[RADIATOR] AuthorizeGroup permissions with TACACS
Amanda Myer
myer.amanda at acd.net
Tue Jul 8 13:54:38 CDT 2008
Hello,
I'm trying to pass per-command authorizations to my Cisco routers from
the Radiator TACACS server, but it doesn't seem to be working.
I'm not sure if I have something configured incorrectly or what, but
this is what I have in the <ServerTACACSPLUS> tag.
AuthorizeGroup manager permit service=shell cmd=show cmd-arg=.*
AuthorizeGroup manager permit service=shell cmd=ip cmd-arg.* cmd=configure cmd-arg.*
AuthorizeGroup manager permit service=shell cmd=configure cmd-arg.*
AuthorizeGroup manager deny .*
When I try to log in to the Cisco router with these settings, it
authenticates the user but then doesn't authorize them for shell access
and disconnects the user.
This is what shows in the Radiator log:
********************
Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 2433281923, 15
Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection Authentication CONTINUE 0, passwordRemoved,
Tue Jul 8 15:11:05 2008: DEBUG: TACACSPLUS derived Radius request packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: <16><227>v<219><199>Pq'<144>"a"<143>#<239><204>
Attributes:
NAS-IP-Address = 207.179.90.131
NAS-Port-Id = "tty3"
Calling-Station-Id = "69.63.233.88"
Service-Type = Login-User
NAS-Identifier = "TACACS"
User-Name = "holcomb.frank"
User-Password = passwordRemoved
Tue Jul 8 15:11:05 2008: DEBUG: Handling request with Handler 'NAS-Identifier=TACACS'
Tue Jul 8 15:11:05 2008: DEBUG: Deleting session for holcomb.frank, 207.179.90.131,
Tue Jul 8 15:11:05 2008: DEBUG: Handling with Radius::AuthSQL
Tue Jul 8 15:11:05 2008: DEBUG: Handling with Radius::AuthSQL: ACDEmployees
Tue Jul 8 15:11:05 2008: DEBUG: Query is: 'SELECT ADMIN_EMPLOYEES.PASSWORD, ADMIN_EMPLOYEES_CISCO_SECURITY.DESCRIPTION from Admin_Employees, ADMIN_EMPLOYEES_CISCO_SECURITY where ADMIN_EMPLOYEES.username ='holcomb.frank' and ADMIN_EMPLOYEES.stillemployed = 1 AND ADMIN_EMPLOYEES.CISCOSECURITYLEVEL = ADMIN_EMPLOYEES_CISCO_SECURITY.ID':
Tue Jul 8 15:11:05 2008: DEBUG: Radius::AuthSQL looks for match with holcomb.frank [holcomb.frank]
Tue Jul 8 15:11:05 2008: DEBUG: Radius::AuthSQL ACCEPT: : holcomb.frank [holcomb.frank]
Tue Jul 8 15:11:05 2008: DEBUG: AuthBy SQL result: ACCEPT,
Tue Jul 8 15:11:05 2008: DEBUG: Access accepted for holcomb.frank
Tue Jul 8 15:11:05 2008: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code: Access-Accept
Identifier: UNDEF
Authentic: <16><227>v<219><199>Pq'<144>"a"<143>#<239><204>
Attributes:
tacacsGroup = manager
Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection result Access-Accept
Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection disconnected from 207.179.90.131:11861
Tue Jul 8 15:11:05 2008: DEBUG: New TacacsplusConnection created for 207.179.90.131:60500
Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 3484511561, 56
Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, holcomb.frank, tty3, 69.63.233.88, 2, service=shell cmd*
Tue Jul 8 15:11:05 2008: DEBUG: AuthorizeGroup rule match found: permit .* { }
Tue Jul 8 15:11:05 2008: INFO: Authorization permitted for holcomb.frank, group manager, args service=shell cmd*
Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection disconnected from 207.179.90.131:60500
***********************
Thanks for any help you can provide! I'm new to RADIUS and TACACS, so
please bear with me.
Thanks
-Amanda
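A simplified model, added here and not part of the post or of Radiator's AuthorizeGroup code, of how an ordered list of permit/deny rules evaluates a TACACS+ shell authorization request. It assumes first-match semantics and full regex matching of each named arg, and shows why a policy that only permits specific cmd values leaves the exec-start request (service=shell with an empty cmd, the "service=shell cmd*" seen in the log above) to fall through to the catch-all deny.

```python
import re

# Constructed, simplified model of ordered permit/deny TACACS+ shell
# authorization rules. Illustration only; not Radiator's implementation.


def parse_args(arg_string):
    """Split TACACS+ authorization args into (name, value) pairs.

    'name=value' is a mandatory arg and 'name*value' an optional one, so a
    bare 'cmd*' is the cmd attribute with an empty value: what the router
    sends when the exec shell starts, before any command is typed.
    """
    pairs = []
    for token in arg_string.split():
        m = re.fullmatch(r"([^=*]+)[=*](.*)", token)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def rule_matches(patterns, pairs):
    """Every (name, regex) in the rule must fully match some arg of that name."""
    for name, regex in patterns:
        if not any(n == name and re.fullmatch(regex, v) for n, v in pairs):
            return False
    return True


def authorize(rules, arg_string):
    """First matching rule wins; deny if nothing matches (assumed default)."""
    pairs = parse_args(arg_string)
    for action, patterns in rules:
        if rule_matches(patterns, pairs):
            return action
    return "deny"


# Rules in the spirit of the post: per-command permits plus a catch-all deny.
COMMAND_ONLY_RULES = [
    ("permit", [("service", "shell"), ("cmd", "show"), ("cmd-arg", ".*")]),
    ("permit", [("service", "shell"), ("cmd", "configure"), ("cmd-arg", ".*")]),
    ("deny", []),
]
# Same rules preceded by an explicit permit for the exec-start request.
WITH_EXEC_START = [("permit", [("service", "shell"), ("cmd", "")])] + COMMAND_ONLY_RULES

if __name__ == "__main__":
    print(authorize(COMMAND_ONLY_RULES, "service=shell cmd*"))  # deny
    print(authorize(WITH_EXEC_START, "service=shell cmd*"))  # permit
    print(authorize(WITH_EXEC_START, "service=shell cmd=show cmd-arg=ip cmd-arg=<cr>"))  # permit
    print(authorize(WITH_EXEC_START, "service=shell cmd=reload cmd-arg=<cr>"))  # deny
```

Denying the exec-start request is exactly the "authenticated but disconnected" symptom, so when reviewing a deny-by-default policy, check that the empty-cmd shell request is covered before the per-command rules.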