[RADIATOR] TACACS authorization without authentication

Hugh Irvine hugh at open.com.au
Fri Apr 23 02:09:29 CDT 2010


Hello Vangelis -

Ok - I wonder if you could do two things for me?

1. send me a few trace 5 (five) debugs showing the hex packet dumps of a few of these requests?

2. consider whether adding some code to ServerTACACSPLUS to optionally send a RADIUS Authorize-Only request will meet your needs?

In both cases we will need some assistance to test and debug whatever we come up with.

regards

Hugh


On 23 Apr 2010, at 16:38, Vangelis Kyriakakis wrote:

> Hello Hugh,
> 
>       The request I want to authorize is
> 
> TacacsplusConnection Authorization REQUEST 16, 1, 1, 1, radiustest.gr, 
> Async68, 21051xxxx/72xxxxx, 2, service=ppp protocol=vpdn
> 
> What I want to do is to include the radiustest.gr domain in the match 
> checks. What is the exact AuthorizeGroup configuration?
> Is the following correct?
> 
> AuthorizeGroup DEFAULT permit \
>         radiustest.gr \
>         service = ppp protocol = vpdn \
>         {
>                 ..........
>         }
> 
>                 Regards
>                       Vangelis
> 
> On 22/4/2010 11:58 PM, Hugh Irvine wrote:
>> Hello Vangelis -
>> 
>> Rather than specify different AuthorizeGroups, you should specify multiple DEFAULT lines with the domain as one of the match checks.
>> 
>> I.e.
>> 
>> 	.....
>> 
>> 	AuthorizeGroup DEFAULT permit \
>> 		....... \
>> 		service = ppp protocol = vpdn \
>> 		{
>> 			tunnel-type = l2tp \
>> 			tunnel-id = F_DOMAIN \
>> 			vpdn-group = F_DOMAIN \
>> 			l2tp-tunnel-authen=no \
>> 			ip-addresses = "xxx.xxx.xxx.xxx" \
>> 		}
>> 
>> 	.....
>> 
>> 	AuthorizeGroup DEFAULT permit \
>> 		...... \
>> 		service = ppp protocol = vpdn \
>> 		{
>> 			tunnel-type = l2tp \
>> 			tunnel-id = F_DOMAIN \
>> 			vpdn-group = F_DOMAIN \
>> 			l2tp-tunnel-authen=no \
>> 			ip-addresses = "xxx.xxx.xxx.xxx" \
>> 		}
>> 
>> 	.....
>> 
>> 
>> Your debug doesn't show me exactly what you are receiving, but you should be able to do something like shown above, where you match the different name strings.
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> On 22 Apr 2010, at 21:21, Vangelis Kyriakakis wrote:
>> 
>> 
>>> Hello Hugh,
>>> 
>>>       Thanks for your answer.
>>>       This of course works for the DEFAULT definition, but what I have in
>>> mind is to be able to reply to many domains with different attributes.
>>> Something like:
>>> 
>>> AuthorizeGroup DOMAIN1 permit \
>>> 
>>> 		service = ppp protocol = vpdn \
>>> 		{
>>> 			tunnel-type = l2tp \
>>> 			tunnel-id = F_DOMAIN1 \
>>> 			vpdn-group = F_DOMAIN1 \
>>> 			l2tp-tunnel-authen=no \
>>> 			ip-addresses = "xxx.xxx.xxx.xxx" \
>>> 		}
>>> 
>>> AuthorizeGroup DOMAIN2 permit \
>>> 
>>> 		service = ppp protocol = vpdn \
>>> 		{
>>> 			tunnel-type = l2tp \
>>> 			tunnel-id = F_DOMAIN2 \
>>> 			vpdn-group = F_DOMAIN2 \
>>> 			l2tp-tunnel-authen=no \
>>> 			ip-addresses = "xxx.xxx.xxx.xxx" \
>>> 		}
>>> 
>>> It would be great if I could use the domain name as the groupname, but
>>> all I can do is to use the DEFAULT for all
>>> 
>>>            Regards
>>>                Vangelis
>>> 
>>> On 22/4/2010 2:08 PM, Hugh Irvine wrote:
>>> 
>>>> Hello Vangelis -
>>>> 
>>>> As you can see from the debug, you can just add the reply attributes to the DEFAULT definition.
>>>> 
>>>> 	.....
>>>> 
>>>> 	AuthorizeGroup DEFAULT permit \
>>>> 		service = ppp protocol = vpdn \
>>>> 		{
>>>> 			tunnel-type = l2tp \
>>>> 			tunnel-id = F_DOMAIN \
>>>> 			vpdn-group = F_DOMAIN \
>>>> 			l2tp-tunnel-authen=no \
>>>> 			ip-addresses = "xxx.xxx.xxx.xxx" \
>>>> 		}
>>>> 
>>>> 	.....
>>>> 
>>>> something like this should work.
>>>> 
>>>> regards
>>>> 
>>>> Hugh
>>>> 
>>>> 
>>>> On 22 Apr 2010, at 20:52, Vangelis Kyriakakis wrote:
>>>> 
>>>> 
>>>> 
>>>>> Hello Hugh,
>>>>> 
>>>>>      Well, this is an old configuration which has to do with many NASes and we just want to change the old tac_plus platform with the Radiator TACACS implementation.
>>>>> 
>>>>>              Regards
>>>>>                  Vangelis
>>>>> 
>>>>> 
>>>>> On 22/4/2010 12:22 PM, Hugh Irvine wrote:
>>>>> 
>>>>> 
>>>>>> Hello Vangelis -
>>>>>> 
>>>>>> Why don't you just use RADIUS for this?
>>>>>> 
>>>>>> regards
>>>>>> 
>>>>>> Hugh
>>>>>> 
>>>>>> 
>>>>>> On 22 Apr 2010, at 19:12, Vangelis Kyriakakis wrote:
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> Hello Hugh,
>>>>>>> 
>>>>>>> Thanks for the answer. This I guess still needs an authentication packet
>>>>>>> to work. What I want to do is to send these cisco-avpairs as a reply to
>>>>>>> an authorization packet without making an authentication.
>>>>>>> 
>>>>>>> This is what I have as input to Radiator (Trace 4 log):
>>>>>>> 
>>>>>>> Thu Apr 15 16:27:16 2010: DEBUG: New TacacsplusConnection created for
>>>>>>> 194.219.252.130:42362
>>>>>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection request 192, 2, 1,
>>>>>>> 0, 1403095764, 71
>>>>>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization
>>>>>>> REQUEST 16, 1, 1, 1, dnis:xxxxxxx, Async94, XXXXXXXXXX/xxxxxxx, 2,
>>>>>>> service=ppp protocol=vpdn
>>>>>>> Thu Apr 15 16:27:16 2010: DEBUG: AuthorizeGroup rule match found: permit
>>>>>>> .* { }
>>>>>>> Thu Apr 15 16:27:16 2010: INFO: Authorization permitted for
>>>>>>> dnis:xxxxxxx, group DEFAULT, args service=ppp protocol=vpdn
>>>>>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization
>>>>>>> RESPONSE 1, , ,
>>>>>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection disconnected from
>>>>>>> 194.219.252.130:42362
>>>>>>> Thu Apr 15 16:27:16 2010: DEBUG: New TacacsplusConnection created for
>>>>>>> 194.219.252.130:42363
>>>>>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection request 192, 2, 1,
>>>>>>> 0, 2621224921, 72
>>>>>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization
>>>>>>> REQUEST 16, 1, 1, 1, radiustest.gr, Async94, XXXXXXXXXX/xxxxxxx, 2,
>>>>>>> service=ppp protocol=vpdn
>>>>>>> Thu Apr 15 16:27:16 2010: DEBUG: AuthorizeGroup rule match found: permit
>>>>>>> .* { }
>>>>>>> Thu Apr 15 16:27:16 2010: INFO: Authorization permitted for
>>>>>>> radiustest.gr, group DEFAULT, args service=ppp protocol=vpdn
>>>>>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization
>>>>>>> RESPONSE 1, , ,
>>>>>>> Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection disconnected from
>>>>>>> 194.219.252.130:42363
>>>>>>> 
>>>>>>> What I want to do is to reply to this request with the vpdn attributes
>>>>>>> for the radiustest.gr domain.
>>>>>>> 
>>>>>>> Regards
>>>>>>> Vangelis
>>>>>>> 
>>>>>>> On 17/4/2010 12:39 AM, Hugh Irvine wrote:
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>>> Hello Vangelis -
>>>>>>>> 
>>>>>>>> There is an example in the "users" file included in the Radiator distribution.
>>>>>>>> 
>>>>>>>> Here it is:
>>>>>>>> 
>>>>>>>> 
>>>>>>>> # This example shows how to configure a Cisco VPDN circuit:
>>>>>>>> open.com.au     User-Password=cisco, Service-Type=Outbound-User
>>>>>>>>         cisco-avpair = "vpdn:tunnel-id=cca-gw",
>>>>>>>>         cisco-avpair = "vpdn:ip-addresses=1.2.3.4",
>>>>>>>>         cisco-avpair = "vpdn:nas-password=pw",
>>>>>>>>         cisco-avpair = "vpdn:gw-password=pw"
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Note that this is returned from the RADIUS request processing that is issued by ServerTACACSPLUS.
>>>>>>>> 
>>>>>>>> regards
>>>>>>>> 
>>>>>>>> Hugh
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On 16 Apr 2010, at 22:44, Vangelis Kyriakakis wrote:
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>>> Hello,
>>>>>>>>> 
>>>>>>>>>    How can I configure ServerTACACSPLUS to do per domain authorizations
>>>>>>>>> without authenticating the users first?
>>>>>>>>>    I would like to be able to use the following tacacs configuration:
>>>>>>>>> 
>>>>>>>>> user = domain.gr {
>>>>>>>>>              service = ppp protocol = vpdn {
>>>>>>>>>              tunnel-type = l2tp
>>>>>>>>>              tunnel-id = F_DOMAIN
>>>>>>>>>              vpdn-group = F_DOMAIN
>>>>>>>>>              l2tp-tunnel-authen=no
>>>>>>>>>              ip-addresses = "xxx.xxx.xxx.xxx"
>>>>>>>>>           }
>>>>>>>>> }
>>>>>>>>> 
>>>>>>>>>            Regards
>>>>>>>>>               Vangelis Kyriakakis
>>>>>>>>>               FORTHnet S.A.
>>>>>>>>> _______________________________________________
>>>>>>>>> radiator mailing list
>>>>>>>>> radiator at open.com.au
>>>>>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>> NB:
>>>>>>>> 
>>>>>>>> Have you read the reference manual ("doc/ref.html")?
>>>>>>>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>>>>>>>> Have you had a quick look on Google (www.google.com)?
>>>>>>>> Have you included a copy of your configuration file (no secrets),
>>>>>>>> together with a trace 4 debug showing what is happening?
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>> 
>> 
>> 



-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
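The trace 4 output quoted in this thread can be parsed to see which AuthorizeGroup rule granted each authorization and which reply attributes (if any) it returned. This is an added example, not code from the thread or from Radiator itself; it assumes one log entry per line, the `rule match found: permit <pattern> { <attrs> }` form shown in the quoted debug, and a constructed second rule line that does return attributes.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the trace 4 lines quoted in this thread (one entry per
# line); the NAS address and user strings are placeholders, not values from a real NAS.
SAMPLE_TRACE = """\
Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization REQUEST 16, 1, 1, 1, dnis:5551234, Async94, 5550000/5551234, 2, service=ppp protocol=vpdn
Thu Apr 15 16:27:16 2010: DEBUG: AuthorizeGroup rule match found: permit .* { }
Thu Apr 15 16:27:16 2010: INFO: Authorization permitted for dnis:5551234, group DEFAULT, args service=ppp protocol=vpdn
Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection disconnected from 192.0.2.10:42362
Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection Authorization REQUEST 16, 1, 1, 1, radiustest.gr, Async94, 5550000/5551234, 2, service=ppp protocol=vpdn
Thu Apr 15 16:27:16 2010: DEBUG: AuthorizeGroup rule match found: permit service=ppp protocol=vpdn { tunnel-type=l2tp }
Thu Apr 15 16:27:16 2010: INFO: Authorization permitted for radiustest.gr, group DEFAULT, args service=ppp protocol=vpdn
Thu Apr 15 16:27:16 2010: DEBUG: TacacsplusConnection disconnected from 192.0.2.10:42363
"""

REQ_RE = re.compile(r"Authorization REQUEST (.*)$")
RULE_RE = re.compile(r"rule match found: (?:permit|deny) (.+?) \{(.*)\}\s*$")
RESULT_RE = re.compile(r"INFO: Authorization (permitted|denied) for ([^,]*), group ([^,]*), args")
END_RE = re.compile(r"TacacsplusConnection disconnected from (\S+)$")

def parse_trace(text: str) -> List[Dict[str, str]]:
    """One record per connection: requested user/args, matched rule pattern, reply attrs, outcome."""
    events, cur = [], None
    for line in text.splitlines():
        if m := REQ_RE.search(line):
            f = m.group(1).split(", ", 8)  # ..., user, port, rem_addr, arg_cnt, args
            cur = {"user": f[4], "args": f[8], "pattern": "", "reply": "", "group": "", "result": ""}
        elif cur is None:
            continue
        elif m := RULE_RE.search(line):
            cur["pattern"], cur["reply"] = m.group(1), m.group(2).strip()
        elif m := RESULT_RE.search(line):
            cur["result"], cur["group"] = m.group(1), m.group(3)
        elif END_RE.search(line):
            events.append(cur)
            cur = None
    return events

def find_weak_permits(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Flag permits granted by a catch-all pattern, and permits that returned no reply attributes."""
    findings = []
    for e in events:
        if e["result"] != "permitted":
            continue
        if e["pattern"] in (".*", ".+"):
            findings.append((e["user"], "catch-all AuthorizeGroup pattern"))
        if not e["reply"]:
            findings.append((e["user"], "permitted with empty reply attribute set"))
    return findings
```

Run against a real trace 4 log, the second check surfaces exactly the situation in the thread: the request is permitted, but the NAS receives no VPDN attributes because the matching rule's reply block is empty.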