[RADIATOR] Client-Identifier doesn't match handler for Tacacs requests

Alexander Hartmaier alexander.hartmaier at t-systems.at
Wed Nov 25 04:18:41 CST 2009


Hi Hugh!

Because the fake radius request originates from it?

Can that behavior be changed to match that of Radius?
It makes more sense to be able to distinguish from which NAS the request
came than to know how the internals of Radiator work.

Additionally we've found out that the request from the tacacs proxy
Radiator to the backend Radiator doesn't contain the info which
transforms to the Service-Type radius attribute, so
Service-Type=Administrative-User becomes Service-Type=Login-User.
I couldn't find the opposite of the service_to_service_type hash to fix
it myself.

-- 
Best regards, Alex


On Tuesday, 24.11.2009, at 22:54 +0100, Hugh Irvine wrote:
> Hello Alexander -
> 
> The client for TACACS is the ServerTACACSPLUS clause.
> 
> Ie.
> 
> .....
> 
> <ServerTACACSPLUS>
> 	Identifier ouridentifier
> 	.....
> </Server>
> 
> <Handler Client-Identifier=ouridentifier, Service-Type=Login-User>
> 	.....
> </Handler>
> 
> .....
> 
> regards
> 
> Hugh
> 
> 
> On 25 Nov 2009, at 01:25, Alexander Hartmaier wrote:
> 
> > Hi!
> > 
> > I've configured Radiator according to 5.5.16 Identifier in the 4.4.1
> > manual:
> > 
> > <Client DEFAULT>
> >        Identifier ouridentifier
> >        TACACSPLUSKey oursecret
> >        DupInterval 60
> > </Client>
> > 
> > But this handler doesn't match:
> > 
> > <Handler Client-Identifier=outidentifier, Service-Type=Login-User>
> > 
> > The fake radius packet looks like this:
> > 
> > Attributes:
> >        NAS-IP-Address = 10.1.2.3
> >        NAS-Port-Id = "tty322"
> >        Calling-Station-Id = "1.2.3.4"
> >        Service-Type = Login-User
> >        User-Name = "username"
> >        User-Password = **obscured**
> >        OSC-Version-Identifier = "192"
> > 
> > In ServerTACACSPLUS line 547 it seems this should work:
> > 
> > $tp->{Client} = $self; # So you can use Client-Identifier check items
> > 
> > Is this a bug or am I doing something wrong?
> > 
> > --
> > Alexander Hartmaier <alexander.hartmaier at t-systems.at>
> > T-Systems Austria GesmbH
> > 
> > 
> > 
> 
> 
> 