[RADIATOR] (RADIATOR) enable privilege levels for TACACS+ server

Markus Moeller huaraz at moeller.plus.com
Fri Sep 24 12:09:41 CDT 2010


Hi,

 Would it also be possible to map the privilege level from the TACACS+ request into a RADIUS attribute? This will allow Radiator to differentiate whether a user typed enable, enable 5 or enable 7.

Thank you
Markus


####################################################################
# Handle a TACACS+ authentication START request
sub authentication_start
{
    my ($self, $body) = @_;

    $self->{user} = undef;
    $self->{password} = undef;

    my ($action, $priv_lvl, $authen_type, $service,
        $user_len, $port_len, $rem_addr_len, $data_len,
        $fields) = unpack('CCCCCCCCa*', $body);
    if ($user_len + $port_len + $rem_addr_len + $data_len > length($fields))
    {
        $self->{parent}->log($main::LOG_ERR, "Inconsistent lengths in Tacacs Authentication request from $self->{peeraddr}:$self->{peerport}. Bad Key?");
        $self->authentication_reply($Radius::Tacacsplus::TAC_PLUS_AUTHEN_STATUS_ERROR, 0, 'Inconsistent lengths');
        $self->disconnect();
        return;
    }
    # Decode the variable length fields
    my $i = 0;
    my $user     = substr($fields, $i, $user_len);     $i += $user_len;
    my $port     = substr($fields, $i, $port_len);     $i += $port_len;
    my $rem_addr = substr($fields, $i, $rem_addr_len); $i += $rem_addr_len;
    my $data     = substr($fields, $i, $data_len);     $i += $data_len;

    $self->{parent}->log($main::LOG_DEBUG, "TacacsplusConnection Authentication START $action, $authen_type, $service for $user, $port, $rem_addr");

    $self->{user} = $user;
    $self->{port} = $port;
    $self->{service} = $service;
    $self->{rem_addr} = $rem_addr;
    my $tp = $self->create_radius_request('Access-Request');

The TACACS+ request contains the following, but only user, port, service and remote address are converted, not the privilege level.

>   Decrypted Request
>        Action: Inbound Login
>        Privilege Level: 15
>        Authentication type: ASCII
>        Service: ENABLE
>        User len: 6
>        User: fred
>        Port len: 5
>        Port: tty18
>        Remaddr len: 12
>        Remote Address: 192.168.1.1
>        Data: 0 (not used)

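As an added example (not Radiator's code), the same START-body decoding in Python, with Radiator's length-consistency check and the privilege level carried through into the attribute set. Assumptions: the action/type/service constant values are taken from RFC 8907, "TACACS-Privilege-Level" is a constructed attribute name rather than a Radiator dictionary entry, and the sample body is built to match the decrypted request shown above.

```python
import struct
from typing import Dict

# Constants from RFC 8907 for the authentication START body (values per the RFC)
TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_ENABLE = 1, 1, 2
START_HDR = struct.Struct("!BBBBBBBB")  # action, priv_lvl, authen_type, service, 4 lengths


def build_start(action, priv_lvl, authen_type, service, user, port, rem_addr, data=b""):
    """Encode a START body (inverse of Radiator's unpack) so we have test input."""
    return START_HDR.pack(action, priv_lvl, authen_type, service, len(user),
                          len(port), len(rem_addr), len(data)) + user + port + rem_addr + data


def parse_start(body: bytes) -> Dict[str, object]:
    """Decode a decrypted START body as the Radiator snippet does, with the same
    length-consistency check; raise instead of slicing past the buffer."""
    if len(body) < START_HDR.size:
        raise ValueError("START body shorter than fixed header")
    (action, priv_lvl, authen_type, service,
     user_len, port_len, rem_addr_len, data_len) = START_HDR.unpack_from(body)
    fields = body[START_HDR.size:]
    if user_len + port_len + rem_addr_len + data_len > len(fields):
        # Radiator logs this case as "Inconsistent lengths ... Bad Key?"
        raise ValueError("Inconsistent lengths in TACACS+ START (bad key?)")
    i = 0
    user = fields[i:i + user_len]; i += user_len
    port = fields[i:i + port_len]; i += port_len
    rem_addr = fields[i:i + rem_addr_len]; i += rem_addr_len
    data = fields[i:i + data_len]
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user.decode(), "port": port.decode(),
            "rem_addr": rem_addr.decode(), "data": data}


def to_radius_attrs(start: Dict[str, object]) -> Dict[str, object]:
    """Map START fields onto RADIUS attributes as the thread describes, and add
    the privilege level under a constructed (non-Radiator) attribute name."""
    enable = start["service"] == TAC_PLUS_AUTHEN_SVC_ENABLE
    return {
        "User-Name": start["user"],
        # Service-Type values as they appear in the Radiator log quoted in the thread
        "Service-Type": "Administrative-Login" if enable else "User-Login",
        # The proposed mapping: lets 'enable 5' and 'enable 7' be told apart
        "TACACS-Privilege-Level": start["priv_lvl"],
    }


# Constructed sample matching the decrypted request shown in the thread
SAMPLE = build_start(TAC_PLUS_AUTHEN_LOGIN, 15, TAC_PLUS_AUTHEN_TYPE_ASCII,
                     TAC_PLUS_AUTHEN_SVC_ENABLE, b"fred", b"tty18", b"192.168.1.1")
```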


  ----- Original Message ----- 
  From: Markus Moeller 
  To: radiator at open.com.au 
  Sent: Tuesday, January 29, 2008 11:17 PM
  Subject: (RADIATOR) enable privilege levels for TACACS+ server


  I try to run, in addition to the Radius server, the TACACS+ server.  On a Cisco router you can get into different privilege levels by using enable # where # is a number between 1 and 15.  On a normal TACACS+ server this corresponds to users enable#, e.g. 15 different users and passwords. 

  The Tacacs+ client sends among others the following AV pairs

  Service = ENABLE
  Privilege Level = #
  User-name = fred
  User-password = fred

  In the Radiator log  I can only see among others the following attributes:

  Service-Type = Administrative-Login
  User-name = fred
  User-password = fred

  The Service Type changes from User-Login to Administrative-Login, but I can't identify the privilege level attribute. 

  How can I get access to the privilege level attribute from TACACS+ ?

  Thank you
  Markus 