[RADIATOR] TACACS+ authorisation problem
Markus Moeller
huaraz at moeller.plus.com
Sun Oct 17 07:35:35 CDT 2010
I have a problem with TACACS+ command authorisation.
If I add am attribute to the authentication reply as shown below it seems that it is also added to the authorisation reply (see RESPONSE line). This creates a problem on the cisco router and the command is denied. Is this a bug ?
Thank you
Markus
<Handler Service-Type=Administrative-User>
AuthByPolicy ContinueUntilAccept
AuthBy Users
AuthLog LogAuthentication
AddToReply cisco-avpair="priv-lvl=15"
</Handler>
Code: Access-Accept
Identifier: UNDEF
Authentic: <217><2><221>F<29><240><4>w<208>(<242>^<4>W:/
Attributes:
cisco-avpair = "priv-lvl=15"
Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection result Access-Accept
Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection disconnected from 10.10.10.10:37060
Sun Oct 17 12:33:09 2010: DEBUG: New TacacsplusConnection created for 10.10.10.10:37061
Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 4287547660, 88
Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, xxx, tty1, 10.20.1.1, 4, service=
shell cmd=show cmd-arg=running-config cmd-arg=<cr>
Sun Oct 17 12:33:09 2010: DEBUG: AuthorizeGroup rule match found: permit service=shell { }
Sun Oct 17 12:33:09 2010: INFO: Authorization permitted for xxx, group test, args service=shell cmd=show cmd-arg=running-c
onfig cmd-arg=<cr>
Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=15
Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection disconnected from 10.10.10.10:37061
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20101017/20dc7e10/attachment.html
More information about the radiator
mailing list