[RADIATOR] TACACS authorization without authentication

Hugh Irvine hugh at open.com.au
Thu Apr 22 06:08:13 CDT 2010


Hello Vangelis -

As you can see from the debug, you can just add the reply attributes to the DEFAULT definition.

	.....

	AuthorizeGroup DEFAULT permit \
		service = ppp protocol = vpdn \
		{
			tunnel-type = l2tp \
			tunnel-id = F_DOMAIN \
			vpdn-group = F_DOMAIN \
			l2tp-tunnel-authen=no \
			ip-addresses = "xxx.xxx.xxx.xxx" \
		}

	.....

something like this should work.

regards

Hugh


On 22 Apr 2010, at 20:52, Vangelis Kyriakakis wrote:

> Hello Hugh,
> 
>      Well, this is an old configuration which has to do with many NASes and we just want to change the old tac_plus platform with the Radiator TACACS implementation.
> 
>              Regards
>                  Vangelis
> 
> 
> On 22/4/2010 12:22 PM, Hugh Irvine wrote:
>> Hello Vangelis -
>> 
>> Why don't you just use RADIUS for this?
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> On 22 Apr 2010, at 19:12, Vangelis Kyriakakis wrote:
>> 
>>   
>>> Hello Hugh,
>>> 
>>> Thanks for the answer. This I guess still needs an authentication packet
>>> to work. What I want to do is to send these cisco-avpairs as a reply to
>>> an authorization packet without making an authentication.
>>> 
>>> This is what I have as input to Radiator (Trace 4 log):
>>> 
>>> Thu Apr 15 16:27:16 2010: DEBUG: New TacacsplusConnection created for
>>> 194.219.252.130:42362
>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection request 192, 2, 1,
>>> 0, 1403095764, 71
>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization
>>> REQUEST 16, 1, 1, 1, dnis:xxxxxxx, Async94, XXXXXXXXXX/xxxxxxx, 2,
>>> service=ppp protocol=vpdn
>>> Thu Apr 15 16:27:16 2010: DEBUG: AuthorizeGroup rule match found: permit
>>> .* { }
>>> Thu Apr 15 16:27:16 2010: INFO: Authorization permitted for
>>> dnis:xxxxxxx, group DEFAULT, args service=ppp protocol=vpdn
>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization
>>> RESPONSE 1, , ,
>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection disconnected from
>>> 194.219.252.130:42362
>>> Thu Apr 15 16:27:16 2010: DEBUG: New TacacsplusConnection created for
>>> 194.219.252.130:42363
>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection request 192, 2, 1,
>>> 0, 2621224921, 72
>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization
>>> REQUEST 16, 1, 1, 1, radiustest.gr, Async94, XXXXXXXXXX/xxxxxxx, 2,
>>> service=ppp protocol=vpdn
>>> Thu Apr 15 16:27:16 2010: DEBUG: AuthorizeGroup rule match found: permit
>>> .* { }
>>> Thu Apr 15 16:27:16 2010: INFO: Authorization permitted for
>>> radiustest.gr, group DEFAULT, args service=ppp protocol=vpdn
>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization
>>> RESPONSE 1, , ,
>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection disconnected from
>>> 194.219.252.130:42363
>>> 
>>> What I want to do is to reply to this request with the vpdn attributes
>>> for the radiustest.gr domain.
>>> 
>>> Regards
>>> Vangelis
>>> 
>>> On 17/4/2010 12:39 AM, Hugh Irvine wrote:
>>>     
>>>> Hello Vangelis -
>>>> 
>>>> There is an example in the "users" file included in the Radiator distribution.
>>>> 
>>>> Here it is:
>>>> 
>>>> 
>>>> # This example shows how to configure a Cisco VPDN circuit:
>>>> open.com.au     User-Password=cisco, Service-Type=Outbound-User
>>>>         cisco-avpair = "vpdn:tunnel-id=cca-gw",
>>>>         cisco-avpair = "vpdn:ip-addresses=1.2.3.4",
>>>>         cisco-avpair = "vpdn:nas-password=pw",
>>>>         cisco-avpair = "vpdn:gw-password=pw"
>>>> 
>>>> 
>>>> Note that this is returned from the RADIUS request processing that is issued by ServerTACACSPLUS.
>>>> 
>>>> regards
>>>> 
>>>> Hugh
>>>> 
>>>> 
>>>> On 16 Apr 2010, at 22:44, Vangelis Kyriakakis wrote:
>>>> 
>>>> 
>>>>       
>>>>> Hello,
>>>>> 
>>>>>    How can I configure ServerTACACSPLUS to do per domain authorizations
>>>>> without authenticating the users first?
>>>>>    I would like to be able to use the following tacacs configuration:
>>>>> 
>>>>> user = domain.gr {
>>>>>              service = ppp protocol = vpdn {
>>>>>              tunnel-type = l2tp
>>>>>              tunnel-id = F_DOMAIN
>>>>>              vpdn-group = F_DOMAIN
>>>>>              l2tp-tunnel-authen=no
>>>>>              ip-addresses = "xxx.xxx.xxx.xxx"
>>>>>           }
>>>>> }
>>>>> 
>>>>>            Regards
>>>>>               Vangelis Kyriakakis
>>>>>               FORTHnet S.A.
>>>>> _______________________________________________
>>>>> radiator mailing list
>>>>> radiator at open.com.au
>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>> 
>>>>>         
>>>> 
>>>> 
>>>> 
>>>>       
>>>     
>> 
>> 
>> 
>>   



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
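The following is an added example for this thread, not code from Radiator or from anyone on the list. It models the authorization-only flow Vangelis' trace shows: the NAS sends a TACACS+ authorization REQUEST whose "user" field is a domain or a "dnis:" string, and the server answers from an AuthorizeGroup rule with no authentication of its own. The script parses AuthorizeGroup statements in the shape Hugh posted, parses one "Authorization REQUEST" line from the Trace 4 log, and returns the status and reply attributes a rule would produce. Everything about Radiator's internals here is an assumption: that the trace fields follow the RFC 8907 REQUEST body order (so the leading "16" is authen_method 0x10, RADIUS), that whitespace around "=" is insignificant, that the rule pattern is a regex searched in the argument string, that the group is picked by a caller-supplied lookup, and that no match means FAIL. The per-domain config, the 192.0.2.10 address and the domain_group helper are constructed for the example.

```python
"""Toy model of Radiator-style AuthorizeGroup matching for TACACS+
authorization-only requests (added example; NOT Radiator code, and every
statement about Radiator's behaviour below is an assumption)."""
import re
import shlex
from dataclasses import dataclass, field

# Authorization REPLY status codes (RFC 8907, section 6.2).
PASS_ADD, PASS_REPL, FAIL = 0x01, 0x02, 0x10
# authen_method codes of the authorization REQUEST (RFC 8907, section 6.1).
# Assumption: the first number on the "Authorization REQUEST" trace line is
# this field, so "16" (0x10) says the NAS already authenticated via RADIUS.
AUTHEN_METH = {0x00: "NOT_SET", 0x01: "NONE", 0x05: "LOCAL",
               0x06: "TACACSPLUS", 0x10: "RADIUS"}


@dataclass
class Rule:
    group: str
    action: str            # "permit" or "deny"
    pattern: str           # regex searched in the normalised argument string
    attrs: list = field(default_factory=list)


@dataclass
class Request:
    authen_method: int
    priv_lvl: int
    user: str              # for these NASes a domain or "dnis:<number>"
    port: str
    rem_addr: str
    args: list


def _norm(text):
    """Canonicalise 'a = b' to 'a=b' (assumption: spaces around '=' are
    insignificant; the trace prints args as 'service=ppp')."""
    return re.sub(r"\s*=\s*", "=", text.strip())


_RULE = re.compile(r"^AuthorizeGroup (\S+) (permit|deny) (.*?) ?\{(.*)\}$")


def parse_rules(config):
    """Parse AuthorizeGroup statements: drop '#' lines, join backslash-newline
    continuations, and take each statement up to its closing brace."""
    text = "\n".join(l for l in config.splitlines()
                     if not l.lstrip().startswith("#"))
    text = re.sub(r"\\\s*\n", " ", text)
    rules = []
    for stmt in re.findall(r"AuthorizeGroup\b[^{}]*\{[^{}]*\}", text):
        m = _RULE.match(" ".join(stmt.split()))   # collapse all whitespace
        if not m:
            raise ValueError("bad AuthorizeGroup statement: " + stmt)
        group, action, pattern, body = m.groups()
        attrs = [_norm(a) for a in shlex.split(_norm(body))]  # strips quotes
        rules.append(Rule(group, action, _norm(pattern), attrs))
    return rules


_REQ = re.compile(r"Authorization REQUEST (\d+), (\d+), (\d+), (\d+), "
                  r"([^,]*), ([^,]*), ([^,]*), (\d+), (.*)$")


def parse_request_line(line):
    """Parse a Trace 4 'Authorization REQUEST' line. Assumed field order:
    authen_method, priv_lvl, authen_type, authen_service, user, port,
    rem_addr, arg_cnt, then the space-separated args."""
    m = _REQ.search(line)
    if not m:
        raise ValueError("not an Authorization REQUEST trace line")
    meth, priv, _atype, _asvc, user, port, rem, cnt, args = m.groups()
    args = [_norm(a) for a in args.split()]
    if len(args) != int(cnt):
        raise ValueError("arg_cnt %s does not match %d args" % (cnt, len(args)))
    return Request(int(meth), int(priv), user, port, rem, args)


def authorize(rules, req, group_of=lambda user: "DEFAULT"):
    """Return (status, reply_attrs, matched_rule). group_of(user) chooses the
    group to consult; the first rule of that group whose regex is found in
    the argument string wins; deny or no match -> FAIL (assumptions)."""
    group, argstr = group_of(req.user), " ".join(req.args)
    for rule in rules:
        if rule.group == group and re.search(rule.pattern, argstr):
            return (FAIL, [], rule) if rule.action == "deny" \
                else (PASS_ADD, list(rule.attrs), rule)
    return FAIL, [], None


# Constructed inputs: Hugh's DEFAULT rule, the empty rule the trace matched
# ("permit .* { }"), a per-domain variant of the tac_plus 'user = domain.gr'
# block with a deny-all DEFAULT, and one trace line from the thread.
HUGH_CONFIG = r"""
AuthorizeGroup DEFAULT permit \
    service = ppp protocol = vpdn \
    {
        tunnel-type = l2tp \
        tunnel-id = F_DOMAIN \
        vpdn-group = F_DOMAIN \
        l2tp-tunnel-authen=no \
        ip-addresses = "xxx.xxx.xxx.xxx" \
    }
"""
CATCH_ALL_CONFIG = "AuthorizeGroup DEFAULT permit .* { }\n"
PER_DOMAIN_CONFIG = r"""
AuthorizeGroup radiustest.gr permit service=ppp protocol=vpdn \
    { tunnel-type=l2tp tunnel-id=radiustest.gr vpdn-group=radiustest.gr \
      l2tp-tunnel-authen=no ip-addresses="192.0.2.10" }
AuthorizeGroup DEFAULT deny .* { }
"""
TRACE_LINE = ("Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection "
              "Authorization REQUEST 16, 1, 1, 1, radiustest.gr, Async94, "
              "XXXXXXXXXX/xxxxxxx, 2, service=ppp protocol=vpdn")
DNIS_LINE = TRACE_LINE.replace("radiustest.gr", "dnis:xxxxxxx")


def domain_group(user, known=("radiustest.gr",)):
    """Hypothetical group lookup: a known domain gets its own group,
    anything else (e.g. 'dnis:...') falls through to DEFAULT."""
    return user if user in known else "DEFAULT"


def demo():
    req = parse_request_line(TRACE_LINE)
    per_domain = parse_rules(PER_DOMAIN_CONFIG)
    return {
        "authen_method": AUTHEN_METH.get(req.authen_method, "?"),
        "catch_all": authorize(parse_rules(CATCH_ALL_CONFIG), req)[:2],
        "hugh": authorize(parse_rules(HUGH_CONFIG), req)[:2],
        "per_domain": authorize(per_domain, req, domain_group)[:2],
        "per_domain_dnis": authorize(per_domain, parse_request_line(DNIS_LINE),
                                     domain_group)[:2],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The "catch_all" result reproduces the trace ("RESPONSE 1, , ,": PASS_ADD with no attributes), while "hugh" returns the five vpdn attributes. The per-domain variant shows the check a practitioner would want in this design: because the server authenticates nobody and the NAS only reports that it used RADIUS, a `permit .*` DEFAULT hands vpdn parameters to any argument string from any NAS that knows the shared secret, so keep the pattern scoped (as Hugh's `service = ppp protocol = vpdn` does) and, when groups are per domain, make the DEFAULT group an explicit deny so an unmapped "dnis:" user fails rather than silently passing.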




