(RADIATOR) Tacacs+ and cisco-avpair

Hugh Irvine hugh at open.com.au
Wed Jun 6 00:50:12 CDT 2007


Hello Hisham -

According to the debug log the following is the result of the RADIUS
component of processing the request:

> *** Reply to TACACSPLUS request:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  <5>]A<149><214>N<180><253>2x<217><158>l<128>M<240>
> Attributes:
>         cisco-avpair = "shell:priv-lvl=1"


Normally TACACS command authorization is done within Radiator
according to the GroupMemberAttr and AuthorizeGroup definitions in
the Server TACACSPLUS clause.

See section 5.76 in the Radiator 3.17.1 reference manual ("doc/ref.html")
and "goodies/tacacsplusserver.cfg".

Note that this also requires Cisco configuration to enable command  
authorization.

What exactly are you wanting to do?

regards

Hugh


On 6 Jun 2007, at 14:49, Hisham Al-Shiha wrote:

>
> Dear all,
>
> 	I searched the archive for a similar case but I couldn't find the
> answer. How do I send the privilege level back to the tacacs client?
> It seems that the radius reply is OK but the tacacs doesn't seem to be
> sent back to the cisco device. I'm trying to send priv-lvl 1 to the
> client, but it seems to ignore it and sets priv-lvl 15.
> 	Am I doing anything wrong here?
>
> 	I'm using Radiator 3.15
>
> ------------------ C O N F F I L E --------------------
> LogDir          /var/log/radius
> DbDir           /etc/radiator
>
> # AuthPort
> # AcctPort
>
> # Replace any non alphanumeric or @,-,. or underscore with X
> RewriteUsername s/[^a-zA-Z0-9_\-\@\.]/X/g
>
> Trace   3
>
> # Listen for TACACS+ requests 49/tcp
> <ServerTACACSPLUS>
>         Key ****
> </ServerTACACSPLUS>
>
> <Client DEFAULT>
>         Secret  ****
>         DupInterval 0
> </Client>
>
> <Handler Request-Type = Accounting-Request>
>         PreProcessingHook file:"%D/createavpairs"
>         <AuthBy SQL>
>                 DBSource dbi:mysql:radius:127.0.0.1
>                 DBUsername ****
>                 DBAuth ****
>
>                 # Don't authenticate the user, only do accounting
>                 AuthSelect
>
>                 # Format the date to the following 'YYYY-MM-DD HH:MM:SS'
>                 DateFormat %Y-%m-%d %X
>
>                 AccountingTable ACCOUNTING
>                 AcctColumnDef USERNAME,User-Name
>                 AcctColumnDef TIME_STAMP,Timestamp,integer-date
>                 AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
>                 AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>                 AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
>                 AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
>                 AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
>                 AcctColumnDef NASIPADDRESS,NAS-IP-Address
>                 AcctColumnDef AVPAIR,cmd
>
>         </AuthBy>
> </Handler>
>
> <Handler>
>         <AuthBy FILE>
>                 Filename %D/users
>         </AuthBy>
>         SessionDatabase IgnoreSessions
> </Handler>
>
> <AuthBy SYSTEM>
>         Identifier SysAuth
> </AuthBy>
>
> <SessionDatabase NULL>
>   Identifier IgnoreSessions
> </SessionDatabase>
>
> ------------------- L O G -----------------------------
> Tue May 29 15:36:28 2007: DEBUG: New TacacsplusConnection created for *.*.9.3:62826
> Tue May 29 15:36:28 2007: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 154164247, 30
> Tue May 29 15:36:28 2007: DEBUG: TacacsplusConnection Authentication START 1, 1, 2 for msami, tty3, *.*.11.45
> Tue May 29 15:36:28 2007: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
> Tue May 29 15:36:30 2007: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 154164247, 13
> Tue May 29 15:36:30 2007: DEBUG: TacacsplusConnection Authentication CONTINUE 0, *****,
> Tue May 29 15:36:30 2007: DEBUG: TACACSPLUS derived Radius request packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <5>]A<149><214>N<180><253>2x<217><158>l<128>M<240>
> Attributes:
>         NAS-IP-Address = *.*.9.3
>         NAS-Port-Id = "tty3"
>         Calling-Station-Id = "*.*.11.45"
>         Service-Type = Administrative-User
>         User-Name = "msami"
>         User-Password = ******
>
> Tue May 29 15:36:30 2007: DEBUG: Handling request with Handler ''
> Tue May 29 15:36:30 2007: DEBUG: Handling with Radius::AuthFILE:
> Tue May 29 15:36:30 2007: DEBUG: Radius::AuthFILE looks for match with msami [msami]
> Tue May 29 15:36:30 2007: DEBUG: Handling with Radius::AuthSYSTEM: SysAuth
> Tue May 29 15:36:30 2007: DEBUG: getpwnam got msami, $1$VzzzO22A$fiGg.FDfDqI79iVah/ndu/, 1001, 100, , , Mohammad Sami, /home/msami, /bin/bash,
> Tue May 29 15:36:30 2007: DEBUG: Radius::AuthSYSTEM looks for match with msami [msami]
> Tue May 29 15:36:30 2007: DEBUG: Radius::AuthSYSTEM ACCEPT: : msami [msami]
> Tue May 29 15:36:30 2007: DEBUG: Radius::AuthFILE ACCEPT: : msami [msami]
> Tue May 29 15:36:30 2007: DEBUG: AuthBy FILE result: ACCEPT,
> Tue May 29 15:36:30 2007: DEBUG: Access accepted for msami
> Tue May 29 15:36:30 2007: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  <5>]A<149><214>N<180><253>2x<217><158>l<128>M<240>
> Attributes:
>         cisco-avpair = "shell:priv-lvl=1"
>
> Tue May 29 15:36:30 2007: DEBUG: TacacsplusConnection result Access-Accept
> Tue May 29 15:36:30 2007: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
> Tue May 29 15:36:30 2007: DEBUG: TacacsplusConnection disconnected from *.*.9.3:62826
>
> Tue May 29 15:36:47 2007: DEBUG: TacacsplusConnection result Accounting-Response
> Tue May 29 15:36:47 2007: DEBUG: TacacsplusConnection Authentication REPLY 2, 0, ,
> Tue May 29 15:36:47 2007: DEBUG: TacacsplusConnection disconnected from *.*.9.3:56568
> Tue May 29 15:36:47 2007: DEBUG: TacacsplusConnection Accounting REPLY 1, ,
> Tue May 29 15:36:48 2007: DEBUG: New TacacsplusConnection created for *.*.9.3:56894
> Tue May 29 15:36:48 2007: DEBUG: TacacsplusConnection request 192, 3, 1, 0, 961170503, 135
> Tue May 29 15:36:48 2007: DEBUG: TacacsplusConnection Accounting REQUEST 4, 6, 15, 1, 1, msami, tty3, *.*.11.45, 6, task_id=1140881 timezone=RUH service=shell start_time=1180442078 priv-lvl=15 cmd=show vpdn session <cr>
> Tue May 29 15:36:48 2007: DEBUG: TACACSPLUS derived Radius request packet dump:
> Code:       Accounting-Request
> Identifier: UNDEF
> Authentic:  l<137>Q<15><187><140>g<153><205> ln<226>*<254><175>
> Attributes:
>         NAS-IP-Address = *.*.9.3
>         NAS-Port-Id = "tty3"
>         Calling-Station-Id = "*.*.11.45"
>         User-Name = "msami"
>         Acct-Status-Type = Stop
>         cisco-avpair = "task_id=1140881"
>         cisco-avpair = "timezone=RUH"
>         cisco-avpair = "service=shell"
>         cisco-avpair = "start_time=1180442078"
>         cisco-avpair = "priv-lvl=15"
>         cisco-avpair = "cmd=show vpdn session <cr>"
>
> Tue May 29 15:36:48 2007: DEBUG: Handling request with Handler 'Request-Type = Accounting-Request'
> Tue May 29 15:36:48 2007: DEBUG: Handling with Radius::AuthSQL
> Tue May 29 15:36:48 2007: DEBUG: Handling accounting with Radius::AuthSQL
> Tue May 29 15:36:48 2007: DEBUG: do query is: 'insert into ACCOUNTING (ACCTSTATUSTYPE,AVPAIR,CALLINGSTATIONID,NASIPADDRESS,TIME_STAMP,USERNAME) values ('Stop','show vpdn session <cr>','*.*.11.45','*.*.9.3','2007-05-29 15:36:48','msami')':
> Tue May 29 15:36:48 2007: DEBUG: AuthBy SQL result: ACCEPT,
> Tue May 29 15:36:48 2007: DEBUG: Accounting accepted
> Tue May 29 15:36:48 2007: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:       Accounting-Response
> Identifier: UNDEF
> Authentic:  l<137>Q<15><187><140>g<153><205> ln<226>*<254><175>
> Attributes:
>
> Tue May 29 15:36:48 2007: DEBUG: TacacsplusConnection result Accounting-Response
> Tue May 29 15:36:48 2007: DEBUG: TacacsplusConnection Authentication REPLY 2, 0, ,
> Tue May 29 15:36:48 2007: DEBUG: TacacsplusConnection disconnected from *.*.9.3:56894
> Tue May 29 15:36:48 2007: DEBUG: TacacsplusConnection Accounting REPLY 1, ,
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
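An added illustration of the point in Hugh's reply (this is not Radiator code and not from either poster): on the TACACS+ side the exec privilege level and per-command permits are decided in the authorization exchange, evaluated per request against group rules, not carried by a cisco-avpair on the authentication Access-Accept. The Python below models that evaluation. The rule line shape (AuthorizeGroup group permit|deny regexp {attr=value}) is an assumption modelled on the manual's AuthorizeGroup syntax, so check section 5.76 of doc/ref.html and goodies/tacacsplusserver.cfg for the real one; the group name would come from the reply attribute named by GroupMemberAttr; and the request argument lists (service=shell cmd* at shell start, service=shell cmd=show cmd-arg=... per command) are constructed. Note that the quoted trace contains only authentication and accounting exchanges and no authorization exchange at all, which fits Hugh's remark that the Cisco side must be configured for command authorization before any of this runs.

```python
"""Model of group-based TACACS+ command authorization, first match wins.

Constructed illustration; this is not Radiator code.  The rule syntax
(AuthorizeGroup <group> permit|deny <regexp> [{attr=value ...}]) is an
assumption modelled on the Radiator manual; the request argument lists are
constructed from what a TACACS+ authorization request carries.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    group: str          # TACACS+ group this rule applies to ('DEFAULT' = fallback)
    permit: bool        # True for permit, False for deny
    pattern: str        # regexp searched against the space-joined request args
    reply: dict = field(default_factory=dict)  # attrs returned on permit


# One rule per line: group, verb, regexp, optional {attr=value ...} block.
RULE_RE = re.compile(
    r'^AuthorizeGroup\s+(\S+)\s+(permit|deny)\s+(.*?)(?:\s*\{(.*)\})?\s*$')


def parse_rules(text):
    """Parse AuthorizeGroup lines into an ordered list; order decides precedence."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        match = RULE_RE.match(line)
        if match is None:
            raise ValueError(f'unparseable rule: {line!r}')
        group, verb, pattern, reply = match.groups()
        attrs = {}
        for pair in (reply or '').split():
            key, _, value = pair.partition('=')
            attrs[key] = value
        rules.append(Rule(group, verb == 'permit', pattern, attrs))
    return rules


def authorize(rules, group, args):
    """Return (permitted, reply_attrs) for one authorization request.

    The user's own group is consulted first, then DEFAULT.  The first rule
    whose regexp is found in the joined args wins.  If nothing matches, the
    request is denied (fail closed); an explicit 'DEFAULT deny .*' as the
    last rule makes that intent visible in the policy itself.
    """
    request = ' '.join(args)
    for candidate in (group, 'DEFAULT'):
        for rule in rules:
            if rule.group == candidate and re.search(rule.pattern, request):
                return (True, dict(rule.reply)) if rule.permit else (False, {})
    return False, {}


# Constructed policy: admins get exec level 15 and any command; everyone
# else gets exec level 1 and may only run 'show' commands.
POLICY = r"""
AuthorizeGroup admins  permit service=shell cmd\* {priv-lvl=15}
AuthorizeGroup admins  permit .*
AuthorizeGroup DEFAULT permit service=shell cmd\* {priv-lvl=1}
AuthorizeGroup DEFAULT permit service=shell cmd=show .*
AuthorizeGroup DEFAULT deny .*
"""

# Constructed requests in TACACS+ argument form: a shell (exec) start sends
# 'cmd*' (optional, empty); a per-command check sends cmd= and cmd-arg= pairs.
EXEC_START = ['service=shell', 'cmd*']
SHOW_VPDN = ['service=shell', 'cmd=show', 'cmd-arg=vpdn', 'cmd-arg=session', 'cmd-arg=<cr>']
CONF_T = ['service=shell', 'cmd=configure', 'cmd-arg=terminal', 'cmd-arg=<cr>']

if __name__ == '__main__':
    rules = parse_rules(POLICY)
    for grp in ('admins', 'ops'):
        for name, args in (('exec', EXEC_START), ('show', SHOW_VPDN), ('conf t', CONF_T)):
            print(f'{grp:7} {name:7} -> {authorize(rules, grp, args)}')
```

Running it shows the split the thread is about: the exec-start request for a non-admin group is permitted with priv-lvl=1, the same group's "show vpdn session" is permitted, and "configure terminal" is denied, while admins get priv-lvl=15 and any command. A group with no rules of its own (here 'ops') falls through to DEFAULT, and the closing deny keeps the policy fail-closed.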

