[RADIATOR] TACACS+ authorisation problem
Markus Moeller
huaraz at moeller.plus.com
Sun Oct 17 17:07:16 CDT 2010
Sorry Hugh,
I may not have been clear. As far as I understood, a line like:
AuthorizeGroup group1 permit service=shell {cisco-avpair="priv-lvl=12"}
would add priv-lvl=12 to the authorization reply and I agree with that.
But would a handler like:
<Handler Service-Type=Administrative-User>
AuthByPolicy ContinueUntilAccept
AuthBy Users
AuthLog LogAuthentication
AddToReply cisco-avpair="priv-lvl=12"
</Handler>
mean that all authentication AND authorization replies have priv-lvl=12 in
their reply? That is what I see and do not expect, and I can't find it in the
documentation.
Markus
----- Original Message -----
From: "Hugh Irvine" <hugh at open.com.au>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Cc: <radiator at open.com.au>
Sent: Sunday, October 17, 2010 10:13 PM
Subject: Re: [RADIATOR] TACACS+ authorisation problem
Hello Markus -
Radiator is operating as intended.
See section 5.86 in the Radiator 4.7 reference manual ("doc/ref.pdf").
regards
Hugh
On 18 Oct 2010, at 07:27, Markus Moeller wrote:
> By bug I mean: is it intended to add the AV pair to the authorisation
> exchange? I would have thought this would only be done as part of the
> AuthorizeGroup command.
>
> Thank you
> Markus
> ----- Original Message -----
> From: Markus Moeller
> To: radiator at open.com.au
> Sent: Sunday, October 17, 2010 1:35 PM
> Subject: [RADIATOR] TACACS+ authorisation problem
>
>
> I have a problem with TACACS+ command authorisation.
>
> If I add an attribute to the authentication reply as shown below, it seems
> that it is also added to the authorisation reply (see RESPONSE line). This
> creates a problem on the Cisco router and the command is denied. Is this a
> bug?
>
> Thank you
> Markus
>
> <Handler Service-Type=Administrative-User>
> AuthByPolicy ContinueUntilAccept
> AuthBy Users
> AuthLog LogAuthentication
> AddToReply cisco-avpair="priv-lvl=15"
> </Handler>
>
>
> Code: Access-Accept
> Identifier: UNDEF
> Authentic: <217><2><221>F<29><240><4>w<208>(<242>^<4>W:/
> Attributes:
> cisco-avpair = "priv-lvl=15"
>
> Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection result Access-Accept
> Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
> Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection disconnected from 10.10.10.10:37060
> Sun Oct 17 12:33:09 2010: DEBUG: New TacacsplusConnection created for 10.10.10.10:37061
> Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 4287547660, 88
> Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, xxx, tty1, 10.20.1.1, 4, service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
> Sun Oct 17 12:33:09 2010: DEBUG: AuthorizeGroup rule match found: permit service=shell { }
> Sun Oct 17 12:33:09 2010: INFO: Authorization permitted for xxx, group test, args service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
> Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=15
> Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection disconnected from 10.10.10.10:37061
>
>
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
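As an added example (not Radiator's code and not from the thread), the Python script below audits a trace 4 debug log for the symptom Markus reports: it pairs each TACACS+ Authorization REQUEST with the AuthorizeGroup rule that matched and with the RESPONSE, and lists any response arguments the matched rule did not itself supply. The field order assumed for the REQUEST and RESPONSE debug lines (status, server_msg, data, args for the response) is inferred from the trace above and is an assumption; the first exchange in the embedded sample is the thread's own trace with its wrapped lines rejoined, and the second exchange is constructed to show a rule that carries its own cisco-avpair, which the script reports as clean.

```python
"""Audit a Radiator trace-4 TACACS+ log for Authorization RESPONSEs that carry
arguments the matched AuthorizeGroup rule did not supply.

Added example, not Radiator code. The layout of the REQUEST/RESPONSE debug
lines is inferred from the thread's trace and is an assumption."""
import re
from dataclasses import dataclass, field

# Status byte of a TACACS+ authorization REPLY (RFC 8907, section 6.2).
AUTHOR_STATUS = {1: "PASS_ADD", 2: "PASS_REPL", 16: "FAIL", 17: "ERROR", 33: "FOLLOW"}

REQ_RE = re.compile(r"Authorization REQUEST (?P<fields>.*)$")
RULE_RE = re.compile(r"AuthorizeGroup rule match found: (?P<action>\w+) (?P<match>[^{]*)\{(?P<attrs>[^}]*)\}")
RESP_RE = re.compile(r"Authorization RESPONSE (?P<status>\d+), (?P<msg>[^,]*), (?P<data>[^,]*), (?P<args>.*)$")
ATTR_RE = re.compile(r'(?P<name>[\w-]+)="(?P<value>[^"]*)"')

# First exchange: the thread's trace with wrapped lines rejoined.
# Second exchange: constructed, a rule that adds its own cisco-avpair.
SAMPLE_TRACE = """\
Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, xxx, tty1, 10.20.1.1, 4, service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
Sun Oct 17 12:33:09 2010: DEBUG: AuthorizeGroup rule match found: permit service=shell { }
Sun Oct 17 12:33:09 2010: INFO: Authorization permitted for xxx, group test, args service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=15
Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection disconnected from 10.10.10.10:37061
Sun Oct 17 12:34:01 2010: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, xxx, tty1, 10.20.1.1, 1, service=shell
Sun Oct 17 12:34:01 2010: DEBUG: AuthorizeGroup rule match found: permit service=shell {cisco-avpair="priv-lvl=12"}
Sun Oct 17 12:34:01 2010: INFO: Authorization permitted for xxx, group test, args service=shell
Sun Oct 17 12:34:01 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=12
"""


@dataclass
class Exchange:
    user: str = ""
    args: list = field(default_factory=list)      # request args, e.g. service=shell cmd=show
    rule: str = ""                                 # matched AuthorizeGroup rule text
    rule_args: set = field(default_factory=set)    # args the rule itself adds to the reply
    status: int = -1                               # TACACS+ authorization status byte
    reply_args: list = field(default_factory=list)

    @property
    def is_command(self) -> bool:
        """True for command authorization (cmd=...), False for an exec/session request."""
        return any(a.startswith("cmd=") for a in self.args)


def rule_reply_args(attrs: str) -> set:
    """Turn the {cisco-avpair="priv-lvl=12" ...} part of a rule into the args the NAS sees.
    A cisco-avpair value is passed through as-is; other attributes become name=value."""
    out = set()
    for m in ATTR_RE.finditer(attrs):
        out.add(m["value"] if m["name"] == "cisco-avpair" else f'{m["name"]}={m["value"]}')
    return out


def parse_exchanges(trace: str) -> list:
    """Pair each Authorization REQUEST with its rule match and RESPONSE, in log order."""
    exchanges, cur = [], None
    for line in trace.splitlines():
        if m := REQ_RE.search(line):
            # Assumed field order: authen_method, priv_lvl, authen_type, authen_service,
            # user, port, rem_addr, arg_cnt, args (space separated).
            f = m["fields"].split(", ", 8)
            cur = Exchange(user=f[4], args=f[8].split() if len(f) > 8 else [])
            exchanges.append(cur)
        elif cur and (m := RULE_RE.search(line)):
            cur.rule = m.group(0).split("found: ", 1)[1]
            cur.rule_args = rule_reply_args(m["attrs"])
        elif cur and (m := RESP_RE.search(line)):
            cur.status = int(m["status"])
            cur.reply_args = m["args"].split()
            cur = None
    return exchanges


def unexpected_args(ex: Exchange) -> set:
    """Reply args in the RESPONSE that the matched AuthorizeGroup rule did not contribute."""
    return set(ex.reply_args) - ex.rule_args


def audit(trace: str) -> list:
    """(request args, status name, extra reply args) for every exchange that leaks args."""
    findings = []
    for ex in parse_exchanges(trace):
        extra = unexpected_args(ex)
        if extra:
            findings.append((" ".join(ex.args), AUTHOR_STATUS.get(ex.status, str(ex.status)), sorted(extra)))
    return findings


if __name__ == "__main__":
    for req, status, extra in audit(SAMPLE_TRACE):
        print(f"{status} for [{req}] carries args not from the rule: {extra}")
```

Run against a real trace 4 log, an exchange is reported only when the RESPONSE carries an argument that the matched rule's braces do not explain; a priv-lvl that appears in a command authorization reply (status PASS_ADD, so the NAS appends it to its argument list) with an empty `{ }` rule is exactly the case in the thread.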