[RADIATOR] BUG in ServerTACACSPLUS.pm - not processing client related attributes

Ranko Zivojnovic Ranko.Zivojnovic at spidernet.com
Wed Apr 8 07:05:08 CDT 2009


Yep - now it works :)

Thanks and best regards,

Ranko

> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: 08 April 2009 14:46
> To: Ranko Zivojnovic
> Cc: 'radiator at open.com.au'
> Subject: Re: [RADIATOR] BUG in ServerTACACSPLUS.pm - not processing
> client related attributes
> 
> 
> Hello Ranko -
> 
> Thanks for your patience - could you please test the latest patch set
> for us?
> 
> regards
> 
> Hugh
> 
> 
> On 8 Apr 2009, at 21:18, Ranko Zivojnovic wrote:
> 
> > Hello Hugh,
> >
> > No - the problem is not fixed in the patchset.
> >
> > Your modified patch calls inet_pton() in new() in order to find the
> > client key so it can decrypt the payload. However, that part was working
> > even without the inet_pton() call.
> >
> > The problem for my setup is happening in dispatch_radius_request(),
> > where it is supposed to use the client settings to manipulate the
> > Request/Reply.
> >
> > If I use the same piece of code you have used in the patch for the new()
> > function to find the client in dispatch_radius_request(), the problem
> > nicely disappears.
> >
> > Thanks and best regards,
> >
> > Ranko
> >
> >> -----Original Message-----
> >> From: Hugh Irvine [mailto:hugh at open.com.au]
> >> Sent: 07 April 2009 10:22
> >> To: Ranko Zivojnovic
> >> Cc: 'radiator at open.com.au'
> >> Subject: Re: [RADIATOR] BUG in ServerTACACSPLUS.pm - not processing
> >> client related attributes
> >>
> >>
> >> Hello Ranko -
> >>
> >> We still have not been able to reproduce the problem, but we have
> >> added a modified version of your patch anyway.
> >>
> >> Would you please download and install the latest Radiator 4.4 patches
> >> and test it for us?
> >>
> >> Please let us know how you get on.
> >>
> >> regards
> >>
> >> Hugh
> >>
> >>
> >> On 6 Apr 2009, at 16:23, Ranko Zivojnovic wrote:
> >>
> >>> Hello Hugh,
> >>>
> >>> Below is a test configuration and logfiles (some things obfuscated).
> >>>
> >>> Logfile1 shows the output of the stock 4.4 Radiator - you will note the
> >>> message "WARNING: TacacsplusConnection could not find a Handler".
> >>>
> >>> Testing showed that $self->{peeraddr} in
> >>> ServerTACACSPLUS.pm:dispatch_radius_request() is a text format IP address,
> >>> and in order for &Radius::Client::findAddress() to actually find the
> >>> client it must first be converted with inet_pton().
> >>>
> >>> The simple patch I've sent in my previous message fixes this issue for
> >>> me - but the problem could originate elsewhere.
> >>>
> >>> Logfile2 shows correct operation with the patch applied.
> >>>
> >>> If you need any other info - please let me know.
> >>>
> >>> Best regards,
> >>>
> >>> Ranko
> >>>
> >>> ---cut:test.cfg---
> >>> LogDir          /var/log/radius
> >>> DbDir           /etc/radiator
> >>> Trace           4
> >>> BindAddress 10.11.12.13
> >>> AuthPort 1645,1812
> >>> AcctPort 1646,1813
> >>>
> >>> <ClientListLDAP>
> >>>       include %D/ldap.cfg
> >>>       BaseDN ou=Hosts, dc=example, dc=net
> >>>       RefreshPeriod 1800
> >>> </ClientListLDAP>
> >>>
> >>> <Handler HostType=TypeA>
> >>> #*snip*
> >>> </Handler>
> >>>
> >>> <Handler HostType=TypeB>
> >>> #*snip*
> >>> </Handler>
> >>>
> >>> <Handler HostType=TypeC>
> >>> #*snip*
> >>> </Handler>
> >>>
> >>> <Handler HostType=CiscoRouter>
> >>>       AcctLogFileName %L/Cisco.log
> >>>       <AuthBy GROUP>
> >>>               AuthByPolicy ContinueWhileReject
> >>>               <AuthBy GROUP>
> >>>                       AuthByPolicy ContinueWhileAccept
> >>>                       <AuthBy LDAP2>
> >>>                               include %D/ldap.cfg
> >>>                               BaseDN ou=groups, dc=example, dc=net
> >>>                               UsernameAttr memberUid
> >>>                               SearchFilter (&(cn=cisco-admins)(%0=%1))
> >>>                               NoCheckPassword
> >>>                       </AuthBy>
> >>>                       <AuthBy LDAP2>
> >>>                               include %D/ldap.cfg
> >>>                               BaseDN ou=users, dc=example, dc=net
> >>>                               AddToReply Service-Type = Administrative-User, Idle-Timeout = 900, tacacsgroup=admins
> >>>                               AuthAttrDef host,NAS-Identifier,check
> >>>                               EncryptedPasswordAttr userPassword
> >>>                       </AuthBy>
> >>>               </AuthBy>
> >>>               <AuthBy GROUP>
> >>>                       AuthByPolicy ContinueWhileAccept
> >>>                       <AuthBy LDAP2>
> >>>                               include %D/ldap.cfg
> >>>                               BaseDN ou=groups, dc=example, dc=net
> >>>                               UsernameAttr memberUid
> >>>                               SearchFilter (&(cn=cisco-users)(%0=%1))
> >>>                               NoCheckPassword
> >>>                       </AuthBy>
> >>>                       <AuthBy LDAP2>
> >>>                               include %D/ldap.cfg
> >>>                               BaseDN ou=users, dc=example, dc=net
> >>>                               AddToReply Service-Type = Login-User, Idle-Timeout = 900, tacacsgroup=versiononly
> >>>                               AuthAttrDef host,NAS-Identifier,check
> >>>                               EncryptedPasswordAttr userPassword
> >>>                       </AuthBy>
> >>>               </AuthBy>
> >>>       </AuthBy>
> >>> </Handler>
> >>>
> >>> <ServerTACACSPLUS>
> >>>       BindAddress 10.11.12.13
> >>>       GroupMemberAttr tacacsgroup
> >>>       AuthorizeGroup versiononly permit service=shell cmd=show cmd-arg=version
> >>>       AuthorizeGroup versiononly permit service=shell cmd\* {idletime=15 priv-lvl=1}
> >>>       AuthorizeGroup versiononly deny .*
> >>>       AuthorizeGroup admins permit service=shell cmd\* {idletime=15 priv-lvl=15}
> >>>       AuthorizeGroup admins permit .*
> >>> </ServerTACACSPLUS>
> >>> ---cut:test.cfg---
> >>>
> >>> ---cut:logfile1---
> >>> Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:02:48 2009: INFO: Connecting to 127.0.0.1:636
> >>> Mon Apr  6 08:02:48 2009: INFO: Attempting to bind to LDAP server 127.0.0.1:636
> >>> Mon Apr  6 08:02:48 2009: DEBUG: Adding Clients from LDAP database
> >>> Mon Apr  6 08:02:48 2009: DEBUG: ClientListLDAP SearchFilter: (objectclass=oscRadiusClient), BaseDN: ou=Hosts, dc=example, dc=net, attrs: oscRadiusAddToRequest oscRadiusIgnoreAcctSignature oscRadiusSNMPCommunity oscRadiusSecret oscRadiusDefaultReply oscRadiusFramedGroup oscRadiusUseOldAscendPasswords oscRadiusStripfromRequest oscRadiusDupInterval oscRadiusAddToRequestIfNotExist oscRadiusPacketTrace oscRadiusDynamicReply oscRadiusLivingstonHole oscRadiusFramedGroupBaseAddress oscRadiusFramedGroupPortOffset oscRadiusRewriteUsername oscRadiusStripFromReply oscRadiusPreHandlerHook oscRadiusNoIgnoreDuplicates oscRadiusNasType oscRadiusIdenticalClients oscRadiusAddToReply oscRadiusAddToReplyIfNotExist oscRadiusLivingstonOffs oscRadiusStatusServerShowClientDetails oscRadiusAllowInReply oscRadiusClientName oscRadiusFramedGroupMaxPortsPerClassC
> >>> Mon Apr  6 08:02:48 2009: DEBUG: ClientListLDAP got result for cn=router1,ou=Hosts,dc=example, dc=net
> >>> Mon Apr  6 08:02:48 2009: DEBUG: ClientListLDAP got oscRadiusAddToRequest: HostType=CiscoRouter
> >>> Mon Apr  6 08:02:48 2009: DEBUG: ClientListLDAP got oscRadiusSecret: XXXXXX
> >>> Mon Apr  6 08:02:48 2009: DEBUG: ClientListLDAP got oscRadiusClientName: router1.example.net
> >>> Mon Apr  6 08:02:48 2009: DEBUG: ClientListLDAP got result for cn=router2,ou=Hosts,dc=example, dc=net
> >>> Mon Apr  6 08:02:48 2009: DEBUG: ClientListLDAP got oscRadiusAddToRequest: HostType=CiscoRouter
> >>> Mon Apr  6 08:02:48 2009: DEBUG: ClientListLDAP got oscRadiusSecret: XXXXXX
> >>> Mon Apr  6 08:02:48 2009: DEBUG: ClientListLDAP got oscRadiusClientName: router2.example.net
> >>> *snip*
> >>> Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:02:48 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:02:48 2009: DEBUG: Creating TACACSPLUS port 10.11.12.13:49
> >>> Mon Apr  6 08:02:48 2009: DEBUG: Finished reading configuration file '/etc/radiator/test.cfg'
> >>> Mon Apr  6 08:02:48 2009: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> >>> Mon Apr  6 08:02:49 2009: DEBUG: Creating authentication port 10.11.12.13:1645
> >>> Mon Apr  6 08:02:49 2009: DEBUG: Creating authentication port 10.11.12.13:1812
> >>> Mon Apr  6 08:02:49 2009: DEBUG: Creating accounting port 10.11.12.13:1646
> >>> Mon Apr  6 08:02:49 2009: DEBUG: Creating accounting port 10.11.12.13:1813
> >>> Mon Apr  6 08:02:49 2009: NOTICE: Server started: Radiator 4.4 on radius.example.net
> >>> Mon Apr  6 08:03:24 2009: DEBUG: New TacacsplusConnection created for 10.11.12.1:54948
> >>> Mon Apr  6 08:03:24 2009: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 2730182230, 32
> >>> Mon Apr  6 08:03:24 2009: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for ranko, tty2, 10.11.12.13
> >>> Mon Apr  6 08:03:24 2009: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
> >>> Mon Apr  6 08:03:24 2009: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 2730182230, 13
> >>> Mon Apr  6 08:03:24 2009: DEBUG: TacacsplusConnection Authentication CONTINUE 0, XXXXXX,
> >>> Mon Apr  6 08:03:24 2009: DEBUG: TACACSPLUS derived Radius request packet dump:
> >>> Code:       Access-Request
> >>> Identifier: UNDEF
> >>> Authentic:  <231><219>/Q<255>{o<133><160>SK<20>BZ<146><10>
> >>> Attributes:
> >>>       NAS-IP-Address = 10.11.12.1
> >>>       NAS-Port-Id = "tty2"
> >>>       Calling-Station-Id = "10.11.12.13"
> >>>       Service-Type = Login-User
> >>>       User-Name = "ranko"
> >>>       User-Password = XXXXXX
> >>>       OSC-Version-Identifier = "192"
> >>>
> >>> Mon Apr  6 08:03:24 2009: WARNING: TacacsplusConnection could not find a Handler
> >>> Mon Apr  6 08:03:29 2009: DEBUG: TacacsplusConnection disconnected from 10.11.12.1:54948
> >>> Mon Apr  6 08:05:48 2009: NOTICE: SIGTERM received: stopping
> >>> ---cut:logfile1---
> >>>
> >>> ---cut:logfile2---
> >>> Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:38:20 2009: INFO: Connecting to 127.0.0.1:636
> >>> Mon Apr  6 08:38:20 2009: INFO: Attempting to bind to LDAP server 127.0.0.1:636
> >>> Mon Apr  6 08:38:20 2009: DEBUG: Adding Clients from LDAP database
> >>> Mon Apr  6 08:38:20 2009: DEBUG: ClientListLDAP SearchFilter: (objectclass=oscRadiusClient), BaseDN: ou=Hosts, dc=example, dc=net, attrs: oscRadiusAddToRequest oscRadiusIgnoreAcctSignature oscRadiusSNMPCommunity oscRadiusSecret oscRadiusDefaultReply oscRadiusFramedGroup oscRadiusUseOldAscendPasswords oscRadiusStripfromRequest oscRadiusDupInterval oscRadiusAddToRequestIfNotExist oscRadiusPacketTrace oscRadiusDynamicReply oscRadiusLivingstonHole oscRadiusFramedGroupBaseAddress oscRadiusFramedGroupPortOffset oscRadiusRewriteUsername oscRadiusStripFromReply oscRadiusPreHandlerHook oscRadiusNoIgnoreDuplicates oscRadiusNasType oscRadiusIdenticalClients oscRadiusAddToReply oscRadiusAddToReplyIfNotExist oscRadiusLivingstonOffs oscRadiusStatusServerShowClientDetails oscRadiusAllowInReply oscRadiusClientName oscRadiusFramedGroupMaxPortsPerClassC
> >>> Mon Apr  6 08:38:20 2009: DEBUG: ClientListLDAP got result for cn=router1,ou=Hosts,dc=example, dc=net
> >>> Mon Apr  6 08:38:20 2009: DEBUG: ClientListLDAP got oscRadiusAddToRequest: HostType=CiscoRouter
> >>> Mon Apr  6 08:38:20 2009: DEBUG: ClientListLDAP got oscRadiusSecret: XXXXXX
> >>> Mon Apr  6 08:38:20 2009: DEBUG: ClientListLDAP got oscRadiusClientName: router1.example.net
> >>> Mon Apr  6 08:38:20 2009: DEBUG: ClientListLDAP got result for cn=router2,ou=Hosts,dc=example, dc=net
> >>> Mon Apr  6 08:38:20 2009: DEBUG: ClientListLDAP got oscRadiusAddToRequest: HostType=CiscoRouter
> >>> Mon Apr  6 08:38:20 2009: DEBUG: ClientListLDAP got oscRadiusSecret: XXXXXX
> >>> Mon Apr  6 08:38:20 2009: DEBUG: ClientListLDAP got oscRadiusClientName: router2.example.net
> >>> *snip*
> >>> Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:38:20 2009: DEBUG: include /etc/radiator/ldap.cfg
> >>> Mon Apr  6 08:38:20 2009: DEBUG: Creating TACACSPLUS port 10.11.12.13:49
> >>> Mon Apr  6 08:38:20 2009: DEBUG: Finished reading configuration file '/etc/radiator/test.cfg'
> >>> Mon Apr  6 08:38:20 2009: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> >>> Mon Apr  6 08:38:20 2009: DEBUG: Creating authentication port 10.11.12.13:1645
> >>> Mon Apr  6 08:38:20 2009: DEBUG: Creating authentication port 10.11.12.13:1812
> >>> Mon Apr  6 08:38:20 2009: DEBUG: Creating accounting port 10.11.12.13:1646
> >>> Mon Apr  6 08:38:20 2009: DEBUG: Creating accounting port 10.11.12.13:1813
> >>> Mon Apr  6 08:38:20 2009: NOTICE: Server started: Radiator 4.4 on radius.example.net
> >>> Mon Apr  6 08:38:28 2009: DEBUG: New TacacsplusConnection created for 10.12.13.1:51609
> >>> Mon Apr  6 08:38:28 2009: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 2939512271, 32
> >>> Mon Apr  6 08:38:28 2009: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for ranko, tty2, 10.11.12.13
> >>> Mon Apr  6 08:38:28 2009: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
> >>> Mon Apr  6 08:38:28 2009: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 2939512271, 13
> >>> Mon Apr  6 08:38:28 2009: DEBUG: TacacsplusConnection Authentication CONTINUE 0, XXXXXX,
> >>> Mon Apr  6 08:38:28 2009: DEBUG: TACACSPLUS derived Radius request packet dump:
> >>> Code:       Access-Request
> >>> Identifier: UNDEF
> >>> Authentic:  <221><132>#<211><245><172><30>c7%<232><148><133><22>1<250>
> >>> Attributes:
> >>>       NAS-IP-Address = 10.12.13.1
> >>>       NAS-Port-Id = "tty2"
> >>>       Calling-Station-Id = "10.11.12.13"
> >>>       Service-Type = Login-User
> >>>       User-Name = "ranko"
> >>>       User-Password = XXXXXX
> >>>       OSC-Version-Identifier = "192"
> >>>       HostType = CiscoRouter
> >>>
> >>> Mon Apr  6 08:38:28 2009: DEBUG: Handling request with Handler 'HostType=CiscoRouter'
> >>> Mon Apr  6 08:38:28 2009: DEBUG:  Deleting session for ranko, 10.12.13.1,
> >>> Mon Apr  6 08:38:28 2009: DEBUG: Handling with Radius::AuthGROUP:
> >>> Mon Apr  6 08:38:28 2009: DEBUG: Handling with Radius::AuthGROUP:
> >>> Mon Apr  6 08:38:28 2009: DEBUG: Handling with Radius::AuthLDAP2:
> >>> Mon Apr  6 08:38:28 2009: INFO: Connecting to 127.0.0.1:636
> >>> Mon Apr  6 08:38:28 2009: INFO: Attempting to bind to LDAP server 127.0.0.1:636
> >>> Mon Apr  6 08:38:28 2009: DEBUG: LDAP got result for cn=cisco-admins,ou=groups,dc=example, dc=net
> >>> Mon Apr  6 08:38:28 2009: DEBUG: LDAP got objectClass: posixGroup top
> >>> Mon Apr  6 08:38:28 2009: DEBUG: LDAP got cn: cisco-admins
> >>> Mon Apr  6 08:38:28 2009: DEBUG: LDAP got memberUid: ranko user1
> >>> Mon Apr  6 08:38:28 2009: DEBUG: LDAP got gidNumber: 173123
> >>> Mon Apr  6 08:38:28 2009: DEBUG: LDAP got creatorsName: uid=ranko,ou=users,dc=example,dc=net
> >>> Mon Apr  6 08:38:28 2009: DEBUG: LDAP got modifiersName: uid=ranko,ou=users,dc=example,dc=net
> >>> Mon Apr  6 08:38:28 2009: DEBUG: LDAP got createTimestamp: 20080902165300Z
> >>> Mon Apr  6 08:38:28 2009: DEBUG: LDAP got modifyTimestamp: 20080903162147Z
> >>> Mon Apr  6 08:38:28 2009: DEBUG: Radius::AuthLDAP2 looks for match with ranko [ranko]
> >>> Mon Apr  6 08:38:28 2009: DEBUG: Radius::AuthLDAP2 ACCEPT: : ranko [ranko]
> >>> Mon Apr  6 08:38:28 2009: DEBUG: Handling with Radius::AuthLDAP2:
> >>> Mon Apr  6 08:38:28 2009: INFO: Connecting to 127.0.0.1:636
> >>> Mon Apr  6 08:38:28 2009: INFO: Attempting to bind to LDAP server 127.0.0.1:636
> >>> Mon Apr  6 08:38:28 2009: DEBUG: LDAP got result for uid=ranko,ou=users,dc=example, dc=net
> >>> Mon Apr  6 08:38:28 2009: DEBUG: LDAP got userPassword: XXXXXX
> >>> Mon Apr  6 08:38:28 2009: DEBUG: Radius::AuthLDAP2 looks for match with ranko [ranko]
> >>> Mon Apr  6 08:38:28 2009: DEBUG: Radius::AuthLDAP2 ACCEPT: : ranko [ranko]
> >>> Mon Apr  6 08:38:28 2009: DEBUG: AuthBy GROUP result: ACCEPT,
> >>> Mon Apr  6 08:38:28 2009: DEBUG: Access accepted for ranko
> >>> Mon Apr  6 08:38:28 2009: DEBUG: Packet dump:
> >>> *** Reply to TACACSPLUS request:
> >>> Code:       Access-Accept
> >>> Identifier: UNDEF
> >>> Authentic:  <221><132>#<211><245><172><30>c7%<232><148><133><22>1<250>
> >>> Attributes:
> >>>       Service-Type = Administrative-User
> >>>       Idle-Timeout = 900
> >>>       tacacsgroup = admins
> >>>
> >>> Mon Apr  6 08:38:28 2009: DEBUG: TacacsplusConnection result Access-Accept
> >>> Mon Apr  6 08:38:28 2009: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
> >>> Mon Apr  6 08:38:28 2009: DEBUG: TacacsplusConnection disconnected from 10.12.13.1:51609
> >>> Mon Apr  6 08:38:28 2009: DEBUG: New TacacsplusConnection created for 10.12.13.1:47596
> >>> Mon Apr  6 08:38:28 2009: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 4145764549, 51
> >>> Mon Apr  6 08:38:28 2009: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, ranko, tty2, 10.11.12.13, 2, service=shell cmd*
> >>> Mon Apr  6 08:38:28 2009: DEBUG: AuthorizeGroup rule match found: permit service=shell cmd\* { idletime=15 priv-lvl=15 }
> >>> Mon Apr  6 08:38:28 2009: INFO: Authorization permitted for ranko, group admins, args service=shell cmd*
> >>> Mon Apr  6 08:38:28 2009: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , idletime=15 priv-lvl=15
> >>> Mon Apr  6 08:38:28 2009: DEBUG: TacacsplusConnection disconnected from 10.12.13.1:47596
> >>> Mon Apr  6 08:38:28 2009: DEBUG: Packet dump:
> >>> *** Received from 10.12.13.1 port 1646 ....
> >>> Code:       Accounting-Request
> >>> Identifier: 249
> >>> Authentic:  <233>%<236>vd<184>Z<207><209><234>ls<154>b%!
> >>> Attributes:
> >>>       Acct-Session-Id = "0000009B"
> >>>       User-Name = "ranko"
> >>>       Acct-Authentic = Remote
> >>>       Acct-Status-Type = Start
> >>>       NAS-Port = 2
> >>>       NAS-Port-Id = "tty2"
> >>>       NAS-Port-Type = Virtual
> >>>       Service-Type = NAS-Prompt-User
> >>>       NAS-IP-Address = 10.12.13.1
> >>>       Acct-Delay-Time = 0
> >>>
> >>> Mon Apr  6 08:38:28 2009: DEBUG: Handling request with Handler 'HostType=CiscoRouter'
> >>> Mon Apr  6 08:38:28 2009: DEBUG:  Adding session for ranko, 10.12.13.1, 2
> >>> Mon Apr  6 08:38:28 2009: DEBUG: Handling with Radius::AuthGROUP:
> >>> Mon Apr  6 08:38:28 2009: DEBUG: Handling with Radius::AuthGROUP:
> >>> Mon Apr  6 08:38:28 2009: DEBUG: Handling with Radius::AuthLDAP2:
> >>> Mon Apr  6 08:38:28 2009: DEBUG: Handling with Radius::AuthLDAP2:
> >>> Mon Apr  6 08:38:28 2009: DEBUG: AuthBy GROUP result: ACCEPT,
> >>> Mon Apr  6 08:38:28 2009: DEBUG: Accounting accepted
> >>> Mon Apr  6 08:38:28 2009: DEBUG: Packet dump:
> >>> *** Sending to 10.12.13.1 port 1646 ....
> >>> Code:       Accounting-Response
> >>> Identifier: 249
> >>> Authentic:  <251>|<201>iK<225><163>A-$<140><155><223><140><213><27>
> >>> Attributes:
> >>>
> >>> Mon Apr  6 08:38:32 2009: DEBUG: New TacacsplusConnection created for 10.12.13.1:18152
> >>> Mon Apr  6 08:38:32 2009: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 2167032874, 84
> >>> Mon Apr  6 08:38:32 2009: DEBUG: TacacsplusConnection Authorization REQUEST 1, 1, 1, 0, ranko, tty2, 10.11.12.13, 4, service=shell cmd=show cmd-arg=version cmd-arg=<cr>
> >>> Mon Apr  6 08:38:32 2009: DEBUG: AuthorizeGroup rule match found: permit .* {  }
> >>> Mon Apr  6 08:38:32 2009: INFO: Authorization permitted for ranko, group admins, args service=shell cmd=show cmd-arg=version cmd-arg=<cr>
> >>> Mon Apr  6 08:38:32 2009: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
> >>> Mon Apr  6 08:38:32 2009: DEBUG: TacacsplusConnection disconnected from 10.12.13.1:18152
> >>> Mon Apr  6 08:38:56 2009: NOTICE: SIGTERM received: stopping
> >>> ---cut:logfile2---
> >>>
> >>> -----Original Message-----
> >>> From: Hugh Irvine [mailto:hugh at open.com.au]
> >>> Sent: 06 April 2009 06:02
> >>> To: Ranko Zivojnovic
> >>> Cc: 'radiator at open.com.au'
> >>> Subject: Re: [RADIATOR] BUG in ServerTACACSPLUS.pm - not processing
> >>> client related attributes
> >>>
> >>>
> >>> Hello Ranko -
> >>>
> >>> Our testing here shows correct operation with Radiator 4.4.
> >>>
> >>> Can you please send us a copy of your configuration file and a trace 4
> >>> debug showing what is happening?
> >>>
> >>> thanks and regards
> >>>
> >>> Hugh
> >>>
> >>>
> >>> On 6 Apr 2009, at 00:54, Ranko Zivojnovic wrote:
> >>>
> >>>> Greetings,
> >>>>
> >>>> Radiator is not processing attributes associated with the client in
> >>>> ServerTACACSPLUS.pm (like AddToRequest and similar) due to the
> >>>> following bug:
> >>>>
> >>>> ---cut---
> >>>> --- a/Radius/ServerTACACSPLUS.pm   2009-03-10 23:59:01.000000000
> >>>> +0200
> >>>> +++ b/Radius/ServerTACACSPLUS.pm   2009-04-05 17:23:15.000000000
> >>>> +0300
> >>>> @@ -554,7 +554,7 @@
> >>>>   }
> >>>>
> >>>>   # Use Client settings to manipulate Request/Reply
> >>>> -    my $client = &Radius::Client::findAddress($self->{peeraddr});
> >>>> +    my $client =
> >>>> &Radius::Client::findAddress(Radius::Util::inet_pton($self-
> >>>>> {peeraddr}));
> >>>>
> >>>>   $tp->rewriteUsername($client->{RewriteUsername})
> >>>>       if defined $client->{RewriteUsername};
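Review bot: the replacement line converts `$self->{peeraddr}` with `Radius::Util::inet_pton()` unconditionally, so if `peeraddr` is already in packed form on some platform or code path (the maintainer reports the unpatched lookup working in his own testing, so the representation evidently differs between setups) the conversion of a non-text value will not parse and `findAddress` will be handed undef where it previously got a usable key. Better to settle on one representation for `peeraddr` when the connection object is created, where the client is already looked up to obtain the secret, and pass that stored value to `findAddress` here, so both call sites agree by construction. Independently of that, when `$client` comes back undefined the following `$tp->rewriteUsername($client->{RewriteUsername}) if defined $client->{RewriteUsername};` and the other client-setting lines are silently skipped; a warning logged at this point ("no Client matches peer address ...") would have surfaced the fault directly instead of later and less obviously as "could not find a Handler".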
> >>>> ---cut---
> >>>>
> >>>> Best regards,
> >>>>
> >>>> Ranko
> >>>>
> >>>> --
> >>>> Ranko Zivojnovic
> >>>> IT Director/CTO
> >>>>
> >>>> SpiderNet Services Public Ltd.
> >>>> Nicosia, Cyprus
> >>>> Tel:    +357 22 844844
> >>>> FAX:    +357 22 844777
> >>>> E-Mail: ranko at spidernet.net
> >>>> Web:    www.spidernet.net
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> radiator mailing list
> >>>> radiator at open.com.au
> >>>> http://www.open.com.au/mailman/listinfo/radiator
> >>>
> >>>
> >>>
> >>> NB:
> >>>
> >>> Have you read the reference manual ("doc/ref.html")?
> >>> Have you searched the mailing list archive
> >>> (www.open.com.au/archives/radiator)?
> >>> Have you had a quick look on Google (www.google.com)?
> >>> Have you included a copy of your configuration file (no secrets),
> >>> together with a trace 4 debug showing what is happening?
> >>> Have you checked the RadiusExpert wiki:
> >>> http://www.open.com.au/wiki/index.php/Main_Page
> >>>
> >>> --
> >>> Radiator: the most portable, flexible and configurable RADIUS server
> >>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >>> Includes support for reliable RADIUS transport (RadSec),
> >>> and DIAMETER translation agent.
> >>> -
> >>> Nets: internetwork inventory and management - graphical, extensible,
> >>> flexible with hardware, software, platform and database independence.
> >>> -
> >>> CATool: Private Certificate Authority for Unix and Unix-like systems.
> >>>
> >>>
> >>
> >
> 
> 

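The thread turns on the representation of the peer address: Radius::Client::findAddress() wants the packed form, while ServerTACACSPLUS.pm's dispatch_radius_request() holds the text form, so the client is never found, its AddToRequest item (HostType=CiscoRouter) never reaches the derived request, and no Handler matches. The following Python model is an added example, not Radiator's code and not Ranko's patch; the client table, handler list, addresses and secrets are constructed, and the lookup and handler-selection semantics are assumptions based on what the messages above state:

```python
"""Model of the client lookup behind the bug discussed in this thread.

Added illustration, not Radiator's code. It assumes what the thread states:
the client table is keyed by packed (binary) addresses, the TACACS+ server
holds the peer address as text, and a client's AddToRequest items must be in
the derived request before the HostType=... handlers are consulted. Client
names, secrets and addresses below are constructed.
"""
import socket


def pack_address(peeraddr):
    """Normalise a peer address to packed bytes, or None if it is unusable.

    str                      -> parsed as IPv4 or IPv6 text.
    bytes of length 4 or 16  -> assumed already packed, returned as-is.
    any other bytes          -> decoded and parsed as text.
    Python can tell str from bytes; a Perl scalar cannot, which is why the
    conversion belongs in one well-defined place (connection setup) rather
    than being guessed at each lookup site.
    """
    if isinstance(peeraddr, bytes):
        if len(peeraddr) in (4, 16):
            return peeraddr
        peeraddr = peeraddr.decode("ascii", "replace")
    if not isinstance(peeraddr, str):
        return None
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            return socket.inet_pton(family, peeraddr)
        except (OSError, ValueError):
            pass
    return None


# Constructed client table, keyed by packed address (what findAddress expects).
CLIENTS = {
    pack_address("10.12.13.1"): {
        "ClientName": "router1.example.net",
        "Secret": b"constructed-secret-1",
        "AddToRequest": {"HostType": "CiscoRouter"},
    },
    pack_address("10.12.13.2"): {
        "ClientName": "router2.example.net",
        "Secret": b"constructed-secret-2",
        "AddToRequest": {"HostType": "CiscoRouter"},
    },
}

# Constructed handler list in the order of the thread's test.cfg: each entry is
# the one check item a request must carry for that handler to be chosen.
HANDLERS = ["HostType=TypeA", "HostType=TypeB", "HostType=TypeC", "HostType=CiscoRouter"]


def find_address_unpatched(peeraddr):
    """Pre-patch lookup: the text peer address is used as the key directly,
    so it never equals a packed key and no client is found."""
    return CLIENTS.get(peeraddr)


def find_address(peeraddr):
    """Patched lookup: normalise to the table's representation first."""
    key = pack_address(peeraddr)
    return None if key is None else CLIENTS.get(key)


def derive_request(peeraddr, base_attrs, lookup=find_address):
    """Build the RADIUS-style request handed to the handlers, applying the
    client's AddToRequest items when the client is known.
    Returns (attributes, client_name_or_None)."""
    attrs = dict(base_attrs)
    client = lookup(peeraddr)
    if client is None:
        return attrs, None  # client settings silently not applied
    attrs.update(client["AddToRequest"])
    return attrs, client["ClientName"]


def select_handler(attrs):
    """First handler whose Attr=Value check item is present in the request."""
    for spec in HANDLERS:
        name, value = spec.split("=", 1)
        if attrs.get(name) == value:
            return spec
    return None


if __name__ == "__main__":
    base = {"User-Name": "ranko", "NAS-Port-Id": "tty2", "Service-Type": "Login-User"}
    for lookup in (find_address_unpatched, find_address):
        attrs, client = derive_request("10.12.13.1", base, lookup)
        handler = select_handler(attrs)
        print(lookup.__name__, "client:", client,
              "handler:", handler or "WARNING: could not find a Handler")
```

Run stand-alone it prints the two outcomes seen in logfile1 and logfile2: with the unpatched lookup the client is None and no handler is found, with the normalised lookup the request carries HostType=CiscoRouter and the CiscoRouter handler is selected. The design point is that a lookup that silently returns nothing when the key is in the wrong representation is a fail-open of the client-specific settings, which is why normalisation should happen once at connection setup and a miss should be logged.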
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5128 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20090408/3a41f43d/attachment-0001.bin>
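
The AuthorizeGroup lines in test.cfg and the "rule match found" lines in logfile2 also repay a closer look: the admins group matches `service=shell cmd\*` for the shell-start request and falls through to `permit .*` for `show version`, and the versiononly group ends in `deny .*`. The Python model below is an added example, not Radiator's code; it parses a constructed copy of those config lines, and its semantics (each pattern is a regex searched in the space-joined argument list, first match within the group wins, a permit rule's braced attributes are returned, no match means deny) are assumptions drawn from the config and log above, not checked against Radiator's source. The `sloppy` group is hypothetical and shows what an unescaped star does:

```python
"""Model of the AuthorizeGroup rule matching shown in the thread's logs.

Added example, not Radiator's code. Assumed semantics (not verified against
Radiator's source): a rule's pattern is a regex searched in the space-joined
TACACS+ authorization arguments, the first matching rule of the user's group
decides, a permit rule's {...} attributes are returned to the NAS, and a
group with no matching rule is denied.
"""
import re

# Constructed config: the AuthorizeGroup lines from the thread's test.cfg, plus
# a hypothetical 'sloppy' group whose author forgot to escape the star.
CONFIG = r"""
AuthorizeGroup versiononly permit service=shell cmd=show cmd-arg=version
AuthorizeGroup versiononly permit service=shell cmd\* {idletime=15 priv-lvl=1}
AuthorizeGroup versiononly deny .*
AuthorizeGroup admins permit service=shell cmd\* {idletime=15 priv-lvl=15}
AuthorizeGroup admins permit .*
AuthorizeGroup sloppy permit service=shell cmd.* {idletime=15 priv-lvl=1}
AuthorizeGroup sloppy deny .*
"""

# group, action, pattern (may contain spaces), optional {k=v k=v} attributes.
RULE_RE = re.compile(
    r"^AuthorizeGroup\s+(?P<group>\S+)\s+(?P<action>permit|deny)\s+"
    r"(?P<pattern>.*?)\s*(?:\{(?P<attrs>[^{}]*)\})?\s*$"
)


def parse_rules(text):
    """Parse AuthorizeGroup lines into {group: [(action, pattern, attrs), ...]}.
    Order within a group is preserved because it decides precedence."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable rule: " + line)
        attrs = {}
        if m.group("attrs"):
            for item in m.group("attrs").split():
                key, _, value = item.partition("=")
                attrs[key] = value
        rules.setdefault(m.group("group"), []).append(
            (m.group("action"), m.group("pattern"), attrs)
        )
    return rules


RULES = parse_rules(CONFIG)


def authorize(group, args, rules=RULES):
    """Decide one authorization request.
    args is the list of TACACS+ AV pairs, e.g. ["service=shell", "cmd*"].
    Returns (permitted, reply_attrs, matched_pattern_or_None)."""
    joined = " ".join(args)
    for action, pattern, attrs in rules.get(group, []):
        if re.search(pattern, joined):
            if action == "permit":
                return True, dict(attrs), pattern
            return False, {}, pattern
    return False, {}, None  # no rule matched: treated as deny (assumption)


if __name__ == "__main__":
    # The two authorizations from logfile2: shell start, then 'show version'.
    print(authorize("admins", ["service=shell", "cmd*"]))
    print(authorize("admins", ["service=shell", "cmd=show", "cmd-arg=version", "cmd-arg=<cr>"]))
    # Why the escaping matters: cmd\* matches only the literal shell-start
    # request, cmd.* matches every command line, so 'sloppy' never reaches
    # its deny rule.
    print(authorize("versiononly", ["service=shell", "cmd=configure", "cmd-arg=terminal"]))
    print(authorize("sloppy", ["service=shell", "cmd=configure", "cmd-arg=terminal"]))
```

Two things a practitioner should take from running it: the `cmd\*` rule is only meant to catch the shell-start request `service=shell cmd*` and hand back priv-lvl, and any command authorization for a restricted group must end in an explicit `deny .*` so that an unmatched command is refused rather than left to whatever a later rule happens to say.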
