[RADIATOR] TACACS authorization without authentication
Vangelis Kyriakakis
vkyriak at forthnet.gr
Thu Apr 22 06:21:32 CDT 2010
Hello Hugh,
Thanks for your answer.
This of course works for the DEFAULT definition, but what I have in
mind is to be able to reply to many domains with different attributes.
Something like:
AuthorizeGroup DOMAIN1 permit \
service = ppp protocol = vpdn \
{
tunnel-type = l2tp \
tunnel-id = F_DOMAIN1 \
vpdn-group = F_DOMAIN1 \
l2tp-tunnel-authen=no \
ip-addresses = "xxx.xxx.xxx.xxx" \
}
AuthorizeGroup DOMAIN2 permit \
service = ppp protocol = vpdn \
{
tunnel-type = l2tp \
tunnel-id = F_DOMAIN2 \
vpdn-group = F_DOMAIN2 \
l2tp-tunnel-authen=no \
ip-addresses = "xxx.xxx.xxx.xxx" \
}
It would be great if I could use the domain name as the group name, but
all I can do is use the DEFAULT for all.
Regards
Vangelis
On 22/4/2010 2:08 pm, Hugh Irvine wrote:
> Hello Vangelis -
>
> As you can see from the debug, you can just add the reply attributes to the DEFAULT definition.
>
> .....
>
> AuthorizeGroup DEFAULT permit \
> service = ppp protocol = vpdn \
> {
> tunnel-type = l2tp \
> tunnel-id = F_DOMAIN \
> vpdn-group = F_DOMAIN \
> l2tp-tunnel-authen=no \
> ip-addresses = "xxx.xxx.xxx.xxx" \
> }
>
> .....
>
> something like this should work.
>
> regards
>
> Hugh
>
>
> On 22 Apr 2010, at 20:52, Vangelis Kyriakakis wrote:
>
>
>> Hello Hugh,
>>
>> Well, this is an old configuration which has to do with many NASes and we just want to change the old tac_plus platform with the Radiator TACACS implementation.
>>
>> Regards
>> Vangelis
>>
>>
>> On 22/4/2010 12:22 pm, Hugh Irvine wrote:
>>
>>> Hello Vangelis -
>>>
>>> Why don't you just use RADIUS for this?
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 22 Apr 2010, at 19:12, Vangelis Kyriakakis wrote:
>>>
>>>
>>>
>>>> Hello Hugh,
>>>>
>>>> Thanks for the answer. This I guess still needs an authentication packet
>>>> to work. What I want to do is to send these cisco-avpairs as a reply to
>>>> an authorization packet without making an authentication.
>>>>
>>>> This is what I have as input to Radiator (Trace 4 log):
>>>>
>>>> Thu Apr 15 16:27:16 2010: DEBUG: New TacacsplusConnection created for 194.219.252.130:42362
>>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 1403095764, 71
>>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization REQUEST 16, 1, 1, 1, dnis:xxxxxxx, Async94, XXXXXXXXXX/xxxxxxx, 2, service=ppp protocol=vpdn
>>>> Thu Apr 15 16:27:16 2010: DEBUG: AuthorizeGroup rule match found: permit .* { }
>>>> Thu Apr 15 16:27:16 2010: INFO: Authorization permitted for dnis:xxxxxxx, group DEFAULT, args service=ppp protocol=vpdn
>>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
>>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection disconnected from 194.219.252.130:42362
>>>> Thu Apr 15 16:27:16 2010: DEBUG: New TacacsplusConnection created for 194.219.252.130:42363
>>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 2621224921, 72
>>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization REQUEST 16, 1, 1, 1, radiustest.gr, Async94, XXXXXXXXXX/xxxxxxx, 2, service=ppp protocol=vpdn
>>>> Thu Apr 15 16:27:16 2010: DEBUG: AuthorizeGroup rule match found: permit .* { }
>>>> Thu Apr 15 16:27:16 2010: INFO: Authorization permitted for radiustest.gr, group DEFAULT, args service=ppp protocol=vpdn
>>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
>>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection disconnected from 194.219.252.130:42363
>>>>
>>>> What I want to do is to reply to this request with the vpdn attributes
>>>> for the radiustest.gr domain.
>>>>
>>>> Regards
>>>> Vangelis
>>>>
>>>> On 17/4/2010 12:39 am, Hugh Irvine wrote:
>>>>
>>>>
>>>>> Hello Vangelis -
>>>>>
>>>>> There is an example in the "users" file included in the Radiator distribution.
>>>>>
>>>>> Here it is:
>>>>>
>>>>>
>>>>> # This example shows how to configure a Cisco VPDN circuit:
>>>>> open.com.au User-Password=cisco, Service-Type=Outbound-User
>>>>> cisco-avpair = "vpdn:tunnel-id=cca-gw",
>>>>> cisco-avpair = "vpdn:ip-addresses=1.2.3.4",
>>>>> cisco-avpair = "vpdn:nas-password=pw",
>>>>> cisco-avpair = "vpdn:gw-password=pw"
>>>>>
>>>>>
>>>>> Note that this is returned from the RADIUS request processing that is issued by ServerTACACSPLUS.
>>>>>
>>>>> regards
>>>>>
>>>>> Hugh
>>>>>
>>>>>
>>>>> On 16 Apr 2010, at 22:44, Vangelis Kyriakakis wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> How can I configure ServerTACACSPLUS to do per domain authorizations
>>>>>> without authenticating the users first?
>>>>>> I would like to be able to use the following tacacs configuration:
>>>>>>
>>>>>> user = domain.gr {
>>>>>> service = ppp protocol = vpdn {
>>>>>> tunnel-type = l2tp
>>>>>> tunnel-id = F_DOMAIN
>>>>>> vpdn-group = F_DOMAIN
>>>>>> l2tp-tunnel-authen=no
>>>>>> ip-addresses = "xxx.xxx.xxx.xxx"
>>>>>> }
>>>>>> }
>>>>>>
>>>>>> Regards
>>>>>> Vangelis Kyriakakis
>>>>>> FORTHnet S.A.
>>>>>> _______________________________________________
>>>>>> radiator mailing list
>>>>>> radiator at open.com.au
>>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>>>
>>>>>>
>>>>>>
>>>>> NB:
>>>>>
>>>>> Have you read the reference manual ("doc/ref.html")?
>>>>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>>>>> Have you had a quick look on Google (www.google.com)?
>>>>> Have you included a copy of your configuration file (no secrets),
>>>>> together with a trace 4 debug showing what is happening?
>>>>>
>>>>>
>>>>>
>>>>>
>>>
>
>
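The exchange the thread is about, as an added example that is not part of the original posts and not Radiator's or tac_plus's code: the NAS sends a TACACS+ authorization REQUEST whose user field is a domain (the quoted Trace 4 log shows "dnis:xxxxxxx" and "radiustest.gr"), nothing is authenticated first, and the server answers with that domain's VPDN attributes instead of the single DEFAULT group. The packet layout, status codes and MD5 pseudo-pad follow RFC 8907; the order in which Radiator prints the header and REQUEST fields on its debug lines is an assumption here, as are the VPDN_BY_DOMAIN table, the placeholder addresses, the shared key "secret" and the sample log lines, which are constructed in the shape of the ones quoted above.

```python
"""Per-domain TACACS+ authorization reply: an added example, not Radiator code.
The NAS sends an authorization REQUEST whose user field is a domain, nothing is
authenticated first, and the server answers with that domain's VPDN attributes.
Packet layout and obfuscation follow RFC 8907; the Radiator log field order is assumed.
"""
import hashlib
import re
import struct

TAC_PLUS_AUTHOR = 0x02                   # packet type: authorization
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01   # the "RESPONSE 1" in the quoted log
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10

# Constructed stand-in for the tac_plus "user = domain.gr { ... }" stanzas;
# addresses are placeholders (the thread redacts the real ones).
VPDN_BY_DOMAIN = {
    "radiustest.gr": {"tunnel-type": "l2tp", "tunnel-id": "F_DOMAIN", "vpdn-group": "F_DOMAIN",
                      "l2tp-tunnel-authen": "no", "ip-addresses": "192.0.2.10"},
    "domain2.example": {"tunnel-type": "l2tp", "tunnel-id": "F_DOMAIN2", "vpdn-group": "F_DOMAIN2",
                        "l2tp-tunnel-authen": "no", "ip-addresses": "192.0.2.20"},
}

# Constructed input shaped like the Trace 4 lines quoted in the thread.
SAMPLE_HDR = "DEBUG: TacacsplusConnection request 192, 2, 1, 0, 2621224921, 72"
SAMPLE_REQ = ("DEBUG: TacacsplusConnection Authorization REQUEST 16, 1, 1, 1, "
              "radiustest.gr, Async94, XXXXXXXXXX/xxxxxxx, 2, service=ppp protocol=vpdn")
SAMPLE_HDR_DNIS = "DEBUG: TacacsplusConnection request 192, 2, 1, 0, 1403095764, 71"
SAMPLE_REQ_DNIS = SAMPLE_REQ.replace("radiustest.gr", "dnis:xxxxxxx")

# Assumed field order: header line = version, type, seq_no, flags, session_id, length;
# REQUEST line = authen_method, priv_lvl, authen_type, authen_service, user, port,
# rem_addr, arg_cnt, args (the RFC 8907 authorization REQUEST body order).
HDR_RE = re.compile(r"request (\d+), (\d+), (\d+), (\d+), (\d+), (\d+)")
REQ_RE = re.compile(r"REQUEST (\d+), (\d+), (\d+), (\d+), ([^,]*), ([^,]*), ([^,]*), (\d+), (.*)$")


def parse_request(header_line, request_line):
    """Pull out what the server needs to answer one logged request."""
    h, r = HDR_RE.search(header_line), REQ_RE.search(request_line)
    if not h or not r:
        raise ValueError("not a TACACS+ authorization request trace")
    version, ptype, seq_no, _flags, session_id, _length = (int(x) for x in h.groups())
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError("not an authorization packet")
    return {"version": version, "seq_no": seq_no, "session_id": session_id,
            "user": r.group(5).strip(), "args": r.group(9).split()}


def vpdn_attributes(user):
    """Per-domain lookup with the DEFAULT fallback the thread's config relies on."""
    attrs = VPDN_BY_DOMAIN.get(user)
    return ("DEFAULT", {}) if attrs is None else (user, attrs)


def build_author_reply_body(status, args, server_msg=b"", data=b""):
    """RFC 8907 authorization REPLY body: status, arg_cnt, lengths, then payload."""
    arg_bytes = [a.encode() for a in args]
    if len(arg_bytes) > 255 or any(len(a) > 255 for a in arg_bytes):
        raise ValueError("arg_cnt and each arg length are single bytes")
    body = struct.pack("!BBHH", status, len(arg_bytes), len(server_msg), len(data))
    body += bytes(len(a) for a in arg_bytes)
    return body + server_msg + data + b"".join(arg_bytes)


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the chained-MD5 pseudo-pad of RFC 8907 s.4.5 (symmetric, so it also decodes)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def answer_request(header_line, request_line, key):
    """Server side: one logged request in, (group name, complete reply packet) out."""
    req = parse_request(header_line, request_line)
    group, attrs = vpdn_attributes(req["user"])
    asked = dict(re.split(r"[=*]", a, maxsplit=1) for a in req["args"] if re.search(r"[=*]", a))
    if asked != {"service": "ppp", "protocol": "vpdn"}:
        status, reply_args = TAC_PLUS_AUTHOR_STATUS_FAIL, []
    else:
        status = TAC_PLUS_AUTHOR_STATUS_PASS_ADD
        reply_args = [f"{k}={v}" for k, v in attrs.items()]   # "=" marks them mandatory
    seq_no = req["seq_no"] + 1                                 # server replies are even
    body = obfuscate(build_author_reply_body(status, reply_args),
                     req["session_id"], key, req["version"], seq_no)
    header = struct.pack("!BBBBII", req["version"], TAC_PLUS_AUTHOR, seq_no, 0,
                         req["session_id"], len(body))
    return group, header + body


def parse_reply(packet, key):
    """NAS side: strip the header, undo the pad, and read status plus args back."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = obfuscate(packet[12:12 + length], session_id, key, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    pos, args = 6 + arg_cnt + msg_len + data_len, []
    for n in body[6:6 + arg_cnt]:
        args.append(body[pos:pos + n].decode())
        pos += n
    return status, args
```

The header fields Radiator prints ("request 192, 2, 1, 0, 2621224921, 72") line up with the RFC 8907 header: version 0xC0, type 2 (authorization), sequence 1, flags 0, session id, body length, and "RESPONSE 1" is TAC_PLUS_AUTHOR_STATUS_PASS_ADD with no server message or data, which is what the DEFAULT path above produces when the table has no entry. The practitioner caveat is the one the thread's subject line states: nothing in this exchange proves who the "user" is, so the only gate on handing out a domain's tunnel-id, vpdn-group and ip-addresses is the shared key and the client address list the server enforces, and RFC 8907 itself describes the MD5 pad as obfuscation rather than encryption. Keep the per-domain table to what each NAS is allowed to ask for and keep TACACS+ on a management network.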