(RADIATOR) Client Identifier and TACACS
Hugh Irvine
hugh at open.com.au
Sun Feb 3 17:25:34 CST 2008
Hello Markus -
You can use a PreHandlerHook in the ServerTACACSPLUS clause to do
whatever you need to.
See the examples in "goodies/hooks.txt".
regards
Hugh
On 4 Feb 2008, at 10:14, Markus Moeller wrote:
> It helps understand why it doesn't work, but doesn't give me
> another option ;-)
>
> Is there any other simple way to add an Attribute depending on the
> client IP/Name ?
> Right now I read in the client ip, radius secret/tacacs key and
> location details from a file and I thought I could use the same
> file for radius and tacacs clients. Is there a lookup option from
> file somewhere so that I can read a file and map to an attribute
> BEFORE selecting a handler ?
>
> Or can I do some if then else inside the handler to select some
> other Auth Method ?
>
> Thank you
> Markus
>
> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Cc: <radiator at open.com.au>
> Sent: Sunday, February 03, 2008 9:35 PM
> Subject: Re: (RADIATOR) Client Identifier and TACACS
>
>
>>
>> Hello Markus -
>>
>> There is some confusion here due to the way TACACS+ is processed
>> by Radiator.
>>
>> In simple terms, the <ServerTACACSPLUS> clause for TACACS+ acts
>> as the <Client ...> clause for RADIUS.
>>
>> In other words, the <Client ...> clause(s) is used for RADIUS
>> requests, and the <ServerTACACSPLUS> clause is used for TACACS+
>> requests.
>>
>> There is an extension to the <Client ...> clause only to allow
>> different TACACSPLUSKey's to be defined for different devices.
>>
>> However, all TACACS+ requests are received by the
>> <ServerTACACSPLUS> clause.
>>
>> hope that helps
>>
>> regards
>>
>> Hugh
>>
>>
>> On 4 Feb 2008, at 01:26, Markus Moeller wrote:
>>
>>> I have the following configuration :
>>>
>>> .
>>> <ServerTACACSPLUS>
>>> .
>>> .
>>> </ServerTACACSPLUS>
>>> .
>>> <Client 192.168.1.1>
>>> TACACSPLUSkey test
>>> Identifier Location1
>>> </Client>
>>> <Client 192.168.10.1>
>>> TACACSPLUSkey test2
>>> Identifier Location1
>>> </Client>
>>> ...
>>>
>>> <Handler Client-Identifier=Location1>
>>> .
>>> AuthBy Server1
>>> .
>>> </Handler>
>>>
>>> <Handler>
>>> .
>>> AuthBy GlobalServer
>>> .
>>> </Handler>
>>>
>>>
>>> but I see in the debug output that the Handler with GlobalServer
>>> is always selected, not the one with Client-Identifier. Can I use
>>> the Identifier only with RADIUS, not with TACACS+?
>>>
>>> Sun Feb 3 14:16:28 2008: DEBUG: TACACSPLUS derived Radius
>>> request packet dump:
>>> Code: Access-Request
>>> Identifier: UNDEF
>>> Authentic: <229><11>kl<238><235><230>^<217>?<228>3l<253><243><128>
>>> Attributes:
>>> NAS-IP-Address = 192.168.1.1
>>> NAS-Port-Id = "tty18"
>>> Calling-Station-Id = "192.168.20.1"
>>> Service-Type = Login-User
>>> Request-Protocol = TACACS+
>>> User-Name = "fred"
>>> User-Password = test
>>>
>>> Sun Feb 3 14:16:28 2008: DEBUG: Handling request with Handler ''
>>>
>>> Is there a way to debug more ?
>>>
>>> Thank you
>>> Markus
>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive
>> (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>> Have you checked the RadiusExpert wiki:
>> http://www.open.com.au/wiki/index.php/Main_Page
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> Includes support for reliable RADIUS transport (RadSec),
>> and DIAMETER translation agent.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
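A sketch of the PreHandlerHook approach suggested in the reply, added here as an example; it is not code from the thread or from goodies/hooks.txt. The file paths, the map file format and the `X-Client-Location` attribute name are assumptions, and the hook relies on NAS-IP-Address carrying the device address as in the debug dump above.

```perl
# Hook file loaded from the <ServerTACACSPLUS> clause, for example:
#   PreHandlerHook file:"/etc/radiator/tacacs-location-hook.pl"   (hypothetical path)
# A Handler can then select on the added attribute (hypothetical name):
#   <Handler X-Client-Location=Location1> ... AuthBy Server1 ... </Handler>
# Assumed map file format, one device per line:  <ip> <location>
use strict;
use warnings;

my $MAP_FILE = '/etc/radiator/client-locations.txt';   # hypothetical path
my (%location, $mtime);

# Reload the map only when the file has changed on disk.
sub load_locations {
    my @st = stat($MAP_FILE) or return;        # keep the old map if the file is missing
    return if defined $mtime && $st[9] == $mtime;
    open(my $fh, '<', $MAP_FILE) or return;
    my %new;
    while (my $line = <$fh>) {
        $line =~ s/#.*//;                      # strip comments
        my ($ip, $loc) = split ' ', $line;
        next unless defined $loc;
        # Accept only dotted-quad keys and conservative location names,
        # so a malformed line cannot inject an unexpected handler selector.
        next unless $ip =~ /^\d{1,3}(?:\.\d{1,3}){3}$/ && $loc =~ /^[\w.-]+$/;
        $new{$ip} = $loc;
    }
    close $fh;
    %location = %new;
    $mtime    = $st[9];
}

# The hook: Radiator passes a reference to the current request.
sub {
    my $p = ${ $_[0] };
    load_locations();
    my $ip = $p->get_attr('NAS-IP-Address');
    # Unknown devices get no attribute and fall through to the default <Handler>.
    return unless defined $ip && exists $location{$ip};
    $p->add_attr('X-Client-Location', $location{$ip});
    return;
};
```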