[RADIATOR] TACACS authorization without authentication

Vangelis Kyriakakis vkyriak at forthnet.gr
Fri Apr 23 01:38:09 CDT 2010


Hello Hugh,

       The request I want to authorize is

TacacsplusConnection Authorization REQUEST 16, 1, 1, 1, radiustest.gr, 
Async68, 21051xxxx/72xxxxx, 2, service=ppp protocol=vpdn

What I want to do is to include the radiustest.gr domain in the match 
checks. What is the exact AuthorizeGroup configuration?
Is the following correct?

AuthorizeGroup DEFAULT permit \
         radiustest.gr \
         service = ppp protocol = vpdn \
         {
                 ..........
         }

                 Regards
                       Vangelis

On 22/4/2010 11:58 PM, Hugh Irvine wrote:
> Hello Vangelis -
>
> Rather than specify different AuthorizeGroup's, you should specify multiple DEFAULT lines with the domain as one of the match checks.
>
> I.e.
>
> 	.....
>
> 	AuthorizeGroup DEFAULT permit \
> 		....... \
> 		service = ppp protocol = vpdn \
> 		{
> 			tunnel-type = l2tp \
> 			tunnel-id = F_DOMAIN \
> 			vpdn-group = F_DOMAIN \
> 			l2tp-tunnel-authen=no \
> 			ip-addresses = "xxx.xxx.xxx.xxx" \
> 		}
>
> 	.....
>
> 	AuthorizeGroup DEFAULT permit \
> 		...... \
> 		service = ppp protocol = vpdn \
> 		{
> 			tunnel-type = l2tp \
> 			tunnel-id = F_DOMAIN \
> 			vpdn-group = F_DOMAIN \
> 			l2tp-tunnel-authen=no \
> 			ip-addresses = "xxx.xxx.xxx.xxx" \
> 		}
>
> 	.....
>
>
> Your debug doesn't show me exactly what you are receiving, but you should be able to do something like shown above, where you match the different name strings.
>
> regards
>
> Hugh
>
>
> On 22 Apr 2010, at 21:21, Vangelis Kyriakakis wrote:
>
>> Hello Hugh,
>>
>>        Thanks for your answer.
>>        This of course works for the DEFAULT definition but what I have in
>> mind is to be able to reply to many domains with different attributes.
>> Something like:
>>
>> AuthorizeGroup DOMAIN1 permit \
>>
>> 		service = ppp protocol = vpdn \
>> 		{
>> 			tunnel-type = l2tp \
>> 			tunnel-id = F_DOMAIN1 \
>> 			vpdn-group = F_DOMAIN1 \
>> 			l2tp-tunnel-authen=no \
>> 			ip-addresses = "xxx.xxx.xxx.xxx" \
>> 		}
>>
>> AuthorizeGroup DOMAIN2 permit \
>>
>> 		service = ppp protocol = vpdn \
>> 		{
>> 			tunnel-type = l2tp \
>> 			tunnel-id = F_DOMAIN2 \
>> 			vpdn-group = F_DOMAIN2 \
>> 			l2tp-tunnel-authen=no \
>> 			ip-addresses = "xxx.xxx.xxx.xxx" \
>> 		}
>>
>> It would be great if I could use the domain name as the groupname, but
>> all I can do is to use the DEFAULT for all
>>
>>             Regards
>>                 Vangelis
>>
>> On 22/4/2010 2:08 PM, Hugh Irvine wrote:
>>> Hello Vangelis -
>>>
>>> As you can see from the debug, you can just add the reply attributes to the DEFAULT definition.
>>>
>>> 	.....
>>>
>>> 	AuthorizeGroup DEFAULT permit \
>>> 		service = ppp protocol = vpdn \
>>> 		{
>>> 			tunnel-type = l2tp \
>>> 			tunnel-id = F_DOMAIN \
>>> 			vpdn-group = F_DOMAIN \
>>> 			l2tp-tunnel-authen=no \
>>> 			ip-addresses = "xxx.xxx.xxx.xxx" \
>>> 		}
>>>
>>> 	.....
>>>
>>> something like this should work.
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 22 Apr 2010, at 20:52, Vangelis Kyriakakis wrote:
>>>
>>>> Hello Hugh,
>>>>
>>>>       Well, this is an old configuration which has to do with many NASes and we just want to change the old tac_plus platform with the Radiator TACACS implementation.
>>>>
>>>>               Regards
>>>>                   Vangelis
>>>>
>>>>
>>>> On 22/4/2010 12:22 PM, Hugh Irvine wrote:
>>>>> Hello Vangelis -
>>>>>
>>>>> Why don't you just use RADIUS for this?
>>>>>
>>>>> regards
>>>>>
>>>>> Hugh
>>>>>
>>>>>
>>>>> On 22 Apr 2010, at 19:12, Vangelis Kyriakakis wrote:
>>>>>> Hello Hugh,
>>>>>>
>>>>>> Thanks for the answer. This I guess still needs an authentication packet
>>>>>> to work. What I want to do is to send these cisco-avpairs as a reply to
>>>>>> an authorization packet without making an authentication.
>>>>>>
>>>>>> This is what I have as input to Radiator (Trace 4 log):
>>>>>>
>>>>>> Thu Apr 15 16:27:16 2010: DEBUG: New TacacsplusConnection created for
>>>>>> 194.219.252.130:42362
>>>>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection request 192, 2, 1,
>>>>>> 0, 1403095764, 71
>>>>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization
>>>>>> REQUEST 16, 1, 1, 1, dnis:xxxxxxx, Async94, XXXXXXXXXX/xxxxxxx, 2,
>>>>>> service=ppp protocol=vpdn
>>>>>> Thu Apr 15 16:27:16 2010: DEBUG: AuthorizeGroup rule match found: permit
>>>>>> .* { }
>>>>>> Thu Apr 15 16:27:16 2010: INFO: Authorization permitted for
>>>>>> dnis:xxxxxxx, group DEFAULT, args service=ppp protocol=vpdn
>>>>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization
>>>>>> RESPONSE 1, , ,
>>>>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection disconnected from
>>>>>> 194.219.252.130:42362
>>>>>> Thu Apr 15 16:27:16 2010: DEBUG: New TacacsplusConnection created for
>>>>>> 194.219.252.130:42363
>>>>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection request 192, 2, 1,
>>>>>> 0, 2621224921, 72
>>>>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization
>>>>>> REQUEST 16, 1, 1, 1, radiustest.gr, Async94, XXXXXXXXXX/xxxxxxx, 2,
>>>>>> service=ppp protocol=vpdn
>>>>>> Thu Apr 15 16:27:16 2010: DEBUG: AuthorizeGroup rule match found: permit
>>>>>> .* { }
>>>>>> Thu Apr 15 16:27:16 2010: INFO: Authorization permitted for
>>>>>> radiustest.gr, group DEFAULT, args service=ppp protocol=vpdn
>>>>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization
>>>>>> RESPONSE 1, , ,
>>>>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection disconnected from
>>>>>> 194.219.252.130:42363
>>>>>>
>>>>>> What I want to do is to reply to this request with the vpdn attributes
>>>>>> for the radiustest.gr domain.
>>>>>>
>>>>>> Regards
>>>>>> Vangelis
>>>>>>
>>>>>> On 17/4/2010 12:39 AM, Hugh Irvine wrote:
>>>>>>> Hello Vangelis -
>>>>>>>
>>>>>>> There is an example in the "users" file included in the Radiator distribution.
>>>>>>>
>>>>>>> Here it is:
>>>>>>>
>>>>>>>
>>>>>>> # This example shows how to configure a Cisco VPDN circuit:
>>>>>>> open.com.au     User-Password=cisco, Service-Type=Outbound-User
>>>>>>>          cisco-avpair = "vpdn:tunnel-id=cca-gw",
>>>>>>>          cisco-avpair = "vpdn:ip-addresses=1.2.3.4",
>>>>>>>          cisco-avpair = "vpdn:nas-password=pw",
>>>>>>>          cisco-avpair = "vpdn:gw-password=pw"
>>>>>>>
>>>>>>>
>>>>>>> Note that this is returned from the RADIUS request processing that is issued by ServerTACACSPLUS.
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Hugh
>>>>>>>
>>>>>>>
>>>>>>> On 16 Apr 2010, at 22:44, Vangelis Kyriakakis wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>>     How can I configure ServerTACACSPLUS to do per domain authorizations
>>>>>>>> without authenticating the users first?
>>>>>>>>     I would like to be able to use the following tacacs configuration:
>>>>>>>>
>>>>>>>> user = domain.gr {
>>>>>>>>               service = ppp protocol = vpdn {
>>>>>>>>               tunnel-type = l2tp
>>>>>>>>               tunnel-id = F_DOMAIN
>>>>>>>>               vpdn-group = F_DOMAIN
>>>>>>>>               l2tp-tunnel-authen=no
>>>>>>>>               ip-addresses = "xxx.xxx.xxx.xxx"
>>>>>>>>            }
>>>>>>>> }
>>>>>>>>
>>>>>>>>             Regards
>>>>>>>>                Vangelis Kyriakakis
>>>>>>>>                FORTHnet S.A.
>>>>>>>> _______________________________________________
>>>>>>>> radiator mailing list
>>>>>>>> radiator at open.com.au
>>>>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>>>>>
>>>>>>> NB:
>>>>>>>
>>>>>>> Have you read the reference manual ("doc/ref.html")?
>>>>>>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>>>>>>> Have you had a quick look on Google (www.google.com)?
>>>>>>> Have you included a copy of your configuration file (no secrets),
>>>>>>> together with a trace 4 debug showing what is happening?
>>>>>>>
>

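The Trace 4 output quoted in this thread shows every authorization request, the radiustest.gr one included, being permitted by the catch-all "permit .* { }" rule of group DEFAULT. The Python below is an added example, not code from the thread or from Radiator: it parses log lines in that format and lists the authorizations that passed only on the catch-all rule, which is the check an operator would run after adding domain-specific AuthorizeGroup lines to confirm the domain match is actually being hit. The field order of the REQUEST line (authen_method, priv_lvl, authen_type, authen_service, user, port, rem_addr, arg_cnt, args) is an assumption taken from the RFC 8907 authorization body; the sample log lines and the 198.51.100.10 address are constructed.

```python
"""Audit Radiator Trace 4 output for TACACS+ authorization decisions.

Added example, not code from the thread or from Radiator. It parses the
TacacsplusConnection debug lines in the format quoted in the thread and
reports, per NAS connection, who was authorized, which AuthorizeGroup rule
matched and which status was returned. The REQUEST field order is assumed
to follow the RFC 8907 authorization body.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 8907 TAC_PLUS_AUTHEN_METH_* values. If the assumed field order holds,
# the leading 16 in the thread's REQUEST lines decodes to RADIUS.
AUTHEN_METHOD = {0x00: "NOT_SET", 0x01: "NONE", 0x02: "KRB5", 0x03: "LINE",
                 0x04: "ENABLE", 0x05: "LOCAL", 0x06: "TACACSPLUS",
                 0x08: "GUEST", 0x10: "RADIUS", 0x11: "KRB4", 0x20: "RCMD"}
# RFC 8907 TAC_PLUS_AUTHOR_STATUS_* values carried in the RESPONSE line.
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}

# Constructed sample, modelled on the masked Trace 4 lines in the thread
# (documentation address instead of the real NAS; one log entry per line).
SAMPLE_LOG = """\
Thu Apr 15 16:27:16 2010: DEBUG: New TacacsplusConnection created for 198.51.100.10:42362
Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 1403095764, 71
Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization REQUEST 16, 1, 1, 1, dnis:xxxxxxx, Async94, XXXXXXXXXX/xxxxxxx, 2, service=ppp protocol=vpdn
Thu Apr 15 16:27:16 2010: DEBUG: AuthorizeGroup rule match found: permit .* { }
Thu Apr 15 16:27:16 2010: INFO: Authorization permitted for dnis:xxxxxxx, group DEFAULT, args service=ppp protocol=vpdn
Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection disconnected from 198.51.100.10:42362
Thu Apr 15 16:27:16 2010: DEBUG: New TacacsplusConnection created for 198.51.100.10:42363
Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 2621224921, 72
Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization REQUEST 16, 1, 1, 1, radiustest.gr, Async94, XXXXXXXXXX/xxxxxxx, 2, service=ppp protocol=vpdn
Thu Apr 15 16:27:16 2010: DEBUG: AuthorizeGroup rule match found: permit .* { }
Thu Apr 15 16:27:16 2010: INFO: Authorization permitted for radiustest.gr, group DEFAULT, args service=ppp protocol=vpdn
Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection disconnected from 198.51.100.10:42363
"""


@dataclass
class AuthzRecord:
    peer: str                           # NAS address:port of the TCP connection
    authen_method: int                  # how the NAS claims the user was authenticated
    user: str                           # user field: a domain or "dnis:..." in this thread
    port: str
    rem_addr: str
    args: str                           # e.g. "service=ppp protocol=vpdn"
    rule_action: Optional[str] = None   # permit/deny of the AuthorizeGroup rule that matched
    rule_pattern: Optional[str] = None  # that rule's match pattern(s)
    reply_attrs: Optional[str] = None   # attributes inside the rule's { }
    group: Optional[str] = None         # AuthorizeGroup name from the INFO line
    status: Optional[int] = None        # RESPONSE status code


RE_CREATED = re.compile(r"New TacacsplusConnection created for (\S+)$")
RE_REQUEST = re.compile(
    r"TacacsplusConnection Authorization REQUEST "
    r"(\d+), (\d+), (\d+), (\d+), ([^,]*), ([^,]*), ([^,]*), (\d+), (.*)$")
RE_RULE = re.compile(r"AuthorizeGroup rule match found: (permit|deny) (.*?) \{(.*)\}\s*$")
RE_INFO = re.compile(r"Authorization permitted for ([^,]*), group (\S+), args (.*)$")
RE_RESPONSE = re.compile(r"TacacsplusConnection Authorization RESPONSE (\d+),")
RE_DISCONNECT = re.compile(r"TacacsplusConnection disconnected from (\S+)$")


def parse_trace(text: str) -> List[AuthzRecord]:
    """Walk the log sequentially; Radiator logs one connection at a time."""
    records: List[AuthzRecord] = []
    peer: Optional[str] = None
    current: Optional[AuthzRecord] = None
    for line in text.splitlines():
        line = line.rstrip()
        if m := RE_CREATED.search(line):
            peer = m.group(1)
        elif (m := RE_REQUEST.search(line)) and peer is not None:
            current = AuthzRecord(peer=peer, authen_method=int(m.group(1)),
                                  user=m.group(5).strip(), port=m.group(6).strip(),
                                  rem_addr=m.group(7).strip(), args=m.group(9).strip())
            records.append(current)
        elif (m := RE_RULE.search(line)) and current:
            current.rule_action, current.rule_pattern = m.group(1), m.group(2).strip()
            current.reply_attrs = m.group(3).strip()
        elif (m := RE_INFO.search(line)) and current:
            current.group = m.group(2)
        elif (m := RE_RESPONSE.search(line)) and current:
            current.status = int(m.group(1))
        elif RE_DISCONNECT.search(line):
            peer, current = None, None
    return records


def catch_all_permits(records: List[AuthzRecord]) -> List[AuthzRecord]:
    """Authorizations that passed on the '.*' rule, i.e. no domain-specific line matched."""
    return [r for r in records
            if r.rule_pattern == ".*" and AUTHOR_STATUS.get(r.status, "").startswith("PASS")]


def authen_method_name(code: int) -> str:
    return AUTHEN_METHOD.get(code, f"UNKNOWN(0x{code:02x})")


if __name__ == "__main__":
    for r in catch_all_permits(parse_trace(SAMPLE_LOG)):
        print(f"{r.peer} user={r.user} authen_method={authen_method_name(r.authen_method)} "
              f"group={r.group} rule={r.rule_action} '{r.rule_pattern}' "
              f"reply={{{r.reply_attrs}}} status={AUTHOR_STATUS.get(r.status, r.status)}")
```

Run against a real Trace 4 file after adding per-domain DEFAULT lines: any line still listed for a domain user means that domain is still falling through to the catch-all rule and getting an empty reply, which is exactly the symptom the thread started with.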
