[RADIATOR] TACACS+ authorisation problem

Markus Moeller huaraz at moeller.plus.com
Sun Oct 17 08:01:52 CDT 2010


I use version 4.6 and the TACACS auth config is:

 
<ServerTACACSPLUS>
#
  Port 49
  GroupMemberAttr TACACS_Group

  AuthorizeGroup all permit service=shell
  AuthorizeGroup all permit service=ciscowlc protocol=common {role1=ALL}
#
# test group permissions
#
  AuthorizeGroup test permit service=shell cmd=show cmd-args=.*
  AuthorizeGroup test permit service=ciscowlc protocol=common {role1=ALL}
  AuthorizeGroup test permit service=shell cmd\*
  AuthorizeGroup test deny service=shell

  AuthorizeGroup DEFAULT deny .*

</ServerTACACSPLUS>


  ----- Original Message ----- 
  From: Markus Moeller 
  To: radiator at open.com.au 
  Sent: Sunday, October 17, 2010 1:35 PM
  Subject: [RADIATOR] TACACS+ authorisation problem


    
  I have a problem with TACACS+ command authorisation.

  If I add an attribute to the authentication reply as shown below it seems that it is also added to the authorisation reply (see RESPONSE line). This creates a problem on the cisco router and the command is denied. Is this a bug?

  Thank you
  Markus

  <Handler Service-Type=Administrative-User>
     AuthByPolicy ContinueUntilAccept
     AuthBy Users
     AuthLog LogAuthentication
     AddToReply cisco-avpair="priv-lvl=15"
  </Handler>


  Code:       Access-Accept
  Identifier: UNDEF
  Authentic:  <217><2><221>F<29><240><4>w<208>(<242>^<4>W:/
  Attributes:
          cisco-avpair = "priv-lvl=15"

  Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection result Access-Accept
  Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
  Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection disconnected from 10.10.10.10:37060
  Sun Oct 17 12:33:09 2010: DEBUG: New TacacsplusConnection created for 10.10.10.10:37061
  Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 4287547660, 88
  Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, xxx, tty1, 10.20.1.1, 4, service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
  Sun Oct 17 12:33:09 2010: DEBUG: AuthorizeGroup rule match found: permit service=shell {  }
  Sun Oct 17 12:33:09 2010: INFO: Authorization permitted for xxx, group test, args service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
  Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=15
  Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection disconnected from 10.10.10.10:37061
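
A small checker for the symptom described above, added here as an example (it is not Radiator code): it reads TacacsplusConnection debug lines, pairs each Authorization REQUEST with the RESPONSE that follows it, and reports command authorizations answered PASS_ADD with extra attributes, as the quoted "priv-lvl=15" response was. The field order assumed for the REQUEST and RESPONSE lines is that of the TACACS+ authorization packet bodies, and the sample log lines are constructed.

```python
import re

# Constructed sample in the TacacsplusConnection debug format quoted in the post
# (users and addresses are placeholders); the second exchange is a clean reply.
SAMPLE_LOG = """\
Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, xxx, tty1, 10.20.1.1, 4, service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
Sun Oct 17 12:33:09 2010: DEBUG: AuthorizeGroup rule match found: permit service=shell {  }
Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=15
Sun Oct 17 12:34:00 2010: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, yyy, tty2, 10.20.1.2, 3, service=shell cmd=show cmd-arg=version
Sun Oct 17 12:34:00 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
"""

# Assumed REQUEST field order (TACACS+ authorization request body): authen_method,
# priv_lvl, authen_type, authen_service, user, port, rem_addr, arg_cnt, args.
REQ_RE = re.compile(
    r"Authorization REQUEST (?:[^,]*, ){4}(?P<user>[^,]*), [^,]*, [^,]*, \d+, (?P<args>.*)$")
# Assumed RESPONSE field order (authorization reply body): status, server_msg, data, args.
RESP_RE = re.compile(
    r"Authorization RESPONSE (?P<status>\d+), (?P<msg>[^,]*), (?P<data>[^,]*),\s*(?P<args>.*)$")
PASS_ADD = 1  # TAC_PLUS_AUTHOR_STATUS_PASS_ADD


def parse_args(text):
    """Split 'k=v k2*v2 ...' into a dict; repeated keys (cmd-arg) collect into a list."""
    out = {}
    for tok in text.split():
        m = re.match(r"([^=*]+)[=*](.*)", tok)
        if m:
            out.setdefault(m.group(1), []).append(m.group(2))
    return out


def find_leaky_responses(log_text):
    """Report command authorizations (service=shell with a cmd) that were answered
    PASS_ADD together with extra attributes the device did not ask for."""
    findings, pending = [], None
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m:
            pending = (m.group("user"), parse_args(m.group("args")))
            continue
        m = RESP_RE.search(line)
        if m and pending:
            user, req = pending
            pending = None
            extra = parse_args(m.group("args"))
            is_cmd_authz = req.get("service") == ["shell"] and bool(req.get("cmd", [""])[0])
            if is_cmd_authz and int(m.group("status")) == PASS_ADD and extra:
                cmd = " ".join(req["cmd"] + req.get("cmd-arg", []))
                findings.append({"user": user, "cmd": cmd, "extra_args": extra})
    return findings
```

Run against a real debug log, any hit points at a reply attribute (here the AddToReply value) being copied into a command-authorization response.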



