[RADIATOR] Client-Identifier doesn't match handler for Tacacs requests
Andrew D. Clark
adc at umn.edu
Wed Nov 25 10:14:44 CST 2009
Here's one I use to do it:
# $Id: tacacs_client_identifier,v 1.3 2009/11/11 16:29:38 adc Exp $
# PreHandlerHook to pull the Identifier out of the Client clause
# for TACACS+ clients. The Identifier is then added to the request
# in the 'OSC-Client-Identifier' VSA, so a Handler can select on
# OSC-Client-Identifier instead of Client-Identifier (which for
# TACACS+ requests names the ServerTACACSPLUS clause, not the NAS).
sub {
    # Radiator passes a reference to the request packet as $_[0]
    my $p = ${$_[0]};
    my $hook_name = 'tacacs_client_identifier';
    &main::log($main::LOG_DEBUG, "Hook $hook_name called");

    # The synthetic RADIUS request carries the NAS address in
    # NAS-IP-Address; use it to find the matching Client clause
    my $client_addr = $p->get_attr('NAS-IP-Address');
    &main::log($main::LOG_DEBUG, "Hook $hook_name searching for client <$client_addr>");
    my $client = Radius::Client::findAddress($client_addr);

    # No matching Client clause, or one without an Identifier: log it
    # and leave the request untouched rather than adding an empty VSA
    unless (defined $client && defined $client->{'Identifier'}) {
        &main::log($main::LOG_DEBUG, "Hook $hook_name found no Client with an Identifier for <$client_addr>");
        return;
    }

    &main::log($main::LOG_DEBUG, "Hook $hook_name got client ident <$client->{'Identifier'}>");
    $p->add_attr('OSC-Client-Identifier', $client->{'Identifier'});
    return;
}
On Wednesday 25 November 2009 04:49:57 Hugh Irvine wrote:
> Hello Alex -
>
> You can add a simple PreHandlerHook in the ServerTACACSPLUS clause to look
> up the Client and add an OSC-Client-Identifier to the request.
>
> I'll talk to Mike tomorrow about the Service-Type.
>
> regards
>
> Hugh
>
> On 25 Nov 2009, at 21:18, Alexander Hartmaier wrote:
> > Hi Hugh!
> >
> > Because the fake radius request originates from it?
> >
> > Can that behavior be changed to match that of Radius?
> > It makes more sense to be able to distinguish from which NAS the request
> > came than to know how the internals of Radiator work.
> >
> > Additionally we've found out that the request from the tacacs proxy
> > Radiator to the backend Radiator doesn't contain the info which
> > transforms to the Service-Type radius attribute, so
> > Service-Type=Administrative-User becomes Service-Type=Login-User.
> > I couldn't find the opposite of the service_to_service_type hash to fix
> > it myself.
> >
> >> Hello Alexander -
> >>
> >> The client for TACACS is the ServerTACACSPLUS clause.
> >>
> >> Ie.
> >>
> >> .....
> >>
> >> <ServerTACACSPLUS>
> >> Identifier ouridentifier
> >> .....
> >> </ServerTACACSPLUS>
> >>
> >> <Handler Client-Identifier=ouridentifier, Service-Type=Login-User>
> >> .....
> >> </Handler>
> >>
> >> .....
> >>
> >> regards
> >>
> >> Hugh
> >>
> >> On 25 Nov 2009, at 01:25, Alexander Hartmaier wrote:
> >>> Hi!
> >>>
> >>> I've configured Radiator according to 5.5.16 Identifier in the 4.4.1
> >>> manual:
> >>>
> >>> <Client DEFAULT>
> >>> Identifier ouridentifier
> >>> TACACSPLUSKey oursecret
> >>> DupInterval 60
> >>> </Client>
> >>>
> >>> But this handler doesn't match:
> >>>
> >>> <Handler Client-Identifier=outidentifier, Service-Type=Login-User>
> >>>
> >>> The fake radius packet looks like this:
> >>>
> >>> Attributes:
> >>> NAS-IP-Address = 10.1.2.3
> >>> NAS-Port-Id = "tty322"
> >>> Calling-Station-Id = "1.2.3.4"
> >>> Service-Type = Login-User
> >>> User-Name = "username"
> >>> User-Password = **obscured**
> >>> OSC-Version-Identifier = "192"
> >>>
> >>> In ServerTACACSPLUS line 547 it seems this should work:
> >>>
> >>> $tp->{Client} = $self; # So you can use Client-Identifier check items
> >>>
> >>> Is this a bug or am I doing something wrong?
> >>>
> >>> --
> >>> Alexander Hartmaier <alexander.hartmaier at t-systems.at>
> >>> T-Systems Austria GesmbH
> >>
> >> NB:
> >>
> >> Have you read the reference manual ("doc/ref.html")?
> >> Have you searched the mailing list archive
> >> (www.open.com.au/archives/radiator)? Have you had a quick look on Google
> >> (www.google.com)?
> >> Have you included a copy of your configuration file (no secrets),
> >> together with a trace 4 debug showing what is happening?
>
--
Andrew D. Clark
Network Operations Engineer
University of Minnesota, Networking/Telecom Services
2218 University Ave SE
Minneapolis, MN 55414-3029
Phone: 612-626-4880
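As an added illustration (not part of the original thread and not a fragment of Radiator's own distribution), here is how the hook above can be wired into a configuration so that Handler selection keys on the NAS's own Client clause rather than on the ServerTACACSPLUS clause. The Client addresses, Identifiers, key, hook file name (%D/tacacs_client_identifier.pl, i.e. the sub above saved to a file) and the AuthBy clauses are all assumed for the illustration; the catch-all Handler is an added suggestion so that a request from a NAS with no matching Handler is rejected explicitly instead of being ignored.

```apacheconf
# One Client clause per TACACS+ NAS, each with its own Identifier.
# TACACSPLUSKey is the shared secret configured on the NAS (placeholder here).
<Client 10.1.2.3>
        Identifier      core-router-1
        TACACSPLUSKey   changeme
        DupInterval     60
</Client>

<Client 10.1.2.4>
        Identifier      edge-switch-1
        TACACSPLUSKey   changeme
        DupInterval     60
</Client>

# The TACACS+ listener. Client-Identifier on the synthetic RADIUS request
# always names this clause, so the PreHandlerHook copies the NAS's own
# Identifier into OSC-Client-Identifier before Handler selection runs.
<ServerTACACSPLUS>
        Identifier      tacacs-listener
        PreHandlerHook  file:"%D/tacacs_client_identifier.pl"
</ServerTACACSPLUS>

# Select on the attribute the hook added, not on Client-Identifier.
<Handler OSC-Client-Identifier=core-router-1, Service-Type=Login-User>
        <AuthBy FILE>
                Filename %D/users-core
        </AuthBy>
</Handler>

<Handler OSC-Client-Identifier=edge-switch-1, Service-Type=Login-User>
        <AuthBy FILE>
                Filename %D/users-edge
        </AuthBy>
</Handler>

# Catch-all: anything that reached no Handler above is rejected outright
# (for example a NAS whose Client clause carries no Identifier, which the
# hook deliberately leaves without OSC-Client-Identifier).
<Handler>
        <AuthBy INTERNAL>
                DefaultResult REJECT
        </AuthBy>
</Handler>
```

Verify the wiring with a trace 4 run: the hook's "got client ident <...>" line should appear before the "Handler ... chosen" line for each TACACS+ login, and a NAS that is not listed in any Client clause should end up in the catch-all Handler rather than matching a Handler meant for another device.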