(RADIATOR) Issues with the TACPLUS Server

Patrik Forsberg patrik.forsberg at dataphone.net
Thu Dec 6 03:04:28 CST 2007


Hi,

Guess you got my original mail too ;)

I run on two FreeBSD 6.2 and a 5.2 all running perl 5.8.8 with
appropriate cpan modules and Radiator 3.17.1 with the latest patches up
till 2007-10-11.

After looking at the code yesterday I noticed you do different things
between CommandAuth and AuthorizeGroup. In the deprecated code you
treated a single command differently than one with an attribute
attached to the command; in AuthorizeGroup you use the same routine no
matter if it has an attribute or not. I am not sure, but it could be a
clue to the behavior I'm seeing?

Referring to lines 708-718 for the new code and 759-762, 776-782 of
ServerTACPLUS.pm. This is the only thing I could find that actually
differs between the two commands and that would affect my problem.
I've only tried this out on Cisco so I don't know if any other hardware
shows the same behavior or not.

Best Regards,
Patrik


> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: Thursday, December 06, 2007 1:11 AM
> To: Patrik Forsberg
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) Issues with the TACPLUS Server
> 
> Hello Patrik,
> 
> Thanks for the detailed logs.
> We still have not been able to reproduce this.
> We note a comment in the relevant source:
> 
>     # Hmmm. funny behaviour remembering the value of @reply_pairs from call to call
>     # on perl 5.8.5
> 
> and it's @reply_pairs that is the relevant thing in your case.
> 
> What version of perl are you running? On what platform?
> 
> Cheers.
> 
> On Wednesday 05 December 2007 02:51, Patrik Forsberg wrote:
> > Hi,
> >
> > I've been trying to convert our old Cisco enabled Radiator Tacacs
> > configuration from the old deprecated "CommandAuth" format to the newer
> > "AuthorizeGroup" format but I've run into a feature that is quite
> > unwanted.
> >
> > First off the configuration I have works on all my current hardware but
> > we need the features that the AuthorizeGroup gives.
> > Everything works great except on cisco boxes. Besides I don't like the
> > idea to use configuration that will be gone in some future release.
> > At least our old Cisco 7200 seems to not like the new format.
> >
> > I've done some debugging and the only difference I can see is that there
> > is one difference between the new and old format
> >
> > Level 4 debug log on the
> >
> > Old Format
> > "
> > Tue Dec  4 17:25:10 2007: DEBUG: New TacacsplusConnection created for 212.37.9.27:16082
> > Tue Dec  4 17:25:11 2007: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 3787464609, 87
> > Tue Dec  4 17:25:11 2007: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, paddy, tty2, 83.145.30.2, 4, service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
> > Tue Dec  4 17:25:11 2007: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
> > Tue Dec  4 17:25:11 2007: DEBUG: TacacsplusConnection disconnected from 212.37.9.27:16082
> > "
> >
> > New Format
> > "
> > Tue Dec  4 17:26:08 2007: DEBUG: New TacacsplusConnection created for 212.37.9.27:16085
> > Tue Dec  4 17:26:08 2007: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 1625861, 87
> > Tue Dec  4 17:26:08 2007: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, paddy, tty2, 83.145.30.2, 4, service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
> > Tue Dec  4 17:26:08 2007: DEBUG: AuthorizeGroup rule match found: permit .* {  }
> > Tue Dec  4 17:26:08 2007: INFO: Authorization permitted for paddy, group securityofficer, args service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
> > Tue Dec  4 17:26:08 2007: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=15
> > Tue Dec  4 17:26:08 2007: DEBUG: TacacsplusConnection disconnected from 212.37.9.27:16085
> > "
> >
> >
> > Notice the little "priv-lvl=15" on the end of the last RESPONSE?
> >
> > That's the only thing I can see that is different between the two
> > formats.
> >
> > Cisco debugs--
> >
> > Old Format
> > "
> > Dec  4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): Port='tty3' list='' service=CMD
> > Dec  4 11:21:10.860 MET: AAA/AUTHOR/CMD: tty3 (3753599229) user='paddy'
> > Dec  4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): send AV service=shell
> > Dec  4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): send AV cmd=show
> > Dec  4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): send AV cmd-arg=running-config
> > Dec  4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): send AV cmd-arg=<cr>
> > Dec  4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): found list "default"
> > Dec  4 11:21:10.864 MET: tty3 AAA/AUTHOR/CMD (3753599229): Method=tacacs+ (tacacs+)
> > Dec  4 11:21:10.864 MET: AAA/AUTHOR/TAC+: (3753599229): user=paddy
> > Dec  4 11:21:10.864 MET: AAA/AUTHOR/TAC+: (3753599229): send AV service=shell
> > Dec  4 11:21:10.864 MET: AAA/AUTHOR/TAC+: (3753599229): send AV cmd=show
> > Dec  4 11:21:10.864 MET: AAA/AUTHOR/TAC+: (3753599229): send AV cmd-arg=running-config
> > Dec  4 11:21:10.864 MET: AAA/AUTHOR/TAC+: (3753599229): send AV cmd-arg=<cr>
> > Dec  4 11:21:10.864 MET: TAC+: using previously set server 212.37.0.171 from group tacacs+
> > Dec  4 11:21:10.864 MET: TAC+: Opening TCP/IP to 212.37.0.171/49 timeout=5
> > Dec  4 11:21:10.864 MET: TAC+: Opened TCP/IP handle 0x621DC9D4 to 212.37.0.171/49 using source 212.37.9.27
> > Dec  4 11:21:10.864 MET: TAC+: Opened 212.37.0.171 index=1
> > Dec  4 11:21:10.864 MET: TAC+: periodic timer started
> > Dec  4 11:21:10.864 MET: TAC+: 212.37.0.171 req=620BD880 Qd id=3753599229 ver=192 handle=0x621DC9D4 (ESTAB) expire=5 AUTHOR/START queued
> > Dec  4 11:21:10.868 MET: TAC+: 212.37.0.171 (3753599229) AUTHOR/START queued
> > Dec  4 11:21:10.964 MET: TAC+: 212.37.0.171 ESTAB id=3753599229 wrote 99 of 99 bytes
> > Dec  4 11:21:10.964 MET: TAC+: 212.37.0.171 req=620BD880 Qd id=3753599229 ver=192 handle=0x621DC9D4 (ESTAB) expire=4 AUTHOR/START sent
> > Dec  4 11:21:11.064 MET: TAC+: 212.37.0.171 ESTAB read=12 wanted=12 alloc=12 got=12
> > Dec  4 11:21:11.064 MET: TAC+: 212.37.0.171 ESTAB read=18 wanted=18 alloc=18 got=6
> > Dec  4 11:21:11.064 MET: TAC+: 212.37.0.171 received 18 byte reply for 620BD880
> > Dec  4 11:21:11.064 MET: TAC+: req=620BD880 Tx id=3753599229 ver=192 handle=0x621DC9D4 (ESTAB) expire=4 AUTHOR/START processed
> > Dec  4 11:21:11.064 MET: TAC+: (3753599229) AUTHOR/START processed
> > Dec  4 11:21:11.064 MET: TAC+: periodic timer stopped (queue empty)
> > Dec  4 11:21:11.064 MET: TAC+: (3753599229): received author response status = PASS_ADD
> > Dec  4 11:21:11.064 MET: TAC+: Closing TCP/IP 0x621DC9D4 connection to 212.37.0.171/49
> > Dec  4 11:21:11.064 MET: AAA/AUTHOR (3753599229): Post authorization status = PASS_ADD
> > "
> >
> > New Format
> > "
> > Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): Port='tty3' list='' service=CMD
> > Dec  4 11:19:42.357 MET: AAA/AUTHOR/CMD: tty3 (2448089756) user='paddy'
> > Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): send AV service=shell
> > Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): send AV cmd=show
> > Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): send AV cmd-arg=running-config
> > Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): send AV cmd-arg=<cr>
> > Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): found list "default"
> > Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): Method=tacacs+ (tacacs+)
> > Dec  4 11:19:42.357 MET: AAA/AUTHOR/TAC+: (2448089756): user=paddy
> > Dec  4 11:19:42.357 MET: AAA/AUTHOR/TAC+: (2448089756): send AV service=shell
> > Dec  4 11:19:42.357 MET: AAA/AUTHOR/TAC+: (2448089756): send AV cmd=show
> > Dec  4 11:19:42.357 MET: AAA/AUTHOR/TAC+: (2448089756): send AV cmd-arg=running-config
> > Dec  4 11:19:42.357 MET: AAA/AUTHOR/TAC+: (2448089756): send AV cmd-arg=<cr>
> > Dec  4 11:19:42.357 MET: TAC+: using previously set server 212.37.0.171 from group tacacs+
> > Dec  4 11:19:42.357 MET: TAC+: Opening TCP/IP to 212.37.0.171/49 timeout=5
> > Dec  4 11:19:42.361 MET: TAC+: Opened TCP/IP handle 0x621E52B0 to 212.37.0.171/49 using source 212.37.9.27
> > Dec  4 11:19:42.361 MET: TAC+: Opened 212.37.0.171 index=1
> > Dec  4 11:19:42.361 MET: TAC+: periodic timer started
> > Dec  4 11:19:42.361 MET: TAC+: 212.37.0.171 req=6238E368 Qd id=2448089756 ver=192 handle=0x621E52B0 (ESTAB) expire=5 AUTHOR/START queued
> > Dec  4 11:19:42.361 MET: TAC+: 212.37.0.171 (2448089756) AUTHOR/START queued
> > Dec  4 11:19:42.461 MET: TAC+: 212.37.0.171 ESTAB id=2448089756 wrote 99 of 99 bytes
> > Dec  4 11:19:42.461 MET: TAC+: 212.37.0.171 req=6238E368 Qd id=2448089756 ver=192 handle=0x621E52B0 (ESTAB) expire=4 AUTHOR/START sent
> > Dec  4 11:19:42.561 MET: TAC+: 212.37.0.171 ESTAB read=12 wanted=12 alloc=12 got=12
> > Dec  4 11:19:42.561 MET: TAC+: 212.37.0.171 ESTAB read=30 wanted=30 alloc=30 got=18
> > Dec  4 11:19:42.561 MET: TAC+: 212.37.0.171 received 30 byte reply for 6238E368
> > Dec  4 11:19:42.561 MET: TAC+: req=6238E368 Tx id=2448089756 ver=192 handle=0x621E52B0 (ESTAB) expire=4 AUTHOR/START processed
> > Dec  4 11:19:42.561 MET: TAC+: (2448089756) AUTHOR/START processed
> > Dec  4 11:19:42.561 MET: TAC+: periodic timer stopped (queue empty)
> > Dec  4 11:19:42.561 MET: TAC+: (2448089756): received author response status = PASS_ADD
> > Dec  4 11:19:42.561 MET: TAC+: Closing TCP/IP 0x621E52B0 connection to 212.37.0.171/49
> > Dec  4 11:19:42.561 MET: AAA/AUTHOR (2448089756): Post authorization status = PASS_ADD
> > Dec  4 11:19:42.561 MET: AAA/AUTHOR/CMD Cannot replace commands
> > "
> >
> > Notice the last line?
> > That seems to screw the whole thing up :(
> >
> > Yes, I know the timestamps between cisco and radiator debug differ.. one
> > can say that it has taken me awhile to get this far!
> >
> >
> > Radiator Config
> >
> > Old Format
> > "
> > # Include local parameters
> > Include /etc/radiator-test/radius.local.cfg
> >
> > <ServerTACACSPLUS>
> >         # Include local tacacs parameters
> >         Include /etc/radiator-test/radius.tacacs.local.cfg
> >
> >         #
> >         AddToRequest NAS-Identifier=TACACS
> >
> >         # Groups
> >         GroupMemberAttr RouterGroup
> >         GroupCacheFile %D/tacacs-users.cache
> >
> >         # Group: SecurityOfficer gives privilege level 15
> >         GroupAuthAttr securityofficer priv-lvl=15
> >         CommandAuth securityofficer permit .*
> > </ServerTACACSPLUS>
> >
> > <Client DEFAULT>
> >         Secret <<--snipped-->>
> > </Client>
> >
> > <Handler Calling-Station-Id = /(222.122.13.9|82.198.52.20|217.160.216.229|200.74.221.13|211.218.38.51|62.225.4.102|209.16.117.6|60.250.127.184)/>
> >         AcctLogFileName %L/acct.denied
> >         <AuthBy INTERNAL>
> >                 DefaultResult   REJECT
> >         </AuthBy>
> > </Handler>
> >
> > <Handler NAS-Port-Id = /tty.*/, User-Name = testuser>
> >         AcctLogFileName %L/acct.admin
> >         <AuthBy DBFILE>
> >                 Filename %D/tacacs-users
> >                 StripFromReply RouterGroup
> >                 AddToReply RouterGroup="securityofficer"
> >                 AddToReplyIfNotExist cisco-avpair="priv-lvl=15"
> >                 AddToReplyIfNotExist cisco-avpair="idletime=15"
> >         </AuthBy>
> > </Handler>
> >
> > <Handler NAS-Port-Id = /mgmt.*/, User-Name = testuser>
> >         AcctLogFileName %L/acct.admin
> >         <AuthBy DBFILE>
> >                 Filename %D/tacacs-users
> >                 StripFromReply RouterGroup
> >                 AddToReply RouterGroup="securityofficer"
> >                 AddToReplyIfNotExist cisco-avpair="priv-lvl=15"
> >                 AddToReplyIfNotExist cisco-avpair="idletime=15"
> >         </AuthBy>
> > </Handler>
> >
> > <Handler>
> >         AcctLogFileName %L/acct.user
> >         <AuthBy DBFILE>
> >                 Filename %D/tacacs-users
> >                 AddToReplyIfNotExist cisco-avpair="idletime=15"
> >         </AuthBy>
> > </Handler>
> > "
> >
> > New Format
> > "
> > # Include local parameters
> > Include /etc/radiator-test/radius.local.cfg
> >
> > <ServerTACACSPLUS>
> >         # Include local tacacs parameters
> >         Include /etc/radiator-test/radius.tacacs.local.cfg
> >
> >         #
> >         AddToRequest NAS-Identifier=TACACS
> >
> >         # Groups
> >         GroupMemberAttr RouterGroup
> >         GroupCacheFile %D/tacacs-users.cache
> >
> >         # Group: SecurityOfficer gives privilege level 15
> >         AuthorizeGroup securityofficer permit service=junos_exec {local-user-name=admins}
> >         AuthorizeGroup securityofficer permit service=shell cmd\* {priv-lvl=15}
> >         AuthorizeGroup securityofficer permit .*
> > </ServerTACACSPLUS>
> >
> > <Client DEFAULT>
> >         Secret <<--snipped-->>
> > </Client>
> >
> > <Handler Calling-Station-Id = /(222.122.13.9|82.198.52.20|217.160.216.229|200.74.221.13|211.218.38.51|62.225.4.102|209.16.117.6|60.250.127.184)/>
> >         AcctLogFileName %L/acct.denied
> >         <AuthBy INTERNAL>
> >                 DefaultResult   REJECT
> >         </AuthBy>
> > </Handler>
> >
> > <Handler User-Name = paddy>
> >         AcctLogFileName %L/acct.admin
> >
> >         # Packet Trace
> >         PacketTrace
> >
> >         # Explain reject
> >         RejectHasReason
> >
> >         <Log FILE>
> >                 Filename %L/paddy-log
> >         </Log>
> >
> >         <AuthBy DBFILE>
> >                 Filename %D/tacacs-users
> >                 AddToReplyIfNotExist cisco-avpair="idletime=15"
> >         </AuthBy>
> > </Handler>
> >
> >
> > <Handler>
> >         AcctLogFileName %L/acct.user
> >
> >         # Explain reject
> >         RejectHasReason
> >
> >         <AuthBy DBFILE>
> >                 Filename %D/tacacs-users
> >                 AddToReplyIfNotExist cisco-avpair="idletime=15"
> >         </AuthBy>
> > </Handler>
> > "
> >
> > The included configuration files only keep ports and that kind of
> > information, nothing that could affect this.
> >
> > I've tried looking through the ServerTACPLUS.pm but I can't really figure
> > out what could be wrong.. quite busy at work too so haven't had much time to
> > spend on it :P
> >
> > Please help?
> >
> > ---
> > Regards,
> > Patrik
> >
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> 
> --
> Mike McCauley                               mikem at open.com.au
> Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> http://www.open.com.au
> Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.

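The difference the thread narrows down to is visible in the reply sizes: the Cisco log shows an 18-byte reply (12-byte header plus a 6-byte authorization REPLY body with no arguments) for the CommandAuth configuration and a 30-byte reply (6 + 1 length byte + 11 bytes of "priv-lvl=15") for the AuthorizeGroup one. The following Python is an added example, not code from the thread, from Radiator or from Cisco: it encodes and decodes the TACACS+ authorization REPLY body and reports which attributes a PASS_ADD reply adds to a per-command authorization. It assumes the body has already had the shared-secret obfuscation removed, and the request and reply contents are constructed from the logs above.

```python
import struct

# TACACS+ authorization REPLY status codes (the Cisco logs above show PASS_ADD).
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}

def build_author_reply(status, args=(), server_msg=b"", data=b""):
    """Encode a REPLY body: status, arg_cnt, server_msg_len, data_len,
    one length byte per arg, then server_msg, data and the args themselves."""
    enc = [a.encode() for a in args]
    head = struct.pack("!BBHH", status, len(enc), len(server_msg), len(data))
    return head + bytes(len(a) for a in enc) + server_msg + data + b"".join(enc)

def parse_author_reply(body):
    """Decode a REPLY body (assumption: obfuscation already removed, 12-byte
    packet header already stripped). Returns status name and AV pairs."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = list(body[off:off + arg_cnt]); off += arg_cnt
    server_msg = body[off:off + msg_len];     off += msg_len
    data = body[off:off + data_len];          off += data_len
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode()); off += n
    if off != len(body):
        raise ValueError("trailing bytes in authorization REPLY body")
    return {"status": AUTHOR_STATUS.get(status, hex(status)),
            "server_msg": server_msg, "data": data, "args": args}

def av_pairs(args):
    """Split AV pairs on the first '=' (mandatory) or '*' (optional)."""
    pairs = {}
    for a in args:
        sep = min((i for i in (a.find("="), a.find("*")) if i >= 0), default=None)
        if sep is not None:
            pairs[a[:sep]] = a[sep + 1:]
    return pairs

def added_attrs_in_command_reply(request_args, reply_body):
    """For a per-command authorization (service=shell with a non-empty cmd),
    list the attributes a PASS_ADD reply adds. The thread's CommandAuth
    config adds none; its AuthorizeGroup config adds priv-lvl=15."""
    req = av_pairs(request_args)
    if req.get("service") != "shell" or not req.get("cmd"):
        return []   # shell login (empty cmd) or another service: not a command check
    reply = parse_author_reply(reply_body)
    return reply["args"] if reply["status"] == "PASS_ADD" else []

# Constructed from the Authorization REQUEST line in the Radiator log above.
COMMAND_REQUEST = ["service=shell", "cmd=show", "cmd-arg=running-config", "cmd-arg=<cr>"]
OLD_REPLY = build_author_reply(0x01)                   # 6-byte body: 12 + 6 = 18 on the wire
NEW_REPLY = build_author_reply(0x01, ["priv-lvl=15"])  # 18-byte body: 12 + 18 = 30 on the wire
```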

