[RADIATOR] TACACS+ authorisation problem

Markus Moeller huaraz at moeller.plus.com
Mon Oct 18 00:15:05 CDT 2010


Apologies. I didn't read it correctly.

Thank you
Markus

----- Original Message ----- 
From: "Hugh Irvine" <hugh at open.com.au>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Cc: <radiator at open.com.au>
Sent: Sunday, October 17, 2010 11:42 PM
Subject: Re: [RADIATOR] TACACS+ authorisation problem



Hello Markus -

From section 5.86 in the manual:

….

Incoming TACACS+ authorization requests are approved subject to any Command- 
Auth parameters, and any cisco-avpair reply items from the previous 
authentication RADIUS Access-Accept are used as authorization 
attribute-value pairs.

….

Perhaps I am not understanding what you are wanting?

regards

Hugh


On 18 Oct 2010, at 09:07, Markus Moeller wrote:

> Sorry Hugh,
>
> I may have not been clear.  As far as I understood a line like:
>
> AuthorizeGroup group1 permit service=shell  {cisco-avpair="priv-lvl=12"}
>
> would add priv-lvl=12 to the authorization reply and I agree with that.
>
> But would a handler like:
>
> <Handler Service-Type=Administrative-User>
>  AuthByPolicy ContinueUntilAccept
>  AuthBy Users
>  AuthLog LogAuthentication
>  AddToReply cisco-avpair="priv-lvl=12"
> </Handler>
>
> mean that all authentication AND authorization replies have priv-lvl=12 in 
> their reply?  That is what I see and do not expect and can't see in the 
> documentation.
>
> Markus
>
> ----- Original Message ----- 
> From: "Hugh Irvine" <hugh at open.com.au>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Cc: <radiator at open.com.au>
> Sent: Sunday, October 17, 2010 10:13 PM
> Subject: Re: [RADIATOR] TACACS+ authorisation problem
>
>
>
> Hello Markus -
>
> Radiator is operating as intended.
>
> See section 5.86 in the Radiator 4.7 reference manual ("doc/ref.pdf").
>
> regards
>
> Hugh
>
>
> On 18 Oct 2010, at 07:27, Markus Moeller wrote:
>
>> With bug I mean is it intended to add the av pair to the authorisation 
>> exchange? I would have thought this would be only done as part of the 
>> authorisationgroup command
>>
>> Thank you
>> Markus
>> ----- Original Message -----
>> From: Markus Moeller
>> To: radiator at open.com.au
>> Sent: Sunday, October 17, 2010 1:35 PM
>> Subject: [RADIATOR] TACACS+ authorisation problem
>>
>>
>> I have a problem with TACACS+ command authorisation.
>>
>> If I add an attribute to the authentication reply as shown below it seems 
>> that it is also added to the authorisation reply (see RESPONSE line). 
>> This creates a problem on the cisco router and the command is denied. Is 
>> this a bug?
>>
>> Thank you
>> Markus
>>
>> <Handler Service-Type=Administrative-User>
>>   AuthByPolicy ContinueUntilAccept
>>   AuthBy Users
>>   AuthLog LogAuthentication
>>   AddToReply cisco-avpair="priv-lvl=15"
>> </Handler>
>>
>>
>> Code:       Access-Accept
>> Identifier: UNDEF
>> Authentic:  <217><2><221>F<29><240><4>w<208>(<242>^<4>W:/
>> Attributes:
>>        cisco-avpair = "priv-lvl=15"
>>
>> Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection result Access-Accept
>> Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
>> Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection disconnected from 10.10.10.10:37060
>> Sun Oct 17 12:33:09 2010: DEBUG: New TacacsplusConnection created for 10.10.10.10:37061
>> Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 4287547660, 88
>> Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, xxx, tty1, 10.20.1.1, 4, service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
>> Sun Oct 17 12:33:09 2010: DEBUG: AuthorizeGroup rule match found: permit service=shell {  }
>> Sun Oct 17 12:33:09 2010: INFO: Authorization permitted for xxx, group test, args service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
>> Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=15
>> Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection disconnected from 10.10.10.10:37061
>>
>>
>>
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive 
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.

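The behaviour Markus traced above (a cisco-avpair set by the Handler's AddToReply turning up in the TACACS+ command authorization RESPONSE) can be picked out of a trace 4 log mechanically. What follows is an added example, not Radiator's own code and not anything posted in the thread: it reads the TacacsplusConnection debug lines, remembers the cisco-avpair values carried by the last Access-Accept, and flags per-command authorization responses whose AV pairs came from that Access-Accept rather than from the matched AuthorizeGroup rule. The sample log is constructed from the wrapped excerpt in the thread, plus a second constructed session in which the AV pair comes from the rule itself; the positional meaning of the REQUEST fields (user in the fifth field, argument list after the eighth) is assumed from that excerpt.

```python
"""Audit a Radiator trace 4 log for TACACS+ authorization responses that carry
AV pairs inherited from the preceding RADIUS Access-Accept.

Added example, not Radiator code. The sample log is constructed from the
wrapped excerpt in the thread; the positional meaning of the REQUEST fields
(user in the fifth field, argument list after the eighth) is assumed from it.
"""
import re

TRACE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): (?P<level>\w+): (?P<msg>.*)$')
DUMP_AVPAIR_RE = re.compile(r'cisco-avpair = "([^"]*)"')   # RADIUS reply dump line
AUTHZ_REQ_RE = re.compile(r'TacacsplusConnection Authorization REQUEST (.*)$')
AUTHZ_RESP_RE = re.compile(
    r'TacacsplusConnection Authorization RESPONSE (\d+), ([^,]*), ([^,]*),\s*(.*)$')
RULE_RE = re.compile(r'AuthorizeGroup rule match found: (permit|deny) (.*?)\s*\{(.*)\}\s*$')


def parse_reply_items(text):
    """Reply items inside an AuthorizeGroup rule's {...} block, returned as
    name=value strings; accepts cisco-avpair="priv-lvl=12" or bare priv-lvl=12."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'cisco-avpair="([^"]*)"|(\S+=\S+)', text)]


def audit(log_text):
    """Return one finding per command authorization (cmd=... present) whose
    RESPONSE carries an AV pair that came from the last Access-Accept rather
    than from the matched AuthorizeGroup rule."""
    findings = []
    pending = []       # cisco-avpair values seen in the current reply dump
    auth_avpairs = []  # values carried by the most recent Access-Accept
    request = None     # the authorization request awaiting its RESPONSE
    for raw in log_text.splitlines():
        m = TRACE_RE.match(raw)
        if not m:
            # Untimestamped lines are the RADIUS packet dump (Code/Attributes).
            pending.extend(DUMP_AVPAIR_RE.findall(raw))
            continue
        ts, msg = m.group('ts'), m.group('msg')
        if msg.startswith('TacacsplusConnection result '):
            auth_avpairs = pending if msg.endswith('Access-Accept') else []
            pending = []
        elif (r := AUTHZ_REQ_RE.search(msg)):
            fields = r.group(1).split(', ', 8)   # field layout assumed from the trace
            request = {'ts': ts,
                       'user': fields[4] if len(fields) > 4 else '',
                       'args': fields[8].split() if len(fields) > 8 else [],
                       'rule_items': []}
        elif (r := RULE_RE.search(msg)) and request is not None:
            request['rule_items'] = parse_reply_items(r.group(3))
        elif (r := AUTHZ_RESP_RE.search(msg)) and request is not None:
            resp_args = r.group(4).split()
            inherited = [a for a in resp_args
                         if a not in request['rule_items'] and a in auth_avpairs]
            cmd = next((a[4:] for a in request['args'] if a.startswith('cmd=')), None)
            if inherited and cmd is not None:
                findings.append({'ts': ts, 'user': request['user'], 'cmd': cmd,
                                 'status': r.group(1), 'inherited': inherited})
            request = None
    return findings


# Constructed sample: the thread's excerpt (unwrapped), then a second session
# where priv-lvl=12 is supplied by the AuthorizeGroup rule for the exec shell.
SAMPLE_LOG = """\
Code:       Access-Accept
Identifier: UNDEF
Attributes:
       cisco-avpair = "priv-lvl=15"

Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection result Access-Accept
Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, xxx, tty1, 10.20.1.1, 4, service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
Sun Oct 17 12:33:09 2010: DEBUG: AuthorizeGroup rule match found: permit service=shell {  }
Sun Oct 17 12:33:09 2010: INFO: Authorization permitted for xxx, group test, args service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=15
Sun Oct 17 12:40:00 2010: DEBUG: TacacsplusConnection result Access-Accept
Sun Oct 17 12:40:01 2010: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, yyy, tty2, 10.20.1.2, 1, service=shell
Sun Oct 17 12:40:01 2010: DEBUG: AuthorizeGroup rule match found: permit service=shell {cisco-avpair="priv-lvl=12"}
Sun Oct 17 12:40:01 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=12
"""

if __name__ == '__main__':
    for f in audit(SAMPLE_LOG):
        print(f"{f['ts']}: user {f['user']} cmd {f['cmd']}: "
              f"response carries {f['inherited']} from the Access-Accept, not the rule")
```

Run as a script it reports only the first session (the `show running-config` authorization carrying priv-lvl=15), while the second session is silent because priv-lvl=12 is accounted for by the rule's own reply items. Pointing it at a real trace 4 log gives a quick answer to the question in the thread for each authorization: whether an AV pair on the wire came from AddToReply in the Handler or from an AuthorizeGroup rule.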

