[RADIATOR] TACACS authorization without authentication
Hugh Irvine
hugh at open.com.au
Thu Apr 22 04:22:11 CDT 2010
Hello Vangelis -
Why don't you just use RADIUS for this?
regards
Hugh
On 22 Apr 2010, at 19:12, Vangelis Kyriakakis wrote:
> Hello Hugh,
>
> Thanks for the answer. This I guess still needs an authentication packet
> to work. What I want to do is to send these cisco-avpairs as a reply to
> an authorization packet without making an authentication.
>
> This is what I have as input to Radiator (Trace 4 log):
>
> Thu Apr 15 16:27:16 2010: DEBUG: New TacacsplusConnection created for
> 194.219.252.130:42362
> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection request 192, 2, 1,
> 0, 1403095764, 71
> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization
> REQUEST 16, 1, 1, 1, dnis:xxxxxxx, Async94, XXXXXXXXXX/xxxxxxx, 2,
> service=ppp protocol=vpdn
> Thu Apr 15 16:27:16 2010: DEBUG: AuthorizeGroup rule match found: permit
> .* { }
> Thu Apr 15 16:27:16 2010: INFO: Authorization permitted for
> dnis:xxxxxxx, group DEFAULT, args service=ppp protocol=vpdn
> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization
> RESPONSE 1, , ,
> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection disconnected from
> 194.219.252.130:42362
> Thu Apr 15 16:27:16 2010: DEBUG: New TacacsplusConnection created for
> 194.219.252.130:42363
> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection request 192, 2, 1,
> 0, 2621224921, 72
> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization
> REQUEST 16, 1, 1, 1, radiustest.gr, Async94, XXXXXXXXXX/xxxxxxx, 2,
> service=ppp protocol=vpdn
> Thu Apr 15 16:27:16 2010: DEBUG: AuthorizeGroup rule match found: permit
> .* { }
> Thu Apr 15 16:27:16 2010: INFO: Authorization permitted for
> radiustest.gr, group DEFAULT, args service=ppp protocol=vpdn
> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization
> RESPONSE 1, , ,
> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection disconnected from
> 194.219.252.130:42363
>
> What I want to do is to reply to this request with the vpdn attributes
> for the radiustest.gr domain.
>
> Regards
> Vangelis
>
> On 17/4/2010 12:39 AM, Hugh Irvine wrote:
>> Hello Vangelis -
>>
>> There is an example in the "users" file included in the Radiator distribution.
>>
>> Here it is:
>>
>>
>> # This example shows how to configure a Cisco VPDN circuit:
>> open.com.au User-Password=cisco, Service-Type=Outbound-User
>> cisco-avpair = "vpdn:tunnel-id=cca-gw",
>> cisco-avpair = "vpdn:ip-addresses=1.2.3.4",
>> cisco-avpair = "vpdn:nas-password=pw",
>> cisco-avpair = "vpdn:gw-password=pw"
>>
>>
>> Note that this is returned from the RADIUS request processing that is issued by ServerTACACSPLUS.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 16 Apr 2010, at 22:44, Vangelis Kyriakakis wrote:
>>
>>
>>> Hello,
>>>
>>> How can I configure ServerTACACSPLUS to do per domain authorizations
>>> without authenticating the users first?
>>> I would like to be able to use the following tacacs configuration:
>>>
>>> user = domain.gr {
>>> service = ppp protocol = vpdn {
>>> tunnel-type = l2tp
>>> tunnel-id = F_DOMAIN
>>> vpdn-group = F_DOMAIN
>>> l2tp-tunnel-authen=no
>>> ip-addresses = "xxx.xxx.xxx.xxx"
>>> }
>>> }
>>>
>>> Regards
>>> Vangelis Kyriakakis
>>> FORTHnet S.A.
>>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
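For reviewing a trace like the one quoted above from the operator's side, here is an added example (my code, not Radiator's and not from this thread) that pairs each logged Authorization REQUEST with its permit line, decodes the NAS's claimed authen_method, and lists permits where the NAS asserted no prior authentication. The log lines are constructed in the quoted format with addresses changed, and the example assumes the four leading numbers are logged in RFC 8907 wire order (authen_method, priv_lvl, authen_type, authen_service).

```python
"""Pair TACACS+ Authorization REQUEST/permit lines from a Radiator Trace 4 log.
Assumption (not from Radiator docs): the four numbers opening a logged REQUEST
are in RFC 8907 wire order: authen_method, priv_lvl, authen_type, authen_service."""
import re

# RFC 8907 authen_method values: how the NAS says it authenticated the user
# before asking for authorization (1 = NONE, 0 = not set).
AUTHEN_METHOD = {0: "NOT_SET", 1: "NONE", 2: "KRB5", 3: "LINE", 4: "ENABLE",
                 5: "LOCAL", 6: "TACACSPLUS", 8: "GUEST", 16: "RADIUS",
                 17: "KRB4", 32: "RCMD"}

REQUEST_RE = re.compile(
    r"Authorization REQUEST (\d+), (\d+), (\d+), (\d+), (?P<user>[^,]*), "
    r"(?P<port>[^,]*), (?P<rem_addr>[^,]*), (?P<argc>\d+), (?P<args>.*)$")
PERMIT_RE = re.compile(r"INFO: Authorization permitted for (?P<user>[^,]*),")

# Constructed sample in the quoted log format (addresses changed); the second
# request claims authen_method 1 (NONE) to show what the check flags.
SAMPLE_LOG = """\
Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization REQUEST 16, 1, 1, 1, dnis:5551234, Async94, 192.0.2.99/5551234, 2, service=ppp protocol=vpdn
Thu Apr 15 16:27:16 2010: INFO: Authorization permitted for dnis:5551234, group DEFAULT, args service=ppp protocol=vpdn
Thu Apr 15 16:27:17 2010: DEBUG: TacacsplusConnection Authorization REQUEST 1, 1, 1, 1, radiustest.gr, Async94, 192.0.2.99/5551234, 2, service=ppp protocol=vpdn
Thu Apr 15 16:27:17 2010: INFO: Authorization permitted for radiustest.gr, group DEFAULT, args service=ppp protocol=vpdn
"""

def parse_authorizations(log_text):
    """One dict per REQUEST: user, authen_method, priv_lvl, args, permitted."""
    results, pending = [], None
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            # TACACS+ args are attr=value (mandatory) or attr*value (optional)
            args = dict(re.split(r"[=*]", a, maxsplit=1) for a in m["args"].split())
            if len(args) != int(m["argc"]):
                raise ValueError("arg_cnt does not match parsed args: " + line)
            pending = {"user": m["user"], "priv_lvl": int(m.group(2)),
                       "authen_method": AUTHEN_METHOD.get(int(m.group(1)), m.group(1)),
                       "args": args, "permitted": False}
            results.append(pending)
        else:
            p = PERMIT_RE.search(line)
            if p and pending and p["user"] == pending["user"]:
                pending["permitted"] = True  # permit belongs to the open request
                pending = None
    return results

def unauthenticated_permits(log_text):
    """Permitted authorizations where the NAS asserted no prior authentication."""
    return [r for r in parse_authorizations(log_text)
            if r["permitted"] and r["authen_method"] in ("NONE", "NOT_SET")]
```

Run it over a real Trace 4 file with `unauthenticated_permits(open(path).read())`; any entry it returns was granted by the AuthorizeGroup rule without the NAS having claimed an authentication method.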