[RADIATOR] Client-Identifier doesn't match handler for Tacacs requests

Hugh Irvine hugh at open.com.au
Wed Nov 25 04:49:57 CST 2009


Hello Alex -

You can add a simple PreHandlerHook in the ServerTACACSPLUS clause to look up the Client and add an OSC-Client-Identifier to the request.

I'll talk to Mike tomorrow about the Service-Type.

regards

Hugh



On 25 Nov 2009, at 21:18, Alexander Hartmaier wrote:

> Hi Hugh!
> 
> Because the fake radius request originates from it?
> 
> Can that behavior be changed to match that of Radius?
> It makes more sense to be able to distinguish from which NAS the request
> came than to know how the internals of Radiator work.
> 
> Additionally we've found out that the request from the tacacs proxy
> Radiator to the backend Radiator doesn't contain the info which
> transforms to the Service-Type radius attribute, so
> Service-Type=Administrative-User becomes Service-Type=Login-User.
> I couldn't find the opposite of the service_to_service_type hash to fix
> it myself.
> 
> -- 
> Best regards, Alex
> 
> 
> Am Dienstag, den 24.11.2009, 22:54 +0100 schrieb Hugh Irvine:
>> Hello Alexander -
>> 
>> The client for TACACS is the ServerTACACSPLUS clause.
>> 
>> Ie.
>> 
>> .....
>> 
>> <ServerTACACSPLUS>
>> 	Identifier ouridentifier
>> 	.....
>> </ServerTACACSPLUS>
>> 
>> <Handler Client-Identifier=ouridentifier, Service-Type=Login-User>
>> 	.....
>> </Handler>
>> 
>> .....
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> On 25 Nov 2009, at 01:25, Alexander Hartmaier wrote:
>> 
>>> Hi!
>>> 
>>> I've configured Radiator according to 5.5.16 Identifier in the 4.4.1
>>> manual:
>>> 
>>> <Client DEFAULT>
>>>       Identifier ouridentifier
>>>       TACACSPLUSKey oursecret
>>>       DupInterval 60
>>> </Client>
>>> 
>>> But this handler doesn't match:
>>> 
>>> <Handler Client-Identifier=outidentifier, Service-Type=Login-User>
>>> 
>>> The fake radius packet looks like this:
>>> 
>>> Attributes:
>>>       NAS-IP-Address = 10.1.2.3
>>>       NAS-Port-Id = "tty322"
>>>       Calling-Station-Id = "1.2.3.4"
>>>       Service-Type = Login-User
>>>       User-Name = "username"
>>>       User-Password = **obscured**
>>>       OSC-Version-Identifier = "192"
>>> 
>>> In ServerTACACSPLUS line 547 it seems this should work:
>>> 
>>> $tp->{Client} = $self; # So you can use Client-Identifier check items
>>> 
>>> Is this a bug or am I doing something wrong?
>>> 
>>> --
>>> Alexander Hartmaier <alexander.hartmaier at t-systems.at>
>>> T-Systems Austria GesmbH
>>> 
>>> 
>>> 
>>> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
>>> T-Systems Austria GesmbH   Rennweg 97-99, 1030 Wien
>>> Handelsgericht Wien, FN 79340b
>>> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
>>> Notice: This e-mail contains information that is confidential and may be privileged.
>>> If you are not the intended recipient, please notify the sender and then
>>> delete this e-mail immediately.
>>> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>> 
>> 
>> 
>> NB: 
>> 
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets), 
>> together with a trace 4 debug showing what is happening?
>> 
> 

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
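An added worked example of the PreHandlerHook approach Hugh describes above (this is not code from the thread or from the Radiator distribution). It assumes a hook file named tacacs-client-identifier.pl kept in DbDir (%D), and that Radius::Client::findAddress() takes a packed address as produced by Radius::Util::inet_pton(); both names are taken from the Radiator hook API as this editor understands it and should be checked against the ref manual for the installed version. The hook looks up the Client clause covering the NAS-IP-Address of the synthesised RADIUS request and stamps its Identifier into OSC-Client-Identifier, so a Handler can select on the originating NAS instead of on the ServerTACACSPLUS clause:

```perl
# Added example, not from the thread or from Radiator itself.
# Load from the ServerTACACSPLUS clause (assumed file name and location):
#
#   <ServerTACACSPLUS>
#       .....
#       PreHandlerHook file:"%D/tacacs-client-identifier.pl"
#   </ServerTACACSPLUS>
#
# and select on the added attribute rather than on Client-Identifier:
#
#   <Handler OSC-Client-Identifier=ouridentifier, Service-Type=Login-User>
#       .....
#   </Handler>

sub {
    # Hooks receive a reference to the current request as their only argument.
    my $p = ${$_[0]};

    my $nas_ip = $p->get_attr('NAS-IP-Address');
    return unless defined $nas_ip && length $nas_ip;

    # Assumed API: Radius::Client::findAddress() wants the packed form of the
    # address, which Radius::Util::inet_pton() produces for IPv4 and IPv6.
    my $client = Radius::Client::findAddress(Radius::Util::inet_pton($nas_ip));
    unless ($client) {
        # No Client clause covers this NAS: leave the request untagged so a
        # Handler without OSC-Client-Identifier can still pick it up.
        &main::log($main::LOG_WARNING,
                   "TACACS+ request from NAS $nas_ip matches no Client clause");
        return;
    }

    my $id = $client->{Identifier};
    unless (defined $id && length $id) {
        &main::log($main::LOG_DEBUG,
                   "Client clause for NAS $nas_ip has no Identifier, not tagging");
        return;
    }

    # change_attr() replaces an existing value or adds the attribute, so a
    # value forged upstream cannot survive the hook.
    $p->change_attr('OSC-Client-Identifier', $id);
    &main::log($main::LOG_DEBUG,
               "Tagged TACACS+ request from NAS $nas_ip with OSC-Client-Identifier=$id");
}
```

With the hook in place the Handler matches on the Client clause of the NAS the TACACS+ session came from, which is what Alex asked for; a request whose NAS-IP-Address is covered by no Client clause is logged and left untagged. The Service-Type mapping Alex raises in the same message is not touched by this hook.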