[RADIATOR] AuthorizeGroup permissions with TACACS
Hugh Irvine
hugh at open.com.au
Tue Jul 8 23:32:33 CDT 2008
Hello Amanda -
Here is an example I have been testing recently:
# the first line allows the login at priv-lvl=1
AuthorizeGroup group1 permit service=shell cmd\* {priv-lvl=1}
# the following lines only allow the execution of "show ..." and "ping ...." commands
AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
AuthorizeGroup group1 permit service=shell cmd=ping cmd-arg=.*
# all other attempts to execute commands will be denied
AuthorizeGroup group1 deny .*
See also the example in "goodies/tacacsplusserver.cfg".
Of course the Cisco also needs to be configured for command
authorisation.
Here is an example:
aaa authentication login default group tacacs+ local enable
aaa authentication login vty-access group tacacs+ local enable
aaa authentication login console-access group tacacs+ local enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
ip tacacs source-interface Dialer0
access-list 150 permit udp any host n.n.n.n eq tacacs
tacacs-server host n.n.n.n key 7 04531E0107
tacacs-server directed-request
tacacs-server key 7 000C06010C
hope that helps
regards
Hugh
On 9 Jul 2008, at 04:54, Amanda Myer wrote:
> Hello,
>
> I'm trying to pass per command authorizations to my cisco routers
> from the radiator TACACS server but it doesn't seem to be working.
>
> I'm not sure if I have something configured incorrectly or what,
> but this is what I have in the <ServerTACACSPLUS> tag.
> AuthorizeGroup manager permit service=shell cmd=show cmd-arg=.*
> AuthorizeGroup manager permit service=shell cmd=ip cmd-arg.* cmd=configure cmd-arg.*
> AuthorizeGroup manager permit service=shell cmd=configure cmd-arg.*
> AuthorizeGroup manager deny .*
>
> When I try to login to the cisco router with these settings, it
> authenticates the user but then doesn't authorize them for shell
> access and disconnects the user.
>
> This is what shows in the radiator log:
>
> ********************
> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 2433281923, 15
> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection Authentication CONTINUE 0, passwordRemoved,
> Tue Jul 8 15:11:05 2008: DEBUG: TACACSPLUS derived Radius request packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: <16><227>v<219><199>Pq'<144>"a"<143>#<239><204>
> Attributes:
> NAS-IP-Address = 207.179.90.131
> NAS-Port-Id = "tty3"
> Calling-Station-Id = "69.63.233.88"
> Service-Type = Login-User
> NAS-Identifier = "TACACS"
> User-Name = "holcomb.frank"
> User-Password = passwordRemoved
>
> Tue Jul 8 15:11:05 2008: DEBUG: Handling request with Handler 'NAS-Identifier=TACACS'
> Tue Jul 8 15:11:05 2008: DEBUG: Deleting session for holcomb.frank, 207.179.90.131,
> Tue Jul 8 15:11:05 2008: DEBUG: Handling with Radius::AuthSQL
> Tue Jul 8 15:11:05 2008: DEBUG: Handling with Radius::AuthSQL: ACDEmployees
> Tue Jul 8 15:11:05 2008: DEBUG: Query is: 'SELECT ADMIN_EMPLOYEES.PASSWORD, ADMIN_EMPLOYEES_CISCO_SECURITY.DESCRIPTION from Admin_Employees, ADMIN_EMPLOYEES_CISCO_SECURITY where ADMIN_EMPLOYEES.username ='holcomb.frank' and ADMIN_EMPLOYEES.stillemployed = 1 AND ADMIN_EMPLOYEES.CISCOSECURITYLEVEL = ADMIN_EMPLOYEES_CISCO_SECURITY.ID':
> Tue Jul 8 15:11:05 2008: DEBUG: Radius::AuthSQL looks for match with holcomb.frank [holcomb.frank]
> Tue Jul 8 15:11:05 2008: DEBUG: Radius::AuthSQL ACCEPT: : holcomb.frank [holcomb.frank]
> Tue Jul 8 15:11:05 2008: DEBUG: AuthBy SQL result: ACCEPT,
> Tue Jul 8 15:11:05 2008: DEBUG: Access accepted for holcomb.frank
> Tue Jul 8 15:11:05 2008: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code: Access-Accept
> Identifier: UNDEF
> Authentic: <16><227>v<219><199>Pq'<144>"a"<143>#<239><204>
> Attributes:
> tacacsGroup = manager
>
> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection result Access-Accept
> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection disconnected from 207.179.90.131:11861
> Tue Jul 8 15:11:05 2008: DEBUG: New TacacsplusConnection created for 207.179.90.131:60500
> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 3484511561, 56
> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, holcomb.frank, tty3, 69.63.233.88, 2, service=shell cmd*
> Tue Jul 8 15:11:05 2008: DEBUG: AuthorizeGroup rule match found: permit .* { }
> Tue Jul 8 15:11:05 2008: INFO: Authorization permitted for holcomb.frank, group manager, args service=shell cmd*
> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection disconnected from 207.179.90.131:60500
> ***********************
>
> Thanks for any help you can provide! I'm new to radius and tacacs
> so please bear with me.
>
> Thanks
> -Amanda
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
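The rule semantics Hugh's example relies on, modelled as an added Python example that is not Radiator's code: rules for the user's group are tried in order, each pattern is applied as an unanchored Perl-style regex to the space-joined authorization args (an assumption suggested by the "args service=shell cmd*" log line), and the first match decides. It shows why the first `cmd\*` line matters: without it the initial shell login request matches no permit rule and falls through to `deny .*`.

```python
import re
from dataclasses import dataclass, field

# Assumed model (not Radiator's implementation): rules are tried in order
# for the user's group; the pattern is a Perl-style regex applied, unanchored,
# to the space-joined TACACS+ authorization args; the first match decides.
RULE_RE = re.compile(
    r'^AuthorizeGroup\s+(\S+)\s+(permit|deny)\s+(.*?)\s*(?:\{(.*)\})?\s*$')

@dataclass
class Rule:
    group: str
    action: str                                  # "permit" or "deny"
    pattern: str                                 # regex over the joined args
    reply: dict = field(default_factory=dict)    # attrs returned on permit

def parse_rules(text):
    """Parse AuthorizeGroup lines; comments and blank lines are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError('bad AuthorizeGroup line: ' + line)
        group, action, pattern, attrs = m.groups()
        reply = dict(kv.split('=', 1) for kv in (attrs or '').split())
        rules.append(Rule(group, action, pattern, reply))
    return rules

def authorize(rules, group, args):
    """Return (action, reply_attrs); no matching rule means deny."""
    joined = ' '.join(args)
    for r in rules:
        if r.group == group and re.search(r.pattern, joined):
            return r.action, r.reply
    return 'deny', {}

# Hugh's rules from the post, verbatim.
RULES = parse_rules(r"""
AuthorizeGroup group1 permit service=shell cmd\* {priv-lvl=1}
AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
AuthorizeGroup group1 permit service=shell cmd=ping cmd-arg=.*
AuthorizeGroup group1 deny .*
""")

if __name__ == '__main__':
    # Shell login request (args as in the log above), then two commands.
    for args in (['service=shell', 'cmd*'],
                 ['service=shell', 'cmd=show', 'cmd-arg=version'],
                 ['service=shell', 'cmd=configure', 'cmd-arg=terminal']):
        print(' '.join(args), '->', authorize(RULES, 'group1', args))
```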