(RADIATOR) Client Identifier and TACACS

Markus Moeller huaraz at moeller.plus.com
Sun Feb 3 18:35:21 CST 2008


OK. That works but isn't very elegant as I need to read the clients file for 
each request instead of having it hard coded with the <clients xxx> details 
like it is now for Radius.

Markus


----- Original Message ----- 
From: "Hugh Irvine" <hugh at open.com.au>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Cc: <radiator at open.com.au>
Sent: Sunday, February 03, 2008 11:25 PM
Subject: Re: (RADIATOR) Client Identifier and TACACS


>
> Hello Markus -
>
> You can use a PreHandlerHook in the ServerTACACSPLUS clause to do 
> whatever you need to.
>
> See the examples in "goodies/hooks.txt".
>
> regards
>
> Hugh
>
>
>
> On 4 Feb 2008, at 10:14, Markus Moeller wrote:
>
>> It helps understand why it doesn't work, but doesn't give me another
>> option ;-)
>>
>> Is there any other simple way to add an Attribute depending on the
>> client IP/Name?
>> Right now I read in the client ip, radius secret/tacacs key and location
>> details from a file and I thought I could use the same file for radius
>> and tacacs clients. Is there a lookup option from file somewhere so that
>> I can read a file and map to an attribute BEFORE selecting a handler?
>>
>> Or can I do some if then else inside the handler to select some other
>> Auth Method?
>>
>> Thank you
>> Markus
>>
>> ----- Original Message -----
>> From: "Hugh Irvine" <hugh at open.com.au>
>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>> Cc: <radiator at open.com.au>
>> Sent: Sunday, February 03, 2008 9:35 PM
>> Subject: Re: (RADIATOR) Client Identifier and TACACS
>>
>>
>>>
>>> Hello Markus -
>>>
>>> There is some confusion here due to the way TACACS+ is processed by
>>> Radiator.
>>>
>>> In simple terms, the <ServerTACACSPLUS> clause for TACACS+ acts as the
>>> <Client ...> clause for RADIUS.
>>>
>>> In other words, the <Client ...> clause(s) is used for RADIUS
>>> requests, and the <ServerTACACSPLUS> clause is used for TACACS+
>>> requests.
>>>
>>> There is an extension to the <Client ...> clause only to allow
>>> different TACACSPLUSKey's to be defined for different devices.
>>>
>>> However, all TACACS+ requests are received by the <ServerTACACSPLUS>
>>> clause.
>>>
>>> hope that helps
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 4 Feb 2008, at 01:26, Markus Moeller wrote:
>>>
>>>> I have the following configuration :
>>>>
>>>> .
>>>> <ServerTACACSPLUS>
>>>> .
>>>> .
>>>> </ServerTACACSPLUS>
>>>> .
>>>> <Client 192.168.1.1>
>>>>     TACACSPLUSkey test
>>>>     Identifier Location1
>>>> </Client>
>>>> <Client 192.168.10.1>
>>>>     TACACSPLUSkey test2
>>>>     Identifier Location1
>>>> </Client>
>>>> ...
>>>>
>>>> <Handler Client-Identifier=Location1>
>>>> .
>>>>   AuthBy Server1
>>>> .
>>>> </Handler>
>>>>
>>>> <Handler>
>>>> .
>>>>  AuthBy GlobalServer
>>>> .
>>>> </Handler>
>>>>
>>>>
>>>> but I see in the debug that the Handler with GlobalServer is always
>>>> selected, not the one with Client-Identifier. Can I use the Identifier
>>>> only with Radius, not with TACACS+?
>>>>
>>>> Sun Feb  3 14:16:28 2008: DEBUG: TACACSPLUS derived Radius request packet dump:
>>>> Code:       Access-Request
>>>> Identifier: UNDEF
>>>> Authentic:  <229><11>kl<238><235><230>^<217>?<228>3l<253><243><128>
>>>> Attributes:
>>>>         NAS-IP-Address = 192.168.1.1
>>>>         NAS-Port-Id = "tty18"
>>>>         Calling-Station-Id = "192.168.20.1"
>>>>         Service-Type = Login-User
>>>>         Request-Protocol = TACACS+
>>>>         User-Name = "fred"
>>>>         User-Password = test
>>>>
>>>> Sun Feb  3 14:16:28 2008: DEBUG: Handling request with Handler ''
>>>>
>>>> Is there a way to debug more?
>>>>
>>>> Thank you
>>>> Markus
>>>
>>>
>>>
>>> NB:
>>>
>>> Have you read the reference manual ("doc/ref.html")?
>>> Have you searched the mailing list archive
>>> (www.open.com.au/archives/radiator)?
>>> Have you had a quick look on Google (www.google.com)?
>>> Have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>> Have you checked the RadiusExpert wiki:
>>> http://www.open.com.au/wiki/index.php/Main_Page
>>>
>>> -- 
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>> Includes support for reliable RADIUS transport (RadSec),
>>> and DIAMETER translation agent.
>>> -
>>> Nets: internetwork inventory and management - graphical, extensible,
>>> flexible with hardware, software, platform and database independence.
>>> -
>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>
>>>
>>> --
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
> 
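
Added example, not part of the thread and not taken from Radiator's goodies: a PreHandlerHook body of the kind suggested above that maps NAS-IP-Address to a location attribute and re-reads the clients file only when it has changed, instead of on every request. The file layout (ip,key,location), the attribute name X-Location and the MockRequest stand-in are assumptions, as is the hook being called with a reference to a request object that offers get_attr and add_attr.

```perl
use strict;
use warnings;
use File::Temp qw(tempfile);

my (%location, $loaded_mtime, $last_check, $clients_file);

# Re-read the clients file only when its mtime changes, and stat it at most
# once every 30 seconds, so a normal request costs one hash lookup.
sub load_clients {
    return if defined $last_check && time - $last_check < 30;
    $last_check = time;
    my $mtime = (stat $clients_file)[9];
    return if !defined $mtime || (defined $loaded_mtime && $mtime == $loaded_mtime);
    open my $fh, '<', $clients_file or return;    # unreadable: keep the old map
    my %new;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(?:#.*)?$/;         # skip blanks and comments
        my ($ip, undef, $loc) = split /\s*,\s*/, $line;   # key column not needed here
        $new{$ip} = $loc if defined $loc && length $loc;
    }
    close $fh;
    %location     = %new;
    $loaded_mtime = $mtime;
}

# Hook body (assumption: called with a reference to the request object).
my $hook = sub {
    my $p = ${ $_[0] };
    load_clients();
    my $loc = $location{ $p->get_attr('NAS-IP-Address') // '' };
    $p->add_attr('X-Location', $loc) if defined $loc;   # hypothetical attribute
};

# Stand-in for the request object so the example runs outside Radiator.
package MockRequest;
sub new      { my ($class, %attrs) = @_; return bless {%attrs}, $class }
sub get_attr { return $_[0]{ $_[1] } }
sub add_attr { $_[0]{ $_[1] } = $_[2]; return }
package main;
# Constructed sample file using the addresses and keys quoted in the thread.
(my $fh, $clients_file) = tempfile(UNLINK => 1);
print {$fh} "192.168.1.1,test,Location1\n192.168.10.1,test2,Location1\n";
close $fh;
for my $ip ('192.168.1.1', '10.9.9.9') {
    my $p = MockRequest->new('NAS-IP-Address' => $ip);
    $hook->(\$p);
    printf "%-12s -> %s\n", $ip, $p->get_attr('X-Location') // 'no attribute added';
}
```

A device that is not in the file gets no attribute, so its requests fall through to the default Handler; that Handler should be the most restrictive one.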
