[RADIATOR] AuthorizeGroup permissions with TACACS
Amanda Myer
myer.amanda at acd.net
Sat Jul 12 03:56:05 CDT 2008
Here is the output from the level 4 trace on radiator:
*************************************
Sat Jul 12 05:16:43 2008: DEBUG: include /etc/radiator/zhone.cfg
Sat Jul 12 05:16:43 2008: ERR: Could not resolve an address for Client
10.106.1.n
Sat Jul 12 05:16:43 2008: WARNING: Could not find AuthBy clause with
Identifier ZhoneAccounting
Sat Jul 12 05:16:43 2008: DEBUG: include /etc/radiator/tacacsplusserver.cfg
Sat Jul 12 05:16:44 2008: DEBUG: Creating TACACSPLUS port 0.0.0.0:49
Sat Jul 12 05:16:44 2008: DEBUG: Finished reading configuration file
'/etc/radiator/radius.cfg'
Sat Jul 12 05:16:44 2008: DEBUG: Reading dictionary file
'/etc/radiator/dictionary'
Sat Jul 12 05:16:44 2008: DEBUG: Creating authentication port 0.0.0.0:1645
Sat Jul 12 05:16:44 2008: DEBUG: Creating accounting port 0.0.0.0:1646
Sat Jul 12 05:16:44 2008: NOTICE: Server started: Radiator 3.14 on
radius01.acd.net
Sat Jul 12 05:16:54 2008: DEBUG: New TacacsplusConnection created for
207.179.90.131:31057
Sat Jul 12 05:16:54 2008: DEBUG: TacacsplusConnection request 192, 1, 1,
0, 1109816927, 24
Sat Jul 12 05:16:54 2008: DEBUG: TacacsplusConnection Authentication
START 1, 1, 1 for , tty3, 69.63.233.88
Sat Jul 12 05:16:54 2008: DEBUG: TacacsplusConnection Authentication
REPLY 4, 0, Username: ,
Sat Jul 12 05:16:54 2008: DEBUG: New TacacsplusConnection created for
207.179.90.131:21820
Sat Jul 12 05:16:54 2008: DEBUG: TacacsplusConnection request 192, 1, 1,
0, 2332082003, 27
Sat Jul 12 05:16:54 2008: DEBUG: TacacsplusConnection Authentication
START 1, 1, 1 for , tty4, 207.179.118.130
Sat Jul 12 05:16:54 2008: DEBUG: TacacsplusConnection Authentication
REPLY 4, 0, Username: ,
Sat Jul 12 05:16:54 2008: DEBUG: TacacsplusConnection disconnected from
207.179.90.131:21820
Sat Jul 12 05:16:59 2008: DEBUG: TacacsplusConnection request 192, 1, 3,
0, 1109816927, 18
Sat Jul 12 05:16:59 2008: DEBUG: TacacsplusConnection Authentication
CONTINUE 0, holcomb.frank,
Sat Jul 12 05:16:59 2008: DEBUG: TacacsplusConnection Authentication
REPLY 5, 1, Password: ,
Sat Jul 12 05:17:02 2008: DEBUG: TacacsplusConnection request 192, 1, 5,
0, 1109816927, 15
Sat Jul 12 05:17:02 2008: DEBUG: TacacsplusConnection Authentication
CONTINUE 0, removedForSecurity,
Sat Jul 12 05:17:02 2008: DEBUG: TACACSPLUS derived Radius request
packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: 'a<4><205><146><135><255><161>N<163>}<18><23>7<190><127>
Attributes:
NAS-IP-Address = 207.179.90.131
NAS-Port-Id = "tty3"
Calling-Station-Id = "69.63.233.88"
Service-Type = Login-User
NAS-Identifier = "TACACS"
User-Name = "holcomb.frank"
User-Password = removedForSecurity
Sat Jul 12 05:17:02 2008: DEBUG: Handling request with Handler
'NAS-Identifier=TACACS'
Sat Jul 12 05:17:02 2008: DEBUG: Deleting session for holcomb.frank,
207.179.90.131,
Sat Jul 12 05:17:02 2008: DEBUG: Handling with Radius::AuthSQL
Sat Jul 12 05:17:02 2008: DEBUG: Handling with Radius::AuthSQL: ACDEmployees
Sat Jul 12 05:17:02 2008: DEBUG: Query is: 'SELECT
ADMIN_EMPLOYEES.PASSWORD, ADMIN_EMPLOYEES_CISCO_SECURITY.DESCRIPTION
from Admin_Employees, ADMIN_EMPLOYEES_CISCO_SECURITY where
ADMIN_EMPLOYEES.username ='holcomb.frank' and
ADMIN_EMPLOYEES.stillemployed = 1 AND ADMIN_EMPLOYEES.CISCOSECURITYLEVEL
= ADMIN_EMPLOYEES_CISCO_SECURITY.ID':
Sat Jul 12 05:17:02 2008: DEBUG: Radius::AuthSQL looks for match with
holcomb.frank [holcomb.frank]
Sat Jul 12 05:17:02 2008: DEBUG: Radius::AuthSQL ACCEPT: : holcomb.frank
[holcomb.frank]
Sat Jul 12 05:17:02 2008: DEBUG: AuthBy SQL result: ACCEPT,
Sat Jul 12 05:17:02 2008: DEBUG: Access accepted for holcomb.frank
Sat Jul 12 05:17:02 2008: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code: Access-Accept
Identifier: UNDEF
Authentic: 'a<4><205><146><135><255><161>N<163>}<18><23>7<190><127>
Attributes:
tacacsGroup = manager
Sat Jul 12 05:17:02 2008: DEBUG: TacacsplusConnection result Access-Accept
Sat Jul 12 05:17:02 2008: DEBUG: TacacsplusConnection Authentication
REPLY 1, 0, ,
Sat Jul 12 05:17:02 2008: DEBUG: TacacsplusConnection disconnected from
207.179.90.131:31057
Sat Jul 12 05:17:02 2008: DEBUG: New TacacsplusConnection created for
207.179.90.131:11414
Sat Jul 12 05:17:02 2008: DEBUG: TacacsplusConnection request 192, 2, 1,
0, 2914689011, 56
Sat Jul 12 05:17:02 2008: DEBUG: TacacsplusConnection Authorization
REQUEST 6, 1, 1, 1, holcomb.frank, tty3, 69.63.233.88, 2, service=shell cmd*
Sat Jul 12 05:17:02 2008: DEBUG: AuthorizeGroup rule match found: permit
service=shell cmd\* { priv-lvl=1 }
Sat Jul 12 05:17:02 2008: INFO: Authorization permitted for
holcomb.frank, group manager, args service=shell cmd*
Sat Jul 12 05:17:02 2008: DEBUG: TacacsplusConnection Authorization
RESPONSE 1, , , priv-lvl=1
Sat Jul 12 05:17:02 2008: DEBUG: TacacsplusConnection disconnected from
207.179.90.131:11414
Sat Jul 12 05:17:05 2008: DEBUG: New TacacsplusConnection created for
207.179.90.131:43641
Sat Jul 12 05:17:05 2008: DEBUG: TacacsplusConnection request 192, 2, 1,
0, 39416169, 89
Sat Jul 12 05:17:05 2008: DEBUG: TacacsplusConnection Authorization
REQUEST 1, 1, 1, 0, holcomb.frank, tty3, 69.63.233.88, 4, service=shell
cmd=connect cmd-arg=show cmd-arg=<cr>
Sat Jul 12 05:17:05 2008: DEBUG: AuthorizeGroup rule match found: deny
.* { }
Sat Jul 12 05:17:05 2008: INFO: Authorization denied for holcomb.frank,
group manager, args service=shell cmd=connect cmd-arg=show cmd-arg=<cr>
Sat Jul 12 05:17:05 2008: DEBUG: TacacsplusConnection Authorization
RESPONSE 16, denied, ,
Sat Jul 12 05:17:05 2008: DEBUG: TacacsplusConnection disconnected from
207.179.90.131:43641
*************************************
Here is the config on radiator:
*************************************
LogDir /var/log/radius
DbDir /etc/radiator
Trace 4
<ServerTACACSPLUS>
Key cisco
AddToRequest NAS-Identifier=TACACS
GroupMemberAttr tacacsGroup
AuthorizeGroup securityofficer permit service=shell cmd\* {priv-lvl=15}
AuthorizeGroup manager permit service=shell cmd\* {priv-lvl=1}
AuthorizeGroup user permit service=shell cmd\* {priv-lvl=1}
AuthorizeGroup manager permit service=shell cmd=show cmd-arg=.*
AuthorizeGroup manager deny .*
</ServerTACACSPLUS>
# ======================
# Queries for ACD Employees
# ======================
#
<AuthBy SQL>
Identifier ACDEmployees
DBSource dbi:Sybase:server=MASIADOS;database=support7
DBUsername radiator
DBAuth removedForSecurity
FailureBackoffTime 60
AuthSelect SELECT ADMIN_EMPLOYEES.PASSWORD, ADMIN_EMPLOYEES_CISCO_SECURITY.DESCRIPTION \
    from Admin_Employees, ADMIN_EMPLOYEES_CISCO_SECURITY \
    where ADMIN_EMPLOYEES.username ='%U' and ADMIN_EMPLOYEES.stillemployed = 1 \
    AND ADMIN_EMPLOYEES.CISCOSECURITYLEVEL = ADMIN_EMPLOYEES_CISCO_SECURITY.ID
NoDefault
AuthColumnDef 0, User-Password, check
AuthColumnDef 1, tacacsGroup, reply
</AuthBy>
<Handler NAS-Identifier=TACACS>
AuthBy ACDEmployees
</Handler>
*************************************
And here are the config lines on the cisco router:
*************************************
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa session-id common
*************************************
Thanks so much for the help!
Amanda Myer
ACD.net Network Operations
myer.amanda at acd.net
517-999-3231
Hugh Irvine wrote:
>
> Hello Amanda -
>
> I really need to see a copy of your Radiator configuration file
> together with a trace 4 debug showing what is happening.
>
> thanks and regards
>
> Hugh
>
>
> On 12 Jul 2008, at 17:12, Amanda Myer wrote:
>
>> Hello Hugh,
>>
>> Well... here is what I've got now, and it's still not working right.
>>
>> I've got it as basic as I can for now, just to see if I can get it to
>> work. I'm just trying to enable "Show" commands for now.
>>
>> In the radiator config:
>> AuthorizeGroup manager permit service=shell cmd\* {priv-lvl=1}
>> AuthorizeGroup manager permit service=shell cmd=show cmd-arg=.*
>> AuthorizeGroup manager deny .*
>>
>> On the cisco router:
>> aaa authentication login default group tacacs+ local
>> aaa authentication enable default group tacacs+ enable
>> aaa authorization exec default group tacacs+ local if-authenticated
>> aaa authorization commands 1 default group tacacs+ if-authenticated
>> aaa authorization commands 15 default group tacacs+ if-authenticated
>>
>> When the user logs in, the "show" command is not available. When
>> typing just "show" it simply says "denied".
>>
>> I'm sure this is just something silly that I've got wrong, but for
>> the life of me I don't know what it is.
>>
>>
>> Amanda Myer
>> ACD.net Network Operations
>> myer.amanda at acd.net
>> 517-999-3231
>>
>>
>>
>> Hugh Irvine wrote:
>>>
>>> Hello Amanda -
>>>
>>>
>>> Here is an example I have been testing recently:
>>>
>>>
>>> # the first line allows the login at priv-lvl=1
>>>
>>> AuthorizeGroup group1 permit service=shell cmd\* {priv-lvl=1}
>>>
>>> # the following lines only allow the execution of "show ..." and
>>> "ping ...." commands
>>>
>>> AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
>>> AuthorizeGroup group1 permit service=shell cmd=ping cmd-arg=.*
>>>
>>> # all other attempts to execute commands will be denied
>>>
>>> AuthorizeGroup group1 deny .*
>>>
>>>
>>> See also the example in "goodies/tacacsplusserver.cfg".
>>>
>>> Of course the Cisco also needs to be configured for command
>>> authorisation.
>>>
>>> Here is an example:
>>>
>>>
>>> aaa authentication login default group tacacs+ local enable
>>> aaa authentication login vty-access group tacacs+ local enable
>>> aaa authentication login console-access group tacacs+ local enable
>>> aaa authorization exec default group tacacs+ if-authenticated
>>> aaa authorization commands 1 default group tacacs+ if-authenticated
>>> aaa authorization commands 15 default group tacacs+ if-authenticated
>>> aaa accounting exec default stop-only group tacacs+
>>> aaa accounting commands 15 default stop-only group tacacs+
>>> ip tacacs source-interface Dialer0
>>> access-list 150 permit udp any host n.n.n.n eq tacacs
>>> tacacs-server host n.n.n.n key 7 04531E0107
>>> tacacs-server directed-request
>>> tacacs-server key 7 000C06010C
>>>
>>>
>>>
>>> hope that helps
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>>
>>>
>>>
>>> On 9 Jul 2008, at 04:54, Amanda Myer wrote:
>>>
>>>> Hello,
>>>>
>>>> I'm trying to pass per-command authorizations to my cisco routers
>>>> from the radiator TACACS server, but it doesn't seem to be working.
>>>>
>>>> I'm not sure if I have something configured incorrectly or what,
>>>> but this is what I have in the <ServerTACACSPLUS> tag.
>>>> AuthorizeGroup manager permit service=shell cmd=show cmd-arg=.*
>>>> AuthorizeGroup manager permit service=shell cmd=ip cmd-arg.* cmd=configure cmd-arg.*
>>>> AuthorizeGroup manager permit service=shell cmd=configure cmd-arg.*
>>>> AuthorizeGroup manager deny .*
>>>>
>>>> When I try to login to the cisco router with these settings, it
>>>> authenticates the user but then doesn't authorize them for shell
>>>> access and disconnects the user.
>>>>
>>>> This is what shows in the radiator log:
>>>>
>>>> ********************
>>>> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection request 192,
>>>> 1, 5, 0, 2433281923, 15
>>>> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection
>>>> Authentication CONTINUE 0, passwordRemoved,
>>>> Tue Jul 8 15:11:05 2008: DEBUG: TACACSPLUS derived Radius request
>>>> packet dump:
>>>> Code: Access-Request
>>>> Identifier: UNDEF
>>>> Authentic: <16><227>v<219><199>Pq'<144>"a"<143>#<239><204>
>>>> Attributes:
>>>> NAS-IP-Address = 207.179.90.131
>>>> NAS-Port-Id = "tty3"
>>>> Calling-Station-Id = "69.63.233.88"
>>>> Service-Type = Login-User
>>>> NAS-Identifier = "TACACS"
>>>> User-Name = "holcomb.frank"
>>>> User-Password = passwordRemoved
>>>>
>>>> Tue Jul 8 15:11:05 2008: DEBUG: Handling request with Handler
>>>> 'NAS-Identifier=TACACS'
>>>> Tue Jul 8 15:11:05 2008: DEBUG: Deleting session for
>>>> holcomb.frank, 207.179.90.131,
>>>> Tue Jul 8 15:11:05 2008: DEBUG: Handling with Radius::AuthSQL
>>>> Tue Jul 8 15:11:05 2008: DEBUG: Handling with Radius::AuthSQL:
>>>> ACDEmployees
>>>> Tue Jul 8 15:11:05 2008: DEBUG: Query is: 'SELECT
>>>> ADMIN_EMPLOYEES.PASSWORD,
>>>> ADMIN_EMPLOYEES_CISCO_SECURITY.DESCRIPTION from Admin_Employees,
>>>> ADMIN_EMPLOYEES_CISCO_SECURITY where ADMIN_EMPLOYEES.username
>>>> ='holcomb.frank' and ADMIN_EMPLOYEES.stillemployed = 1 AND
>>>> ADMIN_EMPLOYEES.CISCOSECURITYLEVEL =
>>>> ADMIN_EMPLOYEES_CISCO_SECURITY.ID':
>>>> Tue Jul 8 15:11:05 2008: DEBUG: Radius::AuthSQL looks for match
>>>> with holcomb.frank [holcomb.frank]
>>>> Tue Jul 8 15:11:05 2008: DEBUG: Radius::AuthSQL ACCEPT: :
>>>> holcomb.frank [holcomb.frank]
>>>> Tue Jul 8 15:11:05 2008: DEBUG: AuthBy SQL result: ACCEPT,
>>>> Tue Jul 8 15:11:05 2008: DEBUG: Access accepted for holcomb.frank
>>>> Tue Jul 8 15:11:05 2008: DEBUG: Packet dump:
>>>> *** Reply to TACACSPLUS request:
>>>> Code: Access-Accept
>>>> Identifier: UNDEF
>>>> Authentic: <16><227>v<219><199>Pq'<144>"a"<143>#<239><204>
>>>> Attributes:
>>>> tacacsGroup = manager
>>>>
>>>> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection result
>>>> Access-Accept
>>>> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection
>>>> Authentication REPLY 1, 0, ,
>>>> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection disconnected
>>>> from 207.179.90.131:11861
>>>> Tue Jul 8 15:11:05 2008: DEBUG: New TacacsplusConnection created
>>>> for 207.179.90.131:60500
>>>> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection request 192,
>>>> 2, 1, 0, 3484511561, 56
>>>> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection Authorization
>>>> REQUEST 6, 1, 1, 1, holcomb.frank, tty3, 69.63.233.88, 2,
>>>> service=shell cmd*
>>>> Tue Jul 8 15:11:05 2008: DEBUG: AuthorizeGroup rule match found:
>>>> permit .* { }
>>>> Tue Jul 8 15:11:05 2008: INFO: Authorization permitted for
>>>> holcomb.frank, group manager, args service=shell cmd*
>>>> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection Authorization
>>>> RESPONSE 1, , ,
>>>> Tue Jul 8 15:11:05 2008: DEBUG: TacacsplusConnection disconnected
>>>> from 207.179.90.131:60500
>>>> ***********************
>>>>
>>>> Thanks for any help you can provide! I'm new to radius and tacacs
>>>> so please bear with me.
>>>>
>>>> Thanks
>>>> -Amanda
>>>>
>>>> _______________________________________________
>>>> radiator mailing list
>>>> radiator at open.com.au
>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>
>>>
>>>
>>> NB:
>>>
>>> Have you read the reference manual ("doc/ref.html")?
>>> Have you searched the mailing list archive
>>> (www.open.com.au/archives/radiator)?
>>> Have you had a quick look on Google (www.google.com)?
>>> Have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>> Have you checked the RadiusExpert wiki:
>>> http://www.open.com.au/wiki/index.php/Main_Page
>>>
>>
>
>
>
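As an added example that is not part of this thread and is not Radiator's own code: a small Python model of how the AuthorizeGroup rules in the posted configuration get evaluated, run over the authorization args that appear in the trace above. It assumes Radiator tries the rules of the user's group in configuration order, searches each regexp (Perl =~ style) against the args joined with single spaces, stops at the first match, and denies when nothing matches; the trace is consistent with that, but the model is not taken from Radiator's source. The 'show-running' request is constructed; the other two are copied from the trace. Note that for the typed "show" the router logged cmd=connect cmd-arg=show, so the rule written for cmd=show never matches that string and the catch-all deny .* does.

```python
"""Model of Radiator <ServerTACACSPLUS> AuthorizeGroup matching (added example).

Assumptions (not verified against Radiator's source): rules are tried in
configuration order, the regexp is searched (Perl =~ style) against the
TACACS+ authorization args joined with single spaces, the first match wins,
and a request that matches no rule is denied.
"""
import re

# AuthorizeGroup <group> permit|deny <regexp> [{ attr=value ... }]
RULE_RE = re.compile(
    r'^AuthorizeGroup\s+(\S+)\s+(permit|deny)\s+(.*?)\s*(?:\{\s*(.*?)\s*\})?\s*$'
)


def parse_rules(config_text):
    """Return [(group, verdict, compiled_regexp, reply_attrs)] in file order."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith('AuthorizeGroup'):
            continue                      # other directives are ignored here
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError('unparseable AuthorizeGroup line: %r' % line)
        group, verdict, pattern, attrs = m.groups()
        reply = dict(kv.split('=', 1) for kv in attrs.split()) if attrs else {}
        rules.append((group, verdict, re.compile(pattern), reply))
    return rules


def authorize(rules, group, args):
    """First-match evaluation. Returns (verdict, reply_attrs, matched_pattern)."""
    joined = ' '.join(args)
    for rule_group, verdict, rx, reply in rules:
        if rule_group == group and rx.search(joined):
            return verdict, reply, rx.pattern
    return 'deny', {}, None               # assumed default when nothing matches


# The three manager rules from the posted radius.cfg (raw string keeps the \*).
MANAGER_RULES = r"""
AuthorizeGroup manager permit service=shell cmd\* {priv-lvl=1}
AuthorizeGroup manager permit service=shell cmd=show cmd-arg=.*
AuthorizeGroup manager deny .*
"""

# Authorization args: the first two are copied from the trace (exec start,
# then what the router sent when "show" was typed); the third is constructed
# to show what a fully formed show command looks like to the rules.
REQUESTS = {
    'exec-start': ['service=shell', 'cmd*'],
    'typed-show-as-logged': ['service=shell', 'cmd=connect',
                             'cmd-arg=show', 'cmd-arg=<cr>'],
    'show-running': ['service=shell', 'cmd=show',
                     'cmd-arg=running-config', 'cmd-arg=<cr>'],
}


def evaluate(config_text=MANAGER_RULES, group='manager'):
    """Run every request through the rule set; {name: (verdict, reply, pattern)}."""
    rules = parse_rules(config_text)
    return {name: authorize(rules, group, args) for name, args in REQUESTS.items()}


def deny_first_variant():
    """Same rules with the catch-all deny moved to the top: order matters."""
    lines = MANAGER_RULES.strip().splitlines()
    reordered = '\n'.join([lines[-1]] + lines[:-1])
    return evaluate(reordered)


if __name__ == '__main__':
    for name, (verdict, reply, pattern) in evaluate().items():
        print('%-22s %-6s %-18s matched %r' % (name, verdict, reply or '', pattern))
    print('with deny .* first:', {k: v[0] for k, v in deny_first_variant().items()})
```

Run it with python3; it needs nothing outside the standard library. The deny_first_variant() result is the reason the catch-all must stay last: with deny .* at the top, even the exec-start request that carries priv-lvl=1 is refused, which matches the behaviour of a first-match rule list.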