[RADIATOR] Cisco http server with tacacs+ authentication problem
Markus Moeller
huaraz at moeller.plus.com
Mon Jul 7 15:18:28 CDT 2008
Hi
I am trying to set up tacacs+ authentication/authorization for the http server on a cisco 7200. I read (http://www.cisco.com/warp/public/480/http-1.pdf) that I need to return a priv-lvl=15 (not sure if during the authentication reply or the authorization reply). I tried to add a reply attribute to both, but looking at a decrypted wireshark trace I don't see the reply attribute with the replies. Is that not implemented for tacacs+ requests?
Thank you
Markus
Config file:
<ServerTACACSPLUS>
#
# Attribute for Tacacs Group
#
GroupMemberAttr Group-Name
#
# cisco group permissions
#
AuthorizeGroup ciscoadmin permit service=shell
AuthorizeGroup ciscoadmin permit service=exec cmd=.* cmd-arg=.* {cisco-avpair="priv-lvl=15"}
</ServerTACACSPLUS>
<AuthBy FILE>
Identifier UserAuth
Filename %D/Users
</AuthBy>
<Handler>
AuthBy UserAuth
PostProcessingHook file:"/etc/radiator/set_authorize_group.pl"
AcctLogFileName %L/accounting-%d-%v-%Y.log
</Handler>
Users file:
markus User-Password=markus
cisco-avpair="priv-lvl=15"
Log output:
Mon Jul 7 21:00:21 2008: DEBUG: New TacacsplusConnection created for 192.168.1.200:11198
Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 4271424462, 23
Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for , tty2, 192.168.1.8
Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection Authentication REPLY 4, 0, Username: ,
Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 4271424462, 11
Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection Authentication CONTINUE 0, markus,
Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 4271424462, 11
Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection Authentication CONTINUE 0, markus,
Mon Jul 7 21:00:21 2008: DEBUG: TACACSPLUS derived Radius request packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: J<140><156><235><243><225>P<166>6<2><29>Pk<157>B&
Attributes:
NAS-IP-Address = 192.168.1.200
NAS-Port-Id = "tty2"
Calling-Station-Id = "192.168.1.8"
Service-Type = Login-User
User-Name = "markus"
User-Password = markus
Mon Jul 7 21:00:21 2008: DEBUG: Handling request with Handler ''
Mon Jul 7 21:00:21 2008: DEBUG: Deleting session for markus, 192.168.1.200,
Mon Jul 7 21:00:21 2008: DEBUG: Handling with Radius::AuthFILE: UserAuth
Mon Jul 7 21:00:21 2008: DEBUG: Radius::AuthFILE looks for match with markus [markus]
Mon Jul 7 21:00:21 2008: DEBUG: Radius::AuthFILE ACCEPT: : markus [markus]
Mon Jul 7 21:00:21 2008: DEBUG: AuthBy FILE result: ACCEPT,
Mon Jul 7 21:00:21 2008: DEBUG: Access accepted for markus
Mon Jul 7 21:00:21 2008: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code: Access-Accept
Identifier: UNDEF
Authentic: J<140><156><235><243><225>P<166>6<2><29>Pk<157>B&
Attributes:
Group-Name = ciscoadmin
Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection result Access-Accept
Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection disconnected from 192.168.1.200:11198
Mon Jul 7 21:00:21 2008: DEBUG: New TacacsplusConnection created for 192.168.1.200:11199
Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 1922248824, 48
Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection Authorization REQUEST 6, 0, 1, 1, markus, tty2, 192.168.1.8, 2, service=shell cmd*
Mon Jul 7 21:00:21 2008: DEBUG: AuthorizeGroup rule match found: permit service=shell { }
Mon Jul 7 21:00:21 2008: INFO: Authorization permitted for markus, group ciscoadmin, args service=shell cmd*
Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection disconnected from 192.168.1.200:11199
Cisco Tacacs config:
ip http server
ip http authentication aaa
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
tacacs-server host 192.168.1.7
tacacs-server key cisco
Cisco authentication/authorization debug:
1d05h: HTTP: Authentication for url '/' '/' level 15 privless '/'
1d05h: HTTP: Authentication username = 'markus' priv-level = 15 auth-type = aaa
1d05h: AAA: parse name=tty2 idb type=-1 tty=-1
1d05h: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
1d05h: AAA/MEMORY: create_user (0x625866A8) user='' ruser='' port='tty2' rem_addr='192.168.1.8' authen_type=ASCII service=LOGIN priv=0
1d05h: AAA/AUTHEN/START (4271424462): port='tty2' list='' action=LOGIN service=LOGIN
1d05h: AAA/AUTHEN/START (4271424462): using "default" list
1d05h: AAA/AUTHEN/START (4271424462): Method=tacacs+ (tacacs+)
1d05h: TAC+: send AUTHEN/START packet ver=192 id=4271424462
1d05h: TAC+: ver=192 id=4271424462 received AUTHEN status = GETUSER
1d05h: AAA/AUTHEN (4271424462): status = GETUSER
1d05h: AAA/AUTHEN/CONT (4271424462): continue_login (user='(undef)')
1d05h: AAA/AUTHEN (4271424462): status = GETUSER
1d05h: AAA/AUTHEN (4271424462): Method=tacacs+ (tacacs+)
1d05h: TAC+: send AUTHEN/CONT packet id=4271424462
1d05h: TAC+: ver=192 id=4271424462 received AUTHEN status = GETPASS
1d05h: AAA/AUTHEN (4271424462): status = GETPASS
1d05h: AAA/AUTHEN/CONT (4271424462): continue_login (user='markus')
1d05h: AAA/AUTHEN (4271424462): status = GETPASS
1d05h: AAA/AUTHEN (4271424462): Method=tacacs+ (tacacs+)
1d05h: TAC+: send AUTHEN/CONT packet id=4271424462
1d05h: TAC+: ver=192 id=4271424462 received AUTHEN status = PASS
1d05h: AAA/AUTHEN (4271424462): status = PASS
1d05h: tty2 AAA/AUTHOR/HTTP (1922248824): Port='tty2' list='' service=EXEC
1d05h: AAA/AUTHOR/HTTP: tty2 (1922248824) user='markus'
1d05h: tty2 AAA/AUTHOR/HTTP (1922248824): send AV service=shell
1d05h: tty2 AAA/AUTHOR/HTTP (1922248824): send AV cmd*
1d05h: tty2 AAA/AUTHOR/HTTP (1922248824): found list "default"
1d05h: tty2 AAA/AUTHOR/HTTP (1922248824): Method=tacacs+ (tacacs+)
1d05h: AAA/AUTHOR/TAC+: (1922248824): user=markus
1d05h: AAA/AUTHOR/TAC+: (1922248824): send AV service=shell
1d05h: AAA/AUTHOR/TAC+: (1922248824): send AV cmd*
1d05h: TAC+: (1922248824): received author response status = PASS_ADD
1d05h: AAA/AUTHOR (1922248824): Post authorization status = PASS_ADD
1d05h: HTTP: Authentication failed
1d05h: AAA/MEMORY: free_user (0x625866A8) user='markus' ruser='' port='tty2' rem_addr='192.168.1.8' authen_type=ASCII service=LOGIN priv=0
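The Radiator debug lines in this message show the pairing that decides what the Cisco HTTP server gets back: an Authorization REQUEST for service=shell cmd*, then the AuthorizeGroup rule that matched it, printed with its returned attribute set in braces (here `permit service=shell { }`, an empty set). As an added example, not part of the original post and not Radiator's own code, the Python script below audits such debug output and flags every permitted service=shell authorization whose matched rule hands back no priv-lvl. The field order of the REQUEST line (authen_method, priv_lvl, authen_type, authen_service, user, port, rem_addr, arg_cnt, args) and the assumption that one REQUEST line is followed by one rule-match line for the same connection are read off the log layout above; the second exchange in the sample input is constructed so that the audit has a negative case.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample input. The first exchange is copied from the Radiator
# debug log in this thread; the second is made up in the same layout and its
# matched rule does return priv-lvl=15, so the audit has a non-flagged case.
SAMPLE_LOG = """\
Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection Authorization REQUEST 6, 0, 1, 1, markus, tty2, 192.168.1.8, 2, service=shell cmd*
Mon Jul 7 21:00:21 2008: DEBUG: AuthorizeGroup rule match found: permit service=shell { }
Mon Jul 7 21:00:21 2008: INFO: Authorization permitted for markus, group ciscoadmin, args service=shell cmd*
Mon Jul 7 21:05:02 2008: DEBUG: TacacsplusConnection Authorization REQUEST 6, 0, 1, 1, alice, tty3, 192.168.1.9, 2, service=shell cmd*
Mon Jul 7 21:05:02 2008: DEBUG: AuthorizeGroup rule match found: permit service=shell {priv-lvl=15}
"""

REQUEST_RE = re.compile(r"TacacsplusConnection Authorization REQUEST (?P<fields>.*)$")
# "AuthorizeGroup rule match found: permit <args> { <avpairs> }"
MATCH_RE = re.compile(
    r"AuthorizeGroup rule match found: (?P<verdict>permit|deny) "
    r"(?P<args>.*?) \{ ?(?P<avpairs>.*?) ?\}$"
)
# Matches the token whether it is sent bare or wrapped in another attribute.
PRIV_LVL_RE = re.compile(r"priv-lvl=(\d+)")


@dataclass
class AuthzFinding:
    user: str
    port: str
    requested: List[str]   # AV pairs the device asked about, e.g. service=shell cmd*
    verdict: str           # permit / deny from the matched rule
    returned: str          # raw attribute set inside the braces
    priv_lvl: Optional[int]

    @property
    def needs_priv_lvl(self) -> bool:
        """A permitted shell authorization that carries no priv-lvl: the device
        gets PASS_ADD with nothing to raise the privilege level, which is what
        the log in this thread records."""
        return (
            self.verdict == "permit"
            and "service=shell" in self.requested
            and self.priv_lvl is None
        )


def parse_request(fields: str) -> Optional[dict]:
    # Field order is an assumption taken from the log layout in the post.
    parts = fields.split(", ", 8)
    if len(parts) < 9:
        return None
    return {"user": parts[4], "port": parts[5], "args": parts[8].split()}


def audit(lines: Iterable[str]) -> List[AuthzFinding]:
    findings: List[AuthzFinding] = []
    pending = None  # most recent REQUEST not yet paired with a rule-match line
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            pending = parse_request(m.group("fields"))
            continue
        m = MATCH_RE.search(line)
        if m and pending is not None:
            lvl = PRIV_LVL_RE.search(m.group("avpairs"))
            findings.append(AuthzFinding(
                user=pending["user"],
                port=pending["port"],
                requested=pending["args"],
                verdict=m.group("verdict"),
                returned=m.group("avpairs"),
                priv_lvl=int(lvl.group(1)) if lvl else None,
            ))
            pending = None
    return findings


def flagged_users(log_text: str) -> List[str]:
    """Users whose shell authorization was permitted without a priv-lvl."""
    return [f.user for f in audit(log_text.splitlines()) if f.needs_priv_lvl]


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        status = "MISSING priv-lvl" if f.needs_priv_lvl else f"priv-lvl={f.priv_lvl}"
        print(f"{f.user}@{f.port}: {' '.join(f.requested)} -> "
              f"{f.verdict} {{{f.returned}}} : {status}")
```

Run against a live Radiator trace (`audit(open(path))`), the script reports one line per authorization; the `returned` field is the attribute set that actually went back to the device, which is the place to look when the Cisco side logs PASS_ADD and then "Authentication failed" as in the debug above.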