[RADIATOR] Cisco http server with tacacs+ authentication problem
Hugh Irvine
hugh at open.com.au
Mon Jul 7 18:13:31 CDT 2008
Hello Markus -
Here is an example I have been testing recently:
# the first line allows the login at priv-lvl=1
AuthorizeGroup group1 permit service=shell cmd\* {priv-lvl=1}
# the following lines only allow the execution of "show ..." and "ping ...." commands
AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
AuthorizeGroup group1 permit service=shell cmd=ping cmd-arg=.*
# all other attempts to execute commands will be denied
AuthorizeGroup group1 deny .*
See also the example in "goodies/tacacsplusserver.cfg".
hope that helps
regards
Hugh
On 8 Jul 2008, at 06:18, Markus Moeller wrote:
> Hi
>
> I try to set up tacacs+ authentication/authorization for the http
> server on a cisco 7200. I read
> (http://www.cisco.com/warp/public/480/http-1.pdf) I need to return a
> priv-lvl=15 (not sure if during authentication reply or authorization
> reply). I tried to add a reply attribute to both, but looking at a
> decrypted wireshark trace I don't see the reply attribute with the
> replies. Is that not implemented for tacacs+ requests?
>
> Thank you
> Markus
>
> Config file:
>
> <ServerTACACSPLUS>
> #
> # Attribute for Tacacs Group
> #
> GroupMemberAttr Group-Name
> #
> # cisco group permissions
> #
> AuthorizeGroup ciscoadmin permit service=shell
> AuthorizeGroup ciscoadmin permit service=exec cmd=.* cmd-arg=.* {cisco-avpair="priv-lvl=15"}
> </ServerTACACSPLUS>
>
> <AuthBy FILE>
> Identifier UserAuth
> Filename %D/Users
> </AuthBy>
>
> <Handler>
> AuthBy UserAuth
> PostProcessingHook file:"/etc/radiator/set_authorize_group.pl"
> AcctLogFileName %L/accounting-%d-%v-%Y.log
> </Handler>
>
> Users file:
>
> markus User-Password=markus
> cisco-avpair="priv-lvl=15"
>
>
> Log output
>
> Mon Jul 7 21:00:21 2008: DEBUG: New TacacsplusConnection created for 192.168.1.200:11198
> Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 4271424462, 23
> Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for , tty2, 192.168.1.8
> Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection Authentication REPLY 4, 0, Username: ,
> Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 4271424462, 11
> Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection Authentication CONTINUE 0, markus,
> Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
> Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 4271424462, 11
> Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection Authentication CONTINUE 0, markus,
> Mon Jul 7 21:00:21 2008: DEBUG: TACACSPLUS derived Radius request packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: J<140><156><235><243><225>P<166>6<2><29>Pk<157>B&
> Attributes:
> NAS-IP-Address = 192.168.1.200
> NAS-Port-Id = "tty2"
> Calling-Station-Id = "192.168.1.8"
> Service-Type = Login-User
> User-Name = "markus"
> User-Password = markus
>
> Mon Jul 7 21:00:21 2008: DEBUG: Handling request with Handler ''
> Mon Jul 7 21:00:21 2008: DEBUG: Deleting session for markus, 192.168.1.200,
> Mon Jul 7 21:00:21 2008: DEBUG: Handling with Radius::AuthFILE: UserAuth
> Mon Jul 7 21:00:21 2008: DEBUG: Radius::AuthFILE looks for match with markus [markus]
> Mon Jul 7 21:00:21 2008: DEBUG: Radius::AuthFILE ACCEPT: : markus [markus]
> Mon Jul 7 21:00:21 2008: DEBUG: AuthBy FILE result: ACCEPT,
> Mon Jul 7 21:00:21 2008: DEBUG: Access accepted for markus
> Mon Jul 7 21:00:21 2008: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code: Access-Accept
> Identifier: UNDEF
> Authentic: J<140><156><235><243><225>P<166>6<2><29>Pk<157>B&
> Attributes:
> Group-Name = ciscoadmin
>
> Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection result Access-Accept
> Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
> Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection disconnected from 192.168.1.200:11198
> Mon Jul 7 21:00:21 2008: DEBUG: New TacacsplusConnection created for 192.168.1.200:11199
> Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 1922248824, 48
> Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection Authorization REQUEST 6, 0, 1, 1, markus, tty2, 192.168.1.8, 2, service=shell cmd*
> Mon Jul 7 21:00:21 2008: DEBUG: AuthorizeGroup rule match found: permit service=shell { }
> Mon Jul 7 21:00:21 2008: INFO: Authorization permitted for markus, group ciscoadmin, args service=shell cmd*
> Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
> Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection disconnected from 192.168.1.200:11199
>
> Cisco Tacacs config:
>
> ip http server
> ip http authentication aaa
> aaa new-model
> aaa authentication login default group tacacs+ local
> aaa authentication enable default group tacacs+ enable
> aaa authorization console
> aaa authorization config-commands
> aaa authorization exec default group tacacs+ if-authenticated
> aaa authorization commands 1 default group tacacs+ if-authenticated
> aaa authorization commands 15 default group tacacs+ if-authenticated
> aaa accounting exec default start-stop group tacacs+
> aaa accounting commands 0 default stop-only group tacacs+
> aaa accounting commands 1 default stop-only group tacacs+
> aaa accounting commands 15 default stop-only group tacacs+
> aaa accounting network default start-stop group tacacs+
> aaa accounting connection default start-stop group tacacs+
> tacacs-server host 192.168.1.7
> tacacs-server key cisco
> Cisco authentication/authorization debug:
>
> 1d05h: HTTP: Authentication for url '/' '/' level 15 privless '/'
> 1d05h: HTTP: Authentication username = 'markus' priv-level = 15 auth-type = aaa
> 1d05h: AAA: parse name=tty2 idb type=-1 tty=-1
> 1d05h: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
> 1d05h: AAA/MEMORY: create_user (0x625866A8) user='' ruser='' port='tty2' rem_addr='192.168.1.8' authen_type=ASCII service=LOGIN priv=0
> 1d05h: AAA/AUTHEN/START (4271424462): port='tty2' list='' action=LOGIN service=LOGIN
> 1d05h: AAA/AUTHEN/START (4271424462): using "default" list
> 1d05h: AAA/AUTHEN/START (4271424462): Method=tacacs+ (tacacs+)
> 1d05h: TAC+: send AUTHEN/START packet ver=192 id=4271424462
> 1d05h: TAC+: ver=192 id=4271424462 received AUTHEN status = GETUSER
> 1d05h: AAA/AUTHEN (4271424462): status = GETUSER
> 1d05h: AAA/AUTHEN/CONT (4271424462): continue_login (user='(undef)')
> 1d05h: AAA/AUTHEN (4271424462): status = GETUSER
> 1d05h: AAA/AUTHEN (4271424462): Method=tacacs+ (tacacs+)
> 1d05h: TAC+: send AUTHEN/CONT packet id=4271424462
> 1d05h: TAC+: ver=192 id=4271424462 received AUTHEN status = GETPASS
> 1d05h: AAA/AUTHEN (4271424462): status = GETPASS
> 1d05h: AAA/AUTHEN/CONT (4271424462): continue_login (user='markus')
> 1d05h: AAA/AUTHEN (4271424462): status = GETPASS
> 1d05h: AAA/AUTHEN (4271424462): Method=tacacs+ (tacacs+)
> 1d05h: TAC+: send AUTHEN/CONT packet id=4271424462
> 1d05h: TAC+: ver=192 id=4271424462 received AUTHEN status = PASS
> 1d05h: AAA/AUTHEN (4271424462): status = PASS
> 1d05h: tty2 AAA/AUTHOR/HTTP (1922248824): Port='tty2' list='' service=EXEC
> 1d05h: AAA/AUTHOR/HTTP: tty2 (1922248824) user='markus'
> 1d05h: tty2 AAA/AUTHOR/HTTP (1922248824): send AV service=shell
> 1d05h: tty2 AAA/AUTHOR/HTTP (1922248824): send AV cmd*
> 1d05h: tty2 AAA/AUTHOR/HTTP (1922248824): found list "default"
> 1d05h: tty2 AAA/AUTHOR/HTTP (1922248824): Method=tacacs+ (tacacs+)
> 1d05h: AAA/AUTHOR/TAC+: (1922248824): user=markus
> 1d05h: AAA/AUTHOR/TAC+: (1922248824): send AV service=shell
> 1d05h: AAA/AUTHOR/TAC+: (1922248824): send AV cmd*
> 1d05h: TAC+: (1922248824): received author response status = PASS_ADD
> 1d05h: AAA/AUTHOR (1922248824): Post authorization status = PASS_ADD
> 1d05h: HTTP: Authentication failed
> 1d05h: AAA/MEMORY: free_user (0x625866A8) user='markus' ruser='' port='tty2' rem_addr='192.168.1.8' authen_type=ASCII service=LOGIN priv=0
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
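As an added illustration of how an ordered AuthorizeGroup policy such as the one in Hugh's reply behaves, the following is constructed example code, not Radiator's implementation. It parses both rule sets from this thread plus a constructed variant, then evaluates the `service=shell cmd*` exec-login authorization seen in both logs and two constructed command requests. The matching semantics are assumptions modelled on the rules above: the request AV pairs are joined with spaces, each rule's pattern is searched against that string as a regex, the first match decides, whatever is in the braces is echoed as reply attributes, and no match means deny. Two things it makes visible that the thread only shows in the logs: Markus's first rule (`permit service=shell`, empty reply, exactly as his "rule match found" line reports) already matches every shell request, so the priv-lvl on his second rule is never consulted; and the backslash in Hugh's `cmd\*` is load-bearing, because an unescaped `cmd*` is a regex that matches "cm" followed by any number of "d", so it would swallow every shell command before the `deny .*` line is reached.

```python
import re
from collections import defaultdict

# Rule text copied from the two configs in this thread. Hugh's set logs the
# user in at priv-lvl 1, allows "show" and "ping", and denies everything else.
HUGH_RULES = r"""
# the first line allows the login at priv-lvl=1
AuthorizeGroup group1 permit service=shell cmd\* {priv-lvl=1}
AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
AuthorizeGroup group1 permit service=shell cmd=ping cmd-arg=.*
AuthorizeGroup group1 deny .*
"""

# Markus's set as posted: the first rule already matches every shell request.
MARKUS_RULES = r"""
AuthorizeGroup ciscoadmin permit service=shell
AuthorizeGroup ciscoadmin permit service=exec cmd=.* cmd-arg=.* {cisco-avpair="priv-lvl=15"}
"""

# Constructed variant of Hugh's login rule with the backslash dropped, to show
# why it is there: as a regex, "cmd*" means "cm" followed by zero or more "d".
UNESCAPED_RULES = r"""
AuthorizeGroup group1 permit service=shell cmd* {priv-lvl=1}
AuthorizeGroup group1 deny .*
"""

RULE_RE = re.compile(r"^AuthorizeGroup\s+(\S+)\s+(permit|deny)\s+(.*?)\s*(?:\{(.*)\})?\s*$")


def parse_rules(text):
    """Parse AuthorizeGroup lines into {group: [(action, compiled_pattern, reply_attrs), ...]}.
    Order is kept because, in this model, the first matching rule decides."""
    groups = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        group, action, pattern, reply = m.groups()
        reply_attrs = {}
        for pair in (reply or "").split():
            key, _, value = pair.partition("=")
            reply_attrs[key] = value.strip('"')
        groups[group].append((action, re.compile(pattern), reply_attrs))
    return dict(groups)


def authorize(groups, group, args):
    """Evaluate a TACACS+ authorization request for one group.

    args are the AV pairs the router sent, e.g. ["service=shell", "cmd*"]
    ("attr=value" is mandatory, "attr*value" optional; the exec login carries an
    empty optional cmd). The pairs are joined with spaces and each rule's pattern
    is searched against that string; the first match wins (assumed semantics).
    Returns the status name the router debug shows (PASS_ADD / FAIL) plus the
    reply attributes. No matching rule is treated as FAIL (deny by default)."""
    request = " ".join(args)
    for action, pattern, reply in groups.get(group, []):
        if pattern.search(request):
            if action == "permit":
                return "PASS_ADD", dict(reply)
            return "FAIL", {}
    return "FAIL", {}


# Constructed requests: the exec login from the thread's log, and two commands.
EXEC_LOGIN = ["service=shell", "cmd*"]
SHOW_ROUTE = ["service=shell", "cmd=show", "cmd-arg=ip", "cmd-arg=route"]
CONF_TERM = ["service=shell", "cmd=configure", "cmd-arg=terminal"]


def compare_policies():
    """Run the three requests through each rule set; returns {policy: {request: result}}."""
    policies = {
        "hugh/group1": (parse_rules(HUGH_RULES), "group1"),
        "markus/ciscoadmin": (parse_rules(MARKUS_RULES), "ciscoadmin"),
        "unescaped/group1": (parse_rules(UNESCAPED_RULES), "group1"),
    }
    requests = {"exec-login": EXEC_LOGIN, "show ip route": SHOW_ROUTE, "configure terminal": CONF_TERM}
    return {
        name: {label: authorize(rules, group, req) for label, req in requests.items()}
        for name, (rules, group) in policies.items()
    }


if __name__ == "__main__":
    for policy, results in compare_policies().items():
        print(policy)
        for label, (status, reply) in results.items():
            print(f"  {label:20} -> {status:8} {reply}")
```

Running it shows Hugh's group returning priv-lvl=1 on the exec login, PASS_ADD with no attributes for "show ip route", and FAIL for "configure terminal"; Markus's group returns PASS_ADD with an empty reply for all three (no deny rule and nothing reaches the priv-lvl=15 line); and the unescaped variant grants "configure terminal" at priv-lvl 1 because its login rule matches first. The general lesson for any ordered permit/deny list is the same: put the narrowest patterns first, escape regex metacharacters in literal attribute names, and end with an explicit deny so a typo in a pattern fails closed.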