[RADIATOR] BUG in ServerTACACSPLUS.pm - not processing client related attributes

Ranko Zivojnovic Ranko.Zivojnovic at spidernet.com
Wed Apr 8 06:18:17 CDT 2009


Hello Hugh,

No - the problem is not fixed in the patchset.

Your modified patch calls inet_pton() in the new() in order to find the
client key so it can decrypt the payload. However - that part was working
even without the inet_pton() call.

The problem for my setup is happening in dispatch_radius_request() where it
is supposed to use the client settings to manipulate Request/Reply.

If I use the same piece of code you have used in the patch for the new()
function to find the client in dispatch_radius_request() the problem nicely
disappears.

Thanks and best regards,

Ranko

> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: 07 April 2009 10:22
> To: Ranko Zivojnovic
> Cc: 'radiator at open.com.au'
> Subject: Re: [RADIATOR] BUG in ServerTACACSPLUS.pm - not processing
> client related attributes
> 
> 
> Hello Ranko -
> 
> We still have not been able to reproduce the problem, but we have
> added a modified version of your patch anyway.
> 
> Would you please download and install the latest Radiator 4.4 patches
> and test it for us?
> 
> Please let us know how you get on.
> 
> regards
> 
> Hugh
> 
> 
> On 6 Apr 2009, at 16:23, Ranko Zivojnovic wrote:
> 
> > Hello Hugh,
> >
> > Below is a test configuration and logfiles (some things obfuscated).
> >
> > Logfile1 shows the output of the stock 4.4 Radiator - you will note the
> > message "WARNING: TacacsplusConnection could not find a Handler".
> >
> > Testing showed that $self->{peeraddr} in
> > ServerTACACSPLUS.pm:dispatch_radius_request() is a text format IP address
> > and in order for &Radius::Client::findAddress() to actually find the client
> > it must be first converted with inet_pton().
> >
> > The simple patch I've sent in my previous message fixes this issue for me -
> > but the problem could originate elsewhere.
> >
> > Logfile2 shows correct operation with the patch applied.
> >
> > If you need any other info - please let me know.
> >
> > Best regards,
> >
> > Ranko
> >
> > ---cut:test.cfg---
> > LogDir          /var/log/radius
> > DbDir           /etc/radiator
> > Trace           4
> > BindAddress 10.11.12.13
> > AuthPort 1645,1812
> > AcctPort 1646,1813
> >
> > <ClientListLDAP>
> >        include %D/ldap.cfg
> >        BaseDN ou=Hosts, dc=example, dc=net
> >        RefreshPeriod 1800
> > </ClientListLDAP>
> >
> > <Handler HostType=TypeA>
> > #*snip*
> > </Handler>
> >
> > <Handler HostType=TypeB>
> > #*snip*
> > </Handler>
> >
> > <Handler HostType=TypeC>
> > #*snip*
> > </Handler>
> >
> > <Handler HostType=CiscoRouter>
> >        AcctLogFileName %L/Cisco.log
> >        <AuthBy GROUP>
> >                AuthByPolicy ContinueWhileReject
> >                <AuthBy GROUP>
> >                        AuthByPolicy ContinueWhileAccept
> >                        <AuthBy LDAP2>
> >                                include %D/ldap.cfg
> >                                BaseDN ou=groups, dc=example, dc=net
> >                                UsernameAttr memberUid
> >                                SearchFilter (&(cn=cisco-admins)(%0=%1))
> >                                NoCheckPassword
> >                        </AuthBy>
> >                        <AuthBy LDAP2>
> >                                include %D/ldap.cfg
> >                                BaseDN ou=users, dc=example, dc=net
> >                                AddToReply Service-Type = Administrative-User, Idle-Timeout = 900, tacacsgroup=admins
> >                                AuthAttrDef host,NAS-Identifier,check
> >                                EncryptedPasswordAttr userPassword
> >                        </AuthBy>
> >                </AuthBy>
> >                <AuthBy GROUP>
> >                        AuthByPolicy ContinueWhileAccept
> >                        <AuthBy LDAP2>
> >                                include %D/ldap.cfg
> >                                BaseDN ou=groups, dc=example, dc=net
> >                                UsernameAttr memberUid
> >                                SearchFilter (&(cn=cisco-users)(%0=%1))
> >                                NoCheckPassword
> >                        </AuthBy>
> >                        <AuthBy LDAP2>
> >                                include %D/ldap.cfg
> >                                BaseDN ou=users, dc=example, dc=net
> >                                AddToReply Service-Type = Login-User, Idle-Timeout = 900, tacacsgroup=versiononly
> >                                AuthAttrDef host,NAS-Identifier,check
> >                                EncryptedPasswordAttr userPassword
> >                        </AuthBy>
> >                </AuthBy>
> >        </AuthBy>
> > </Handler>
> >
> > <ServerTACACSPLUS>
> >        BindAddress 10.11.12.13
> >        GroupMemberAttr tacacsgroup
> >        AuthorizeGroup versiononly permit service=shell cmd=show cmd-arg=version
> >        AuthorizeGroup versiononly permit service=shell cmd\* {idletime=15 priv-lvl=1}
> >        AuthorizeGroup versiononly deny .*
> >        AuthorizeGroup admins permit service=shell cmd\* {idletime=15 priv-lvl=15}
> >        AuthorizeGroup admins permit .*
> > </ServerTACACSPLUS>
> > ---cut:test.cfg---
> >
> > ---cut:logfile1---
> > Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:02:48 2009: INFO: Connecting to 127.0.0.1:636
> > Mon Apr  6 08:02:48 2009: INFO: Attempting to bind to LDAP server
> > 127.0.0.1:636
> > Mon Apr  6 08:02:48 2009: DEBUG: Adding Clients from LDAP database
> > Mon Apr  6 08:02:48 2009: DEBUG: ClientListLDAP SearchFilter:
> > (objectclass=oscRadiusClient), BaseDN: ou=Hosts, dc=example, dc=net,
> > attrs:
> > oscRadiusAddToRequest oscRadiusIgnoreAcctSignature
> > oscRadiusSNMPCommunity
> > oscRadiusSecret oscRadiusDefaultReply oscRadiusFramedGroup
> > oscRadiusUseOldAscendPasswords oscRadiusStripfromRequest
> > oscRadiusDupInterval oscRadiusAddToRequestIfNotExist
> > oscRadiusPacketTrace
> > oscRadiusDynamicReply oscRadiusLivingstonHole
> > oscRadiusFramedGroupBaseAddress oscRadiusFramedGroupPortOffset
> > oscRadiusRewriteUsername oscRadiusStripFromReply
> > oscRadiusPreHandlerHook
> > oscRadiusNoIgnoreDuplicates oscRadiusNasType
> > oscRadiusIdenticalClients
> > oscRadiusAddToReply oscRadiusAddToReplyIfNotExist
> > oscRadiusLivingstonOffs
> > oscRadiusStatusServerShowClientDetails oscRadiusAllowInReply
> > oscRadiusClientName oscRadiusFramedGroupMaxPortsPerClassC
> > Mon Apr  6 08:02:48 2009: DEBUG: ClientListLDAP got result for
> > cn=router1,ou=Hosts,dc=example, dc=net
> > Mon Apr  6 08:02:48 2009: DEBUG: ClientListLDAP got
> > oscRadiusAddToRequest:
> > HostType=CiscoRouter
> > Mon Apr  6 08:02:48 2009: DEBUG: ClientListLDAP got oscRadiusSecret:
> > XXXXXX
> > Mon Apr  6 08:02:48 2009: DEBUG: ClientListLDAP got
> > oscRadiusClientName:
> > router1.example.net
> > Mon Apr  6 08:02:48 2009: DEBUG: ClientListLDAP got result for
> > cn=router2,ou=Hosts,dc=example, dc=net
> > Mon Apr  6 08:02:48 2009: DEBUG: ClientListLDAP got
> > oscRadiusAddToRequest:
> > HostType=CiscoRouter
> > Mon Apr  6 08:02:48 2009: DEBUG: ClientListLDAP got oscRadiusSecret:
> > XXXXXX
> > Mon Apr  6 08:02:48 2009: DEBUG: ClientListLDAP got
> > oscRadiusClientName:
> > router2.example.net
> > *snip*
> > Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:02:48 2009: DEBUG: Creating TACACSPLUS port
> > 10.11.12.13:49
> > Mon Apr  6 08:02:48 2009: DEBUG: Finished reading configuration file
> > '/etc/radiator/test.cfg'
> > Mon Apr  6 08:02:48 2009: DEBUG: Reading dictionary file
> > '/etc/radiator/dictionary'
> > Mon Apr  6 08:02:49 2009: DEBUG: Creating authentication port
> > 10.11.12.13:1645
> > Mon Apr  6 08:02:49 2009: DEBUG: Creating authentication port
> > 10.11.12.13:1812
> > Mon Apr  6 08:02:49 2009: DEBUG: Creating accounting port
> > 10.11.12.13:1646
> > Mon Apr  6 08:02:49 2009: DEBUG: Creating accounting port
> > 10.11.12.13:1813
> > Mon Apr  6 08:02:49 2009: NOTICE: Server started: Radiator 4.4 on
> > radius.example.net
> > Mon Apr  6 08:03:24 2009: DEBUG: New TacacsplusConnection created for
> > 10.11.12.1:54948
> > Mon Apr  6 08:03:24 2009: DEBUG: TacacsplusConnection request 192,
> > 1, 1, 0,
> > 2730182230, 32
> > Mon Apr  6 08:03:24 2009: DEBUG: TacacsplusConnection Authentication
> > START
> > 1, 1, 1 for ranko, tty2, 10.11.12.13
> > Mon Apr  6 08:03:24 2009: DEBUG: TacacsplusConnection Authentication
> > REPLY
> > 5, 1, Password: ,
> > Mon Apr  6 08:03:24 2009: DEBUG: TacacsplusConnection request 192,
> > 1, 3, 0,
> > 2730182230, 13
> > Mon Apr  6 08:03:24 2009: DEBUG: TacacsplusConnection Authentication
> > CONTINUE 0, XXXXXX,
> > Mon Apr  6 08:03:24 2009: DEBUG: TACACSPLUS derived Radius request
> > packet
> > dump:
> > Code:       Access-Request
> > Identifier: UNDEF
> > Authentic:  <231><219>/Q<255>{o<133><160>SK<20>BZ<146><10>
> > Attributes:
> >        NAS-IP-Address = 10.11.12.1
> >        NAS-Port-Id = "tty2"
> >        Calling-Station-Id = "10.11.12.13"
> >        Service-Type = Login-User
> >        User-Name = "ranko"
> >        User-Password = XXXXXX
> >        OSC-Version-Identifier = "192"
> >
> > Mon Apr  6 08:03:24 2009: WARNING: TacacsplusConnection could not
> > find a
> > Handler
> > Mon Apr  6 08:03:29 2009: DEBUG: TacacsplusConnection disconnected
> > from
> > 10.11.12.1:54948
> > Mon Apr  6 08:05:48 2009: NOTICE: SIGTERM received: stopping
> > ---cut:logfile1---
> >
> > ---cut:logfile2---
> > Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:38:20 2009: INFO: Connecting to 127.0.0.1:636
> > Mon Apr  6 08:38:20 2009: INFO: Attempting to bind to LDAP server
> > 127.0.0.1:636
> > Mon Apr  6 08:38:20 2009: DEBUG: Adding Clients from LDAP database
> > Mon Apr  6 08:38:20 2009: DEBUG: ClientListLDAP SearchFilter:
> > (objectclass=oscRadiusClient), BaseDN: ou=Hosts, dc=example, dc=net,
> > attrs:
> > oscRadiusAddToRequest oscRadiusIgnoreAcctSignature
> > oscRadiusSNMPCommunity
> > oscRadiusSecret oscRadiusDefaultReply oscRadiusFramedGroup
> > oscRadiusUseOldAscendPasswords oscRadiusStripfromRequest
> > oscRadiusDupInterval oscRadiusAddToRequestIfNotExist
> > oscRadiusPacketTrace
> > oscRadiusDynamicReply oscRadiusLivingstonHole
> > oscRadiusFramedGroupBaseAddress oscRadiusFramedGroupPortOffset
> > oscRadiusRewriteUsername oscRadiusStripFromReply
> > oscRadiusPreHandlerHook
> > oscRadiusNoIgnoreDuplicates oscRadiusNasType
> > oscRadiusIdenticalClients
> > oscRadiusAddToReply oscRadiusAddToReplyIfNotExist
> > oscRadiusLivingstonOffs
> > oscRadiusStatusServerShowClientDetails oscRadiusAllowInReply
> > oscRadiusClientName oscRadiusFramedGroupMaxPortsPerClassC
> > Mon Apr  6 08:38:20 2009: DEBUG: ClientListLDAP got result for
> > cn=router1,ou=Hosts,dc=example, dc=net
> > Mon Apr  6 08:38:20 2009: DEBUG: ClientListLDAP got
> > oscRadiusAddToRequest:
> > HostType=CiscoRouter
> > Mon Apr  6 08:38:20 2009: DEBUG: ClientListLDAP got oscRadiusSecret:
> > XXXXXX
> > Mon Apr  6 08:38:20 2009: DEBUG: ClientListLDAP got
> > oscRadiusClientName:
> > router1.example.net
> > Mon Apr  6 08:38:20 2009: DEBUG: ClientListLDAP got result for
> > cn=router2,ou=Hosts,dc=example, dc=net
> > Mon Apr  6 08:38:20 2009: DEBUG: ClientListLDAP got
> > oscRadiusAddToRequest:
> > HostType=CiscoRouter
> > Mon Apr  6 08:38:20 2009: DEBUG: ClientListLDAP got oscRadiusSecret:
> > XXXXXX
> > Mon Apr  6 08:38:20 2009: DEBUG: ClientListLDAP got
> > oscRadiusClientName:
> > router2.example.net
> > *snip*
> > Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> > Mon Apr  6 08:38:20 2009: DEBUG: Creating TACACSPLUS port
> > 10.11.12.13:49
> > Mon Apr  6 08:38:20 2009: DEBUG: Finished reading configuration file
> > '/etc/radiator/test.cfg'
> > Mon Apr  6 08:38:20 2009: DEBUG: Reading dictionary file
> > '/etc/radiator/dictionary'
> > Mon Apr  6 08:38:20 2009: DEBUG: Creating authentication port
> > 10.11.12.13:1645
> > Mon Apr  6 08:38:20 2009: DEBUG: Creating authentication port
> > 10.11.12.13:1812
> > Mon Apr  6 08:38:20 2009: DEBUG: Creating accounting port
> > 10.11.12.13:1646
> > Mon Apr  6 08:38:20 2009: DEBUG: Creating accounting port
> > 10.11.12.13:1813
> > Mon Apr  6 08:38:20 2009: NOTICE: Server started: Radiator 4.4 on
> > radius.example.net
> > Mon Apr  6 08:38:28 2009: DEBUG: New TacacsplusConnection created for
> > 10.12.13.1:51609
> > Mon Apr  6 08:38:28 2009: DEBUG: TacacsplusConnection request 192,
> > 1, 1, 0,
> > 2939512271, 32
> > Mon Apr  6 08:38:28 2009: DEBUG: TacacsplusConnection Authentication
> > START
> > 1, 1, 1 for ranko, tty2, 10.11.12.13
> > Mon Apr  6 08:38:28 2009: DEBUG: TacacsplusConnection Authentication
> > REPLY
> > 5, 1, Password: ,
> > Mon Apr  6 08:38:28 2009: DEBUG: TacacsplusConnection request 192,
> > 1, 3, 0,
> > 2939512271, 13
> > Mon Apr  6 08:38:28 2009: DEBUG: TacacsplusConnection Authentication
> > CONTINUE 0, XXXXXX,
> > Mon Apr  6 08:38:28 2009: DEBUG: TACACSPLUS derived Radius request
> > packet
> > dump:
> > Code:       Access-Request
> > Identifier: UNDEF
> > Authentic:  <221><132>#<211><245><172><30>c7%<232><148><133><22>1<250>
> > Attributes:
> >        NAS-IP-Address = 10.12.13.1
> >        NAS-Port-Id = "tty2"
> >        Calling-Station-Id = "10.11.12.13"
> >        Service-Type = Login-User
> >        User-Name = "ranko"
> >        User-Password = XXXXXX
> >        OSC-Version-Identifier = "192"
> >        HostType = CiscoRouter
> >
> > Mon Apr  6 08:38:28 2009: DEBUG: Handling request with Handler
> > 'HostType=CiscoRouter'
> > Mon Apr  6 08:38:28 2009: DEBUG:  Deleting session for ranko,
> > 10.12.13.1,
> > Mon Apr  6 08:38:28 2009: DEBUG: Handling with Radius::AuthGROUP:
> > Mon Apr  6 08:38:28 2009: DEBUG: Handling with Radius::AuthGROUP:
> > Mon Apr  6 08:38:28 2009: DEBUG: Handling with Radius::AuthLDAP2:
> > Mon Apr  6 08:38:28 2009: INFO: Connecting to 127.0.0.1:636
> > Mon Apr  6 08:38:28 2009: INFO: Attempting to bind to LDAP server
> > 127.0.0.1:636
> > Mon Apr  6 08:38:28 2009: DEBUG: LDAP got result for
> > cn=cisco-admins,ou=groups,dc=example, dc=net
> > Mon Apr  6 08:38:28 2009: DEBUG: LDAP got objectClass: posixGroup top
> > Mon Apr  6 08:38:28 2009: DEBUG: LDAP got cn: cisco-admins
> > Mon Apr  6 08:38:28 2009: DEBUG: LDAP got memberUid: ranko user1
> > Mon Apr  6 08:38:28 2009: DEBUG: LDAP got gidNumber: 173123
> > Mon Apr  6 08:38:28 2009: DEBUG: LDAP got creatorsName:
> > uid=ranko,ou=users,dc=example,dc=net
> > Mon Apr  6 08:38:28 2009: DEBUG: LDAP got modifiersName:
> > uid=ranko,ou=users,dc=example,dc=net
> > Mon Apr  6 08:38:28 2009: DEBUG: LDAP got createTimestamp:
> > 20080902165300Z
> > Mon Apr  6 08:38:28 2009: DEBUG: LDAP got modifyTimestamp:
> > 20080903162147Z
> > Mon Apr  6 08:38:28 2009: DEBUG: Radius::AuthLDAP2 looks for match
> > with
> > ranko [ranko]
> > Mon Apr  6 08:38:28 2009: DEBUG: Radius::AuthLDAP2 ACCEPT: : ranko
> > [ranko]
> > Mon Apr  6 08:38:28 2009: DEBUG: Handling with Radius::AuthLDAP2:
> > Mon Apr  6 08:38:28 2009: INFO: Connecting to 127.0.0.1:636
> > Mon Apr  6 08:38:28 2009: INFO: Attempting to bind to LDAP server
> > 127.0.0.1:636
> > Mon Apr  6 08:38:28 2009: DEBUG: LDAP got result for
> > uid=ranko,ou=users,dc=example, dc=net
> > Mon Apr  6 08:38:28 2009: DEBUG: LDAP got userPassword: XXXXXX
> > Mon Apr  6 08:38:28 2009: DEBUG: Radius::AuthLDAP2 looks for match
> > with
> > ranko [ranko]
> > Mon Apr  6 08:38:28 2009: DEBUG: Radius::AuthLDAP2 ACCEPT: : ranko
> > [ranko]
> > Mon Apr  6 08:38:28 2009: DEBUG: AuthBy GROUP result: ACCEPT,
> > Mon Apr  6 08:38:28 2009: DEBUG: Access accepted for ranko
> > Mon Apr  6 08:38:28 2009: DEBUG: Packet dump:
> > *** Reply to TACACSPLUS request:
> > Code:       Access-Accept
> > Identifier: UNDEF
> > Authentic:  <221><132>#<211><245><172><30>c7%<232><148><133><22>1<250>
> > Attributes:
> >        Service-Type = Administrative-User
> >        Idle-Timeout = 900
> >        tacacsgroup = admins
> >
> > Mon Apr  6 08:38:28 2009: DEBUG: TacacsplusConnection result Access-
> > Accept
> > Mon Apr  6 08:38:28 2009: DEBUG: TacacsplusConnection Authentication
> > REPLY
> > 1, 0, ,
> > Mon Apr  6 08:38:28 2009: DEBUG: TacacsplusConnection disconnected
> > from
> > 10.12.13.1:51609
> > Mon Apr  6 08:38:28 2009: DEBUG: New TacacsplusConnection created for
> > 10.12.13.1:47596
> > Mon Apr  6 08:38:28 2009: DEBUG: TacacsplusConnection request 192,
> > 2, 1, 0,
> > 4145764549, 51
> > Mon Apr  6 08:38:28 2009: DEBUG: TacacsplusConnection Authorization
> > REQUEST
> > 6, 1, 1, 1, ranko, tty2, 10.11.12.13, 2, service=shell cmd*
> > Mon Apr  6 08:38:28 2009: DEBUG: AuthorizeGroup rule match found:
> > permit
> > service=shell cmd\* { idletime=15 priv-lvl=15 }
> > Mon Apr  6 08:38:28 2009: INFO: Authorization permitted for ranko,
> > group
> > admins, args service=shell cmd*
> > Mon Apr  6 08:38:28 2009: DEBUG: TacacsplusConnection Authorization
> > RESPONSE
> > 1, , , idletime=15 priv-lvl=15
> > Mon Apr  6 08:38:28 2009: DEBUG: TacacsplusConnection disconnected
> > from
> > 10.12.13.1:47596
> > Mon Apr  6 08:38:28 2009: DEBUG: Packet dump:
> > *** Received from 10.12.13.1 port 1646 ....
> > Code:       Accounting-Request
> > Identifier: 249
> > Authentic:  <233>%<236>vd<184>Z<207><209><234>ls<154>b%!
> > Attributes:
> >        Acct-Session-Id = "0000009B"
> >        User-Name = "ranko"
> >        Acct-Authentic = Remote
> >        Acct-Status-Type = Start
> >        NAS-Port = 2
> >        NAS-Port-Id = "tty2"
> >        NAS-Port-Type = Virtual
> >        Service-Type = NAS-Prompt-User
> >        NAS-IP-Address = 10.12.13.1
> >        Acct-Delay-Time = 0
> >
> > Mon Apr  6 08:38:28 2009: DEBUG: Handling request with Handler
> > 'HostType=CiscoRouter'
> > Mon Apr  6 08:38:28 2009: DEBUG:  Adding session for ranko,
> > 10.12.13.1, 2
> > Mon Apr  6 08:38:28 2009: DEBUG: Handling with Radius::AuthGROUP:
> > Mon Apr  6 08:38:28 2009: DEBUG: Handling with Radius::AuthGROUP:
> > Mon Apr  6 08:38:28 2009: DEBUG: Handling with Radius::AuthLDAP2:
> > Mon Apr  6 08:38:28 2009: DEBUG: Handling with Radius::AuthLDAP2:
> > Mon Apr  6 08:38:28 2009: DEBUG: AuthBy GROUP result: ACCEPT,
> > Mon Apr  6 08:38:28 2009: DEBUG: Accounting accepted
> > Mon Apr  6 08:38:28 2009: DEBUG: Packet dump:
> > *** Sending to 10.12.13.1 port 1646 ....
> > Code:       Accounting-Response
> > Identifier: 249
> > Authentic:  <251>|<201>iK<225><163>A-$<140><155><223><140><213><27>
> > Attributes:
> >
> > Mon Apr  6 08:38:32 2009: DEBUG: New TacacsplusConnection created for
> > 10.12.13.1:18152
> > Mon Apr  6 08:38:32 2009: DEBUG: TacacsplusConnection request 192,
> > 2, 1, 0,
> > 2167032874, 84
> > Mon Apr  6 08:38:32 2009: DEBUG: TacacsplusConnection Authorization
> > REQUEST
> > 1, 1, 1, 0, ranko, tty2, 10.11.12.13, 4, service=shell cmd=show
> > cmd-arg=version cmd-arg=<cr>
> > Mon Apr  6 08:38:32 2009: DEBUG: AuthorizeGroup rule match found:
> > permit .*
> > {  }
> > Mon Apr  6 08:38:32 2009: INFO: Authorization permitted for ranko,
> > group
> > admins, args service=shell cmd=show cmd-arg=version cmd-arg=<cr>
> > Mon Apr  6 08:38:32 2009: DEBUG: TacacsplusConnection Authorization
> > RESPONSE
> > 1, , ,
> > Mon Apr  6 08:38:32 2009: DEBUG: TacacsplusConnection disconnected
> > from
> > 10.12.13.1:18152
> > Mon Apr  6 08:38:56 2009: NOTICE: SIGTERM received: stopping
> > ---cut:logfile2---
> >
> > -----Original Message-----
> > From: Hugh Irvine [mailto:hugh at open.com.au]
> > Sent: 06 April 2009 06:02
> > To: Ranko Zivojnovic
> > Cc: 'radiator at open.com.au'
> > Subject: Re: [RADIATOR] BUG in ServerTACACSPLUS.pm - not processing
> > client
> > related attributes
> >
> >
> > Hello Ranko -
> >
> > Our testing here shows correct operation with Radiator 4.4.
> >
> > Can you please send us a copy of your configuration file and a trace 4
> > debug showing what is happening?
> >
> > thanks and regards
> >
> > Hugh
> >
> >
> > On 6 Apr 2009, at 00:54, Ranko Zivojnovic wrote:
> >
> >> Greetings,
> >>
> >> Radiator is not processing attributes associated with the client in
> >> ServerTACACSPLUS.pm (like AddToRequest and similar) due to the
> >> following bug:
> >>
> >> ---cut---
> >> --- a/Radius/ServerTACACSPLUS.pm   2009-03-10 23:59:01.000000000
> >> +0200
> >> +++ b/Radius/ServerTACACSPLUS.pm   2009-04-05 17:23:15.000000000
> >> +0300
> >> @@ -554,7 +554,7 @@
> >>    }
> >>
> >>    # Use Client settings to manipulate Request/Reply
> >> -    my $client = &Radius::Client::findAddress($self->{peeraddr});
> >> +    my $client =
> >> &Radius::Client::findAddress(Radius::Util::inet_pton($self-
> >>> {peeraddr}));
> >>
> >>    $tp->rewriteUsername($client->{RewriteUsername})
> >>        if defined $client->{RewriteUsername};
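Review bot: In the changed findAddress() call, the text-to-packed conversion is applied at this one call site only, and the returned $client is dereferenced on the following context line with no check that the lookup found anything. Consider converting $self->{peeraddr} to the packed form once, before any lookup, so every caller passes the same key format, and log at WARNING when findAddress() returns nothing, since a silent miss here is what left the client attributes unapplied. A one-line comment above the call stating that findAddress() expects a packed address would also keep the next caller from passing the text form again.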
> >> ---cut---
> >>
> >> Best regards,
> >>
> >> Ranko
> >>
> >> --
> >> Ranko Zivojnovic
> >> IT Director/CTO
> >>
> >> SpiderNet Services Public Ltd.
> >> Nicosia, Cyprus
> >> Tel:    +357 22 844844
> >> FAX:    +357 22 844777
> >> E-Mail: ranko at spidernet.net
> >> Web:    www.spidernet.net
> >>
> >>
> >> _______________________________________________
> >> radiator mailing list
> >> radiator at open.com.au
> >> http://www.open.com.au/mailman/listinfo/radiator
> >
> >
> >
> > NB:
> >
> > Have you read the reference manual ("doc/ref.html")?
> > Have you searched the mailing list archive
> > (www.open.com.au/archives/radiator)?
> > Have you had a quick look on Google (www.google.com)?
> > Have you included a copy of your configuration file (no secrets),
> > together with a trace 4 debug showing what is happening?
> > Have you checked the RadiusExpert wiki:
> > http://www.open.com.au/wiki/index.php/Main_Page
> >
> > --
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > Includes support for reliable RADIUS transport (RadSec),
> > and DIAMETER translation agent.
> > -
> > Nets: internetwork inventory and management - graphical, extensible,
> > flexible with hardware, software, platform and database independence.
> > -
> > CATool: Private Certificate Authority for Unix and Unix-like systems.
> >
> >
> 
> 
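
The key-format mismatch discussed in this thread, as an added example that is not Radiator code and not part of the original messages: a client table keyed by packed addresses misses silently when it is handed the text form of the peer address, so the client's AddToRequest attributes are never applied and no Handler is selected. The names %clients, pack_addr, find_client and dispatch are hypothetical, and the sample client entry is constructed.

```perl
#!/usr/bin/perl
# Added illustration, not Radiator source. All sub and variable names are
# hypothetical; the sample client entry is constructed.
use strict;
use warnings;
use Socket qw(AF_INET AF_INET6 inet_pton);

# Client table keyed by the packed (binary) address, the key format the
# thread says the client lookup expects.
my %clients;

# Convert a text address to packed form. Returns undef if the string is
# neither a valid IPv4 nor a valid IPv6 address.
sub pack_addr {
    my ($text) = @_;
    return undef unless defined $text && length $text;
    return inet_pton(AF_INET, $text) // inet_pton(AF_INET6, $text);
}

sub add_client {
    my ($text_addr, %settings) = @_;
    my $packed = pack_addr($text_addr)
        or die "bad client address '$text_addr'\n";
    $clients{$packed} = { Name => $text_addr, %settings };
}

# Exact-key lookup, standing in for the real client lookup.
sub find_client {
    my ($key) = @_;
    return defined $key ? $clients{$key} : undef;
}

# Apply the client's AddToRequest pairs, then choose a handler by HostType.
sub dispatch {
    my ($lookup_key, $request) = @_;
    my $client = find_client($lookup_key);
    if ($client) {
        %$request = (%$request, %{ $client->{AddToRequest} || {} });
    }
    else {
        # Make the miss visible instead of continuing silently.
        warn "no client entry for this peer; client attributes not applied\n";
    }
    my $type = $request->{HostType};
    return defined $type
        ? "Handler HostType=$type"
        : 'could not find a Handler';
}

add_client('10.11.12.1', AddToRequest => { HostType => 'CiscoRouter' });

my $peeraddr = '10.11.12.1';    # text form, as in the thread

# Before: the text form is not a key in the table, so the lookup misses.
print 'text key:   ', dispatch($peeraddr, { 'User-Name' => 'ranko' }), "\n";

# After: convert first, and treat an unparseable address as a hard failure.
my $packed = pack_addr($peeraddr);
die "unparseable peer address\n" unless defined $packed;
print 'packed key: ', dispatch($packed, { 'User-Name' => 'ranko' }), "\n";
```

Doing the conversion in one helper and warning on a lookup miss is what turns the "could not find a Handler" symptom in logfile1 into something traceable to the client table.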
