(RADIATOR) enable privilege levels for TACACS+ server
Markus Moeller
huaraz at moeller.plus.com
Tue Jan 29 18:33:51 CST 2008
My config is:
LogDir /var/log/radius
DbDir /etc/raddb
<ServerTACACSPLUS>
Key cisco
GroupMemberAttr TEST-GROUP
AuthorizeGroup all permit service=shell
AuthorizeGroup all permit service=exec cmd=.* cmd-arg=.*
AuthorizeGroup console deny service=shell
AuthorizeGroup reject permitreplace service=exec status=fail
AuthorizeGroup readonly permit service=shell cmd=enable cmd-args=.*
AuthorizeGroup readonly permit service=shell cmd=exit cmd-args=.*
AuthorizeGroup readonly deny service=shell cmd=show cmd-args=run.*
AuthorizeGroup readonly deny service=shell cmd=show cmd-args=start.*
AuthorizeGroup readonly permit service=shell cmd=show cmd-args=.*
AuthorizeGroup readonly permit service=shell cmd=write cmd-args=terminal
AuthorizeGroup readonly deny service=shell
AddToRequest Request-Protocol=TACACS+
</ServerTACACSPLUS>
<Client DEFAULT>
Secret thesharedsecret
</Client>
<Client localhost>
Secret mysecret
DupInterval 0
</Client>
<AuthBy PAM>
Identifier PAMAuthentication
Service radiusd
</AuthBy>
<AuthBy LDAP2>
Identifier LDAPAuthorisation
Host 192.168.3.1
Port 636
AuthDN uid=ldapAdmin,dc=example,dc=com
AuthPassword pass
BaseDN dc=example,dc=com
SearchFilter (%0=%1)
UsernameAttr uid
PasswordAttr
NoCheckPassword
HoldServerConnection
AuthAttrDef radiusaccount,R-ACCOUNT,request
AuthAttrDef tacacsaccount,T-ACCOUNT,request
AuthAttrDef tacacsgroup,TEST-GROUP,reply
UseSSL
SSLCAPath /etc/certs
SSLVerify none
Version 3
</AuthBy>
<AuthBy FILE>
Identifier UserFilter
Filename %D/users
</AuthBy>
<Handler Service-Type=Administrative-User>
AuthBy UserFilter
AcctLogFileName %L/detail
</Handler>
<Handler User-Name=admin>
AuthBy UserFilter
AcctLogFileName %L/detail
</Handler>
<Handler>
AuthByPolicy ContinueUntilReject
AuthBy LDAPAuthorisation
AuthBy UserFilter
AuthBy PAMAuthentication
AcctLogFileName %L/detail
</Handler>
and users is:
admin User-Password={clear}pass1
TEST-GROUP=all
DEFAULT
Service-Type=Administrative-User,Privilege-Level=15,User-Password={clear}cisco
TEST-GROUP=all
DEFAULT
Service-Type=Administrative-User,Privilege-Level=5,User-Password={clear}notcisco
TEST-GROUP=readonly
DEFAULT T-ACCOUNT="Y",Request-Protocol="TACACS+"
DEFAULT R-ACCOUNT="Y",Request-Protocol=
TACACS+ requests/replies when using enable:
Decrypted Request
Action: Inbound Login
Privilege Level: 15
Authentication type: ASCII
Service: ENABLE
User len: 6
User: fred
Port len: 5
Port: tty18
Remaddr len: 12
Remote Address: 192.168.1.1
Data: 0 (not used)
Decrypted Reply
Status: 0x5 (Send Password)
Flags: 0x01 (NoEcho)
Server message length: 10
Server message: Password:
Data length: 0
Decrypted Request
Flags: 0x00
User length: 6
User: XXX
Data length: 0
Decrypted Reply
Status: 0x2 (Authentication Failed)
Flags: 0x00
Server message length: 14
Server message: Request Denied
Data length: 0
Received Radiator logging (a change from Service-Type = Login-User to
Service-Type = Administrative-User):
Attributes:
NAS-IP-Address = 192.168.2.1
NAS-Port-Id = "tty18"
Calling-Station-Id = "192.168.1.1"
Service-Type = Administrative-User
User-Name = "fred"
User-Password = XXX
I also tried enable 5, which in TACACS+ means user enable5, and in the TACACS+
request you get:
Privilege Level: 5
Authentication type: ASCII
Service: ENABLE
but Radiator still logs the same attribute list (so no differentiation
between enable 1, enable 5 or enable 15 ...):
Attributes:
NAS-IP-Address = 192.168.2.1
NAS-Port-Id = "tty18"
Calling-Station-Id = "192.168.1.1"
Service-Type = Administrative-User
User-Name = "fred"
User-Password = XXX
Markus
----- Original Message -----
From: "Hugh Irvine" <hugh at open.com.au>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Cc: <radiator at open.com.au>
Sent: Tuesday, January 29, 2008 10:40 PM
Subject: Re: (RADIATOR) enable privilege levels for TACACS+ server
>
> Hello Markus -
>
> Could you please send me a copy of your configuration file together with
> a trace 4 debug from Radiator showing what is happening?
>
> regards
>
> Hugh
>
>
> On 30 Jan 2008, at 09:17, Markus Moeller wrote:
>
>> I am trying to run the TACACS+ server in addition to the RADIUS server. On a
>> Cisco router you can get into different privilege levels by using enable
>> #, where # is a number between 1 and 15. On a normal TACACS+ server this
>> corresponds to users enable#, e.g. 15 different users and passwords.
>>
>> The Tacacs+ client sends among others the following AV pairs
>>
>> Service = ENABLE
>> Privilege Level = #
>> User-name = fred
>> User-password = fred
>>
>> In the Radiator log I can only see among others the following
>> attributes:
>>
>> Service-Type = Administrative-Login
>> User-name = fred
>> User-password = fred
>>
>> The Service Type changes from User-Login to Administrative-Login, but I
>> can't identify the privilege level attribute?
>>
>> How can I get access to the privilege level attribute from TACACS+?
>>
>> Thank you
>> Markus
>>
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/
> radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Radiator.log
Type: application/octet-stream
Size: 13539 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20080130/a1291431/attachment.obj>
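As an added illustration that is not part of this thread or of Radiator: a small Python decoder for the TACACS+ authentication START body (RFC 8907), showing that the level requested with `enable #` travels as its own priv_lvl byte next to the ENABLE service byte, exactly as the decrypted request above displays, and how the body is de-obfuscated with the shared key before parsing. The session id is constructed; the key `cisco` is the Key from the configuration above, and the user, port and address mirror the request in the mail.

```python
import hashlib
import struct

# Constants from RFC 8907; the sample values below mirror the decrypted request in the mail.
AUTHEN_LOGIN, AUTHEN_TYPE_ASCII, AUTHEN_SVC_ENABLE = 0x01, 0x01, 0x02
SERVICE_NAMES = {0x00: "NONE", 0x01: "LOGIN", 0x02: "ENABLE", 0x03: "PPP"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained-MD5 keystream that obfuscates every TACACS+ body (RFC 8907 section 4.5)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def unobfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; symmetric, so the same call also obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def parse_authen_start(body):
    """Return the fixed fields and the variable-length user/port/rem_addr/data fields."""
    if len(body) < 8:
        raise ValueError("START body shorter than its 8 fixed bytes")
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = body[:8]
    if len(body) != 8 + ulen + plen + rlen + dlen:
        raise ValueError("length fields disagree with body size")  # truncated or padded
    fields, off = {}, 8
    for name, n in (("user", ulen), ("port", plen), ("rem_addr", rlen), ("data", dlen)):
        fields[name] = body[off:off + n]
        off += n
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": SERVICE_NAMES.get(service, hex(service)),
            "user": fields["user"].decode(), "port": fields["port"].decode(),
            "rem_addr": fields["rem_addr"].decode(), "data": fields["data"]}

def build_authen_start(priv_lvl, user, port, rem_addr, service=AUTHEN_SVC_ENABLE):
    """Constructed START body for an ASCII login; priv_lvl carries the 'enable #' level."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = bytes([AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII, service, len(u), len(p), len(r), 0])
    return fixed + u + p + r

# Constructed session id; key 'cisco' is the Key from the config; user/port/address as on the page.
SESSION_ID, KEY, VERSION, SEQ_NO = 0x1A2B3C4D, b"cisco", 0xC0, 1
CLEAR = build_authen_start(15, "fred", "tty18", "192.168.1.1")
WIRE = unobfuscate(CLEAR, SESSION_ID, KEY, VERSION, SEQ_NO)   # what crosses the network
DECODED = parse_authen_start(unobfuscate(WIRE, SESSION_ID, KEY, VERSION, SEQ_NO))
```

Building the same body with priv_lvl 5 instead of 15 changes only that one byte, which is the distinction the Radiator attribute list above does not carry.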