(RADIATOR) Client Identifier and TACACS

Hugh Irvine hugh at open.com.au
Sun Feb 3 20:24:43 CST 2008


Hello Markus -

You don't need to read the file for every request, you just need to  
look at the corresponding Client structure in memory.

Otherwise you can use a StartupHook to read things into memory and  
access the data there.

There are a few things we would like to do with the Client clause(s),  
but it will probably need to wait until Radiator 5.

regards

Hugh



On 4 Feb 2008, at 11:35, Markus Moeller wrote:

> OK. That works but isn't very elegant as I need to read the clients  
> file for each request instead of having it hard coded with the  
> <clients xxx> details like it is now for Radius.
>
> Markus
>
>
> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Cc: <radiator at open.com.au>
> Sent: Sunday, February 03, 2008 11:25 PM
> Subject: Re: (RADIATOR) Client Identifier and TACACS
>
>
>>
>> Hello Markus -
>>
>> You can use a PreHandlerHook in the ServerTACACSPLUS clause to do  
>> whatever you need to.
>>
>> See the examples in "goodies/hooks.txt".
>>
>> regards
>>
>> Hugh
>>
>>
>>
>> On 4 Feb 2008, at 10:14, Markus Moeller wrote:
>>
>>> It helps understand why it doesn't work, but doesn't give me
>>> another option ;-)
>>>
>>> Is there any other simple way to add an Attribute depending on
>>> the client IP/Name?
>>> Right now I read in the client ip, radius secret/tacacs key and
>>> location details from a file and I thought I could use the same
>>> file for radius and tacacs clients. Is there a lookup option
>>> from file somewhere so that I can read a file and map to an
>>> attribute BEFORE selecting a handler?
>>>
>>> Or can I do some if then else inside the handler to select some
>>> other Auth Method?
>>>
>>> Thank you
>>> Markus
>>>
>>> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
>>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>>> Cc: <radiator at open.com.au>
>>> Sent: Sunday, February 03, 2008 9:35 PM
>>> Subject: Re: (RADIATOR) Client Identifier and TACACS
>>>
>>>
>>>>
>>>> Hello Markus -
>>>>
>>>> There is some confusion here due to the way TACACS+ is
>>>> processed by Radiator.
>>>>
>>>> In simple terms, the <ServerTACACSPLUS> clause for TACACS+ acts
>>>> as the <Client ...> clause for RADIUS.
>>>>
>>>> In other words, the <Client ...> clause(s) is used for RADIUS
>>>> requests, and the <ServerTACACSPLUS> clause is used for TACACS+
>>>> requests.
>>>>
>>>> There is an extension to the <Client ...> clause only to allow
>>>> different TACACSPLUSKey's to be defined for different devices.
>>>>
>>>> However, all TACACS+ requests are received by the
>>>> <ServerTACACSPLUS> clause.
>>>>
>>>> hope that helps
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 4 Feb 2008, at 01:26, Markus Moeller wrote:
>>>>
>>>>> I have the following configuration :
>>>>>
>>>>> .
>>>>> <ServerTACACSPLUS>
>>>>> .
>>>>> .
>>>>> </ServerTACACSPLUS>
>>>>> .
>>>>> <Client 192.168.1.1>
>>>>>     TACACSPLUSkey test
>>>>>     Identifier Location1
>>>>> </Client>
>>>>> <Client 192.168.10.1>
>>>>>     TACACSPLUSkey test2
>>>>>     Identifier Location1
>>>>> </Client>
>>>>> ...
>>>>>
>>>>> <Handler Client-Identifier=Location1>
>>>>> .
>>>>>   AuthBy Server1
>>>>> .
>>>>> </Handler>
>>>>>
>>>>> <Handler>
>>>>> .
>>>>>  AuthBy GlobalServer
>>>>> .
>>>>> </Handler>
>>>>>
>>>>>
>>>>> but I see on the debug that always the Handler with
>>>>> GlobalServer is selected not the one with Client-identifier.
>>>>> Can I use the Identifier only with Radius not with TACACS+?
>>>>>
>>>>> Sun Feb  3 14:16:28 2008: DEBUG: TACACSPLUS derived Radius   
>>>>> request packet dump:
>>>>> Code:       Access-Request
>>>>> Identifier: UNDEF
>>>>> Authentic:  <229><11>kl<238><235><230>^<217>? 
>>>>> <228>3l<253><243><128>
>>>>> Attributes:
>>>>>         NAS-IP-Address = 192.168.1.1
>>>>>         NAS-Port-Id = "tty18"
>>>>>         Calling-Station-Id = "192.168.20.1"
>>>>>         Service-Type = Login-User
>>>>>         Request-Protocol = TACACS+
>>>>>         User-Name = "fred"
>>>>>         User-Password = test
>>>>>
>>>>> Sun Feb  3 14:16:28 2008: DEBUG: Handling request with Handler ''
>>>>>
>>>>> Is there a way to debug more ?
>>>>>
>>>>> Thank you
>>>>> Markus
>>>>
>>>>
>>>>
>>>> NB:
>>>>
>>>> Have you read the reference manual ("doc/ref.html")?
>>>> Have you searched the mailing list archive
>>>> (www.open.com.au/archives/radiator)?
>>>> Have you had a quick look on Google (www.google.com)?
>>>> Have you included a copy of your configuration file (no secrets),
>>>> together with a trace 4 debug showing what is happening?
>>>> Have you checked the RadiusExpert wiki:
>>>> http://www.open.com.au/wiki/index.php/Main_Page
>>>>
>>>> -- 
>>>> Radiator: the most portable, flexible and configurable RADIUS  
>>>> server
>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>> Includes support for reliable RADIUS transport (RadSec),
>>>> and DIAMETER translation agent.
>>>> -
>>>> Nets: internetwork inventory and management - graphical,  
>>>> extensible,
>>>> flexible with hardware, software, platform and database  
>>>> independence.
>>>> -
>>>> CATool: Private Certificate Authority for Unix and Unix-like  
>>>> systems.
>>>>
>>>>
>>>> --
>>>> Archive at http://www.open.com.au/archives/radiator/
>>>> Announcements on radiator-announce at open.com.au
>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>> 'unsubscribe radiator' in the body of the message.
>>
>>
>>



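The approach suggested in this thread (load the client map once at startup, then tag each TACACS+-derived request before handler selection), as an added example that is not part of the original messages or of Radiator's goodies/hooks.txt. It assumes the hook is passed a reference to the request and that the request offers get_attr/add_attr; the X-Location attribute, the map format and the MockRequest stand-in are hypothetical.

```perl
use strict;
use warnings;

# Assumed Radiator wiring (not shown in the thread): load_locations() runs
# from a StartupHook, tag_location() is the PreHandlerHook inside
# <ServerTACACSPLUS>, and <Handler X-Location=Location1> selects on the
# hypothetical X-Location attribute instead of Client-Identifier.

our %tacacs_location;    # client IP -> location, held in memory

# Parse "ip location" lines once at startup, not per request.
sub load_locations {
    my ($fh) = @_;
    %tacacs_location = ();
    while (my $line = <$fh>) {
        next if $line =~ /^\s*(?:#|$)/;           # skip comments and blanks
        my ($ip, $loc) = split ' ', $line;
        next unless defined $loc && $ip =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
        $tacacs_location{$ip} = $loc;
    }
    return scalar keys %tacacs_location;
}

# Hook body: the hook receives a reference to the request object.
sub tag_location {
    my $p  = ${ $_[0] };
    my $ip = $p->get_attr('NAS-IP-Address');
    return unless defined $ip && exists $tacacs_location{$ip};
    $p->add_attr('X-Location', $tacacs_location{$ip});
    return;    # unknown clients stay untagged and reach the default <Handler>
}

# Constructed stand-in for the request object so this runs outside Radiator.
package MockRequest;
sub new      { my ($class, %attrs) = @_; return bless {%attrs}, $class }
sub get_attr { return $_[0]{ $_[1] } }
sub add_attr { $_[0]{ $_[1] } = $_[2]; return }

package main;
# Constructed sample map using the two client addresses from the thread.
my $map = "192.168.1.1 Location1\n192.168.10.1 Location1\n";
open my $fh, '<', \$map or die "cannot open in-memory map: $!";
load_locations($fh);
for my $ip ('192.168.1.1', '10.9.9.9') {
    my $p = MockRequest->new('NAS-IP-Address' => $ip);
    tag_location(\$p);
    printf "%s -> %s\n", $ip, $p->get_attr('X-Location') // 'default handler';
}
```

Inside Radiator only the two subs are needed; the MockRequest package and the final loop exist to exercise them offline.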