[RADIATOR] Experiences with using Radiator to act as TACACS server?

Hugh Irvine hugh at open.com.au
Tue Nov 18 16:32:57 CST 2008


Hello again -

It has been pointed out to me that you might want to simply use AuthorizationAdd without groups, and in that case your second line is incorrect.

The AuthorizationAdd does not support regexps.

See section 5.83.5 in the manual.

Apologies for any confusion.

regards

Hugh


On 19 Nov 2008, at 09:22, Hugh Irvine wrote:

>
> Hello Emily -
>
> I think you want AuthorizeGroup rather than AuthorizationAdd, and you will also need to specify the attribute that will be used to carry the group information.
>
> See sections 5.83.9 and 5.83.10 in the Radiator 4.3.1 reference manual ("doc/ref.pdf").
>
> There is also an example configuration file in "goodies/tacacsplusserver.cfg" in the Radiator distribution.
>
> regards
>
> Hugh
>
>
>
> On 19 Nov 2008, at 05:39, ehodge at mmm.com wrote:
>
>>
>> Hi everyone,
>>
>> My coworkers and I are trying to configure Radiator to act as a TACACS+ server, converting TACACS+ requests into RADIUS requests.
>>
>> Our main goal is to use Radiator for admin authentication attempts to Cisco devices: switches, routers, IOS wireless access points.
>>
>> We want the Radiator/TACACS to return a privilege level of 15, so that users enter read-write mode immediately upon login.
>>
>> We have the following configuration piece added to Radiator:
>>
>>  <ServerTACACSPLUS>
>>     Key    1qaz8ik,4rfv3edc6yhn5tgb7ujm2wsx
>>     Port   49
>>     AuthorizationAdd  aironet:admin-capability=ident+admin+write
>>     AuthorizationAdd  service=shell cmd\* {priv-lvl=15}
>>  </ServerTACACSPLUS>
>>
>> I'm currently testing with the IOS wireless AP's web interface login.  When running debugs on the AP and viewing the Radiator logs, it appears that the AP receives a "PASS", but it seems to receive the value in a format that it can't process, because I'm prompted for a web login all over again.  Here's a piece of the AP debug:
>>
>>  *Mar  1 00:06:14.000: TPLUS: Queuing AAA Authorization request 0 for processing
>>  *Mar  1 00:06:14.000: TPLUS: processing authorization request id 0
>>  *Mar  1 00:06:14.001: TPLUS: Inappropriate protocol: 23
>>  *Mar  1 00:06:14.001: TPLUS: Sending AV service=shell
>>  *Mar  1 00:06:14.001: TPLUS: Sending AV cmd*
>>  *Mar  1 00:06:14.001: TPLUS: Authorization request created for 0(User0001)
>>  *Mar  1 00:06:14.002: TPLUS: Using server 10.0.0.4
>>  *Mar  1 00:06:14.002: TPLUS(00000000)/0/NB_WAIT/BBB9BC: Started 5 sec timeout
>>  *Mar  1 00:06:14.004: TPLUS(00000000)/0/NB_WAIT: socket event 2
>>  *Mar  1 00:06:14.004: TPLUS(00000000)/0/NB_WAIT: wrote entire 46 bytes request
>>  *Mar  1 00:06:14.004: TPLUS(00000000)/0/READ: socket event 1
>>  *Mar  1 00:06:14.004: TPLUS(00000000)/0/READ: Would block while reading
>>  *Mar  1 00:06:14.008: TPLUS(00000000)/0/READ: socket event 1
>>  *Mar  1 00:06:14.008: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 39 bytes data)
>>  *Mar  1 00:06:14.008: TPLUS(00000000)/0/READ: socket event 1
>>  *Mar  1 00:06:14.008: TPLUS(00000000)/0/READ: read entire 51 bytes response
>>  *Mar  1 00:06:14.008: TPLUS(00000000)/0/BBB9BC: Processing the reply packet
>>  *Mar  1 00:06:14.009: TPLUS (00000000): Got response service = INVALID value Converted to NO_TYPE
>>  *Mar  1 00:06:14.009: TPLUS: Processed AV service=shell cmd* {priv-lvl=15}
>>  *Mar  1 00:06:14.009: TPLUS: received authorization response for 0: PASS
>>
>> And a piece of the TACACS log:
>>
>>  Fri Nov 14 01:47:30 2008: DEBUG: STEP1: completed; bound to LDAP as utility user
>>  Fri Nov 14 01:47:30 2008: DEBUG: STEP2: completed; have distinguished name of user.
>>  Fri Nov 14 01:47:30 2008: DEBUG: STEP3: completed; bound to LDAP as user.
>>  Fri Nov 14 01:47:30 2008: DEBUG: STEP4: found user in group GROUPOPS
>>  Fri Nov 14 01:47:30 2008: DEBUG: STEP4: completed; searched 1 groups for user membership.
>>  Fri Nov 14 01:47:30 2008: DEBUG: AuthBy ADAM result: ACCEPT,
>>  Fri Nov 14 01:47:30 2008: DEBUG: Access accepted for User0001
>>  Fri Nov 14 01:47:30 2008: DEBUG: Packet dump:
>>  *** Reply to TACACSPLUS request:
>>  Code:       Access-Accept
>>  Identifier: UNDEF
>>  Authentic:  <223><139>s<145>"l<152><147>S<141><165><226>$<137><11>P
>>  Attributes:
>>
>>  Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection result Access-Accept
>>  Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
>>  Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection disconnected from 10.0.0.2:11003
>>  Fri Nov 14 01:47:30 2008: DEBUG: New TacacsplusConnection created for 10.0.0.2:11004
>>  Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 409174207, 34
>>  Fri Nov 14 01:47:30 2008: DEBUG: TacacsPlus request packet dump: <dump removed>
>>  Fri Nov 14 01:47:30 2008: DEBUG: Decrypting TacacsPlus request
>>  Fri Nov 14 01:47:30 2008: DEBUG: TacacsPlus request decrypted body: < removed >
>>  Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection Authorization REQUEST 1, 1, 0, 0, User0001, , , 2, service=shell cmd*
>>  Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , service=shell cmd* {priv-lvl=15}
>>  Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection disconnected from 10.0.0.2:11004
>>
>> Has anyone gone through this process for their Cisco network devices? Would you mind sharing your TACACS config piece?  We're wondering if we formatted the config incorrectly; we're pretty new to TACACS...
>>
>> And even more specifically, has anyone tried to make this work for the Cisco IOS wireless AP's web interface - could you make admin authentication work for the web login??
>>
>> Thanks!
>>
>> Regards,
>>
>> Emily
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
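Added example, not code from Radiator or from either poster: a small Python validator for TACACS+ authorization attribute-value pairs, using the syntax from RFC 8907 section 8.2 (attr=value is mandatory, attr*value is optional; the separator is the first '=' or '*' in the argument). Run over the REQUEST and RESPONSE arguments exactly as they appear in the quoted Radiator log, it rejects the literal '{priv-lvl=15}' argument because '{priv-lvl' is not a valid attribute name, and likewise rejects the regex-style 'cmd\*' from the config; a reply consisting only of plain AV pairs such as 'priv-lvl=15' passes. The RESPONSE_WELL_FORMED value, the attribute-name token rule and the check_shell_reply checks are assumptions about what a strict device-side parser expects, not a description of how IOS or Radiator actually handle the reply.

```python
"""Validate TACACS+ authorization attribute-value pairs.

Added example, not from the Radiator project or from the posters in this thread.
Syntax follows RFC 8907 section 8.2: each argument is "attr=value" (mandatory)
or "attr*value" (optional); the separator is the first '=' or '*' in the string.
The sample arguments below are the ones visible in the quoted log lines.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class AVPair(NamedTuple):
    attr: str
    value: str
    mandatory: bool  # True for '=', False for '*'


# Assumed attribute-name rule: a token of letters, digits, '-' and '_'
# (no braces, backslashes, quotes or whitespace).
_ATTR_RE = re.compile(r'^[A-Za-z0-9_-]+$')


def parse_av(arg: str) -> Optional[AVPair]:
    """Parse one argument; None if there is no separator or the attribute is not a token."""
    # The separator is the first '=' or '*'; the value may itself contain either character.
    idx = min((i for i, c in enumerate(arg) if c in '=*'), default=-1)
    if idx < 1:  # no separator, or empty attribute name
        return None
    attr, sep, value = arg[:idx], arg[idx], arg[idx + 1:]
    if not _ATTR_RE.match(attr):
        return None
    return AVPair(attr, value, sep == '=')


def parse_args(args: List[str]) -> Tuple[List[AVPair], List[str]]:
    """Parse every argument; return (valid pairs, rejected raw strings) so callers can log both."""
    good, bad = [], []
    for a in args:
        p = parse_av(a)
        if p is None:
            bad.append(a)
        else:
            good.append(p)
    return good, bad


def check_shell_reply(request: List[str], reply: List[str]) -> List[str]:
    """Return the problems found in an authorization reply for a service=shell request.

    Checks applied (assumed strict-parser behaviour, based on RFC 8907 sections 8.2 and 8.3):
      - the request must carry service=shell
      - every reply argument must be a syntactically valid AV pair
      - priv-lvl, if present, must be an integer in 0..15
    """
    problems = []
    req_pairs, req_bad = parse_args(request)
    problems += [f'malformed request argument: {a!r}' for a in req_bad]
    service = next((p.value for p in req_pairs if p.attr == 'service'), None)
    if service != 'shell':
        problems.append(f'not a shell authorization request (service={service!r})')
    rep_pairs, rep_bad = parse_args(reply)
    problems += [f'malformed reply argument: {a!r}' for a in rep_bad]
    for p in rep_pairs:
        if p.attr == 'priv-lvl' and not (p.value.isdigit() and 0 <= int(p.value) <= 15):
            problems.append(f'priv-lvl out of range: {p.value!r}')
    return problems


# Constructed from the Authorization REQUEST / RESPONSE lines quoted in the thread.
REQUEST_ARGS = ['service=shell', 'cmd*']
RESPONSE_AS_LOGGED = ['service=shell', 'cmd*', '{priv-lvl=15}']
# Assumed well-formed reply: only plain AV pairs, carrying the privilege level the poster wanted.
RESPONSE_WELL_FORMED = ['priv-lvl=15']

if __name__ == '__main__':
    print(parse_av('cmd*'))                                       # optional pair, empty value
    print(parse_av('cmd\\*'))                                     # None: backslash is not a valid attr char
    print(check_shell_reply(REQUEST_ARGS, RESPONSE_AS_LOGGED))    # one malformed-argument problem
    print(check_shell_reply(REQUEST_ARGS, RESPONSE_WELL_FORMED))  # []
```

The parser deliberately refuses anything that is not attr=value or attr*value rather than trying to guess, which is the safer behaviour for a device applying privilege levels: an authorization reply that cannot be parsed should not quietly grant access.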
