[RADIATOR] ServerTACACSPLUS and Client-Identifier

Steve Rogers sterogers at gmail.com
Thu Apr 23 05:26:30 CDT 2009 

Thanks Hugh - works fine :-)
On Thu, Apr 23, 2009 at 9:37 AM, Hugh Irvine <hugh at open.com.au> wrote:

>
> Hello Steve -
>
> You will need to do a "find" to get the correct Client object first. The
> Client as far as TACACS+ is concerned is the ServerTACACSPLUS clause itself.
>
> Here is an example that tests fine on my machine with Radiator 4.4.
>
>
> #
> # client.pl
> #
>
> sub
> {
>        my $p = ${$_[0]};
>
>        my $nasip = $p->get_attr('NAS-IP-Address');
>        my $nas = Radius::Util::inet_pton($nasip);
>        my $client = Radius::Client::findAddress($nas);
>        my $identifier = $client->{Identifier};
>        print "Identifier is $identifier\n";
> }
>
>
> This assumes of course that the NAS-IP-Address is present in the derived
> RADIUS request.
>
> See my other example hooks in "goodies/hooks.txt".
>
> regards
>
> Hugh
>
>
>
> On 23 Apr 2009, at 16:39, Steve Rogers wrote:
>
>  Hi Hugh,
>>
>> We have this in the PostAuthHook code - shown below. Also I've attached a
>> debug output extract showing the Client Identifier being null. And the
>> Client definition. If we do a data dumper of $p->{Client} we don't see the
>> Identifier.
>>
>> Any further suggestions we could look at?
>>
>> <Client 192.168.X.X>
>>        Identifier noncisco
>>        TACACSPLUSKey XXXXXX
>> </Client>
>>
>> sub
>> {
>>        my $p = ${$_[0]};
>>        my $rp = ${$_[1]};
>>        my $result = ${$_[2]};
>>
>>        my $authGrp;
>>        my $tacAttr = 'tacplusgrp';
>>
>>        if (($result == $main::ACCEPT) && ($authGrp =
>> $rp->get_attr($tacAttr)))
>>        {
>>                my $clientId = $p->{Client}->{Identifier};
>>                &main::log($main::LOG_DEBUG, "Client Identifier =
>> $clientId");
>>                $authGrp .= '-'.$clientId;
>>                $rp->change_attr($tacAttr, "$authGrp");
>>                &main::log($main::LOG_DEBUG, "TACACS group = $authGrp");
>>        }
>> }
>>
>>
>> Thu Apr 23 07:26:19 2009: DEBUG: Handling request with Handler ''
>> Thu Apr 23 07:26:19 2009: DEBUG:  Deleting session for sr, 192.168.0.99,
>> Thu Apr 23 07:26:19 2009: DEBUG: Handling with Radius::AuthFILE:
>> Thu Apr 23 07:26:19 2009: DEBUG: Reading users file /Radiator/users
>> Thu Apr 23 07:26:19 2009: DEBUG: Radius::AuthFILE looks for match with sr
>> [sr]
>> Thu Apr 23 07:26:19 2009: DEBUG: Expiration date converted to: 1264723200
>> Thu Apr 23 07:26:19 2009: DEBUG: Radius::AuthFILE ACCEPT: : sr [sr]
>> Thu Apr 23 07:26:19 2009: DEBUG: AuthBy FILE result: ACCEPT,
>> Thu Apr 23 07:26:19 2009: DEBUG: Client Identifier =
>> Thu Apr 23 07:26:19 2009: DEBUG: TACACS group = TACACSAdmins-
>> Thu Apr 23 07:26:19 2009: DEBUG: Access accepted for sr
>> Thu Apr 23 07:26:19 2009: DEBUG: Packet dump:
>> *** Reply to TACACSPLUS request:
>> Code:       Access-Accept
>> Identifier: UNDEF
>> Authentic:  _<240><12><227><155><2><196>2<145><171><144>><194><20>y<227>
>> Attributes:
>>        tacplusgrp = TACACSAdmins-
>>
>> Thu Apr 23 07:26:19 2009: DEBUG: TacacsplusConnection result Access-Accept
>> Thu Apr 23 07:26:19 2009: DEBUG: TacacsplusConnection Authentication REPLY
>> 1, 0,
>>  ,
>> Thu Apr 23 07:26:19 2009: DEBUG: TacacsplusConnection request 192, 2, 1,
>> 0, 2, 6
>> 3
>>
>> Cheers
>> Steve
>>
>>
>> On Thu, Apr 23, 2009 at 1:51 AM, Hugh Irvine <hugh at open.com.au> wrote:
>>
>> Hi Steve -
>>
>> Try this:
>>
>>       .....
>>
>>       my $identifer = $p->{Client}->{Identifier};
>>
>>       .....
>>
>> regards
>>
>> Hugh
>>
>>
>>
>> On 22 Apr 2009, at 22:14, Steve Rogers wrote:
>>
>> Hi,
>>
>> We are using Radiator 4.4 with patches and attempting to get the
>> Client-Identifier and use this in a hook as part of a Handler, but it
>> doesn't seem to be available. Doing a bit of debug, we see the following
>> line from ServerTACACSPLUS.pm and we can retrieve the Client-Identifier at
>> this point but appears that when the module creates the fake radius request
>> and we look at the object passed to the PostAuthHook (${$_[0]} we cant seem
>> to get this.
>>
>> $tp->{Client} = $self; # So you can use Client-Identifier check items
>>
>> Is this possible? Or is there a simple mechanism to use the originating
>> Client-Identifier from the Client that the TACACS request came from?
>>
>> Appreciate any help or advise.
>>
>> Cheers
>> Steve
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (
>> www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>> Have you checked the RadiusExpert wiki:
>> http://www.open.com.au/wiki/index.php/Main_Page
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> Includes support for reliable RADIUS transport (RadSec),
>> and DIAMETER translation agent.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>
>>
>>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (
> www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.open.com.au/pipermail/radiator/attachments/20090423/7dc1e81f/attachment.html>

More information about the radiator mailing list