[RADIATOR] BUG in ServerTACACSPLUS.pm - not processing client related attributes
Hugh Irvine
hugh at open.com.au
Wed Apr 8 06:45:49 CDT 2009
Hello Ranko -
Thanks for your patience - could you please test the latest patch set
for us?
regards
Hugh
On 8 Apr 2009, at 21:18, Ranko Zivojnovic wrote:
> Hello Hugh,
>
> No - the problem is not fixed in the patchset.
>
> Your modified patch calls inet_pton() in the new() in order to find
> the
> client key so it can decrypt the payload. However - that part was
> working
> even without inet_pton() call.
>
> The problem for my setup is happening in dispatch_radius_request()
> where it
> is supposed to use the client settings to manipulate Request/Reply.
>
> If I use the same piece of code you have used in the patch for the
> new()
> function to find the client in dispatch_radius_request() the problem
> nicely
> disappears.
>
> Thanks and best regards,
>
> Ranko
>
>> -----Original Message-----
>> From: Hugh Irvine [mailto:hugh at open.com.au]
>> Sent: 07 April 2009 10:22
>> To: Ranko Zivojnovic
>> Cc: 'radiator at open.com.au'
>> Subject: Re: [RADIATOR] BUG in ServerTACACSPLUS.pm - not processing
>> client related attributes
>>
>>
>> Hello Ranko -
>>
>> We still have not been able to reproduce the problem, but we have
>> added a modified version of your patch anyway.
>>
>> Would you please download and install the latest Radiator 4.4 patches
>> and test it for us?
>>
>> Please let us know how you get on.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 6 Apr 2009, at 16:23, Ranko Zivojnovic wrote:
>>
>>> Hello Hugh,
>>>
>>> Below is a test configuration and logfiles (some things obfuscated).
>>>
>>> Logfile1 shows the output of the stock 4.4 Radiator - you will note
>>> the
>>> message "WARNING: TacacsplusConnection could not find a Handler".
>>>
>>> Testing showed that $self->{peeraddr} in
>>> ServerTACACSPLUS.pm:dispatch_radius_request() is a text format IP
>>> address
>>> and in order for &Radius::Client::findAddress() to actually find the
>>> client
>>> it must be first converted with inet_pton().
>>>
>>> The simple patch I've sent in my previous message fixes this issue
>>> for me -
>>> but the problem could originate elsewhere.
>>>
>>> Logfile2 shows correct operation with the patch applied.
>>>
>>> If you need any other info - please let me know.
>>>
>>> Best regards,
>>>
>>> Ranko
>>>
>>> ---cut:test.cfg---
>>> LogDir /var/log/radius
>>> DbDir /etc/radiator
>>> Trace 4
>>> BindAddress 10.11.12.13
>>> AuthPort 1645,1812
>>> AcctPort 1646,1813
>>>
>>> <ClientListLDAP>
>>> include %D/ldap.cfg
>>> BaseDN ou=Hosts, dc=example, dc=net
>>> RefreshPeriod 1800
>>> </ClientListLDAP>
>>>
>>> <Handler HostType=TypeA>
>>> #*snip*
>>> </Handler>
>>>
>>> <Handler HostType=TypeB>
>>> #*snip*
>>> </Handler>
>>>
>>> <Handler HostType=TypeC>
>>> #*snip*
>>> </Handler>
>>>
>>> <Handler HostType=CiscoRouter>
>>> AcctLogFileName %L/Cisco.log
>>> <AuthBy GROUP>
>>> AuthByPolicy ContinueWhileReject
>>> <AuthBy GROUP>
>>> AuthByPolicy ContinueWhileAccept
>>> <AuthBy LDAP2>
>>> include %D/ldap.cfg
>>> BaseDN ou=groups, dc=example, dc=net
>>> UsernameAttr memberUid
>>> SearchFilter (&(cn=cisco-admins)(%0=
>>> %1))
>>> NoCheckPassword
>>> </AuthBy>
>>> <AuthBy LDAP2>
>>> include %D/ldap.cfg
>>> BaseDN ou=users, dc=example, dc=net
>>> AddToReply Service-Type =
>>> Administrative-User, Idle-Timeout = 900, tacacsgroup=admins
>>> AuthAttrDef host,NAS-Identifier,check
>>> EncryptedPasswordAttr userPassword
>>> </AuthBy>
>>> </AuthBy>
>>> <AuthBy GROUP>
>>> AuthByPolicy ContinueWhileAccept
>>> <AuthBy LDAP2>
>>> include %D/ldap.cfg
>>> BaseDN ou=groups, dc=example, dc=net
>>> UsernameAttr memberUid
>>> SearchFilter (&(cn=cisco-
>> users)(%0=%1))
>>> NoCheckPassword
>>> </AuthBy>
>>> <AuthBy LDAP2>
>>> include %D/ldap.cfg
>>> BaseDN ou=users, dc=example, dc=net
>>> AddToReply Service-Type = Login-User,
>>> Idle-Timeout = 900, tacacsgroup=versiononly
>>> AuthAttrDef host,NAS-Identifier,check
>>> EncryptedPasswordAttr userPassword
>>> </AuthBy>
>>> </AuthBy>
>>> </AuthBy>
>>> </Handler>
>>>
>>> <ServerTACACSPLUS>
>>> BindAddress 10.11.12.13
>>> GroupMemberAttr tacacsgroup
>>> AuthorizeGroup versiononly permit service=shell cmd=show
>>> cmd-arg=version
>>> AuthorizeGroup versiononly permit service=shell cmd\*
>>> {idletime=15
>>> priv-lvl=1}
>>> AuthorizeGroup versiononly deny .*
>>> AuthorizeGroup admins permit service=shell cmd\* {idletime=15
>>> priv-lvl=15}
>>> AuthorizeGroup admins permit .*
>>> </ServerTACACSPLUS>
>>> ---cut:test.cfg---
>>>
>>> ---cut:logfile1---
>>> Mon Apr 6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:02:48 2009: INFO: Connecting to 127.0.0.1:636
>>> Mon Apr 6 08:02:48 2009: INFO: Attempting to bind to LDAP server
>>> 127.0.0.1:636
>>> Mon Apr 6 08:02:48 2009: DEBUG: Adding Clients from LDAP database
>>> Mon Apr 6 08:02:48 2009: DEBUG: ClientListLDAP SearchFilter:
>>> (objectclass=oscRadiusClient), BaseDN: ou=Hosts, dc=example, dc=net,
>>> attrs:
>>> oscRadiusAddToRequest oscRadiusIgnoreAcctSignature
>>> oscRadiusSNMPCommunity
>>> oscRadiusSecret oscRadiusDefaultReply oscRadiusFramedGroup
>>> oscRadiusUseOldAscendPasswords oscRadiusStripfromRequest
>>> oscRadiusDupInterval oscRadiusAddToRequestIfNotExist
>>> oscRadiusPacketTrace
>>> oscRadiusDynamicReply oscRadiusLivingstonHole
>>> oscRadiusFramedGroupBaseAddress oscRadiusFramedGroupPortOffset
>>> oscRadiusRewriteUsername oscRadiusStripFromReply
>>> oscRadiusPreHandlerHook
>>> oscRadiusNoIgnoreDuplicates oscRadiusNasType
>> oscRadiusIdenticalClients
>>> oscRadiusAddToReply oscRadiusAddToReplyIfNotExist
>>> oscRadiusLivingstonOffs
>>> oscRadiusStatusServerShowClientDetails oscRadiusAllowInReply
>>> oscRadiusClientName oscRadiusFramedGroupMaxPortsPerClassC
>>> Mon Apr 6 08:02:48 2009: DEBUG: ClientListLDAP got result for
>>> cn=router1,ou=Hosts,dc=example, dc=net
>>> Mon Apr 6 08:02:48 2009: DEBUG: ClientListLDAP got
>>> oscRadiusAddToRequest:
>>> HostType=CiscoRouter
>>> Mon Apr 6 08:02:48 2009: DEBUG: ClientListLDAP got oscRadiusSecret:
>>> XXXXXX
>>> Mon Apr 6 08:02:48 2009: DEBUG: ClientListLDAP got
>>> oscRadiusClientName:
>>> router1.example.net
>>> Mon Apr 6 08:02:48 2009: DEBUG: ClientListLDAP got result for
>>> cn=router2,ou=Hosts,dc=example, dc=net
>>> Mon Apr 6 08:02:48 2009: DEBUG: ClientListLDAP got
>>> oscRadiusAddToRequest:
>>> HostType=CiscoRouter
>>> Mon Apr 6 08:02:48 2009: DEBUG: ClientListLDAP got oscRadiusSecret:
>>> XXXXXX
>>> Mon Apr 6 08:02:48 2009: DEBUG: ClientListLDAP got
>>> oscRadiusClientName:
>>> router2.example.net
>>> *snip*
>>> Mon Apr 6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:02:48 2009: DEBUG: Creating TACACSPLUS port
>>> 10.11.12.13:49
>>> Mon Apr 6 08:02:48 2009: DEBUG: Finished reading configuration file
>>> '/etc/radiator/test.cfg'
>>> Mon Apr 6 08:02:48 2009: DEBUG: Reading dictionary file
>>> '/etc/radiator/dictionary'
>>> Mon Apr 6 08:02:49 2009: DEBUG: Creating authentication port
>>> 10.11.12.13:1645
>>> Mon Apr 6 08:02:49 2009: DEBUG: Creating authentication port
>>> 10.11.12.13:1812
>>> Mon Apr 6 08:02:49 2009: DEBUG: Creating accounting port
>>> 10.11.12.13:1646
>>> Mon Apr 6 08:02:49 2009: DEBUG: Creating accounting port
>>> 10.11.12.13:1813
>>> Mon Apr 6 08:02:49 2009: NOTICE: Server started: Radiator 4.4 on
>>> radius.example.net
>>> Mon Apr 6 08:03:24 2009: DEBUG: New TacacsplusConnection created
>>> for
>>> 10.11.12.1:54948
>>> Mon Apr 6 08:03:24 2009: DEBUG: TacacsplusConnection request 192,
>>> 1, 1, 0,
>>> 2730182230, 32
>>> Mon Apr 6 08:03:24 2009: DEBUG: TacacsplusConnection Authentication
>>> START
>>> 1, 1, 1 for ranko, tty2, 10.11.12.13
>>> Mon Apr 6 08:03:24 2009: DEBUG: TacacsplusConnection Authentication
>>> REPLY
>>> 5, 1, Password: ,
>>> Mon Apr 6 08:03:24 2009: DEBUG: TacacsplusConnection request 192,
>>> 1, 3, 0,
>>> 2730182230, 13
>>> Mon Apr 6 08:03:24 2009: DEBUG: TacacsplusConnection Authentication
>>> CONTINUE 0, XXXXXX,
>>> Mon Apr 6 08:03:24 2009: DEBUG: TACACSPLUS derived Radius request
>>> packet
>>> dump:
>>> Code: Access-Request
>>> Identifier: UNDEF
>>> Authentic: <231><219>/Q<255>{o<133><160>SK<20>BZ<146><10>
>>> Attributes:
>>> NAS-IP-Address = 10.11.12.1
>>> NAS-Port-Id = "tty2"
>>> Calling-Station-Id = "10.11.12.13"
>>> Service-Type = Login-User
>>> User-Name = "ranko"
>>> User-Password = XXXXXX
>>> OSC-Version-Identifier = "192"
>>>
>>> Mon Apr 6 08:03:24 2009: WARNING: TacacsplusConnection could not
>>> find a
>>> Handler
>>> Mon Apr 6 08:03:29 2009: DEBUG: TacacsplusConnection disconnected
>>> from
>>> 10.11.12.1:54948
>>> Mon Apr 6 08:05:48 2009: NOTICE: SIGTERM received: stopping
>>> ---cut:logfile1---
>>>
>>> ---cut:logfile2---
>>> Mon Apr 6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:38:20 2009: INFO: Connecting to 127.0.0.1:636
>>> Mon Apr 6 08:38:20 2009: INFO: Attempting to bind to LDAP server
>>> 127.0.0.1:636
>>> Mon Apr 6 08:38:20 2009: DEBUG: Adding Clients from LDAP database
>>> Mon Apr 6 08:38:20 2009: DEBUG: ClientListLDAP SearchFilter:
>>> (objectclass=oscRadiusClient), BaseDN: ou=Hosts, dc=example, dc=net,
>>> attrs:
>>> oscRadiusAddToRequest oscRadiusIgnoreAcctSignature
>>> oscRadiusSNMPCommunity
>>> oscRadiusSecret oscRadiusDefaultReply oscRadiusFramedGroup
>>> oscRadiusUseOldAscendPasswords oscRadiusStripfromRequest
>>> oscRadiusDupInterval oscRadiusAddToRequestIfNotExist
>>> oscRadiusPacketTrace
>>> oscRadiusDynamicReply oscRadiusLivingstonHole
>>> oscRadiusFramedGroupBaseAddress oscRadiusFramedGroupPortOffset
>>> oscRadiusRewriteUsername oscRadiusStripFromReply
>>> oscRadiusPreHandlerHook
>>> oscRadiusNoIgnoreDuplicates oscRadiusNasType
>> oscRadiusIdenticalClients
>>> oscRadiusAddToReply oscRadiusAddToReplyIfNotExist
>>> oscRadiusLivingstonOffs
>>> oscRadiusStatusServerShowClientDetails oscRadiusAllowInReply
>>> oscRadiusClientName oscRadiusFramedGroupMaxPortsPerClassC
>>> Mon Apr 6 08:38:20 2009: DEBUG: ClientListLDAP got result for
>>> cn=router1,ou=Hosts,dc=example, dc=net
>>> Mon Apr 6 08:38:20 2009: DEBUG: ClientListLDAP got
>>> oscRadiusAddToRequest:
>>> HostType=CiscoRouter
>>> Mon Apr 6 08:38:20 2009: DEBUG: ClientListLDAP got oscRadiusSecret:
>>> XXXXXX
>>> Mon Apr 6 08:38:20 2009: DEBUG: ClientListLDAP got
>>> oscRadiusClientName:
>>> router1.example.net
>>> Mon Apr 6 08:38:20 2009: DEBUG: ClientListLDAP got result for
>>> cn=router2,ou=Hosts,dc=example, dc=net
>>> Mon Apr 6 08:38:20 2009: DEBUG: ClientListLDAP got
>>> oscRadiusAddToRequest:
>>> HostType=CiscoRouter
>>> Mon Apr 6 08:38:20 2009: DEBUG: ClientListLDAP got oscRadiusSecret:
>>> XXXXXX
>>> Mon Apr 6 08:38:20 2009: DEBUG: ClientListLDAP got
>>> oscRadiusClientName:
>>> router2.example.net
>>> *snip*
>>> Mon Apr 6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
>>> Mon Apr 6 08:38:20 2009: DEBUG: Creating TACACSPLUS port
>>> 10.11.12.13:49
>>> Mon Apr 6 08:38:20 2009: DEBUG: Finished reading configuration file
>>> '/etc/radiator/test.cfg'
>>> Mon Apr 6 08:38:20 2009: DEBUG: Reading dictionary file
>>> '/etc/radiator/dictionary'
>>> Mon Apr 6 08:38:20 2009: DEBUG: Creating authentication port
>>> 10.11.12.13:1645
>>> Mon Apr 6 08:38:20 2009: DEBUG: Creating authentication port
>>> 10.11.12.13:1812
>>> Mon Apr 6 08:38:20 2009: DEBUG: Creating accounting port
>>> 10.11.12.13:1646
>>> Mon Apr 6 08:38:20 2009: DEBUG: Creating accounting port
>>> 10.11.12.13:1813
>>> Mon Apr 6 08:38:20 2009: NOTICE: Server started: Radiator 4.4 on
>>> radius.example.net
>>> Mon Apr 6 08:38:28 2009: DEBUG: New TacacsplusConnection created
>>> for
>>> 10.12.13.1:51609
>>> Mon Apr 6 08:38:28 2009: DEBUG: TacacsplusConnection request 192,
>>> 1, 1, 0,
>>> 2939512271, 32
>>> Mon Apr 6 08:38:28 2009: DEBUG: TacacsplusConnection Authentication
>>> START
>>> 1, 1, 1 for ranko, tty2, 10.11.12.13
>>> Mon Apr 6 08:38:28 2009: DEBUG: TacacsplusConnection Authentication
>>> REPLY
>>> 5, 1, Password: ,
>>> Mon Apr 6 08:38:28 2009: DEBUG: TacacsplusConnection request 192,
>>> 1, 3, 0,
>>> 2939512271, 13
>>> Mon Apr 6 08:38:28 2009: DEBUG: TacacsplusConnection Authentication
>>> CONTINUE 0, XXXXXX,
>>> Mon Apr 6 08:38:28 2009: DEBUG: TACACSPLUS derived Radius request
>>> packet
>>> dump:
>>> Code: Access-Request
>>> Identifier: UNDEF
>>> Authentic:
>> <221><132>#<211><245><172><30>c7%<232><148><133><22>1<250>
>>> Attributes:
>>> NAS-IP-Address = 10.12.13.1
>>> NAS-Port-Id = "tty2"
>>> Calling-Station-Id = "10.11.12.13"
>>> Service-Type = Login-User
>>> User-Name = "ranko"
>>> User-Password = XXXXXX
>>> OSC-Version-Identifier = "192"
>>> HostType = CiscoRouter
>>>
>>> Mon Apr 6 08:38:28 2009: DEBUG: Handling request with Handler
>>> 'HostType=CiscoRouter'
>>> Mon Apr 6 08:38:28 2009: DEBUG: Deleting session for ranko,
>>> 10.12.13.1,
>>> Mon Apr 6 08:38:28 2009: DEBUG: Handling with Radius::AuthGROUP:
>>> Mon Apr 6 08:38:28 2009: DEBUG: Handling with Radius::AuthGROUP:
>>> Mon Apr 6 08:38:28 2009: DEBUG: Handling with Radius::AuthLDAP2:
>>> Mon Apr 6 08:38:28 2009: INFO: Connecting to 127.0.0.1:636
>>> Mon Apr 6 08:38:28 2009: INFO: Attempting to bind to LDAP server
>>> 127.0.0.1:636
>>> Mon Apr 6 08:38:28 2009: DEBUG: LDAP got result for
>>> cn=cisco-admins,ou=groups,dc=example, dc=net
>>> Mon Apr 6 08:38:28 2009: DEBUG: LDAP got objectClass: posixGroup
>>> top
>>> Mon Apr 6 08:38:28 2009: DEBUG: LDAP got cn: cisco-admins
>>> Mon Apr 6 08:38:28 2009: DEBUG: LDAP got memberUid: ranko user1
>>> Mon Apr 6 08:38:28 2009: DEBUG: LDAP got gidNumber: 173123
>>> Mon Apr 6 08:38:28 2009: DEBUG: LDAP got creatorsName:
>>> uid=ranko,ou=users,dc=example,dc=net
>>> Mon Apr 6 08:38:28 2009: DEBUG: LDAP got modifiersName:
>>> uid=ranko,ou=users,dc=example,dc=net
>>> Mon Apr 6 08:38:28 2009: DEBUG: LDAP got createTimestamp:
>>> 20080902165300Z
>>> Mon Apr 6 08:38:28 2009: DEBUG: LDAP got modifyTimestamp:
>>> 20080903162147Z
>>> Mon Apr 6 08:38:28 2009: DEBUG: Radius::AuthLDAP2 looks for match
>>> with
>>> ranko [ranko]
>>> Mon Apr 6 08:38:28 2009: DEBUG: Radius::AuthLDAP2 ACCEPT: : ranko
>>> [ranko]
>>> Mon Apr 6 08:38:28 2009: DEBUG: Handling with Radius::AuthLDAP2:
>>> Mon Apr 6 08:38:28 2009: INFO: Connecting to 127.0.0.1:636
>>> Mon Apr 6 08:38:28 2009: INFO: Attempting to bind to LDAP server
>>> 127.0.0.1:636
>>> Mon Apr 6 08:38:28 2009: DEBUG: LDAP got result for
>>> uid=ranko,ou=users,dc=example, dc=net
>>> Mon Apr 6 08:38:28 2009: DEBUG: LDAP got userPassword: XXXXXX
>>> Mon Apr 6 08:38:28 2009: DEBUG: Radius::AuthLDAP2 looks for match
>>> with
>>> ranko [ranko]
>>> Mon Apr 6 08:38:28 2009: DEBUG: Radius::AuthLDAP2 ACCEPT: : ranko
>>> [ranko]
>>> Mon Apr 6 08:38:28 2009: DEBUG: AuthBy GROUP result: ACCEPT,
>>> Mon Apr 6 08:38:28 2009: DEBUG: Access accepted for ranko
>>> Mon Apr 6 08:38:28 2009: DEBUG: Packet dump:
>>> *** Reply to TACACSPLUS request:
>>> Code: Access-Accept
>>> Identifier: UNDEF
>>> Authentic:
>> <221><132>#<211><245><172><30>c7%<232><148><133><22>1<250>
>>> Attributes:
>>> Service-Type = Administrative-User
>>> Idle-Timeout = 900
>>> tacacsgroup = admins
>>>
>>> Mon Apr 6 08:38:28 2009: DEBUG: TacacsplusConnection result Access-
>>> Accept
>>> Mon Apr 6 08:38:28 2009: DEBUG: TacacsplusConnection Authentication
>>> REPLY
>>> 1, 0, ,
>>> Mon Apr 6 08:38:28 2009: DEBUG: TacacsplusConnection disconnected
>>> from
>>> 10.12.13.1:51609
>>> Mon Apr 6 08:38:28 2009: DEBUG: New TacacsplusConnection created
>>> for
>>> 10.12.13.1:47596
>>> Mon Apr 6 08:38:28 2009: DEBUG: TacacsplusConnection request 192,
>>> 2, 1, 0,
>>> 4145764549, 51
>>> Mon Apr 6 08:38:28 2009: DEBUG: TacacsplusConnection Authorization
>>> REQUEST
>>> 6, 1, 1, 1, ranko, tty2, 10.11.12.13, 2, service=shell cmd*
>>> Mon Apr 6 08:38:28 2009: DEBUG: AuthorizeGroup rule match found:
>>> permit
>>> service=shell cmd\* { idletime=15 priv-lvl=15 }
>>> Mon Apr 6 08:38:28 2009: INFO: Authorization permitted for ranko,
>>> group
>>> admins, args service=shell cmd*
>>> Mon Apr 6 08:38:28 2009: DEBUG: TacacsplusConnection Authorization
>>> RESPONSE
>>> 1, , , idletime=15 priv-lvl=15
>>> Mon Apr 6 08:38:28 2009: DEBUG: TacacsplusConnection disconnected
>>> from
>>> 10.12.13.1:47596
>>> Mon Apr 6 08:38:28 2009: DEBUG: Packet dump:
>>> *** Received from 10.12.13.1 port 1646 ....
>>> Code: Accounting-Request
>>> Identifier: 249
>>> Authentic: <233>%<236>vd<184>Z<207><209><234>ls<154>b%!
>>> Attributes:
>>> Acct-Session-Id = "0000009B"
>>> User-Name = "ranko"
>>> Acct-Authentic = Remote
>>> Acct-Status-Type = Start
>>> NAS-Port = 2
>>> NAS-Port-Id = "tty2"
>>> NAS-Port-Type = Virtual
>>> Service-Type = NAS-Prompt-User
>>> NAS-IP-Address = 10.12.13.1
>>> Acct-Delay-Time = 0
>>>
>>> Mon Apr 6 08:38:28 2009: DEBUG: Handling request with Handler
>>> 'HostType=CiscoRouter'
>>> Mon Apr 6 08:38:28 2009: DEBUG: Adding session for ranko,
>>> 10.12.13.1, 2
>>> Mon Apr 6 08:38:28 2009: DEBUG: Handling with Radius::AuthGROUP:
>>> Mon Apr 6 08:38:28 2009: DEBUG: Handling with Radius::AuthGROUP:
>>> Mon Apr 6 08:38:28 2009: DEBUG: Handling with Radius::AuthLDAP2:
>>> Mon Apr 6 08:38:28 2009: DEBUG: Handling with Radius::AuthLDAP2:
>>> Mon Apr 6 08:38:28 2009: DEBUG: AuthBy GROUP result: ACCEPT,
>>> Mon Apr 6 08:38:28 2009: DEBUG: Accounting accepted
>>> Mon Apr 6 08:38:28 2009: DEBUG: Packet dump:
>>> *** Sending to 10.12.13.1 port 1646 ....
>>> Code: Accounting-Response
>>> Identifier: 249
>>> Authentic: <251>|<201>iK<225><163>A-$<140><155><223><140><213><27>
>>> Attributes:
>>>
>>> Mon Apr 6 08:38:32 2009: DEBUG: New TacacsplusConnection created
>>> for
>>> 10.12.13.1:18152
>>> Mon Apr 6 08:38:32 2009: DEBUG: TacacsplusConnection request 192,
>>> 2, 1, 0,
>>> 2167032874, 84
>>> Mon Apr 6 08:38:32 2009: DEBUG: TacacsplusConnection Authorization
>>> REQUEST
>>> 1, 1, 1, 0, ranko, tty2, 10.11.12.13, 4, service=shell cmd=show
>>> cmd-arg=version cmd-arg=<cr>
>>> Mon Apr 6 08:38:32 2009: DEBUG: AuthorizeGroup rule match found:
>>> permit .*
>>> { }
>>> Mon Apr 6 08:38:32 2009: INFO: Authorization permitted for ranko,
>>> group
>>> admins, args service=shell cmd=show cmd-arg=version cmd-arg=<cr>
>>> Mon Apr 6 08:38:32 2009: DEBUG: TacacsplusConnection Authorization
>>> RESPONSE
>>> 1, , ,
>>> Mon Apr 6 08:38:32 2009: DEBUG: TacacsplusConnection disconnected
>>> from
>>> 10.12.13.1:18152
>>> Mon Apr 6 08:38:56 2009: NOTICE: SIGTERM received: stopping
>>> ---cut:logfile2---
>>>
>>> -----Original Message-----
>>> From: Hugh Irvine [mailto:hugh at open.com.au]
>>> Sent: 06 April 2009 06:02
>>> To: Ranko Zivojnovic
>>> Cc: 'radiator at open.com.au'
>>> Subject: Re: [RADIATOR] BUG in ServerTACACSPLUS.pm - not processing
>>> client
>>> related attributes
>>>
>>>
>>> Hello Ranko -
>>>
>>> Our testing here shows correct operation with Radiator 4.4.
>>>
>>> Can you please send us a copy of your configuration file and a trace
>> 4
>>> debug showing what is happening?
>>>
>>> thanks and regards
>>>
>>> Hugh
>>>
>>>
>>> On 6 Apr 2009, at 00:54, Ranko Zivojnovic wrote:
>>>
>>>> Greetings,
>>>>
>>>> Radiator is not processing attributes associated with the client in
>>>> ServerTACACSPLUS.pm (like AddToRequest and similar) due to the
>>>> following bug:
>>>>
>>>> ---cut---
>>>> --- a/Radius/ServerTACACSPLUS.pm 2009-03-10 23:59:01.000000000
>>>> +0200
>>>> +++ b/Radius/ServerTACACSPLUS.pm 2009-04-05 17:23:15.000000000
>>>> +0300
>>>> @@ -554,7 +554,7 @@
>>>> }
>>>>
>>>> # Use Client settings to manipulate Request/Reply
>>>> - my $client = &Radius::Client::findAddress($self->{peeraddr});
>>>> + my $client =
>>>> &Radius::Client::findAddress(Radius::Util::inet_pton($self-
>>>>> {peeraddr}));
>>>>
>>>> $tp->rewriteUsername($client->{RewriteUsername})
>>>> if defined $client->{RewriteUsername};
>>>> ---cut---
>>>>
>>>> Best regards,
>>>>
>>>> Ranko
>>>>
>>>> --
>>>> Ranko Zivojnovic
>>>> IT Director/CTO
>>>>
>>>> SpiderNet Services Public Ltd.
>>>> Nicosia, Cyprus
>>>> Tel: +357 22 844844
>>>> FAX: +357 22 844777
>>>> E-Mail: ranko at spidernet.net
>>>> Web: www.spidernet.net
>>>>
>>>>
>>>> _______________________________________________
>>>> radiator mailing list
>>>> radiator at open.com.au
>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>
>>>
>>>
>>> NB:
>>>
>>> Have you read the reference manual ("doc/ref.html")?
>>> Have you searched the mailing list archive
>>> (www.open.com.au/archives/radiator)?
>>> Have you had a quick look on Google (www.google.com)?
>>> Have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>> Have you checked the RadiusExpert wiki:
>>> http://www.open.com.au/wiki/index.php/Main_Page
>>>
>>> --
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>> Includes support for reliable RADIUS transport (RadSec),
>>> and DIAMETER translation agent.
>>> -
>>> Nets: internetwork inventory and management - graphical, extensible,
>>> flexible with hardware, software, platform and database
>>> independence.
>>> -
>>> CATool: Private Certificate Authority for Unix and Unix-like
>>> systems.
>>>
>>>
>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive
>> (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>> Have you checked the RadiusExpert wiki:
>> http://www.open.com.au/wiki/index.php/Main_Page
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> Includes support for reliable RADIUS transport (RadSec),
>> and DIAMETER translation agent.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
More information about the radiator
mailing list