[RADIATOR] AuthorizeGroup permissions with TACACS

Amanda Myer myer.amanda at acd.net
Sat Jul 12 02:12:26 CDT 2008


Hello Hugh,

Well... here is what I've got now and it's still not working right.

I've got it as basic as I can for now, just to see if I can get it to 
work.  I'm just trying to enable "Show" commands for now.

In the radiator config:
        AuthorizeGroup manager permit service=shell cmd\* {priv-lvl=1}
        AuthorizeGroup manager permit service=shell cmd=show cmd-arg=.*  
        AuthorizeGroup manager deny .*

On the cisco router:
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated

When the user logs in, the "show" command is not available.  When typing 
just "show" it simply says "denied".

I'm sure this is just something silly that I've got wrong, but for the 
life of me I don't know what it is.


Amanda Myer
ACD.net Network Operations
myer.amanda at acd.net
517-999-3231
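The following is an added illustration, not part of Amanda's or Hugh's messages and not Radiator's own code: a small Python model of first-match AuthorizeGroup evaluation, fed the three manager rules from the message above and a handful of constructed IOS-style authorization requests. Everything about the wire format is an assumption here: that the NAS's AV pairs are joined with single spaces, that each rule's pattern is an unanchored regular expression searched in that string, that the first matching rule decides, and that a group with no matching rule denies. The `ios_shell_args` helper (`cmd*` for the EXEC start, `cmd=<word>` plus `cmd-arg=` pairs and a closing `cmd-arg=<cr>`) is likewise a constructed approximation of what an IOS router sends, and `lint` is a reviewer's ordering check, not a Radiator feature.

```python
"""Model of first-match TACACS+ AuthorizeGroup evaluation.

Added example, not Radiator's code.  Assumptions (not taken from the thread):
the NAS's authorization AV pairs are joined with single spaces, each rule's
pattern is an unanchored regular expression searched in that string, the first
matching rule decides, and a group with no matching rule denies.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    action: str                                   # "permit" or "deny"
    pattern: "re.Pattern[str]"
    reply: Dict[str, str] = field(default_factory=dict)  # AV pairs sent back on permit


# AuthorizeGroup <group> <permit|deny> <regex> [{av av ...}]
RULE_LINE = re.compile(
    r"^AuthorizeGroup\s+(\S+)\s+(permit|deny)\s+(.*?)\s*(?:\{(.*?)\})?\s*$")


def parse_rules(config_text: str) -> Dict[str, List[Rule]]:
    """Parse AuthorizeGroup lines into per-group ordered rule lists."""
    groups: Dict[str, List[Rule]] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable AuthorizeGroup line: {line!r}")
        group, action, pattern, reply = m.groups()
        avs: Dict[str, str] = {}
        for av in (reply or "").split():
            key, _, value = av.partition("=")
            avs[key] = value
        groups.setdefault(group, []).append(Rule(action, re.compile(pattern), avs))
    return groups


def ios_shell_args(command: Optional[str]) -> List[str]:
    """Constructed approximation of the AV pairs an IOS router sends: 'cmd*' for
    the EXEC start, otherwise cmd=<first word>, one cmd-arg per further word and
    a closing cmd-arg=<cr>.  An assumption of this model, not a captured trace."""
    if command is None:
        return ["service=shell", "cmd*"]
    words = command.split()
    return (["service=shell", f"cmd={words[0]}"]
            + [f"cmd-arg={w}" for w in words[1:]] + ["cmd-arg=<cr>"])


def authorize(rules: List[Rule], args: List[str]) -> Tuple[str, Dict[str, str]]:
    """First matching rule wins; a permit carries its reply AV pairs."""
    joined = " ".join(args)
    for rule in rules:
        if rule.pattern.search(joined):
            return rule.action, (dict(rule.reply) if rule.action == "permit" else {})
    return "deny", {}  # model assumption: nothing matched, so deny


def lint(rules: List[Rule]) -> List[str]:
    """Ordering checks worth running before deploying a group."""
    problems = []
    catch_alls = [i for i, r in enumerate(rules) if r.pattern.pattern == ".*"]
    if not any(rules[i].action == "deny" for i in catch_alls):
        problems.append("no explicit 'deny .*' catch-all; unmatched requests fall to the server default")
    for i in catch_alls:
        if i != len(rules) - 1:
            problems.append(f"rule {i + 1} ('{rules[i].action} .*') shadows {len(rules) - i - 1} later rule(s)")
    return problems


# The three rules from the message above.
MANAGER_CONFIG = r"""
AuthorizeGroup manager permit service=shell cmd\* {priv-lvl=1}
AuthorizeGroup manager permit service=shell cmd=show cmd-arg=.*
AuthorizeGroup manager deny .*
"""

# Same rules with the catch-all moved first: everything, even the EXEC start, is denied.
SHADOWED_CONFIG = r"""
AuthorizeGroup manager deny .*
AuthorizeGroup manager permit service=shell cmd\* {priv-lvl=1}
AuthorizeGroup manager permit service=shell cmd=show cmd-arg=.*
"""

if __name__ == "__main__":
    rules = parse_rules(MANAGER_CONFIG)["manager"]
    for cmd in (None, "show", "show ip interface brief", "show running-config", "configure terminal"):
        print(f"{str(cmd):28} -> {authorize(rules, ios_shell_args(cmd))}")
    print("lint:", lint(rules) or "ok")
    print("lint (shadowed):", lint(parse_rules(SHADOWED_CONFIG)["manager"]))
```

Two things the model makes visible. First, under these assumptions a bare `show` (arguments `service=shell cmd=show cmd-arg=<cr>`) does match the second rule, so if the router still reports "denied" the useful evidence is the trace 4 debug of the authorization REQUEST, which shows the exact argument string and the rule Radiator reports as matching. Second, `cmd=show cmd-arg=.*` also permits `show running-config`, which prints the `tacacs-server key 7` lines; type 7 strings are a reversible encoding, not a hash, so a group that is meant to be read-only for interface state may still want a more specific `deny` ahead of the broad `show` permit.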



Hugh Irvine wrote:
>
> Hello Amanda -
>
>
> Here is an example I have been testing recently:
>
>
> # the first line allows the login at priv-lvl=1
>
>         AuthorizeGroup group1 permit service=shell cmd\* {priv-lvl=1}
>
> # the following lines only allow the execution of "show ..." and  
> "ping ...." commands
>
>         AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
>         AuthorizeGroup group1 permit service=shell cmd=ping cmd-arg=.*
>
> # all other attempts to execute commands will be denied
>
>         AuthorizeGroup group1 deny .*
>
>
> See also the example in "goodies/tacacsplusserver.cfg".
>
> Of course the Cisco also needs to be configured for command 
> authorisation.
>
> Here is an example:
>
>
> aaa authentication login default group tacacs+ local enable
> aaa authentication login vty-access group tacacs+ local enable
> aaa authentication login console-access group tacacs+ local enable
> aaa authorization exec default group tacacs+ if-authenticated
> aaa authorization commands 1 default group tacacs+ if-authenticated
> aaa authorization commands 15 default group tacacs+ if-authenticated
> aaa accounting exec default stop-only group tacacs+
> aaa accounting commands 15 default stop-only group tacacs+
> ip tacacs source-interface Dialer0
> access-list 150 permit udp any host n.n.n.n eq tacacs
> tacacs-server host n.n.n.n key 7 04531E0107
> tacacs-server directed-request
> tacacs-server key 7 000C06010C
>
>
>
> hope that helps
>
> regards
>
> Hugh
>
>
>
>
>
> On 9 Jul 2008, at 04:54, Amanda Myer wrote:
>
>> Hello,
>>
>> I'm trying to pass per command authorizations to my cisco routers 
>> from the radiator TACACS server but it doesn't seem to be working.
>>
>> I'm not sure if I have something configured incorrectly or what, but 
>> this is what I have in the <ServerTACACSPLUS> tag.
>>        AuthorizeGroup manager permit service=shell cmd=show cmd-arg=.*
>>        AuthorizeGroup manager permit service=shell cmd=ip cmd-arg.* cmd=configure cmd-arg.*
>>        AuthorizeGroup manager permit service=shell cmd=configure cmd-arg.*
>>        AuthorizeGroup manager deny .*
>>
>> When I try to login to the cisco router with these settings, it 
>> authenticates the user but then doesn't authorize them for shell 
>> access and disconnects the user.
>>
>> This is what shows in the radiator log:
>>
>> ********************
>> Tue Jul  8 15:11:05 2008: DEBUG: TacacsplusConnection request 192, 1, 
>> 5, 0, 2433281923, 15
>> Tue Jul  8 15:11:05 2008: DEBUG: TacacsplusConnection Authentication 
>> CONTINUE 0, passwordRemoved,
>> Tue Jul  8 15:11:05 2008: DEBUG: TACACSPLUS derived Radius request 
>> packet dump:
>> Code:       Access-Request
>> Identifier: UNDEF
>> Authentic:  <16><227>v<219><199>Pq'<144>"a"<143>#<239><204>
>> Attributes:
>>        NAS-IP-Address = 207.179.90.131
>>        NAS-Port-Id = "tty3"
>>        Calling-Station-Id = "69.63.233.88"
>>        Service-Type = Login-User
>>        NAS-Identifier = "TACACS"
>>        User-Name = "holcomb.frank"
>>        User-Password = passwordRemoved
>>
>> Tue Jul  8 15:11:05 2008: DEBUG: Handling request with Handler 
>> 'NAS-Identifier=TACACS'
>> Tue Jul  8 15:11:05 2008: DEBUG:  Deleting session for holcomb.frank, 
>> 207.179.90.131,
>> Tue Jul  8 15:11:05 2008: DEBUG: Handling with Radius::AuthSQL
>> Tue Jul  8 15:11:05 2008: DEBUG: Handling with Radius::AuthSQL: 
>> ACDEmployees
>> Tue Jul  8 15:11:05 2008: DEBUG: Query is: 'SELECT 
>> ADMIN_EMPLOYEES.PASSWORD, ADMIN_EMPLOYEES_CISCO_SECURITY.DESCRIPTION 
>> from Admin_Employees, ADMIN_EMPLOYEES_CISCO_SECURITY where 
>> ADMIN_EMPLOYEES.username ='holcomb.frank' and 
>> ADMIN_EMPLOYEES.stillemployed = 1 AND 
>> ADMIN_EMPLOYEES.CISCOSECURITYLEVEL = ADMIN_EMPLOYEES_CISCO_SECURITY.ID':
>> Tue Jul  8 15:11:05 2008: DEBUG: Radius::AuthSQL looks for match with 
>> holcomb.frank [holcomb.frank]
>> Tue Jul  8 15:11:05 2008: DEBUG: Radius::AuthSQL ACCEPT: : 
>> holcomb.frank [holcomb.frank]
>> Tue Jul  8 15:11:05 2008: DEBUG: AuthBy SQL result: ACCEPT,
>> Tue Jul  8 15:11:05 2008: DEBUG: Access accepted for holcomb.frank
>> Tue Jul  8 15:11:05 2008: DEBUG: Packet dump:
>> *** Reply to TACACSPLUS request:
>> Code:       Access-Accept
>> Identifier: UNDEF
>> Authentic:  <16><227>v<219><199>Pq'<144>"a"<143>#<239><204>
>> Attributes:
>>        tacacsGroup = manager
>>
>> Tue Jul  8 15:11:05 2008: DEBUG: TacacsplusConnection result Access-Accept
>> Tue Jul  8 15:11:05 2008: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
>> Tue Jul  8 15:11:05 2008: DEBUG: TacacsplusConnection disconnected from 207.179.90.131:11861
>> Tue Jul  8 15:11:05 2008: DEBUG: New TacacsplusConnection created for 207.179.90.131:60500
>> Tue Jul  8 15:11:05 2008: DEBUG: TacacsplusConnection request 192, 2, 
>> 1, 0, 3484511561, 56
>> Tue Jul  8 15:11:05 2008: DEBUG: TacacsplusConnection Authorization 
>> REQUEST 6, 1, 1, 1, holcomb.frank, tty3, 69.63.233.88, 2, 
>> service=shell cmd*
>> Tue Jul  8 15:11:05 2008: DEBUG: AuthorizeGroup rule match found: 
>> permit .* {  }
>> Tue Jul  8 15:11:05 2008: INFO: Authorization permitted for 
>> holcomb.frank, group manager, args service=shell cmd*
>> Tue Jul  8 15:11:05 2008: DEBUG: TacacsplusConnection Authorization 
>> RESPONSE 1, , ,
>> Tue Jul  8 15:11:05 2008: DEBUG: TacacsplusConnection disconnected 
>> from 207.179.90.131:60500
>> ***********************
>>
>> Thanks for any help you can provide!  I'm new to radius and tacacs so 
>> please bear with me.
>>
>> Thanks
>> -Amanda
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive 
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>


