[RADIATOR] Configuring TACACS+ for V0 clients
Roth, Alfred
Alfred.Roth at avocent.com
Tue Aug 26 19:52:41 CDT 2008
Hi Hugh,
If I understand the manual correctly, all I have to do is add
the Identifier statement and then users which are not in
/etc/radiator/users will authenticate from /etc/passwd without my adding
a Filename statement to <AuthBy FILE>. Is that correct?
Regards,
Al
-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Tuesday, August 26, 2008 5:28 PM
To: Roth, Alfred
Cc: radiator at open.com.au; Silva, Luis
Subject: Re: [RADIATOR] Configuring TACACS+ for V0 clients
Hello Al -
There is a problem in your configuration file - the AuthBy SYSTEM
needs an Identifier so it can be referenced from the AuthBy FILE:
.....
<Realm DEFAULT>
<AuthBy FILE>
Filename %D/users
</AuthBy>
# Log accounting to a detail file
AcctLogFileName %L/detail
</Realm>
<AuthBy SYSTEM>
Identifier System
</AuthBy SYSTEM>
To say what else might be wrong I will need to see the Radiator debug
showing what is happening.
regards
Hugh
On 27 Aug 2008, at 08:41, Roth, Alfred wrote:
> Hi,
>
> We are evaluating Radiator because of its IPv6
> capability, and have confirmed that it works with our appliances
> for the most part. However, we have run into one problem. We need
> to be backward compatible with TACACS+ V0 clients, and I have been
> unable to correctly configure TACACS+ so that we can authenticate
> with users either from the /etc/radiator/users file or the /etc/
> passwd file on our Radiator server. Here is a copy of our
> radius.cfg file:
>
> -------------------------------
>
> # radius.cfg
> #
> # Example Radiator configuration file.
> # This very simple file will allow you to get started with
> # a simple system. You can then add and change features.
> # We suggest you start simple, prove to yourself that it
> # works and then develop a more complicated configuration as required.
> #
> # This example will authenticate from a standard users file in
> # DbDir/users and log accounting to LogDir/detail.
> #
> # It will accept requests from any client and try to handle request
> # for any realm.
> #
> # You should consider this file to be a starting point only
> # $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $
>
> #Foreground
> LogStdout
> LogDir /var/log/radius
> DbDir /etc/radiator
> # Use a low trace level in production systems. Increase
> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
> Trace 5
>
> # Licensing information (Silva & Alfred on Aug 13th)
>
> LicenseMaxRequests 0
> LicenseExpires 2009-08-01
> LicenseOwner Avocent Corporation USA
> # I removed the license key from this email
>
> # IP and port configuration (Silva & Alfred on Aug 13th)
>
> BindAddress 172.26.29.68,127.0.0.1,ipv6:2ffb:2222:3333:4401:290:fbff:fe81:5f9a,ipv6:::1
> AuthPort 1812
> AcctPort 1813
>
> <ServerTACACSPLUS>
>     BindAddress 172.26.29.68,127.0.0.1,ipv6:2ffb:2222:3333:4401:290:fbff:fe81:5f9a,ipv6:::1
>     Port 49
>     Key cyclades-tacacs
> </ServerTACACSPLUS>
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
>     Secret cyclades
>     DupInterval 0
> </Client>
>
> <Realm DEFAULT>
>     <AuthBy FILE>
>         Filename %D/users
>     </AuthBy>
>     # <AuthBy UNIX>
>     #     Identifier System
>     #     Filename /etc/passwd
>     # </AuthBy>
>
>     # Log accounting to a detail file
>     AcctLogFileName %L/detail
> </Realm>
>
> <AuthBy SYSTEM>
>     Auth-Type System
> </AuthBy SYSTEM>
>
> -----------------------------------
>
> Here are the pertinent users from our users file:
>
> u_global User-Ppassword = u_global
>     Service-Type = Framed-User,
>     Framed-Protocol = PPP
>
> u_login Auth-Type = System
>
> ldelpilar Auth-Type = System
>     Service-Type = Framed-User
>     Framed-Protocol = PPP
>
> I am assuming that u_global would authenticate from the users file
> itself, but u_login and/or ldelpilar would authenticate from /etc/
> passwd. I have added the last two users to /etc/passwd on the
> Radiator server. We have the ability to configure our appliance to
> be either a V0 or V1 Client, and have confirmed that it works with
> a freeradius RADIUS server.
>
> Please give me any configuration advice you can, and confirm that
> Radiator works with both types of TACACS+ client.
>
> Regards,
>
> Al Roth
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
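The misconfiguration Hugh points out above is easy to check mechanically: a users-file entry with `Auth-Type = System` is dispatched to the AuthBy clause whose `Identifier` is `System`, so a top-level `<AuthBy SYSTEM>` without an Identifier is unreachable. The linter below is an added example written for this thread, not code from the list or from Radiator. It parses only the subset of radius.cfg syntax seen in the thread (clause tags, `Identifier`, comments), treats the check-item values `Accept`, `Reject` and `Ignore` as built-ins that need no AuthBy, does not model AuthBy clauses nested inside an AuthBy GROUP, and is run over two constructed configs modelled on the posted one (with placeholder secrets) and a users file in the same shape.

```python
"""Check that every Auth-Type named in a Radiator users file resolves to
the Identifier of an AuthBy clause in radius.cfg. Added example for the
mailing-list thread; not part of Radiator and not the poster's code."""
import re

OPEN_TAG = re.compile(r"^<(\w+)\b")
CLOSE_TAG = re.compile(r"^</(\w+)")
IDENTIFIER = re.compile(r"^Identifier\s+(\S+)", re.I)
AUTH_TYPE = re.compile(r'\bAuth-Type\s*=\s*"?([^,"\s]+)', re.I)
SPECIAL_AUTH_TYPES = {"accept", "reject", "ignore"}  # handled by Radiator itself

# Constructed sample input modelled on the thread: the posted layout with
# AuthBy SYSTEM lacking an Identifier, and the corrected version.
BROKEN_CFG = """\
<Realm DEFAULT>
    <AuthBy FILE>
        Filename %D/users          # %D is DbDir
    </AuthBy>
    AcctLogFileName %L/detail
</Realm>
<AuthBy SYSTEM>
    Auth-Type System               # a check item, not a clause name
</AuthBy>
"""
FIXED_CFG = BROKEN_CFG.replace("Auth-Type System ", "Identifier System")

# Constructed users file in the same shape as the one posted. Continuation
# lines (reply items) must be indented; only the first line of an entry
# carries check items such as Auth-Type.
USERS_FILE = """\
u_global  User-Password = "u_global"
          Service-Type = Framed-User,
          Framed-Protocol = PPP

u_login   Auth-Type = System

ldelpilar Auth-Type = System
          Service-Type = Framed-User
"""


def authby_clauses(cfg_text):
    """Return [(authby_type, identifier_or_None, nested)] for every AuthBy
    clause; nested is True when it sits inside a Realm/Handler, where it
    is used directly and needs no Identifier."""
    clauses, depth, current = [], 0, None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = CLOSE_TAG.match(line)
        if m:
            if m.group(1).lower() == "authby":
                if current:
                    clauses.append(tuple(current))
                current = None
            else:
                depth -= 1
            continue
        m = OPEN_TAG.match(line)
        if m:
            if m.group(1).lower() == "authby":
                current = [line[m.end():].strip(" >").upper(), None, depth > 0]
            else:
                depth += 1
            continue
        m = IDENTIFIER.match(line)
        if m and current:
            current[1] = m.group(1)
    return clauses


def referenced_auth_types(users_text):
    """Map each Auth-Type named on an entry's first line to the user names."""
    refs = {}
    for line in users_text.splitlines():
        if not line or line[0].isspace():
            continue
        m = AUTH_TYPE.search(line)
        if m:
            refs.setdefault(m.group(1), []).append(line.split()[0])
    return refs


def lint(cfg_text, users_text):
    """Return a list of problem descriptions; an empty list means the
    users file's Auth-Type references all resolve."""
    clauses = authby_clauses(cfg_text)
    identifiers = {ident: typ for typ, ident, _ in clauses if ident}
    problems = []
    for typ, ident, nested in clauses:
        if ident is None and not nested:
            problems.append(f"<AuthBy {typ}> at top level has no Identifier, "
                            "so nothing can reference it")
    for auth_type, users in referenced_auth_types(users_text).items():
        if auth_type.lower() in SPECIAL_AUTH_TYPES or auth_type in identifiers:
            continue
        problems.append(f"Auth-Type = {auth_type} ({', '.join(users)}) "
                        "names no AuthBy Identifier")
    return problems


if __name__ == "__main__":
    for name, cfg in (("posted", BROKEN_CFG), ("corrected", FIXED_CFG)):
        print(f"{name}: {lint(cfg, USERS_FILE) or 'OK'}")
```

Run stand-alone it reports two problems for the posted layout (the unreachable top-level `<AuthBy SYSTEM>` and the unresolved `Auth-Type = System` for u_login and ldelpilar) and none for the corrected one. Note that the linter only tells you the reference resolves; whether `<AuthBy SYSTEM>` can actually read the system password database still depends on what the Radiator process runs as, which is what the trace 4 debug Hugh asks for will show.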