[RADIATOR] Configuring TACACS+ for V0 clients

Hugh Irvine hugh at open.com.au
Tue Aug 26 23:36:00 CDT 2008 

Hello Al -

There are a number of different ways to configure multiple  
authentication schemes, one of which is what you are using currently.

You can also use an AuthByPolicy:

.....

<Realm DEFAULT>

	AuthByPolicy ContinueUntilAccept
          <AuthBy FILE>
                  Filename %D/users
          </AuthBy>
	<AuthBy SYSTEM>
         	.....
	</AuthBy SYSTEM>

          # Log accounting to a detail file
          AcctLogFileName %L/detail

</Realm>


In what you are doing currently, the "Auth-Type = System" check item  
in the AuthBy FILE means to refer to the AuthBy clause with the  
"Identifier System" in it.

If you want to match all users not explicitly defined in the AuthBy  
FILE, you can use a DEFAULT entry (or use the construct I show above):


u_global User-Ppassword = u_global
         Service-Type = Framed-User,
         Framed-Protocol = PPP

DEFAULT       Auth-Type = System
         Service-Type = Framed-User
         Framed-Protocol = PPP


hope that helps

regards

Hugh


On 27 Aug 2008, at 10:52, Roth, Alfred wrote:

> Hi Hugh,
> 	If I understand the manual correctly, all I have to do is add
> the Identifier statement and then users which are not in
> /etc/radiator/users will authenticate from /etc/passwd without my  
> adding
> a Filename statement to <AuthBy FILE>.  Is that correct?
>
> Regards,
>
> Al
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Tuesday, August 26, 2008 5:28 PM
> To: Roth, Alfred
> Cc: radiator at open.com.au; Silva, Luis
> Subject: Re: [RADIATOR] Configuring TACACS+ for V0 clients
>
>
> Hello Al -
>
> There is a problem in your configuration file - the AuthBy SYSTEM
> needs an Identifier so it can be referenced from the AuthBy FILE:
>
> .....
>
> <Realm DEFAULT>
>          <AuthBy FILE>
>                  Filename %D/users
>          </AuthBy>
>          # Log accounting to a detail file
>          AcctLogFileName %L/detail
> </Realm>
>
> <AuthBy SYSTEM>
>          Identifier System
> </AuthBy SYSTEM>
>
>
> To say what else might be wrong I will need to see the Radiator debug
> showing what is happening.
>
> regards
>
> Hugh
>
>
> On 27 Aug 2008, at 08:41, Roth, Alfred wrote:
>
>> Hi,
>>
>>                 We are evaluating Radiator because of its IPv6
>> capability, and have confirmed that it works with our appliances
>> for the most part.  However, we have run into one problem.  We need
>> to be backward compatible with TACACS+ V0 clients, and I have been
>> unable to correctly configure TACACS+ so that we can authenticate
>> with users either from the /etc/radiator/users file or the /etc/
>> passwd file on our Radiator server.  Here is a copy of our
>> radius.cfg file:
>>
>> -------------------------------
>>
>> # radius.cfg
>>
>> #
>>
>> # Example Radiator configuration file.
>>
>> # This very simple file will allow you to get started with
>>
>> # a simple system. You can then add and change features.
>>
>> # We suggest you start simple, prove to yourself that it
>>
>> # works and then develop a more complicated configuration as  
>> required.
>>
>> #
>>
>> # This example will authenticate from a standard users file in
>>
>> # DbDir/users and log accounting to LogDir/detail.
>>
>> #
>>
>> # It will accept requests from any client and try to handle request
>>
>> # for any realm.
>>
>> #
>>
>> # You should consider this file to be a starting point only
>>
>> # $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $
>>
>>
>>
>> #Foreground
>>
>> LogStdout
>>
>> LogDir          /var/log/radius
>>
>> DbDir           /etc/radiator
>>
>> # Use a low trace level in production systems. Increase
>>
>> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
>>
>> Trace           5
>>
>>
>>
>> # Licensing information (Silva & Alfred on Aug 13th)
>>
>>
>>
>> LicenseMaxRequests 0
>>
>> LicenseExpires 2009-08-01
>>
>> LicenseOwner Avocent Corporation USA
>>
>> # I removed the license key from this email
>>
>>
>>
>> # IP and port configuration (Silva & Alfred on Aug 13th)
>>
>>
>>
>> BindAddress 172.26.29.68,127.0.0.1,ipv6:2ffb:
>> 2222:3333:4401:290:fbff:fe81:5f9a,ipv6:::1
>>
>> AuthPort 1812
>>
>> AcctPort 1813
>>
>>
>>
>> <ServerTACACSPLUS>
>>
>>     BindAddress 172.26.29.68,127.0.0.1,ipv6:2ffb:
>> 2222:3333:4401:290:fbff:fe81:5f9a,ipv6:::1
>>
>>     Port 49
>>
>>     Key cyclades-tacacs
>>
>> </ServerTACACSPLUS>
>>
>>
>>
>> # You will probably want to add other Clients to suit your site,
>>
>> # one for each NAS you want to work with
>>
>> <Client DEFAULT>
>>
>>         Secret  cyclades
>>
>>         DupInterval 0
>>
>> </Client>
>>
>>
>>
>> <Realm DEFAULT>
>>
>>         <AuthBy FILE>
>>
>>                 Filename %D/users
>>
>>         </AuthBy>
>>
>> #       <AuthBy UNIX>
>>
>> #               Identifier System
>>
>> #               Filename /etc/passwd
>>
>> #       </AuthBy>
>>
>>
>>
>>         # Log accounting to a detail file
>>
>>         AcctLogFileName %L/detail
>>
>> </Realm>
>>
>> <AuthBy SYSTEM>
>>
>>         Auth-Type System
>>
>> </AuthBy SYSTEM>
>>
>> -----------------------------------
>>
>>
>>
>> Here are the pertinent users from our users file:
>>
>>
>>
>> u_global User-Ppassword = u_global
>>
>>         Service-Type = Framed-User,
>>
>>         Framed-Protocol = PPP
>>
>>
>>
>>
>>
>> u_login Auth-Type = System
>>
>>
>>
>> ldelpilar       Auth-Type = System
>>
>>         Service-Type = Framed-User
>>
>>         Framed-Protocol = PPP
>>
>>
>>
>> I am assuming that u_global would authenticate from the users file
>> itself, but u_login and/or ldelpilar would authenticate from /etc/
>> passwd.  I have added the last two users to /etc/passwd on the
>> Radiator server.  We have the ability to configure our appliance to
>> be either a V0 or V1 Client, and have confirmed that it works with
>> a freeradius RADIUS server.
>>
>>
>>
>> Please give me any configuration advice you can, and confirm that
>> Radiator works with both types of TACACS+ client.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Al Roth
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/
> radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/ 
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

More information about the radiator mailing list