[RADIATOR] (RADIATOR) enable privilege levels for TACACS+ server

Hugh Irvine hugh at open.com.au
Fri Sep 24 17:51:01 CDT 2010 

Hello Markus -

You can do this already with the AuthenticationStartHook.

See the code immediately following what you show below.

regards

Hugh


On 25 Sep 2010, at 03:09, Markus Moeller wrote:

> Hi,
>  
>  Would it be possible to map also the privilege level from the tacacs request into a radius attribute ? This will allow to differentiate in Radiator if a user typed enable or enable 5 or enable 7.
>  
> Thank you
> Markus
>  
>  
> ####################################################################
> # Handle a TACACS+ authentication START request
> sub authentication_start
> {
>     my ($self, $body) = @_;
>  
>     $self->{user} = undef;
>     $self->{password} = undef;
>  
>     my ($action, $priv_lvl, $authen_type, $service,
>         $user_len, $port_len, $rem_addr_len, $data_len,
>         $fields) = unpack('CCCCCCCCa*', $body);
>     if ($user_len + $port_len + $rem_addr_len + $data_len > length($fields))
>     {
>         $self->{parent}->log($main::LOG_ERR, "Inconsistent lengths in Tacacs Authentication request from $self->{peeraddr}:$self->{peerport}. Bad Key?");
>         $self->authentication_reply($Radius::Tacacsplus::TAC_PLUS_AUTHEN_STATUS_ERROR, 0, 'Inconsistent lengths');
>         $self->disconnect();
>         return;
>     }
>     # Decode the variable length fields
>     my $i = 0;
>     my $user     = substr($fields, $i, $user_len);     $i += $user_len;
>     my $port     = substr($fields, $i, $port_len);     $i += $port_len;
>     my $rem_addr = substr($fields, $i, $rem_addr_len); $i += $rem_addr_len;
>     my $data     = substr($fields, $i, $data_len);     $i += $data_len;
>  
>     $self->{parent}->log($main::LOG_DEBUG, "TacacsplusConnection Authentication START $action, $authen_type, $service for $user, $port, $rem_addr");
>  
>     $self->{user} = $user;
>     $self->{port} = $port;
>     $self->{service} = $service;
>     $self->{rem_addr} = $rem_addr;
>     my $tp = $self->create_radius_request('Access-Request');
>  
> The Tacacs request contains the following, but only user, port, servicve and remote address are converted not the privelege level.
>  
> >   Decrypted Request
> >        Action: Inbound Login
> >        Privilege Level: 15
> >        Authentication type: ASCII
> >        Service: ENABLE
> >        User len: 6
> >        User: fred
> >        Port len: 5
> >        Port: tty18
> >        Remaddr len: 12
> >        Remote Address: 192.168.1.1
> >        Data: 0 (not used)
>  
>  
> ----- Original Message -----
> From: Markus Moeller
> To: radiator at open.com.au
> Sent: Tuesday, January 29, 2008 11:17 PM
> Subject: (RADIATOR) enable privilege levels for TACACS+ server
> 
> I try to run in addition to the Radius server the TACACS+ server.  On cisco router you can get into different privilege leves by using enable # where # is a number between 1 and 15.  On a normal TACACS+ server this corresponds to users enable#  e.g. 15 different users and passwords.
>  
> The Tacacs+ client sends among others the following AV pairs
>  
> Service = ENABLE
> Privilege Level = #
> User-name = fred
> User-password = fred
>  
> In the Radiator log  I can only see among others the following attributes:
>  
> Service-Type = Administrative-Login
> User-name = fred
> User-password = fred
>  
> The Service Type changes from User-Login to Administrative-Login but I can't identify the privilege level attribute ?
>  
> How can I get access to the privilege level attribute from TACACS+ ?
>  
> Thank you
> Markus 
>  
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

More information about the radiator mailing list