[RADIATOR] ServerTACACSPLUS and Client-Identifier

Alexander Hartmaier alexander.hartmaier at t-systems.at
Thu Apr 23 02:48:02 CDT 2009 

Afaik the tacacs part of Radiator doesn't need and also doesn't care
about Client sections because the Tacacs key is per server and not per
client.

--
BR Alex


Am Donnerstag, den 23.04.2009, 08:39 +0200 schrieb Steve Rogers:
> Hi Hugh,
>
>
> We have this in the PostAuthHook code - shown below. Also I've
> attached a debug output extract showing the Client Identifier being
> null. And the Client definition. If we do a data dumper of
> $p->{Client} we don't see the Identifier.
>
>
> Any further suggestions we could look at?
>
>
> <Client 192.168.X.X>
>         Identifier noncisco
>         TACACSPLUSKey XXXXXX
> </Client>
>
>
> sub
> {
> my $p = ${$_[0]};
> my $rp = ${$_[1]};
> my $result = ${$_[2]};
>
>
> my $authGrp;
> my $tacAttr = 'tacplusgrp';
>
> if (($result == $main::ACCEPT) && ($authGrp =
> $rp->get_attr($tacAttr)))
> {
> my $clientId = $p->{Client}->{Identifier};
> &main::log($main::LOG_DEBUG, "Client Identifier = $clientId");
> $authGrp .= '-'.$clientId;
> $rp->change_attr($tacAttr, "$authGrp");
> &main::log($main::LOG_DEBUG, "TACACS group = $authGrp");
> }
> }
>
>
>
>
> Thu Apr 23 07:26:19 2009: DEBUG: Handling request with Handler ''
> Thu Apr 23 07:26:19 2009: DEBUG:  Deleting session for sr,
> 192.168.0.99,
> Thu Apr 23 07:26:19 2009: DEBUG: Handling with Radius::AuthFILE:
> Thu Apr 23 07:26:19 2009: DEBUG: Reading users file /Radiator/users
> Thu Apr 23 07:26:19 2009: DEBUG: Radius::AuthFILE looks for match with
> sr [sr]
> Thu Apr 23 07:26:19 2009: DEBUG: Expiration date converted to:
> 1264723200
> Thu Apr 23 07:26:19 2009: DEBUG: Radius::AuthFILE ACCEPT: : sr [sr]
> Thu Apr 23 07:26:19 2009: DEBUG: AuthBy FILE result: ACCEPT,
> Thu Apr 23 07:26:19 2009: DEBUG: Client Identifier =
> Thu Apr 23 07:26:19 2009: DEBUG: TACACS group = TACACSAdmins-
> Thu Apr 23 07:26:19 2009: DEBUG: Access accepted for sr
> Thu Apr 23 07:26:19 2009: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:
>  _<240><12><227><155><2><196>2<145><171><144>><194><20>y<227>
> Attributes:
>         tacplusgrp = TACACSAdmins-
>
>
> Thu Apr 23 07:26:19 2009: DEBUG: TacacsplusConnection result
> Access-Accept
> Thu Apr 23 07:26:19 2009: DEBUG: TacacsplusConnection Authentication
> REPLY 1, 0,
>  ,
> Thu Apr 23 07:26:19 2009: DEBUG: TacacsplusConnection request 192, 2,
> 1, 0, 2, 6
> 3
>
>
> Cheers
> Steve
>
>
>
> On Thu, Apr 23, 2009 at 1:51 AM, Hugh Irvine <hugh at open.com.au> wrote:
>
>         Hi Steve -
>
>         Try this:
>
>                .....
>
>                my $identifer = $p->{Client}->{Identifier};
>
>                .....
>
>         regards
>
>         Hugh
>
>
>
>
>         On 22 Apr 2009, at 22:14, Steve Rogers wrote:
>
>
>
>                 Hi,
>
>                 We are using Radiator 4.4 with patches and attempting
>                 to get the Client-Identifier and use this in a hook as
>                 part of a Handler, but it doesn't seem to be
>                 available. Doing a bit of debug, we see the following
>                 line from ServerTACACSPLUS.pm and we can retrieve the
>                 Client-Identifier at this point but appears that when
>                 the module creates the fake radius request and we look
>                 at the object passed to the PostAuthHook (${$_[0]} we
>                 cant seem to get this.
>
>                 $tp->{Client} = $self; # So you can use
>                 Client-Identifier check items
>
>                 Is this possible? Or is there a simple mechanism to
>                 use the originating Client-Identifier from the Client
>                 that the TACACS request came from?
>
>                 Appreciate any help or advise.
>
>                 Cheers
>                 Steve
>
>                 _______________________________________________
>                 radiator mailing list
>                 radiator at open.com.au
>                 http://www.open.com.au/mailman/listinfo/radiator
>
>
>
>         NB:
>
>         Have you read the reference manual ("doc/ref.html")?
>         Have you searched the mailing list archive
>         (www.open.com.au/archives/radiator)?
>         Have you had a quick look on Google (www.google.com)?
>         Have you included a copy of your configuration file (no
>         secrets),
>         together with a trace 4 debug showing what is happening?
>         Have you checked the RadiusExpert wiki:
>         http://www.open.com.au/wiki/index.php/Main_Page
>
>         --
>         Radiator: the most portable, flexible and configurable RADIUS
>         server
>         anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>         Includes support for reliable RADIUS transport (RadSec),
>         and DIAMETER translation agent.
>         -
>         Nets: internetwork inventory and management - graphical,
>         extensible,
>         flexible with hardware, software, platform and database
>         independence.
>         -
>         CATool: Private Certificate Authority for Unix and Unix-like
>         systems.
>
>
>
>


*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH   Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*

More information about the radiator mailing list