[RADIATOR] AuthorizeGroup permissions with TACACS
Hugh Irvine
hugh at open.com.au
Sat Jul 12 03:04:18 CDT 2008
Hello Amanda -
I really need to see a copy of your Radiator configuration file
together with a trace 4 debug showing what is happening.
thanks and regards
Hugh
On 12 Jul 2008, at 17:12, Amanda Myer wrote:
> Hello Hugh,
>
> Well.. here is what I've got now and it's still not working right.
>
> I've got it as basic as I can for now, just to see if I can get it
> to work. I'm just trying to enable "Show" commands for now.
>
> In the radiator config:
> AuthorizeGroup manager permit service=shell cmd\* {priv-lvl=1}
> AuthorizeGroup manager permit service=shell cmd=show cmd-arg=.*
> AuthorizeGroup manager deny .*
>
> On the cisco router:
> aaa authentication login default group tacacs+ local
> aaa authentication enable default group tacacs+ enable
> aaa authorization exec default group tacacs+ local if-authenticated
> aaa authorization commands 1 default group tacacs+ if-authenticated
> aaa authorization commands 15 default group tacacs+ if-authenticated
>
> When the user logs in, the "show" command is not available. When
> typing just "show" it simply says "denied".
>
> I'm sure this is just something silly that I've got wrong, but for
> the life of me I don't know what it is.
>
>
> Amanda Myer
> ACD.net Network Operations
> myer.amanda at acd.net
> 517-999-3231
>
>
>
> Hugh Irvine wrote:
>>
>> Hello Amanda -
>>
>>
>> Here is an example I have been testing recently:
>>
>>
>> # the first line allows the login at priv-lvl=1
>>
>> AuthorizeGroup group1 permit service=shell cmd\* {priv-lvl=1}
>>
>> # the following lines only allow the execution of "show ..." and
>> "ping ...." commands
>>
>> AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
>> AuthorizeGroup group1 permit service=shell cmd=ping cmd-arg=.*
>>
>> # all other attempts to execute commands will be denied
>>
>> AuthorizeGroup group1 deny .*
>>
>>
>> See also the example in "goodies/tacacsplusserver.cfg".
>>
>> Of course the Cisco also needs to be configured for command
>> authorisation.
>>
>> Here is an example:
>>
>>
>> aaa authentication login default group tacacs+ local enable
>> aaa authentication login vty-access group tacacs+ local enable
>> aaa authentication login console-access group tacacs+ local enable
>> aaa authorization exec default group tacacs+ if-authenticated
>> aaa authorization commands 1 default group tacacs+ if-authenticated
>> aaa authorization commands 15 default group tacacs+ if-authenticated
>> aaa accounting exec default stop-only group tacacs+
>> aaa accounting commands 15 default stop-only group tacacs+
>> ip tacacs source-interface Dialer0
>> access-list 150 permit udp any host n.n.n.n eq tacacs
>> tacacs-server host n.n.n.n key 7 04531E0107
>> tacacs-server directed-request
>> tacacs-server key 7 000C06010C
>>
>>
>>
>> hope that helps
>>
>> regards
>>
>> Hugh
>>
>>
>>
>>
>>
>> On 9 Jul 2008, at 04:54, Amanda Myer wrote:
>>
>>> Hello,
>>>
>>> I'm trying to pass per command authorizations to my cisco routers
>>> from the radiator TACACS server but it doesn't seem to be working.
>>>
>>> I'm not sure if I have something configured incorrectly or what,
>>> but this is what I have in the <ServerTACACSPLUS> tag.
>>> AuthorizeGroup manager permit service=shell cmd=show cmd-arg=.*
>>> AuthorizeGroup manager permit service=shell cmd=ip cmd-arg.* cmd=configure cmd-arg.*
>>> AuthorizeGroup manager permit service=shell cmd=configure cmd-arg.*
>>> AuthorizeGroup manager deny .*
>>>
>>> When I try to login to the cisco router with these settings, it
>>> authenticates the user but then doesn't authorize them for shell
>>> access and disconnects the user.
>>>
>>> This is what shows in the radiator log:
>>>
>>> ********************
>>> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection request
>>> 192, 1, 5, 0, 2433281923, 15
>>> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection
>>> Authentication CONTINUE 0, passwordRemoved,
>>> Tue Jul 8 15:11:05 2008: DEBUG: TACACSPLUS derived Radius
>>> request packet dump:
>>> Code: Access-Request
>>> Identifier: UNDEF
>>> Authentic: <16><227>v<219><199>Pq'<144>"a"<143>#<239><204>
>>> Attributes:
>>> NAS-IP-Address = 207.179.90.131
>>> NAS-Port-Id = "tty3"
>>> Calling-Station-Id = "69.63.233.88"
>>> Service-Type = Login-User
>>> NAS-Identifier = "TACACS"
>>> User-Name = "holcomb.frank"
>>> User-Password = passwordRemoved
>>>
>>> Tue Jul 8 15:11:05 2008: DEBUG: Handling request with Handler
>>> 'NAS-Identifier=TACACS'
>>> Tue Jul 8 15:11:05 2008: DEBUG: Deleting session for
>>> holcomb.frank, 207.179.90.131,
>>> Tue Jul 8 15:11:05 2008: DEBUG: Handling with Radius::AuthSQL
>>> Tue Jul 8 15:11:05 2008: DEBUG: Handling with Radius::AuthSQL:
>>> ACDEmployees
>>> Tue Jul 8 15:11:05 2008: DEBUG: Query is: 'SELECT
>>> ADMIN_EMPLOYEES.PASSWORD,
>>> ADMIN_EMPLOYEES_CISCO_SECURITY.DESCRIPTION from Admin_Employees,
>>> ADMIN_EMPLOYEES_CISCO_SECURITY where ADMIN_EMPLOYEES.username
>>> ='holcomb.frank' and ADMIN_EMPLOYEES.stillemployed = 1 AND
>>> ADMIN_EMPLOYEES.CISCOSECURITYLEVEL =
>>> ADMIN_EMPLOYEES_CISCO_SECURITY.ID':
>>> Tue Jul 8 15:11:05 2008: DEBUG: Radius::AuthSQL looks for match
>>> with holcomb.frank [holcomb.frank]
>>> Tue Jul 8 15:11:05 2008: DEBUG: Radius::AuthSQL ACCEPT: :
>>> holcomb.frank [holcomb.frank]
>>> Tue Jul 8 15:11:05 2008: DEBUG: AuthBy SQL result: ACCEPT,
>>> Tue Jul 8 15:11:05 2008: DEBUG: Access accepted for holcomb.frank
>>> Tue Jul 8 15:11:05 2008: DEBUG: Packet dump:
>>> *** Reply to TACACSPLUS request:
>>> Code: Access-Accept
>>> Identifier: UNDEF
>>> Authentic: <16><227>v<219><199>Pq'<144>"a"<143>#<239><204>
>>> Attributes:
>>> tacacsGroup = manager
>>>
>>> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection result
>>> Access-Accept
>>> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection
>>> Authentication REPLY 1, 0, ,
>>> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection disconnected
>>> from 207.179.90.131:11861
>>> Tue Jul 8 15:11:05 2008: DEBUG: New TacacsplusConnection created
>>> for 207.179.90.131:60500
>>> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection request
>>> 192, 2, 1, 0, 3484511561, 56
>>> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection
>>> Authorization REQUEST 6, 1, 1, 1, holcomb.frank, tty3,
>>> 69.63.233.88, 2, service=shell cmd*
>>> Tue Jul 8 15:11:05 2008: DEBUG: AuthorizeGroup rule match found:
>>> permit .* { }
>>> Tue Jul 8 15:11:05 2008: INFO: Authorization permitted for
>>> holcomb.frank, group manager, args service=shell cmd*
>>> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection
>>> Authorization RESPONSE 1, , ,
>>> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection
>>> disconnected from 207.179.90.131:60500
>>> ***********************
>>>
>>> Thanks for any help you can provide! I'm new to radius and
>>> tacacs so please bear with me.
>>>
>>> Thanks
>>> -Amanda
>>>
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/
>> archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>> Have you checked the RadiusExpert wiki:
>> http://www.open.com.au/wiki/index.php/Main_Page
>>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
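The rule matching discussed in this thread, as an added example that is not part of the original posts and not Radiator's own code: a small Python model of how a first-match AuthorizeGroup rule list decides a TACACS+ shell authorization. It assumes, as the Radiator reference manual describes for AuthorizeGroup, that each rule's pattern is a regular expression searched against the request's arguments joined with spaces and that the first matching rule decides; the model falls through to deny when nothing matches, which is the model's own choice, not a claim about the server's default, and is the reason Hugh's examples end with an explicit `deny .*`. The request strings are constructed in the form Cisco IOS sends: `service=shell cmd*` when the exec shell starts, and `service=shell cmd=show cmd-arg=ip cmd-arg=route cmd-arg=<cr>` for each command (a bare `show` arrives as `cmd=show cmd-arg=<cr>`). The `cmd=sh` rule at the end is a hypothetical loose pattern included only to show why an unanchored regex needs the trailing ` cmd-arg=` as a delimiter.

```python
"""Model of first-match TACACS+ command authorization rules.

Added example, not Radiator code. Rules use the AuthorizeGroup body syntax
from the thread ("permit|deny <regex> [{attr=value ...}]"); group name and
the AuthorizeGroup keyword are dropped because the group is the list itself.
"""
import re
from typing import Dict, List, Tuple

Rule = Tuple[str, "re.Pattern[str]", Dict[str, str]]   # verdict, pattern, reply attrs


def parse_rule(line: str) -> Rule:
    """Parse 'permit|deny <regex> [{attr=val ...}]' into a rule tuple."""
    verdict, _, rest = line.strip().partition(" ")
    if verdict not in ("permit", "deny"):
        raise ValueError(f"bad verdict in rule: {line!r}")
    attrs: Dict[str, str] = {}
    if "{" in rest:
        rest, _, attr_text = rest.partition("{")
        for item in attr_text.rstrip("}").split():
            key, _, value = item.partition("=")
            attrs[key] = value
    # Assumption: the pattern is an unanchored regex over the joined args.
    return verdict, re.compile(rest.strip()), attrs


def authorize(rules: List[Rule], request_args: List[str]) -> Tuple[str, Dict[str, str]]:
    """First matching rule wins. No match -> deny (this model fails closed)."""
    joined = " ".join(request_args)
    for verdict, pattern, attrs in rules:
        if pattern.search(joined):
            return verdict, attrs
    return "deny", {}


# Hugh's group1 rules from the thread, body only.
GROUP1 = [parse_rule(r) for r in (
    r"permit service=shell cmd\* {priv-lvl=1}",   # exec start at priv-lvl 1
    r"permit service=shell cmd=show cmd-arg=.*",  # show ...
    r"permit service=shell cmd=ping cmd-arg=.*",  # ping ...
    r"deny .*",                                   # everything else
)]

# Hypothetical loose rule set: "cmd=sh" was meant to cover "show" but has
# no delimiter after it, so it also matches the "shutdown" command.
LOOSE = [parse_rule(r) for r in (
    r"permit service=shell cmd=sh",
    r"deny .*",
)]

# Constructed requests in the IOS argument format; not taken from the log above.
EXEC_START = ["service=shell", "cmd*"]
SHOW_ROUTE = ["service=shell", "cmd=show", "cmd-arg=ip", "cmd-arg=route", "cmd-arg=<cr>"]
BARE_SHOW = ["service=shell", "cmd=show", "cmd-arg=<cr>"]
PING = ["service=shell", "cmd=ping", "cmd-arg=10.0.0.1", "cmd-arg=<cr>"]
CONF_T = ["service=shell", "cmd=configure", "cmd-arg=terminal", "cmd-arg=<cr>"]
SHUTDOWN = ["service=shell", "cmd=shutdown", "cmd-arg=<cr>"]


def demo() -> Dict[str, str]:
    """Return the verdict each constructed request gets under each rule set."""
    return {
        "group1/exec": authorize(GROUP1, EXEC_START)[0],
        "group1/show ip route": authorize(GROUP1, SHOW_ROUTE)[0],
        "group1/show": authorize(GROUP1, BARE_SHOW)[0],
        "group1/ping": authorize(GROUP1, PING)[0],
        "group1/configure terminal": authorize(GROUP1, CONF_T)[0],
        "group1/shutdown": authorize(GROUP1, SHUTDOWN)[0],
        "loose/shutdown": authorize(LOOSE, SHUTDOWN)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

The exec-start rule returns `priv-lvl=1` as a reply attribute, which is what lets the login succeed before any per-command rule is consulted; the per-command rules only ever see `cmd=<name> cmd-arg=...` strings. Because the patterns are searched, not anchored, the literal ` cmd-arg=` after the command name is what stops `cmd=show` from matching a longer command name, as the `LOOSE` set shows for `cmd=sh` against `shutdown`.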