(RADIATOR) Tacacs+ and cisco-avpair
Hisham Al-Shiha
hshiha at medu.net.sa
Tue Jun 5 23:49:18 CDT 2007
Dear all,
I searched the archive for a similar case but I couldn't find the answer.
How do I send the privilege level back to the tacacs client? It seems that
the radius reply is OK but the tacacs reply doesn't seem to be sent back to
the cisco device. I'm trying to send priv-lvl 1, but the client seems to
ignore it and sets priv-lvl 15.
Am I doing anything wrong here?
I'm using Radiator 3.15
------------------ C O N F F I L E --------------------
LogDir /var/log/radius
DbDir /etc/radiator
# AuthPort
# AcctPort
# Replace any non alphanumeric or @,-,. or underscore with X
RewriteUsername s/[^a-zA-Z0-9_\-\@\.]/X/g
Trace 3
# Listen for TACACS+ requests 49/tcp
<ServerTACACSPLUS>
Key ****
</ServerTACACSPLUS>
<Client DEFAULT>
Secret ****
DupInterval 0
</Client>
<Handler Request-Type = Accounting-Request>
PreProcessingHook file:"%D/createavpairs"
<AuthBy SQL>
DBSource dbi:mysql:radius:127.0.0.1
DBUsername ****
DBAuth ****
# Don't authenticate the user, only do accounting
AuthSelect
# Format the date to the following 'YYYY-MM-DD HH:MM:SS'
DateFormat %Y-%m-%d %X
AccountingTable ACCOUNTING
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer-date
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
AcctColumnDef NASIPADDRESS,NAS-IP-Address
AcctColumnDef AVPAIR,cmd
</AuthBy>
</Handler>
<Handler>
<AuthBy FILE>
Filename %D/users
</AuthBy>
SessionDatabase IgnoreSessions
</Handler>
<AuthBy SYSTEM>
Identifier SysAuth
</AuthBy>
<SessionDatabase NULL>
Identifier IgnoreSessions
</SessionDatabase>
------------------- L O G -----------------------------
Tue May 29 15:36:28 2007: DEBUG: New TacacsplusConnection created for *.*.9.3:62826
Tue May 29 15:36:28 2007: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 154164247, 30
Tue May 29 15:36:28 2007: DEBUG: TacacsplusConnection Authentication START 1, 1, 2 for msami, tty3, *.*.11.45
Tue May 29 15:36:28 2007: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
Tue May 29 15:36:30 2007: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 154164247, 13
Tue May 29 15:36:30 2007: DEBUG: TacacsplusConnection Authentication CONTINUE 0, *****,
Tue May 29 15:36:30 2007: DEBUG: TACACSPLUS derived Radius request packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: <5>]A<149><214>N<180><253>2x<217><158>l<128>M<240>
Attributes:
NAS-IP-Address = *.*.9.3
NAS-Port-Id = "tty3"
Calling-Station-Id = "*.*.11.45"
Service-Type = Administrative-User
User-Name = "msami"
User-Password = ******
Tue May 29 15:36:30 2007: DEBUG: Handling request with Handler ''
Tue May 29 15:36:30 2007: DEBUG: Handling with Radius::AuthFILE:
Tue May 29 15:36:30 2007: DEBUG: Radius::AuthFILE looks for match with msami [msami]
Tue May 29 15:36:30 2007: DEBUG: Handling with Radius::AuthSYSTEM: SysAuth
Tue May 29 15:36:30 2007: DEBUG: getpwnam got msami, $1$VzzzO22A$fiGg.FDfDqI79iVah/ndu/, 1001, 100, , , Mohammad Sami, /home/msami, /bin/bash,
Tue May 29 15:36:30 2007: DEBUG: Radius::AuthSYSTEM looks for match with msami [msami]
Tue May 29 15:36:30 2007: DEBUG: Radius::AuthSYSTEM ACCEPT: : msami [msami]
Tue May 29 15:36:30 2007: DEBUG: Radius::AuthFILE ACCEPT: : msami [msami]
Tue May 29 15:36:30 2007: DEBUG: AuthBy FILE result: ACCEPT,
Tue May 29 15:36:30 2007: DEBUG: Access accepted for msami
Tue May 29 15:36:30 2007: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code: Access-Accept
Identifier: UNDEF
Authentic: <5>]A<149><214>N<180><253>2x<217><158>l<128>M<240>
Attributes:
cisco-avpair = "shell:priv-lvl=1"
Tue May 29 15:36:30 2007: DEBUG: TacacsplusConnection result Access-Accept
Tue May 29 15:36:30 2007: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Tue May 29 15:36:30 2007: DEBUG: TacacsplusConnection disconnected from *.*.9.3:62826
Tue May 29 15:36:47 2007: DEBUG: TacacsplusConnection result Accounting-Response
Tue May 29 15:36:47 2007: DEBUG: TacacsplusConnection Authentication REPLY 2, 0, ,
Tue May 29 15:36:47 2007: DEBUG: TacacsplusConnection disconnected from *.*.9.3:56568
Tue May 29 15:36:47 2007: DEBUG: TacacsplusConnection Accounting REPLY 1, ,
Tue May 29 15:36:48 2007: DEBUG: New TacacsplusConnection created for *.*.9.3:56894
Tue May 29 15:36:48 2007: DEBUG: TacacsplusConnection request 192, 3, 1, 0, 961170503, 135
Tue May 29 15:36:48 2007: DEBUG: TacacsplusConnection Accounting REQUEST 4, 6, 15, 1, 1, msami, tty3, *.*.11.45, 6, task_id=1140881 timezone=RUH service=shell start_time=1180442078 priv-lvl=15 cmd=show vpdn session <cr>
Tue May 29 15:36:48 2007: DEBUG: TACACSPLUS derived Radius request packet dump:
Code: Accounting-Request
Identifier: UNDEF
Authentic: l<137>Q<15><187><140>g<153><205> ln<226>*<254><175>
Attributes:
NAS-IP-Address = *.*.9.3
NAS-Port-Id = "tty3"
Calling-Station-Id = "*.*.11.45"
User-Name = "msami"
Acct-Status-Type = Stop
cisco-avpair = "task_id=1140881"
cisco-avpair = "timezone=RUH"
cisco-avpair = "service=shell"
cisco-avpair = "start_time=1180442078"
cisco-avpair = "priv-lvl=15"
cisco-avpair = "cmd=show vpdn session <cr>"
Tue May 29 15:36:48 2007: DEBUG: Handling request with Handler 'Request-Type = Accounting-Request'
Tue May 29 15:36:48 2007: DEBUG: Handling with Radius::AuthSQL
Tue May 29 15:36:48 2007: DEBUG: Handling accounting with Radius::AuthSQL
Tue May 29 15:36:48 2007: DEBUG: do query is: 'insert into ACCOUNTING (ACCTSTATUSTYPE,AVPAIR,CALLINGSTATIONID,NASIPADDRESS,TIME_STAMP,USERNAME) values ('Stop','show vpdn session <cr>','*.*.11.45','*.*.9.3','2007-05-29 15:36:48','msami')':
Tue May 29 15:36:48 2007: DEBUG: AuthBy SQL result: ACCEPT,
Tue May 29 15:36:48 2007: DEBUG: Accounting accepted
Tue May 29 15:36:48 2007: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code: Accounting-Response
Identifier: UNDEF
Authentic: l<137>Q<15><187><140>g<153><205> ln<226>*<254><175>
Attributes:
Tue May 29 15:36:48 2007: DEBUG: TacacsplusConnection result Accounting-Response
Tue May 29 15:36:48 2007: DEBUG: TacacsplusConnection Authentication REPLY 2, 0, ,
Tue May 29 15:36:48 2007: DEBUG: TacacsplusConnection disconnected from *.*.9.3:56894
Tue May 29 15:36:48 2007: DEBUG: TacacsplusConnection Accounting REPLY 1, ,
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
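The log above shows the check a reviewer would want automated: the Access-Accept grants shell:priv-lvl=1, yet the command accounting record arrives with priv-lvl=15. The following is an added example, not code from the post or from Radiator; it parses a TACACS+ accounting argument list the way the log prints it (including a cmd value that contains spaces) and flags commands accounted at a higher privilege level than was granted. The records and names are constructed from the log above.

```python
import re

# Constructed from the Access-Accept and Accounting REQUEST lines in the log.
GRANTED_AVPAIRS = {"msami": ["shell:priv-lvl=1"]}
ACCOUNTING_ARGS = [
    ("msami", "task_id=1140881 timezone=RUH service=shell "
              "start_time=1180442078 priv-lvl=15 cmd=show vpdn session <cr>"),
]

# attr=value is a mandatory argument, attr*value an optional one.
_ARG = re.compile(r"^([A-Za-z_][\w-]*)([=*])(.*)$")


def parse_tacacs_args(arg_string):
    """Split a space-separated TACACS+ argument list into {attr: value}.

    A token that does not look like attr=value or attr*value is treated as a
    continuation of the previous value, so 'cmd=show vpdn session <cr>' stays
    one argument. Heuristic of this example: a command containing a literal
    'x=y' word would be split, which is the limit of space-separated logging.
    """
    args = {}
    last = None
    for token in arg_string.split():
        m = _ARG.match(token)
        if m:
            last = m.group(1)
            args[last] = m.group(3)
        elif last is not None:
            args[last] += " " + token
    return args


def granted_priv_lvl(avpairs):
    """Return the shell privilege level from cisco-avpair reply attributes, or None."""
    for pair in avpairs:
        m = re.match(r"^shell:priv-lvl=(\d+)$", pair)
        if m:
            return int(m.group(1))
    return None


def privilege_mismatches(granted_avpairs, accounting_args):
    """List (user, granted, used, cmd) for shell commands run above the granted level."""
    findings = []
    for user, arg_string in accounting_args:
        args = parse_tacacs_args(arg_string)
        if args.get("service") != "shell" or "priv-lvl" not in args:
            continue  # only exec/command accounting carries a meaningful priv-lvl
        used = int(args["priv-lvl"])
        granted = granted_priv_lvl(granted_avpairs.get(user, []))
        if granted is not None and used > granted:
            findings.append((user, granted, used, args.get("cmd", "")))
    return findings
```

Running it over the constructed records reports msami as granted 1 but accounted at 15, which is exactly the symptom the post describes.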