(RADIATOR) Issues with the TACPLUS Server

Mike McCauley mikem at open.com.au
Thu Dec 6 03:50:56 CST 2007


Hello Patrik,

Thanks for your reply. We still don't understand why your system is behaving 
that way: we can't reproduce it. Though we notice that there is some 
configuration of yours that we haven't seen yet:
you have this in your ServerTACACSPLUS config:

Include /etc/radiator-test/radius.tacacs.local.cfg

Could that be relevant?

Cheers.

On Thursday 06 December 2007 19:04, Patrik Forsberg wrote:
> Hi,
>
> Guess you got my original mail too ;)
>
> I run on two FreeBSD 6.2 and a 5.2 all running perl 5.8.8 with
> appropriate cpan modules and Radiator 3.17.1 with the latest patches up
> till 2007-10-11.
>
> After looking at the code yesterday I noticed you do different things
> between CommandAuth and AuthorizeGroup. In the deprecated code you
> treated a single command differently than if you get an attribute
> attached to the command; in AuthorizeGroup you use the same routine no
> matter if it has an attribute or not. I am not sure, but it could be a
> clue to the behavior I'm seeing?
>
> Referring to lines 708-718 for the new code and 759-762, 776-782 of
> ServerTACPLUS.pm. This is the only thing I could find that actually
> differs between the two commands and would affect my problem.
> I've only tried this out on Cisco so I don't know if any other hardware
> shows the same behavior or not.
>
> Best Regards,
> Patrik
>
> > -----Original Message-----
> > From: Mike McCauley [mailto:mikem at open.com.au]
> > Sent: Thursday, December 06, 2007 1:11 AM
> > To: Patrik Forsberg
> > Cc: radiator at open.com.au
> > Subject: Re: (RADIATOR) Issues with the TACPLUS Server
> >
> > Hello Patrik,
> >
> > Thanks for the detailed logs.
> > We still have not been able to reproduce this.
> > We note a comment in the relevant source:
> >
> >     # Hmmm. funny behaviour remembering the value of @reply_pairs from call to call
> >     # on perl 5.8.5
> >
> > and it's @reply_pairs that is the relevant thing in your case.
> >
> > What version of perl are you running? On what platform?
> >
> > Cheers.
> >
> > On Wednesday 05 December 2007 02:51, Patrik Forsberg wrote:
> > > Hi,
> > >
> > > I've been trying to convert our old Cisco enabled Radiator Tacacs
> > > configuration from the old deprecated "CommandAuth" format to the newer
> > > "AuthorizeGroup" format but I've run into a feature that is quite
> > > unwanted.
> > >
> > > First off, the configuration I have works on all my current hardware but
> > > we need the features that AuthorizeGroup gives.
> > > Everything works great except on Cisco boxes. Besides, I don't like the
> > > idea of using configuration that will be gone in some future release.
> > > At least our old Cisco 7200 seems not to like the new format.
> > >
> > > I've done some debugging and the only difference I can see is that there
> > > is one difference between the new and old format
> > >
> > > Level 4 debug log on the
> > >
> > > Old Format
> > > "
> > > Tue Dec  4 17:25:10 2007: DEBUG: New TacacsplusConnection created for 212.37.9.27:16082
> > > Tue Dec  4 17:25:11 2007: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 3787464609, 87
> > > Tue Dec  4 17:25:11 2007: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, paddy, tty2, 83.145.30.2, 4, service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
> > > Tue Dec  4 17:25:11 2007: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
> > > Tue Dec  4 17:25:11 2007: DEBUG: TacacsplusConnection disconnected from 212.37.9.27:16082
> > > "
> > >
> > > New Format
> > > "
> > > Tue Dec  4 17:26:08 2007: DEBUG: New TacacsplusConnection created for 212.37.9.27:16085
> > > Tue Dec  4 17:26:08 2007: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 1625861, 87
> > > Tue Dec  4 17:26:08 2007: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, paddy, tty2, 83.145.30.2, 4, service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
> > > Tue Dec  4 17:26:08 2007: DEBUG: AuthorizeGroup rule match found: permit .* {  }
> > > Tue Dec  4 17:26:08 2007: INFO: Authorization permitted for paddy, group securityofficer, args service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
> > > Tue Dec  4 17:26:08 2007: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=15
> > > Tue Dec  4 17:26:08 2007: DEBUG: TacacsplusConnection disconnected from 212.37.9.27:16085
> > > "
> > >
> > >
> > > Notice the little "priv-lvl=15" on the end of the last RESPONSE ?
> > >
> > > That's the only thing I can see that is different between the two
> > > formats.
> > >
> > > Cisco debugs--
> > >
> > > Old Format
> > > "
> > > Dec  4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): Port='tty3' list='' service=CMD
> > > Dec  4 11:21:10.860 MET: AAA/AUTHOR/CMD: tty3 (3753599229) user='paddy'
> > > Dec  4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): send AV service=shell
> > > Dec  4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): send AV cmd=show
> > > Dec  4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): send AV cmd-arg=running-config
> > > Dec  4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): send AV cmd-arg=<cr>
> > > Dec  4 11:21:10.860 MET: tty3 AAA/AUTHOR/CMD (3753599229): found list "default"
> > > Dec  4 11:21:10.864 MET: tty3 AAA/AUTHOR/CMD (3753599229): Method=tacacs+ (tacacs+)
> > > Dec  4 11:21:10.864 MET: AAA/AUTHOR/TAC+: (3753599229): user=paddy
> > > Dec  4 11:21:10.864 MET: AAA/AUTHOR/TAC+: (3753599229): send AV service=shell
> > > Dec  4 11:21:10.864 MET: AAA/AUTHOR/TAC+: (3753599229): send AV cmd=show
> > > Dec  4 11:21:10.864 MET: AAA/AUTHOR/TAC+: (3753599229): send AV cmd-arg=running-config
> > > Dec  4 11:21:10.864 MET: AAA/AUTHOR/TAC+: (3753599229): send AV cmd-arg=<cr>
> > > Dec  4 11:21:10.864 MET: TAC+: using previously set server 212.37.0.171 from group tacacs+
> > > Dec  4 11:21:10.864 MET: TAC+: Opening TCP/IP to 212.37.0.171/49 timeout=5
> > > Dec  4 11:21:10.864 MET: TAC+: Opened TCP/IP handle 0x621DC9D4 to 212.37.0.171/49 using source 212.37.9.27
> > > Dec  4 11:21:10.864 MET: TAC+: Opened 212.37.0.171 index=1
> > > Dec  4 11:21:10.864 MET: TAC+: periodic timer started
> > > Dec  4 11:21:10.864 MET: TAC+: 212.37.0.171 req=620BD880 Qd id=3753599229 ver=192 handle=0x621DC9D4 (ESTAB) expire=5 AUTHOR/START queued
> > > Dec  4 11:21:10.868 MET: TAC+: 212.37.0.171 (3753599229) AUTHOR/START queued
> > > Dec  4 11:21:10.964 MET: TAC+: 212.37.0.171 ESTAB id=3753599229 wrote 99 of 99 bytes
> > > Dec  4 11:21:10.964 MET: TAC+: 212.37.0.171 req=620BD880 Qd id=3753599229 ver=192 handle=0x621DC9D4 (ESTAB) expire=4 AUTHOR/START sent
> > > Dec  4 11:21:11.064 MET: TAC+: 212.37.0.171 ESTAB read=12 wanted=12 alloc=12 got=12
> > > Dec  4 11:21:11.064 MET: TAC+: 212.37.0.171 ESTAB read=18 wanted=18 alloc=18 got=6
> > > Dec  4 11:21:11.064 MET: TAC+: 212.37.0.171 received 18 byte reply for 620BD880
> > > Dec  4 11:21:11.064 MET: TAC+: req=620BD880 Tx id=3753599229 ver=192 handle=0x621DC9D4 (ESTAB) expire=4 AUTHOR/START processed
> > > Dec  4 11:21:11.064 MET: TAC+: (3753599229) AUTHOR/START processed
> > > Dec  4 11:21:11.064 MET: TAC+: periodic timer stopped (queue empty)
> > > Dec  4 11:21:11.064 MET: TAC+: (3753599229): received author response status = PASS_ADD
> > > Dec  4 11:21:11.064 MET: TAC+: Closing TCP/IP 0x621DC9D4 connection to 212.37.0.171/49
> > > Dec  4 11:21:11.064 MET: AAA/AUTHOR (3753599229): Post authorization status = PASS_ADD
> > > "
> > >
> > > New Format
> > > "
> > > Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): Port='tty3' list='' service=CMD
> > > Dec  4 11:19:42.357 MET: AAA/AUTHOR/CMD: tty3 (2448089756) user='paddy'
> > > Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): send AV service=shell
> > > Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): send AV cmd=show
> > > Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): send AV cmd-arg=running-config
> > > Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): send AV cmd-arg=<cr>
> > > Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): found list "default"
> > > Dec  4 11:19:42.357 MET: tty3 AAA/AUTHOR/CMD (2448089756): Method=tacacs+ (tacacs+)
> > > Dec  4 11:19:42.357 MET: AAA/AUTHOR/TAC+: (2448089756): user=paddy
> > > Dec  4 11:19:42.357 MET: AAA/AUTHOR/TAC+: (2448089756): send AV service=shell
> > > Dec  4 11:19:42.357 MET: AAA/AUTHOR/TAC+: (2448089756): send AV cmd=show
> > > Dec  4 11:19:42.357 MET: AAA/AUTHOR/TAC+: (2448089756): send AV cmd-arg=running-config
> > > Dec  4 11:19:42.357 MET: AAA/AUTHOR/TAC+: (2448089756): send AV cmd-arg=<cr>
> > > Dec  4 11:19:42.357 MET: TAC+: using previously set server 212.37.0.171 from group tacacs+
> > > Dec  4 11:19:42.357 MET: TAC+: Opening TCP/IP to 212.37.0.171/49 timeout=5
> > > Dec  4 11:19:42.361 MET: TAC+: Opened TCP/IP handle 0x621E52B0 to 212.37.0.171/49 using source 212.37.9.27
> > > Dec  4 11:19:42.361 MET: TAC+: Opened 212.37.0.171 index=1
> > > Dec  4 11:19:42.361 MET: TAC+: periodic timer started
> > > Dec  4 11:19:42.361 MET: TAC+: 212.37.0.171 req=6238E368 Qd id=2448089756 ver=192 handle=0x621E52B0 (ESTAB) expire=5 AUTHOR/START queued
> > > Dec  4 11:19:42.361 MET: TAC+: 212.37.0.171 (2448089756) AUTHOR/START queued
> > > Dec  4 11:19:42.461 MET: TAC+: 212.37.0.171 ESTAB id=2448089756 wrote 99 of 99 bytes
> > > Dec  4 11:19:42.461 MET: TAC+: 212.37.0.171 req=6238E368 Qd id=2448089756 ver=192 handle=0x621E52B0 (ESTAB) expire=4 AUTHOR/START sent
> > > Dec  4 11:19:42.561 MET: TAC+: 212.37.0.171 ESTAB read=12 wanted=12 alloc=12 got=12
> > > Dec  4 11:19:42.561 MET: TAC+: 212.37.0.171 ESTAB read=30 wanted=30 alloc=30 got=18
> > > Dec  4 11:19:42.561 MET: TAC+: 212.37.0.171 received 30 byte reply for 6238E368
> > > Dec  4 11:19:42.561 MET: TAC+: req=6238E368 Tx id=2448089756 ver=192 handle=0x621E52B0 (ESTAB) expire=4 AUTHOR/START processed
> > > Dec  4 11:19:42.561 MET: TAC+: (2448089756) AUTHOR/START processed
> > > Dec  4 11:19:42.561 MET: TAC+: periodic timer stopped (queue empty)
> > > Dec  4 11:19:42.561 MET: TAC+: (2448089756): received author response status = PASS_ADD
> > > Dec  4 11:19:42.561 MET: TAC+: Closing TCP/IP 0x621E52B0 connection to 212.37.0.171/49
> > > Dec  4 11:19:42.561 MET: AAA/AUTHOR (2448089756): Post authorization status = PASS_ADD
> > > Dec  4 11:19:42.561 MET: AAA/AUTHOR/CMD Cannot replace commands
> > > "
> > >
> > > Notice the last line ?
> > > That seem to screw the whole thing up :(
> > >
> > > Yes, I know the timestamps between cisco and radiator debug differ.. one
> > > can say that it has taken me a while to get this far!
> > >
> > >
> > > Radiator Config
> > >
> > > Old Format
> > > "
> > > # Include local parameters
> > > Include /etc/radiator-test/radius.local.cfg
> > >
> > > <ServerTACACSPLUS>
> > >         # Include local tacacs parameters
> > >         Include /etc/radiator-test/radius.tacacs.local.cfg
> > >
> > >         #
> > >         AddToRequest NAS-Identifier=TACACS
> > >
> > >         # Groups
> > >         GroupMemberAttr RouterGroup
> > >         GroupCacheFile %D/tacacs-users.cache
> > >
> > >         # Group: SecurityOfficer gives privilege level 15
> > >         GroupAuthAttr securityofficer priv-lvl=15
> > >         CommandAuth securityofficer permit .*
> > > </ServerTACACSPLUS>
> > >
> > > <Client DEFAULT>
> > >         Secret <<--snipped-->>
> > > </Client>
> > >
> > > <Handler Calling-Station-Id = /(222.122.13.9|82.198.52.20|217.160.216.229|200.74.221.13|211.218.38.51|62.225.4.102|209.16.117.6|60.250.127.184)/>
> > >         AcctLogFileName %L/acct.denied
> > >         <AuthBy INTERNAL>
> > >                 DefaultResult   REJECT
> > >         </AuthBy>
> > > </Handler>
> > >
> > > <Handler NAS-Port-Id = /tty.*/, User-Name = testuser>
> > >         AcctLogFileName %L/acct.admin
> > >         <AuthBy DBFILE>
> > >                 Filename %D/tacacs-users
> > >                 StripFromReply RouterGroup
> > >                 AddToReply RouterGroup="securityofficer"
> > >                 AddToReplyIfNotExist cisco-avpair="priv-lvl=15"
> > >                 AddToReplyIfNotExist cisco-avpair="idletime=15"
> > >         </AuthBy>
> > > </Handler>
> > >
> > > <Handler NAS-Port-Id = /mgmt.*/, User-Name = testuser>
> > >         AcctLogFileName %L/acct.admin
> > >         <AuthBy DBFILE>
> > >                 Filename %D/tacacs-users
> > >                 StripFromReply RouterGroup
> > >                 AddToReply RouterGroup="securityofficer"
> > >                 AddToReplyIfNotExist cisco-avpair="priv-lvl=15"
> > >                 AddToReplyIfNotExist cisco-avpair="idletime=15"
> > >         </AuthBy>
> > > </Handler>
> > >
> > > <Handler>
> > >         AcctLogFileName %L/acct.user
> > >         <AuthBy DBFILE>
> > >                 Filename %D/tacacs-users
> > >                 AddToReplyIfNotExist cisco-avpair="idletime=15"
> > >         </AuthBy>
> > > </Handler>
> > > "
> > >
> > > New Format
> > > "
> > > # Include local parameters
> > > Include /etc/radiator-test/radius.local.cfg
> > >
> > > <ServerTACACSPLUS>
> > >         # Include local tacacs parameters
> > >         Include /etc/radiator-test/radius.tacacs.local.cfg
> > >
> > >         #
> > >         AddToRequest NAS-Identifier=TACACS
> > >
> > >         # Groups
> > >         GroupMemberAttr RouterGroup
> > >         GroupCacheFile %D/tacacs-users.cache
> > >
> > >         # Group: SecurityOfficer gives privilege level 15
> > >         AuthorizeGroup securityofficer permit service=junos_exec {local-user-name=admins}
> > >         AuthorizeGroup securityofficer permit service=shell cmd\* {priv-lvl=15}
> > >         AuthorizeGroup securityofficer permit .*
> > > </ServerTACACSPLUS>
> > >
> > > <Client DEFAULT>
> > >         Secret <<--snipped-->>
> > > </Client>
> > >
> > > <Handler Calling-Station-Id = /(222.122.13.9|82.198.52.20|217.160.216.229|200.74.221.13|211.218.38.51|62.225.4.102|209.16.117.6|60.250.127.184)/>
> > >         AcctLogFileName %L/acct.denied
> > >         <AuthBy INTERNAL>
> > >                 DefaultResult   REJECT
> > >         </AuthBy>
> > > </Handler>
> > >
> > > <Handler User-Name = paddy>
> > >         AcctLogFileName %L/acct.admin
> > >
> > >         # Packet Trace
> > >         PacketTrace
> > >
> > >         # Explain reject
> > >         RejectHasReason
> > >
> > >         <Log FILE>
> > >                 Filename %L/paddy-log
> > >         </Log>
> > >
> > >         <AuthBy DBFILE>
> > >                 Filename %D/tacacs-users
> > >                 AddToReplyIfNotExist cisco-avpair="idletime=15"
> > >         </AuthBy>
> > > </Handler>
> > >
> > >
> > > <Handler>
> > >         AcctLogFileName %L/acct.user
> > >
> > >         # Explain reject
> > >         RejectHasReason
> > >
> > >         <AuthBy DBFILE>
> > >                 Filename %D/tacacs-users
> > >                 AddToReplyIfNotExist cisco-avpair="idletime=15"
> > >         </AuthBy>
> > > </Handler>
> > > "
> > >
> > > The included configuration files only keep ports and that kind of
> > > information, nothing that could affect this.
> > >
> > > I've tried looking through ServerTACPLUS.pm but I can't really figure
> > > out what could be wrong.. quite busy at work too, so I haven't had much time to
> > > spend on it :P
> > >
> > > Please help?
> > >
> > > ---
> > > Regards,
> > > Patrik
> > >
> > >
> >

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
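The byte counts in the two Cisco traces quoted above line up with the TACACS+ wire format: the 99-byte write is the 12-byte header plus the 87-byte body Radiator logs in its "request 192, 2, 1, 0, ..., 87" line, the "Old Format" reply is 18 bytes (header plus a 6-byte authorization reply body with no arguments) and the "New Format" reply is 30 bytes (the same plus one length byte and the 11 bytes of "priv-lvl=15"). The following Python is an added illustration, not Radiator's or Cisco's code: it builds and decodes authorization REPLY packets in that layout, reproduces the 18 and 30 byte sizes, and flags attributes attached to a reply for a command-authorization request, which is the condition the thread's logs show the router objecting to ("Cannot replace commands"). The session id and request arguments are taken from the quoted logs; the shared secret is a constructed placeholder, and the "suspect attribute" rule is an inference from the logs rather than a documented behaviour.

```python
"""Encode, decode and sanity-check TACACS+ authorization REPLY packets.

Added illustration, not Radiator's or Cisco's code.  Layout follows the
TACACS+ wire format (RFC 8907): 12-byte header, then status, arg_cnt,
server_msg_len, data_len, one length byte per argument, server_msg, data
and the arguments.  Sample values come from the thread; the secret is made up.
"""
import hashlib
import struct

TAC_PLUS_AUTHOR = 0x02            # packet type
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent in the clear
PASS_ADD, PASS_REPL, FAIL = 0x01, 0x02, 0x10
VERSION = 0xC0                    # major 12, minor 0: the "ver=192" in the Cisco debug


def _pad(session_id, secret, version, seq_no, length):
    """Body obfuscation keystream: chained MD5 over session id, secret,
    version, sequence number and the previous digest."""
    out, prev = b"", b""
    sid = struct.pack("!I", session_id)
    while len(out) < length:
        prev = hashlib.md5(sid + secret + bytes([version, seq_no]) + prev).digest()
        out += prev
    return out[:length]


def _xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))


def build_author_reply(session_id, seq_no, status, args, secret=None,
                       server_msg=b"", data=b""):
    """Return a complete reply packet; the body is obfuscated only if a secret is given."""
    arg_bytes = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(arg_bytes), len(server_msg), len(data))
    body += bytes(len(a) for a in arg_bytes) + server_msg + data + b"".join(arg_bytes)
    flags = 0 if secret else TAC_PLUS_UNENCRYPTED_FLAG
    if secret:
        body = _xor(body, _pad(session_id, secret, VERSION, seq_no, len(body)))
    header = struct.pack("!BBBBII", VERSION, TAC_PLUS_AUTHOR, seq_no, flags,
                         session_id, len(body))
    return header + body


def parse_author_reply(packet, secret=None):
    """Decode a reply packet into its session id, status and argument list."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHOR or len(packet) != 12 + length:
        raise ValueError("not a complete authorization packet")
    body = packet[12:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        if secret is None:
            raise ValueError("obfuscated body but no secret supplied")
        body = _xor(body, _pad(session_id, secret, version, seq_no, len(body)))
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    lens = list(body[6:6 + arg_cnt])
    pos = 6 + arg_cnt + msg_len + data_len
    args = []
    for n in lens:
        args.append(body[pos:pos + n].decode())
        pos += n
    return {"session_id": session_id, "status": status, "args": args}


def split_av(pair):
    """Split an AV pair at its first '=' (mandatory) or '*' (optional)."""
    for i, ch in enumerate(pair):
        if ch in "=*":
            return pair[:i], ch, pair[i + 1:]
    return pair, "", ""


def is_command_authorization(request_args):
    """service=shell with a non-empty cmd value is a per-command check;
    an exec (shell start) request carries cmd with an empty value."""
    avs = {k: v for k, _, v in map(split_av, request_args)}
    return avs.get("service") == "shell" and bool(avs.get("cmd"))


def suspect_reply_attributes(request_args, reply_args):
    """Attributes a reply attaches to a command-authorization request.
    Inference from the thread's logs, not a documented rule: the router
    accepted an empty PASS_ADD for cmd=show but logged 'Cannot replace
    commands' when the same reply carried priv-lvl=15."""
    if not is_command_authorization(request_args):
        return []
    return list(reply_args)


# Values from the thread: the Cisco session id and the "show running-config" request.
SESSION_ID = 3753599229
SHOW_RUN_REQUEST = ["service=shell", "cmd=show", "cmd-arg=running-config", "cmd-arg=<cr>"]
SECRET = b"constructed-secret"  # placeholder; the real one was snipped from the post


def demo():
    """Rebuild both replies from the thread and measure them."""
    old = build_author_reply(SESSION_ID, 2, PASS_ADD, [])
    new = build_author_reply(SESSION_ID, 2, PASS_ADD, ["priv-lvl=15"], secret=SECRET)
    decoded = parse_author_reply(new, SECRET)
    return len(old), len(new), suspect_reply_attributes(SHOW_RUN_REQUEST, decoded["args"])
```

`demo()` returns the two packet lengths and the attribute list that a cmd=show reply should not have carried; running `suspect_reply_attributes` over captured replies is a cheap way to spot a server that returns exec-session attributes such as priv-lvl on per-command authorizations before a router starts refusing them.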

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
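The thread's working hypothesis is the source comment Mike quotes: a reply-pair list that is remembered from one authorization call to the next, so that attributes granted to the exec start ride along on a later per-command reply even though the rule that matched ("permit .* {  }") grants none. The Python below is an added model of that failure mode and of the regression check for it; it is not Radiator's ServerTACACSPLUS code. It assumes AuthorizeGroup-style rules of the form `permit|deny <regexp> {attr ...}` that are tried in order against the space-joined request attributes with first match winning, and it uses the three rules from the "New Format" configuration quoted above. The module-level list in the leaky variant is the assumed mechanism, not something the page confirms.

```python
"""First-match rule evaluation with a check for reply attributes leaking
between requests.  Added model, not Radiator's code.  Assumptions: rules
are 'permit|deny <regexp> {attr ...}', matched in order against the
space-joined request attributes, first match wins."""
import re

# The three AuthorizeGroup rules from the thread's "New Format" config.
RULES_TEXT = [
    "permit service=junos_exec {local-user-name=admins}",
    "permit service=shell cmd\\* {priv-lvl=15}",
    "permit .*",
]

_RULE = re.compile(r"^(permit|deny)\s+(\S.*?)\s*(?:\{([^}]*)\})?\s*$")


def parse_rules(lines):
    """Turn rule lines into (action, compiled regexp, [attributes])."""
    rules = []
    for line in lines:
        m = _RULE.match(line)
        if not m:
            raise ValueError("bad rule: " + line)
        action, pattern, attrs = m.groups()
        rules.append((action, re.compile(pattern), (attrs or "").split()))
    return rules


# Assumed mechanism for the "remembering @reply_pairs from call to call"
# comment: a list that outlives the request it was built for.
_carried_over = []


def authorize_leaky(rules, request_args):
    """Buggy variant: appends to a list that is never reset, so attributes
    granted to an earlier request ride along on later replies."""
    joined = " ".join(request_args)
    for action, pattern, attrs in rules:
        if pattern.search(joined):
            _carried_over.extend(attrs)
            return action, list(_carried_over)
    return "deny", []


def authorize(rules, request_args):
    """Fixed variant: the reply list is built fresh for every request."""
    joined = " ".join(request_args)
    for action, pattern, attrs in rules:
        if pattern.search(joined):
            return action, list(attrs)
    return "deny", []


SHELL_START = ["service=shell", "cmd*"]  # exec start: cmd carries no value
SHOW_RUN = ["service=shell", "cmd=show", "cmd-arg=running-config", "cmd-arg=<cr>"]  # from the thread


def leak_check(authorize_fn):
    """Regression check: an exec start followed by a command authorization on
    the same server instance; returns the attributes the second reply carried
    (expected empty, since only 'permit .*' matches cmd=show)."""
    del _carried_over[:]  # start each check from a clean instance
    rules = parse_rules(RULES_TEXT)
    authorize_fn(rules, SHELL_START)
    _, second = authorize_fn(rules, SHOW_RUN)
    return second
```

`leak_check(authorize_leaky)` returns `['priv-lvl=15']`, reproducing the thread's symptom of priv-lvl=15 on a cmd=show reply, while `leak_check(authorize)` returns an empty list. The order of the two requests is the point: a single command authorization in isolation passes in both variants, so a test that only sends cmd=show cannot tell the two apart.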

