[RADIATOR] AuthorizeGroup permissions with TACACS

Hugh Irvine hugh at open.com.au
Sat Jul 12 18:53:27 CDT 2008


Hello Amanda -

The debug showing the command is this:

Sat Jul 12 05:17:05 2008: DEBUG: TacacsplusConnection Authorization REQUEST 1, 1, 1, 0, holcomb.frank, tty3, 69.63.233.88, 4, service=shell cmd=connect cmd-arg=show cmd-arg=<cr>

therefore the AuthorizeGroup should look more like this:

<ServerTACACSPLUS>
        Key cisco
        AddToRequest NAS-Identifier=TACACS

        GroupMemberAttr tacacsGroup

        AuthorizeGroup securityofficer permit service=shell cmd\* {priv-lvl=15}
        AuthorizeGroup manager permit service=shell cmd\* {priv-lvl=1}
        AuthorizeGroup user permit service=shell cmd\* {priv-lvl=1}

        AuthorizeGroup manager permit service=shell cmd=connect cmd-arg=show
        AuthorizeGroup manager deny .*

</ServerTACACSPLUS>

I don't know what the user is actually doing on the Cisco to generate  
this command, so you should probably check that this makes sense.

hope that helps

regards

Hugh


On 12 Jul 2008, at 18:56, Amanda Myer wrote:

> Here is the output from the level 4 trace on radiator:
>
> *************************************
> Sat Jul 12 05:16:43 2008: DEBUG: include /etc/radiator/zhone.cfg
> Sat Jul 12 05:16:43 2008: ERR: Could not resolve an address for Client 10.106.1.n
> Sat Jul 12 05:16:43 2008: WARNING: Could not find AuthBy clause with Identifier ZhoneAccounting
> Sat Jul 12 05:16:43 2008: DEBUG: include /etc/radiator/tacacsplusserver.cfg
> Sat Jul 12 05:16:44 2008: DEBUG: Creating TACACSPLUS port 0.0.0.0:49
> Sat Jul 12 05:16:44 2008: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
> Sat Jul 12 05:16:44 2008: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> Sat Jul 12 05:16:44 2008: DEBUG: Creating authentication port 0.0.0.0:1645
> Sat Jul 12 05:16:44 2008: DEBUG: Creating accounting port 0.0.0.0:1646
> Sat Jul 12 05:16:44 2008: NOTICE: Server started: Radiator 3.14 on radius01.acd.net
> Sat Jul 12 05:16:54 2008: DEBUG: New TacacsplusConnection created for 207.179.90.131:31057
> Sat Jul 12 05:16:54 2008: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 1109816927, 24
> Sat Jul 12 05:16:54 2008: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for , tty3, 69.63.233.88
> Sat Jul 12 05:16:54 2008: DEBUG: TacacsplusConnection Authentication REPLY 4, 0, Username: ,
> Sat Jul 12 05:16:54 2008: DEBUG: New TacacsplusConnection created for 207.179.90.131:21820
> Sat Jul 12 05:16:54 2008: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 2332082003, 27
> Sat Jul 12 05:16:54 2008: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for , tty4, 207.179.118.130
> Sat Jul 12 05:16:54 2008: DEBUG: TacacsplusConnection Authentication REPLY 4, 0, Username: ,
> Sat Jul 12 05:16:54 2008: DEBUG: TacacsplusConnection disconnected from 207.179.90.131:21820
> Sat Jul 12 05:16:59 2008: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 1109816927, 18
> Sat Jul 12 05:16:59 2008: DEBUG: TacacsplusConnection Authentication CONTINUE 0, holcomb.frank,
> Sat Jul 12 05:16:59 2008: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
> Sat Jul 12 05:17:02 2008: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 1109816927, 15
> Sat Jul 12 05:17:02 2008: DEBUG: TacacsplusConnection Authentication CONTINUE 0, removedForSecurity,
> Sat Jul 12 05:17:02 2008: DEBUG: TACACSPLUS derived Radius request packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  'a<4><205><146><135><255><161>N<163>}<18><23>7<190><127>
> Attributes:
>        NAS-IP-Address = 207.179.90.131
>        NAS-Port-Id = "tty3"
>        Calling-Station-Id = "69.63.233.88"
>        Service-Type = Login-User
>        NAS-Identifier = "TACACS"
>        User-Name = "holcomb.frank"
>        User-Password = removedForSecurity
>
> Sat Jul 12 05:17:02 2008: DEBUG: Handling request with Handler 'NAS-Identifier=TACACS'
> Sat Jul 12 05:17:02 2008: DEBUG:  Deleting session for holcomb.frank, 207.179.90.131,
> Sat Jul 12 05:17:02 2008: DEBUG: Handling with Radius::AuthSQL
> Sat Jul 12 05:17:02 2008: DEBUG: Handling with Radius::AuthSQL: ACDEmployees
> Sat Jul 12 05:17:02 2008: DEBUG: Query is: 'SELECT ADMIN_EMPLOYEES.PASSWORD, ADMIN_EMPLOYEES_CISCO_SECURITY.DESCRIPTION from Admin_Employees, ADMIN_EMPLOYEES_CISCO_SECURITY where ADMIN_EMPLOYEES.username ='holcomb.frank' and ADMIN_EMPLOYEES.stillemployed = 1 AND ADMIN_EMPLOYEES.CISCOSECURITYLEVEL = ADMIN_EMPLOYEES_CISCO_SECURITY.ID':
> Sat Jul 12 05:17:02 2008: DEBUG: Radius::AuthSQL looks for match with holcomb.frank [holcomb.frank]
> Sat Jul 12 05:17:02 2008: DEBUG: Radius::AuthSQL ACCEPT: : holcomb.frank [holcomb.frank]
> Sat Jul 12 05:17:02 2008: DEBUG: AuthBy SQL result: ACCEPT,
> Sat Jul 12 05:17:02 2008: DEBUG: Access accepted for holcomb.frank
> Sat Jul 12 05:17:02 2008: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  'a<4><205><146><135><255><161>N<163>}<18><23>7<190><127>
> Attributes:
>        tacacsGroup = manager
>
> Sat Jul 12 05:17:02 2008: DEBUG: TacacsplusConnection result Access-Accept
> Sat Jul 12 05:17:02 2008: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
> Sat Jul 12 05:17:02 2008: DEBUG: TacacsplusConnection disconnected from 207.179.90.131:31057
> Sat Jul 12 05:17:02 2008: DEBUG: New TacacsplusConnection created for 207.179.90.131:11414
> Sat Jul 12 05:17:02 2008: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 2914689011, 56
> Sat Jul 12 05:17:02 2008: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, holcomb.frank, tty3, 69.63.233.88, 2, service=shell cmd*
> Sat Jul 12 05:17:02 2008: DEBUG: AuthorizeGroup rule match found: permit service=shell cmd\* { priv-lvl=1 }
> Sat Jul 12 05:17:02 2008: INFO: Authorization permitted for holcomb.frank, group manager, args service=shell cmd*
> Sat Jul 12 05:17:02 2008: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=1
> Sat Jul 12 05:17:02 2008: DEBUG: TacacsplusConnection disconnected from 207.179.90.131:11414
> Sat Jul 12 05:17:05 2008: DEBUG: New TacacsplusConnection created for 207.179.90.131:43641
> Sat Jul 12 05:17:05 2008: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 39416169, 89
> Sat Jul 12 05:17:05 2008: DEBUG: TacacsplusConnection Authorization REQUEST 1, 1, 1, 0, holcomb.frank, tty3, 69.63.233.88, 4, service=shell cmd=connect cmd-arg=show cmd-arg=<cr>
> Sat Jul 12 05:17:05 2008: DEBUG: AuthorizeGroup rule match found: deny .* {  }
> Sat Jul 12 05:17:05 2008: INFO: Authorization denied for holcomb.frank, group manager, args service=shell cmd=connect cmd-arg=show cmd-arg=<cr>
> Sat Jul 12 05:17:05 2008: DEBUG: TacacsplusConnection Authorization RESPONSE 16, denied, ,
> Sat Jul 12 05:17:05 2008: DEBUG: TacacsplusConnection disconnected from 207.179.90.131:43641
> *************************************
>
> Here is the config on radiator:
> *************************************
> LogDir          /var/log/radius
> DbDir           /etc/radiator
> Trace           4
> <ServerTACACSPLUS>
>        Key cisco
>        AddToRequest NAS-Identifier=TACACS
>
>        GroupMemberAttr tacacsGroup
>
>        AuthorizeGroup securityofficer permit service=shell cmd\* {priv-lvl=15}
>        AuthorizeGroup manager permit service=shell cmd\* {priv-lvl=1}
>        AuthorizeGroup user permit service=shell cmd\* {priv-lvl=1}
>
>        AuthorizeGroup manager permit service=shell cmd=show cmd-arg=.*
>        AuthorizeGroup manager deny .*
>
> </ServerTACACSPLUS>
>
> # ======================
> # Queries for ACD Employees
> # ======================
> #
> <AuthBy SQL>
>        Identifier      ACDEmployees
>        DBSource        dbi:Sybase:server=MASIADOS;database=support7
>        DBUsername      radiator
>        DBAuth          removedForSecurity
>        FailureBackoffTime      60
>
>        AuthSelect      SELECT ADMIN_EMPLOYEES.PASSWORD, ADMIN_EMPLOYEES_CISCO_SECURITY.DESCRIPTION \
>                                from Admin_Employees, ADMIN_EMPLOYEES_CISCO_SECURITY \
>                                where ADMIN_EMPLOYEES.username ='%U' and ADMIN_EMPLOYEES.stillemployed = 1 \
>                                AND ADMIN_EMPLOYEES.CISCOSECURITYLEVEL = ADMIN_EMPLOYEES_CISCO_SECURITY.ID
>
>        NoDefault
>        AuthColumnDef 0, User-Password, check
>        AuthColumnDef 1, tacacsGroup, reply
> </AuthBy>
>
> <Handler NAS-Identifier=TACACS>
>        AuthBy ACDEmployees
> </Handler>
> *************************************
>
> And here are the config lines on the cisco router:
> *************************************
> aaa new-model
> aaa authentication login default group tacacs+ local
> aaa authorization exec default group tacacs+ local if-authenticated
> aaa authorization commands 1 default group tacacs+ if-authenticated
> aaa authorization commands 15 default group tacacs+ if-authenticated
> aaa session-id common
> *************************************
>
> Thanks so much for the help!
>
>
>
>
> Amanda Myer
> ACD.net Network Operations
> myer.amanda at acd.net
> 517-999-3231
>
>
>
> Hugh Irvine wrote:
>>
>> Hello Amanda -
>>
>> I really need to see a copy of your Radiator configuration file  
>> together with a trace 4 debug showing what is happening.
>>
>> thanks and regards
>>
>> Hugh
>>
>>
>> On 12 Jul 2008, at 17:12, Amanda Myer wrote:
>>
>>> Hello Hugh,
>>>
>>> Well.. here is what I've got now and it's still not working right.
>>>
>>> I've got it as basic as I can for now, just to see if I can get  
>>> it to work.  I'm just trying to enable "Show" commands for now.
>>>
>>> In the radiator config:
>>>        AuthorizeGroup manager permit service=shell cmd\* {priv-lvl=1}
>>>        AuthorizeGroup manager permit service=shell cmd=show cmd-arg=.*
>>>        AuthorizeGroup manager deny .*
>>>
>>> On the cisco router:
>>> aaa authentication login default group tacacs+ local
>>> aaa authentication enable default group tacacs+ enable
>>> aaa authorization exec default group tacacs+ local if-authenticated
>>> aaa authorization commands 1 default group tacacs+ if-authenticated
>>> aaa authorization commands 15 default group tacacs+ if-authenticated
>>>
>>> When the user logs in, the "show" command is not available.  When  
>>> typing just "show" it simply says "denied".
>>>
>>> I'm sure this is just something silly that I've got wrong, but  
>>> for the life of me I don't know what it is.
>>>
>>>
>>> Amanda Myer
>>> ACD.net Network Operations
>>> myer.amanda at acd.net
>>> 517-999-3231
>>>
>>>
>>>
>>> Hugh Irvine wrote:
>>>>
>>>> Hello Amanda -
>>>>
>>>>
>>>> Here is an example I have been testing recently:
>>>>
>>>>
>>>> # the first line allows the login at priv-lvl=1
>>>>
>>>>         AuthorizeGroup group1 permit service=shell cmd\* {priv-lvl=1}
>>>>
>>>> # the following lines only allow the execution of "show ..." and "ping ...." commands
>>>>
>>>>         AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
>>>>         AuthorizeGroup group1 permit service=shell cmd=ping cmd-arg=.*
>>>>
>>>> # all other attempts to execute commands will be denied
>>>>
>>>>         AuthorizeGroup group1 deny .*
>>>>
>>>>
>>>> See also the example in "goodies/tacacsplusserver.cfg".
>>>>
>>>> Of course the Cisco also needs to be configured for command  
>>>> authorisation.
>>>>
>>>> Here is an example:
>>>>
>>>>
>>>> aaa authentication login default group tacacs+ local enable
>>>> aaa authentication login vty-access group tacacs+ local enable
>>>> aaa authentication login console-access group tacacs+ local enable
>>>> aaa authorization exec default group tacacs+ if-authenticated
>>>> aaa authorization commands 1 default group tacacs+ if-authenticated
>>>> aaa authorization commands 15 default group tacacs+ if-authenticated
>>>> aaa accounting exec default stop-only group tacacs+
>>>> aaa accounting commands 15 default stop-only group tacacs+
>>>> ip tacacs source-interface Dialer0
>>>> access-list 150 permit udp any host n.n.n.n eq tacacs
>>>> tacacs-server host n.n.n.n key 7 04531E0107
>>>> tacacs-server directed-request
>>>> tacacs-server key 7 000C06010C
>>>>
>>>>
>>>>
>>>> hope that helps
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 9 Jul 2008, at 04:54, Amanda Myer wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I'm trying to pass per command authorizations to my cisco  
>>>>> routers from the radiator TACACS server but it doesn't seem to  
>>>>> be working.
>>>>>
>>>>> I'm not sure if I have something configured incorrectly or  
>>>>> what, but this is what I have in the <ServerTACACSPLUS> tag.
>>>>>        AuthorizeGroup manager permit service=shell cmd=show cmd-arg=.*
>>>>>        AuthorizeGroup manager permit service=shell cmd=ip cmd-arg.* cmd=configure cmd-arg.*
>>>>>        AuthorizeGroup manager permit service=shell cmd=configure cmd-arg.*
>>>>>        AuthorizeGroup manager deny .*
>>>>>
>>>>> When I try to login to the cisco router with these settings, it  
>>>>> authenticates the user but then doesn't authorize them for  
>>>>> shell access and disconnects the user.
>>>>>
>>>>> This is what shows in the radiator log:
>>>>>
>>>>> ********************
>>>>> Tue Jul  8 15:11:05 2008: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 2433281923, 15
>>>>> Tue Jul  8 15:11:05 2008: DEBUG: TacacsplusConnection Authentication CONTINUE 0, passwordRemoved,
>>>>> Tue Jul  8 15:11:05 2008: DEBUG: TACACSPLUS derived Radius request packet dump:
>>>>> Code:       Access-Request
>>>>> Identifier: UNDEF
>>>>> Authentic:  <16><227>v<219><199>Pq'<144>"a"<143>#<239><204>
>>>>> Attributes:
>>>>>        NAS-IP-Address = 207.179.90.131
>>>>>        NAS-Port-Id = "tty3"
>>>>>        Calling-Station-Id = "69.63.233.88"
>>>>>        Service-Type = Login-User
>>>>>        NAS-Identifier = "TACACS"
>>>>>        User-Name = "holcomb.frank"
>>>>>        User-Password = passwordRemoved
>>>>>
>>>>> Tue Jul  8 15:11:05 2008: DEBUG: Handling request with Handler 'NAS-Identifier=TACACS'
>>>>> Tue Jul  8 15:11:05 2008: DEBUG:  Deleting session for holcomb.frank, 207.179.90.131,
>>>>> Tue Jul  8 15:11:05 2008: DEBUG: Handling with Radius::AuthSQL
>>>>> Tue Jul  8 15:11:05 2008: DEBUG: Handling with Radius::AuthSQL: ACDEmployees
>>>>> Tue Jul  8 15:11:05 2008: DEBUG: Query is: 'SELECT ADMIN_EMPLOYEES.PASSWORD, ADMIN_EMPLOYEES_CISCO_SECURITY.DESCRIPTION from Admin_Employees, ADMIN_EMPLOYEES_CISCO_SECURITY where ADMIN_EMPLOYEES.username ='holcomb.frank' and ADMIN_EMPLOYEES.stillemployed = 1 AND ADMIN_EMPLOYEES.CISCOSECURITYLEVEL = ADMIN_EMPLOYEES_CISCO_SECURITY.ID':
>>>>> Tue Jul  8 15:11:05 2008: DEBUG: Radius::AuthSQL looks for match with holcomb.frank [holcomb.frank]
>>>>> Tue Jul  8 15:11:05 2008: DEBUG: Radius::AuthSQL ACCEPT: : holcomb.frank [holcomb.frank]
>>>>> Tue Jul  8 15:11:05 2008: DEBUG: AuthBy SQL result: ACCEPT,
>>>>> Tue Jul  8 15:11:05 2008: DEBUG: Access accepted for holcomb.frank
>>>>> Tue Jul  8 15:11:05 2008: DEBUG: Packet dump:
>>>>> *** Reply to TACACSPLUS request:
>>>>> Code:       Access-Accept
>>>>> Identifier: UNDEF
>>>>> Authentic:  <16><227>v<219><199>Pq'<144>"a"<143>#<239><204>
>>>>> Attributes:
>>>>>        tacacsGroup = manager
>>>>>
>>>>> Tue Jul  8 15:11:05 2008: DEBUG: TacacsplusConnection result Access-Accept
>>>>> Tue Jul  8 15:11:05 2008: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
>>>>> Tue Jul  8 15:11:05 2008: DEBUG: TacacsplusConnection disconnected from 207.179.90.131:11861
>>>>> Tue Jul  8 15:11:05 2008: DEBUG: New TacacsplusConnection created for 207.179.90.131:60500
>>>>> Tue Jul  8 15:11:05 2008: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 3484511561, 56
>>>>> Tue Jul  8 15:11:05 2008: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, holcomb.frank, tty3, 69.63.233.88, 2, service=shell cmd*
>>>>> Tue Jul  8 15:11:05 2008: DEBUG: AuthorizeGroup rule match found: permit .* {  }
>>>>> Tue Jul  8 15:11:05 2008: INFO: Authorization permitted for holcomb.frank, group manager, args service=shell cmd*
>>>>> Tue Jul  8 15:11:05 2008: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
>>>>> Tue Jul  8 15:11:05 2008: DEBUG: TacacsplusConnection disconnected from 207.179.90.131:60500
>>>>> ***********************
>>>>>
>>>>> Thanks for any help you can provide!  I'm new to radius and  
>>>>> tacacs so please bear with me.
>>>>>
>>>>> Thanks
>>>>> -Amanda
>>>>>
>>>>> _______________________________________________
>>>>> radiator mailing list
>>>>> radiator at open.com.au
>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>
>>>>
>>>>
>>>> NB:
>>>>
>>>> Have you read the reference manual ("doc/ref.html")?
>>>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>>>> Have you had a quick look on Google (www.google.com)?
>>>> Have you included a copy of your configuration file (no secrets),
>>>> together with a trace 4 debug showing what is happening?
>>>> Have you checked the RadiusExpert wiki:
>>>> http://www.open.com.au/wiki/index.php/Main_Page
>>>>
>>>
>>
>>
>>
>>
>




-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
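
Added example, not part of the original thread and not Radiator's own code: a simplified Python model of AuthorizeGroup evaluation that replays the two authorization requests from the trace against the posted rule set and the suggested one, plus one constructed "show" request. Assumptions, chosen to be consistent with the "rule match found" lines in the trace: each pattern is an unanchored regular expression applied to the request argument in the same position, rules are tried in config order and the first match decides, arguments beyond the last pattern are ignored, and a rule with more patterns than the request has arguments does not match. The names authorize, BEFORE and AFTER are hypothetical.

```python
import re

# Rules for group "manager" in config order: (action, [patterns]).
# BEFORE: the rule set in the posted configuration.
BEFORE = [
    ("permit", [r"service=shell", r"cmd\*"]),
    ("permit", [r"service=shell", r"cmd=show", r"cmd-arg=.*"]),
    ("deny",   [r".*"]),
]
# AFTER: the rule set suggested in the reply.
AFTER = [
    ("permit", [r"service=shell", r"cmd\*"]),
    ("permit", [r"service=shell", r"cmd=connect", r"cmd-arg=show"]),
    ("deny",   [r".*"]),
]

def authorize(rules, args):
    """Return (action, matched_rule_text) for the first matching rule.

    Assumed model: pattern i is searched in argument i; a rule with more
    patterns than the request has arguments is skipped.
    """
    for action, patterns in rules:
        if len(patterns) > len(args):
            continue
        if all(re.search(p, a) for p, a in zip(patterns, args)):
            return action, " ".join(patterns)
    return "no-match", None  # what the server does here is not modelled

# Argument lists as printed in the trace (split on whitespace).
LOGIN = "service=shell cmd*".split()
CONNECT = "service=shell cmd=connect cmd-arg=show cmd-arg=<cr>".split()
# Constructed request, not from the trace: a device that sends cmd=show.
SHOW = "service=shell cmd=show cmd-arg=version cmd-arg=<cr>".split()

def compare(args):
    """Decision under both rule sets, for a quick regression check."""
    return authorize(BEFORE, args)[0], authorize(AFTER, args)[0]

if __name__ == "__main__":
    for name, args in (("login", LOGIN), ("connect", CONNECT), ("show", SHOW)):
        before, after = compare(args)
        print(f"{name:8} before={before:7} after={after:7} args={' '.join(args)}")
```

Under these assumptions the request from the trace falls through to "deny .*" with the posted rules because its second argument is cmd=connect rather than cmd=show, and the suggested rule set in turn denies a request that really does carry cmd=show, so both rules may be wanted depending on what the device sends.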



