(RADIATOR) Client Identifier and TACACS
Markus Moeller
huaraz at moeller.plus.com
Sun Feb 3 17:14:07 CST 2008
It helps me understand why it doesn't work, but doesn't give me another option ;-)
Is there any other simple way to add an Attribute depending on the client IP/Name?
Right now I read in the client ip, radius secret/tacacs key and location
details from a file and I thought I could use the same file for radius and
tacacs clients. Is there a lookup option from file somewhere so that I can
read a file and map to an attribute BEFORE selecting a handler?
Or can I do some if then else inside the handler to select some other Auth
Method?
Thank you
Markus
----- Original Message -----
From: "Hugh Irvine" <hugh at open.com.au>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Cc: <radiator at open.com.au>
Sent: Sunday, February 03, 2008 9:35 PM
Subject: Re: (RADIATOR) Client Identifier and TACACS
>
> Hello Markus -
>
> There is some confusion here due to the way TACACS+ is processed by
> Radiator.
>
> In simple terms, the <ServerTACACSPLUS> clause for TACACS+ acts as the
> <Client ...> clause for RADIUS.
>
> In other words, the <Client ...> clause(s) is used for RADIUS requests,
> and the <ServerTACACSPLUS> clause is used for TACACS+ requests.
>
> There is an extension to the <Client ...> clause only to allow different
> TACACSPLUSKey's to be defined for different devices.
>
> However, all TACACS+ requests are received by the <ServerTACACSPLUS>
> clause.
>
> hope that helps
>
> regards
>
> Hugh
>
>
> On 4 Feb 2008, at 01:26, Markus Moeller wrote:
>
>> I have the following configuration :
>>
>> .
>> <ServerTACACSPLUS>
>> .
>> .
>> </ServerTACACSPLUS>
>> .
>> <Client 192.168.1.1>
>> TACACSPLUSkey test
>> Identifier Location1
>> </Client>
>> <Client 192.168.10.1>
>> TACACSPLUSkey test2
>> Identifier Location1
>> </Client>
>> ...
>>
>> <Handler Client-Identifier=Location1>
>> .
>> AuthBy Server1
>> .
>> </Handler>
>>
>> <Handler>
>> .
>> AuthBy GlobalServer
>> .
>> </Handler>
>>
>>
>> but I see in the debug that the Handler with GlobalServer is always
>> selected, not the one with Client-Identifier. Can I use the Identifier
>> only with RADIUS, not with TACACS+?
>>
>> Sun Feb 3 14:16:28 2008: DEBUG: TACACSPLUS derived Radius request
>> packet dump:
>> Code: Access-Request
>> Identifier: UNDEF
>> Authentic: <229><11>kl<238><235><230>^<217>?<228>3l<253><243><128>
>> Attributes:
>> NAS-IP-Address = 192.168.1.1
>> NAS-Port-Id = "tty18"
>> Calling-Station-Id = "192.168.20.1"
>> Service-Type = Login-User
>> Request-Protocol = TACACS+
>> User-Name = "fred"
>> User-Password = test
>>
>> Sun Feb 3 14:16:28 2008: DEBUG: Handling request with Handler ''
>>
>> Is there a way to debug more?
>>
>> Thank you
>> Markus
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
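
Added example (not part of the original thread, and not Radiator code): a small Python parser for the trace 4 debug output quoted above. It pairs each packet dump with the "Handling request with Handler" line that follows it and lists the TACACS+ requests that fell through to the default Handler ''. The sample log is constructed from the lines in the thread plus one constructed RADIUS request; the "Packet dump:" header used for that request, and treating a dump without Request-Protocol as RADIUS, are assumptions.

```python
import re

# Constructed sample: the first request is rebuilt from the debug output quoted
# in the thread; the second (plain RADIUS) request is constructed for contrast.
SAMPLE_LOG = """\
Sun Feb 3 14:16:28 2008: DEBUG: TACACSPLUS derived Radius request packet dump:
Code: Access-Request
Attributes:
\tNAS-IP-Address = 192.168.1.1
\tRequest-Protocol = TACACS+
\tUser-Name = "fred"
\tUser-Password = test

Sun Feb 3 14:16:28 2008: DEBUG: Handling request with Handler ''
Sun Feb 3 14:20:00 2008: DEBUG: Packet dump:
Code: Access-Request
Attributes:
\tNAS-IP-Address = 192.168.10.1
\tUser-Name = "fred"

Sun Feb 3 14:20:00 2008: DEBUG: Handling request with Handler 'Client-Identifier=Location1'
"""

DUMP = re.compile(r"DEBUG: .*packet dump:\s*$", re.IGNORECASE)
HANDLER = re.compile(r"DEBUG: Handling request with Handler '(.*)'\s*$")
ATTR = re.compile(r"^\s*([A-Za-z][\w-]*) = \"?(.*?)\"?\s*$")

def parse_trace(log):
    """Pair each packet dump with the Handler line that follows it."""
    records, attrs = [], None
    for line in log.splitlines():
        if DUMP.search(line):
            attrs = {}                      # a new request starts here
        elif (m := HANDLER.search(line)) and attrs is not None:
            records.append({                # User-Password is deliberately not kept
                "nas": attrs.get("NAS-IP-Address"),
                "user": attrs.get("User-Name"),
                # Assumption: a dump without Request-Protocol is plain RADIUS.
                "protocol": attrs.get("Request-Protocol", "RADIUS"),
                "handler": m.group(1),
            })
            attrs = None
        elif attrs is not None and (m := ATTR.match(line)):
            attrs[m.group(1)] = m.group(2)
    return records

def default_handler_hits(records, protocol="TACACS+"):
    """Requests of the given protocol that were handled by the default Handler ''."""
    return [r for r in records if r["protocol"] == protocol and r["handler"] == ""]
```

Calling `default_handler_hits(parse_trace(SAMPLE_LOG))` returns the one TACACS+ request from 192.168.1.1, which is the case described in the thread.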