[RADIATOR] TACACS+ authorisation problem

Hugh Irvine hugh at open.com.au
Sun Oct 17 17:42:00 CDT 2010 

Hello Markus -

From section 5.86 in the manual:

….

Incoming TACACS+ authorization requests are approved subject to any Command- Auth parameters, and any cisco-avpair reply items from the previous authentication RADIUS Access-Accept are used as authorization attribute-value pairs.

….

Perhaps I am not understanding what you are wanting?

regards

Hugh


On 18 Oct 2010, at 09:07, Markus Moeller wrote:

> Sorry Hugh,
> 
> I may have not been clear.  As far as I understood a line like:
> 
> AuthorizeGroup group1 permit service=shell  {cisco-avpair="priv-lvl=12"}
> 
> would add priv-lvl=12 to the authorization reply and I agree with that.
> 
> But would a handler like:
> 
> <Handler Service-Type=Administrative-User>
>  AuthByPolicy ContinueUntilAccept
>  AuthBy Users
>  AuthLog LogAuthentication
>  AddToReply cisco-avpair="priv-lvl=12"
> </Handler>
> 
> mean that all authentication AND authorization replys have priv-lvl=12 in their reply ?  That is what I see and not expect and can't see in the documentation.
> 
> Markus
> 
> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Cc: <radiator at open.com.au>
> Sent: Sunday, October 17, 2010 10:13 PM
> Subject: Re: [RADIATOR] TACACS+ authorisation problem
> 
> 
> 
> Hello Markus -
> 
> Radiator is operating as intended.
> 
> See section 5.86 in the Radiator 4.7 reference manual ("doc/ref.pdf").
> 
> regards
> 
> Hugh
> 
> 
> On 18 Oct 2010, at 07:27, Markus Moeller wrote:
> 
>> With bug I mean is it intended to add the av pair to the authorisation exchange ? I would have thought this would be only done as part of the authorisationgroup command
>> 
>> Thank you
>> Markus
>> ----- Original Message -----
>> From: Markus Moeller
>> To: radiator at open.com.au
>> Sent: Sunday, October 17, 2010 1:35 PM
>> Subject: [RADIATOR] TACACS+ authorisation problem
>> 
>> 
>> I have a problem with TACACS+ command authorisation.
>> 
>> If I add am attribute to the authentication reply as shown below it seems that it is also added to the authorisation reply (see RESPONSE line). This creates a problem on the cisco router and the command is denied. Is this a bug ?
>> 
>> Thank you
>> Markus
>> 
>> <Handler Service-Type=Administrative-User>
>>   AuthByPolicy ContinueUntilAccept
>>   AuthBy Users
>>   AuthLog LogAuthentication
>>   AddToReply cisco-avpair="priv-lvl=15"
>> </Handler>
>> 
>> 
>> Code:       Access-Accept
>> Identifier: UNDEF
>> Authentic:  <217><2><221>F<29><240><4>w<208>(<242>^<4>W:/
>> Attributes:
>>        cisco-avpair = "priv-lvl=15"
>> 
>> Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection result Access-Accept
>> Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
>> Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection disconnected from 10.10.10.10:37060
>> Sun Oct 17 12:33:09 2010: DEBUG: New TacacsplusConnection created for 10.10.10.10:37061
>> Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 4287547660, 88
>> Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, xxx, tty1, 10.20.1.1, 4, service=
>> shell cmd=show cmd-arg=running-config cmd-arg=<cr>
>> Sun Oct 17 12:33:09 2010: DEBUG: AuthorizeGroup rule match found: permit service=shell {  }
>> Sun Oct 17 12:33:09 2010: INFO: Authorization permitted for xxx, group test, args service=shell cmd=show cmd-arg=running-c
>> onfig cmd-arg=<cr>
>> Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=15
>> Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection disconnected from 10.10.10.10:37061
>> 
>> 
>> 
>> 
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
> 
> 
> 
> NB:
> 
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> 
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> 
> 
> 
> 
> 
> 
> 



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

More information about the radiator mailing list