AUTHOR/TAC+: (2448089756): send AV cmd=show
> Dec 4 11:19:42.357 MET: AAA/AUTHOR/TAC+: (2448089756): send AV
> cmd-arg=running-config
> Dec 4 11:19:42.357 MET: AAA/AUTHOR/TAC+: (2448089756): send AV
> cmd-arg=<cr>
> Dec 4 11:19:42.357 MET: TAC+: using previously set server 212.37.0.171
> from group tacacs+
> Dec 4 11:19:42.357 MET: TAC+: Opening TCP/IP to 212.37.0.171/49
> timeout=5
> Dec 4 11:19:42.361 MET: TAC+: Opened TCP/IP handle 0x621E52B0 to
> 212.37.0.171/49 using source 212.37.9.27
> Dec 4 11:19:42.361 MET: TAC+: Opened 212.37.0.171 index=1
> Dec 4 11:19:42.361 MET: TAC+: periodic timer started
> Dec 4 11:19:42.361 MET: TAC+: 212.37.0.171 req=6238E368 Qd
> id=2448089756 ver=192 handle=0x621E52B0 (ESTAB) expire=5 AUTHOR/START
> queued
> Dec 4 11:19:42.361 MET: TAC+: 212.37.0.171 (2448089756) AUTHOR/START
> queued
> Dec 4 11:19:42.461 MET: TAC+: 212.37.0.171 ESTAB id=2448089756 wrote 99
> of 99 bytes
> Dec 4 11:19:42.461 MET: TAC+: 212.37.0.171 req=6238E368 Qd
> id=2448089756 ver=192 handle=0x621E52B0 (ESTAB) expire=4 AUTHOR/START
> sent
> Dec 4 11:19:42.561 MET: TAC+: 212.37.0.171 ESTAB read=12 wanted=12
> alloc=12 got=12
> Dec 4 11:19:42.561 MET: TAC+: 212.37.0.171 ESTAB read=30 wanted=30
> alloc=30 got=18
> Dec 4 11:19:42.561 MET: TAC+: 212.37.0.171 received 30 byte reply for
> 6238E368
> Dec 4 11:19:42.561 MET: TAC+: req=6238E368 Tx id=2448089756 ver=192
> handle=0x621E52B0 (ESTAB) expire=4 AUTHOR/START processed
> Dec 4 11:19:42.561 MET: TAC+: (2448089756) AUTHOR/START processed
> Dec 4 11:19:42.561 MET: TAC+: periodic timer stopped (queue empty)
> Dec 4 11:19:42.561 MET: TAC+: (2448089756): received author response
> status = PASS_ADD
> Dec 4 11:19:42.561 MET: TAC+: Closing TCP/IP 0x621E52B0 connection to
> 212.37.0.171/49
> Dec 4 11:19:42.561 MET: AAA/AUTHOR (2448089756): Post authorization
> status = PASS_ADD
> Dec 4 11:19:42.561 MET: AAA/AUTHOR/CMD Cannot replace commands
> "
>
> Notice the last line ?
> That seem to screw the whole thing up :(
>
> Yes, I know the timestamps between cisco and radiator debug differ.. one
> can say that it has taken me awhile to get this far!
>
>
> Radiator Config
>
> Old Format
> "
> # Include local parameters
> Include /etc/radiator-test/radius.local.cfg
>
> <ServerTACACSPLUS>
> # Include local tacacs parameters
> Include /etc/radiator-test/radius.tacacs.local.cfg
>
> #
> AddToRequest NAS-Identifier=TACACS
>
> # Groups
> GroupMemberAttr RouterGroup
> GroupCacheFile %D/tacacs-users.cache
>
> # Group: SecurityOfficer gives privilige level 15
> GroupAuthAttr securityofficer priv-lvl=15
> CommandAuth securityofficer permit .*
> </ServerTACACSPLUS>
>
> <Client DEFAULT>
> Secret <<--snipped-->>
> </Client>
>
> <Handler Calling-Station-Id =
> /(222.122.13.9|82.198.52.20|217.160.216.229|200.74.221.13|211.218.38.51|
> 62.225.4.102|209.16.117.6|60.2
> 50.127.184)/>
> AcctLogFileName %L/acct.denied
> <AuthBy INTERNAL>
> DefaultResult REJECT
> </AuthBy>
> </Handler>
>
> <Handler NAS-Port-Id = /tty.*/, User-Name = testuser>
> AcctLogFileName %L/acct.admin
> <AuthBy DBFILE>
> Filename %D/tacacs-users
> StripFromReply RouterGroup
> AddToReply RouterGroup="securityofficer"
> AddToReplyIfNotExist cisco-avpair="priv-lvl=15"
> AddToReplyIfNotExist cisco-avpair="idletime=15"
> </AuthBy>
> </Handler>
>
> <Handler NAS-Port-Id = /mgmt.*/, User-Name = testuser>
> AcctLogFileName %L/acct.admin
> <AuthBy DBFILE>
> Filename %D/tacacs-users
> StripFromReply RouterGroup
> AddToReply RouterGroup="securityofficer"
> AddToReplyIfNotExist cisco-avpair="priv-lvl=15"
> AddToReplyIfNotExist cisco-avpair="idletime=15"
> </AuthBy>
> </Handler>
>
> <Handler>
> AcctLogFileName %L/acct.user
> <AuthBy DBFILE>
> Filename %D/tacacs-users
> AddToReplyIfNotExist cisco-avpair="idletime=15"
> </AuthBy>
> </Handler>
> "
>
> New Format
> "
> # Include local parameters
> Include /etc/radiator-test/radius.local.cfg
>
> <ServerTACACSPLUS>
> # Include local tacacs parameters
> Include /etc/radiator-test/radius.tacacs.local.cfg
>
> #
> AddToRequest NAS-Identifier=TACACS
>
> # Groups
> GroupMemberAttr RouterGroup
> GroupCacheFile %D/tacacs-users.cache
>
> # Group: SecurityOfficer gives privilige level 15
> AuthorizeGroup securityofficer permit service=junos_exec
> {local-user-name=admins}
> AuthorizeGroup securityofficer permit service=shell cmd\*
> {priv-lvl=15}
> AuthorizeGroup securityofficer permit .*
> </ServerTACACSPLUS>
>
> <Client DEFAULT>
> Secret <<--snipped-->>
> </Client>
>
> <Handler Calling-Station-Id =
> /(222.122.13.9|82.198.52.20|217.160.216.229|200.74.221.13|211.218.38.51|
> 62.225.4.102|209.16.117.6|60.2
> 50.127.184)/>
> AcctLogFileName %L/acct.denied
> <AuthBy INTERNAL>
> DefaultResult REJECT
> </AuthBy>
> </Handler>
>
> <Handler User-Name = paddy>
> AcctLogFileName %L/acct.admin
>
> # Packet Trace
> PacketTrace
>
> # Explain reject
> RejectHasReason
>
> <Log FILE>
> Filename %L/paddy-log
> </Log>
>
> <AuthBy DBFILE>
> Filename %D/tacacs-users
> AddToReplyIfNotExist cisco-avpair="idletime=15"
> </AuthBy>
> </Handler>
>
>
> <Handler>
> AcctLogFileName %L/acct.user
>
> # Explain reject
> RejectHasReason
>
> <AuthBy DBFILE>
> Filename %D/tacacs-users
> AddToReplyIfNotExist cisco-avpair="idletime=15"
> </AuthBy>
> </Handler>
> "
>
> The included configuration files only keep ports and that kind of
> information, nothing that could affect this.
>
> I've tried looking throw the ServerTACPLUS.pm but I can't really figure
> what could be wrong.. quite busy at work to so haven't had much time to
> spend on it :P
>
> Please help ?
>
> ---
> Regards,
> Patrik
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list