[RADIATOR] Experiences with using Radiator to act as TACACS server?
ehodge at mmm.com
Tue Nov 18 12:39:06 CST 2008
Hi everyone,
My coworkers and I are trying to configure Radiator to act as a TACACS+
server, converting TACACS+ requests into RADIUS requests.
Our main goal is to use Radiator for admin authentication attempts to Cisco
devices: switches, routers, IOS wireless access points.
We want the Radiator/TACACS to return a privilege level of 15, so that
users enter read-write mode immediately upon login.
We have the following configuration piece added to Radiator:
<ServerTACACSPLUS>
Key 1qaz8ik,4rfv3edc6yhn5tgb7ujm2wsx
Port 49
AuthorizationAdd aironet:admin-capability=ident+admin+write
AuthorizationAdd service=shell cmd\* {priv-lvl=15}
</ServerTACACSPLUS>
I'm currently testing with the IOS wireless AP's web interface login. When
running debugs on the AP and viewing the Radiator logs, it appears that the
AP receives a "PASS", but it seems to receive the value in a format that it
can't process, because I'm prompted for a web login all over again. Here's
a piece of the AP debug:
*Mar 1 00:06:14.000: TPLUS: Queuing AAA Authorization request 0 for processing
*Mar 1 00:06:14.000: TPLUS: processing authorization request id 0
*Mar 1 00:06:14.001: TPLUS: Inappropriate protocol: 23
*Mar 1 00:06:14.001: TPLUS: Sending AV service=shell
*Mar 1 00:06:14.001: TPLUS: Sending AV cmd*
*Mar 1 00:06:14.001: TPLUS: Authorization request created for 0(User0001)
*Mar 1 00:06:14.002: TPLUS: Using server 10.0.0.4
*Mar 1 00:06:14.002: TPLUS(00000000)/0/NB_WAIT/BBB9BC: Started 5 sec timeout
*Mar 1 00:06:14.004: TPLUS(00000000)/0/NB_WAIT: socket event 2
*Mar 1 00:06:14.004: TPLUS(00000000)/0/NB_WAIT: wrote entire 46 bytes request
*Mar 1 00:06:14.004: TPLUS(00000000)/0/READ: socket event 1
*Mar 1 00:06:14.004: TPLUS(00000000)/0/READ: Would block while reading
*Mar 1 00:06:14.008: TPLUS(00000000)/0/READ: socket event 1
*Mar 1 00:06:14.008: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 39 bytes data)
*Mar 1 00:06:14.008: TPLUS(00000000)/0/READ: socket event 1
*Mar 1 00:06:14.008: TPLUS(00000000)/0/READ: read entire 51 bytes response
*Mar 1 00:06:14.008: TPLUS(00000000)/0/BBB9BC: Processing the reply packet
*Mar 1 00:06:14.009: TPLUS (00000000): Got response service = INVALID value Converted to NO_TYPE
*Mar 1 00:06:14.009: TPLUS: Processed AV service=shell cmd* {priv-lvl=15}
*Mar 1 00:06:14.009: TPLUS: received authorization response for 0: PASS
And a piece of the TACACS log:
Fri Nov 14 01:47:30 2008: DEBUG: STEP1: completed; bound to LDAP as utility user
Fri Nov 14 01:47:30 2008: DEBUG: STEP2: completed; have distinguished name of user.
Fri Nov 14 01:47:30 2008: DEBUG: STEP3: completed; bound to LDAP as user.
Fri Nov 14 01:47:30 2008: DEBUG: STEP4: found user in group GROUPOPS
Fri Nov 14 01:47:30 2008: DEBUG: STEP4: completed; searched 1 groups for user membership.
Fri Nov 14 01:47:30 2008: DEBUG: AuthBy ADAM result: ACCEPT,
Fri Nov 14 01:47:30 2008: DEBUG: Access accepted for User0001
Fri Nov 14 01:47:30 2008: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code: Access-Accept
Identifier: UNDEF
Authentic: <223><139>s<145>"l<152><147>S<141><165><226>$<137><11>P
Attributes:
Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection result Access-Accept
Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection disconnected from 10.0.0.2:11003
Fri Nov 14 01:47:30 2008: DEBUG: New TacacsplusConnection created for 10.0.0.2:11004
Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 409174207, 34
Fri Nov 14 01:47:30 2008: DEBUG: TacacsPlus request packet dump: <dump removed>
Fri Nov 14 01:47:30 2008: DEBUG: Decrypting TacacsPlus request
Fri Nov 14 01:47:30 2008: DEBUG: TacacsPlus request decrypted body: < removed >
Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection Authorization REQUEST 1, 1, 0, 0, User0001, , , 2, service=shell cmd*
Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , service=shell cmd* {priv-lvl=15}
Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection disconnected from 10.0.0.2:11004
Has anyone gone through this process for their Cisco network devices?
Would you mind sharing your TACACS config piece? We're wondering if we
formatted the config incorrectly; we're pretty new to TACACS...
And even more specifically, has anyone tried to make this work for the
Cisco IOS wireless AP's web interface - could you make admin authentication
work for the web login?
Thanks!
Regards,
Emily
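Added example (not from the original post, nor Radiator or Cisco code): a small encoder/decoder for the TACACS+ authorization REPLY body as laid out in RFC 8907 section 6.2, used to compare the single argument the Radiator log shows being returned with the same attributes carried as three separate arguments. The byte strings are constructed here to mirror the AV pairs in the logs above; the 39-byte length of the single-argument body is the only value checked against the page.

```python
"""Decode a TACACS+ authorization REPLY body (RFC 8907 section 6.2 layout).
Constructed example: the byte strings mirror the AV pairs in this page's logs; not captured traffic."""
import struct
AUTHOR_STATUS_PASS_ADD = 0x01  # TAC_PLUS_AUTHOR_STATUS_PASS_ADD

def build_author_reply(status, args, server_msg=b"", data=b""):
    """Serialise a (decrypted) REPLY body: fixed fields, one length byte per arg, then the strings."""
    head = struct.pack("!BBHH", status, len(args), len(server_msg), len(data))
    return head + bytes(len(a) for a in args) + server_msg + data + b"".join(args)

def parse_author_reply(body):
    """Split a REPLY body back into status, server_msg, data and its argument list."""
    status, arg_cnt, msg_len, data_len = struct.unpack_from("!BBHH", body, 0)
    pos = 6
    arg_lens = list(body[pos:pos + arg_cnt])
    pos += arg_cnt
    server_msg, pos = body[pos:pos + msg_len], pos + msg_len
    data, pos = body[pos:pos + data_len], pos + data_len
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode("ascii"))
        pos += n
    if pos != len(body):  # the declared lengths must account for every byte
        raise ValueError("REPLY body length does not match its declared fields")
    return {"status": status, "server_msg": server_msg, "data": data, "args": args}

def av_pairs(args):
    """Map attr -> (value, mandatory); the first '=' (mandatory) or '*' (optional) splits an arg."""
    out = {}
    for a in args:
        i = min((a.index(c) for c in "=*" if c in a), default=-1)
        if i < 0:
            raise ValueError(f"argument without separator: {a!r}")
        out[a[:i]] = (a[i + 1:], a[i] == "=")
    return out

def privilege_level(body):
    """The priv-lvl an IOS device could act on from this reply, or None if absent or malformed."""
    v = av_pairs(parse_author_reply(body)["args"]).get("priv-lvl")
    return int(v[0]) if v and v[0].isdigit() else None

# One 32-byte arg, as in the Radiator log: body is 6 + 1 + 32 = 39 bytes, the AP's "expect 39 bytes data".
AS_LOGGED = build_author_reply(AUTHOR_STATUS_PASS_ADD, [b"service=shell cmd* {priv-lvl=15}"])
# The same attributes as three separate arguments, which is how the protocol carries them.
SEPARATE = build_author_reply(AUTHOR_STATUS_PASS_ADD, [b"service=shell", b"cmd*", b"priv-lvl=15"])

if __name__ == "__main__":
    for name, body in (("as logged", AS_LOGGED), ("separate", SEPARATE)):
        print(name, len(body), av_pairs(parse_author_reply(body)["args"]), privilege_level(body))
```

Run as-is, the single-argument body decodes to one attribute named `service` whose value is the rest of the string, so no `priv-lvl` is found; the three-argument body yields privilege level 15.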