[RADIATOR] ServerTACACSPLUS and Client-Identifier

Steve Rogers sterogers at gmail.com
Thu Apr 23 01:39:26 CDT 2009


Hi Hugh,
We have this in the PostAuthHook code - shown below. Also I've attached a
debug output extract showing the Client Identifier being null. And the
Client definition. If we do a data dumper of $p->{Client} we don't see the
Identifier.

Any further suggestions we could look at?

<Client 192.168.X.X>
        Identifier noncisco
        TACACSPLUSKey XXXXXX
</Client>

sub
{
my $p = ${$_[0]};
my $rp = ${$_[1]};
my $result = ${$_[2]};

my $authGrp;
my $tacAttr = 'tacplusgrp';
 if (($result == $main::ACCEPT) && ($authGrp = $rp->get_attr($tacAttr)))
{
my $clientId = $p->{Client}->{Identifier};
&main::log($main::LOG_DEBUG, "Client Identifier = $clientId");
$authGrp .= '-'.$clientId;
$rp->change_attr($tacAttr, "$authGrp");
&main::log($main::LOG_DEBUG, "TACACS group = $authGrp");
}
}


Thu Apr 23 07:26:19 2009: DEBUG: Handling request with Handler ''
Thu Apr 23 07:26:19 2009: DEBUG:  Deleting session for sr, 192.168.0.99,
Thu Apr 23 07:26:19 2009: DEBUG: Handling with Radius::AuthFILE:
Thu Apr 23 07:26:19 2009: DEBUG: Reading users file /Radiator/users
Thu Apr 23 07:26:19 2009: DEBUG: Radius::AuthFILE looks for match with sr
[sr]
Thu Apr 23 07:26:19 2009: DEBUG: Expiration date converted to: 1264723200
Thu Apr 23 07:26:19 2009: DEBUG: Radius::AuthFILE ACCEPT: : sr [sr]
Thu Apr 23 07:26:19 2009: DEBUG: AuthBy FILE result: ACCEPT,
Thu Apr 23 07:26:19 2009: DEBUG: Client Identifier =
Thu Apr 23 07:26:19 2009: DEBUG: TACACS group = TACACSAdmins-
Thu Apr 23 07:26:19 2009: DEBUG: Access accepted for sr
Thu Apr 23 07:26:19 2009: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  _<240><12><227><155><2><196>2<145><171><144>><194><20>y<227>
Attributes:
        tacplusgrp = TACACSAdmins-

Thu Apr 23 07:26:19 2009: DEBUG: TacacsplusConnection result Access-Accept
Thu Apr 23 07:26:19 2009: DEBUG: TacacsplusConnection Authentication REPLY
1, 0,
 ,
Thu Apr 23 07:26:19 2009: DEBUG: TacacsplusConnection request 192, 2, 1, 0,
2, 6
3

Cheers
Steve


On Thu, Apr 23, 2009 at 1:51 AM, Hugh Irvine <hugh at open.com.au> wrote:

>
> Hi Steve -
>
> Try this:
>
>        .....
>
>        my $identifer = $p->{Client}->{Identifier};
>
>        .....
>
> regards
>
> Hugh
>
>
>
> On 22 Apr 2009, at 22:14, Steve Rogers wrote:
>
>  Hi,
>>
>> We are using Radiator 4.4 with patches and attempting to get the
>> Client-Identifier and use this in a hook as part of a Handler, but it
>> doesn't seem to be available. Doing a bit of debug, we see the following
>> line from ServerTACACSPLUS.pm and we can retrieve the Client-Identifier at
>> this point but appears that when the module creates the fake radius request
>> and we look at the object passed to the PostAuthHook (${$_[0]} we cant seem
>> to get this.
>>
>> $tp->{Client} = $self; # So you can use Client-Identifier check items
>>
>> Is this possible? Or is there a simple mechanism to use the originating
>> Client-Identifier from the Client that the TACACS request came from?
>>
>> Appreciate any help or advise.
>>
>> Cheers
>> Steve
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>>
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (
> www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.open.com.au/pipermail/radiator/attachments/20090423/d971572c/attachment.html>


More information about the radiator mailing list