[RADIATOR] Tacacs role reply.
Mark Bassett
mbassett at intelius.com
Thu Feb 24 15:39:29 CST 2011

# Radiator configuration as posted with the question. Secret, Key, DN and
# host values are placeholders.
<Client DEFAULT>
        DupInterval 0
        FramedGroupMaxPortsPerClassC 255
        LivingstonHole 2
        LivingstonOffs 29
        NasType unknown
        SNMPCommunity asdfasdfaf
        Secret asdfasdfasdf
</Client>
# Users are checked against Active Directory over LDAPS (port 636).
# SSLVerify none means the domain controller's certificate is not verified,
# so the bind password and user passwords are only as protected as the path
# to whatever answers on that port.
<AuthBy LDAP2>
        AuthDN somedn
        AuthPassword somepw
        BaseDN basedn
        CachePasswordExpiry 86400
        Deref find
        EAPAnonymous anonymous
        EAPContextTimeout 1000
        EAPFAST_PAC_Lifetime 7776000
        EAPFAST_PAC_Reprovision 2592000
        EAPTLS_MaxFragmentSize 2048
        EAPTLS_PEAPVersion 1
        EAPTLS_SessionResumption 1
        EAPTLS_SessionResumptionLimit 43200
        EAPTLS_VerifyDepth 1
        FailureBackoffTime 600
        Host somedomaincontroller
        Identifier CheckAD
        LDAPRejectEmptyPassword 1
        MaxRecords 1
        PasswordPrompt password
        Port 636
        SASLMechanism DIGEST-MD5
        SIPDigestRealm DefaultSipRealm
        SSLCAFile
        SSLCiphers ALL
        SSLVerify none
        Scope sub
        SearchFilter (%0=%1)
        ServerChecksPassword 1
        Timeout 10
        UseSSL 1
        UsernameAttr sAMAccountName
        Version 3
</AuthBy>
<Realm DEFAULT>
        AuthByPolicy ContinueWhileIgnore
        AuthBy CheckAD
</Realm>
# TACACS+ listener. The single AuthorizeGroup rule returns only priv-lvl=15
# to group DEFAULT; no shell:roles attribute is returned, and the log below
# shows the exec-start request (cmd= with optional shell:roles*) finding no
# matching rule at all.
<ServerTACACSPLUS>
        AddToRequest NAS-Identifier=TACACS
        AuthorizationTimeout 600
        AuthorizeGroup DEFAULT permit service=shell cmd\* {priv-lvl=15}
        BindAddress 0.0.0.0
        GroupCacheFile /tmp/radiator-tacacs-usergroup.cache
        IdleTimeout 180
        Key asdfasdfasdfasdf
        MaxBufferSize 100000
        PasswordPrompt Password:
        Port 49
        UsernamePrompt Username:
</ServerTACACSPLUS>
 
Thu Feb 24 13:34:06 2011: DEBUG: TacacsplusConnection result Access-Accept
Thu Feb 24 13:34:06 2011: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Thu Feb 24 13:34:06 2011: DEBUG: TacacsplusConnection disconnected from x.x.x.x:44643
Thu Feb 24 13:34:06 2011: DEBUG: New TacacsplusConnection created for x.x.x.x:44644
Thu Feb 24 13:34:06 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 35453611, 77
Thu Feb 24 13:34:06 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 2, 1, username, 0, xxxxxxxxxx, 4, service=shell cmd= cisco-av-pair* shell:roles*
Thu Feb 24 13:34:06 2011: INFO: Authorization denied for username, group DEFAULT. No matching AuthorizeGroup rule for args service=shell cmd= cisco-av-pair* shell:roles*
Thu Feb 24 13:34:06 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 16, denied, ,
Thu Feb 24 13:34:06 2011: DEBUG: TacacsplusConnection disconnected from x.x.x.x:44644
Thu Feb 24 13:34:06 2011: DEBUG: New TacacsplusConnection created for x.x.x.x:44645
Thu Feb 24 13:34:06 2011: DEBUG: TacacsplusConnection request 192, 3, 1, 0, 1201619601, 113
Thu Feb 24 13:34:06 2011: DEBUG: TacacsplusConnection Accounting REQUEST 2, 6, 0, 2, 0, username, 3009, , 4, task_id=/dev/pts/9_10.192.144.33 start_time=Thu Feb 24 13:34:04 2011
 
 
From: Mark Bassett 
Sent: Thursday, February 24, 2011 12:40 PM
To: Mark Bassett; radiator at open.com.au
Subject: RE: [RADIATOR] Tacacs role reply.
 
I am currently using this in AuthorizeGroup
 
DEFAULT permit service=shell cmd\* {priv-lvl=15}
 
I tried adding roles="network-admin" but that did not work.
 
 
 
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au]
On Behalf Of Mark Bassett
Sent: Thursday, February 24, 2011 12:09 PM
To: radiator at open.com.au
Subject: [RADIATOR] Tacacs role reply.
 
Hi guys, I'm using TACACS+ on some Cisco SAN-OS fiber switches. I am
able to authenticate and log in properly, but I am not being assigned
the proper TACACS+ role "network-admin".

I need to add this pair
cisco-av-pair=shell:roles="network-admin"

but I am not sure where to add it.
 
Thu Feb 24 11:53:20 2011: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Accounting-Request
Identifier: UNDEF
Authentic:  <179><7><222><214><0>N<217><154><14><164>E<243>AXt<150>
Attributes:
        NAS-IP-Address = xxxxxxx
        NAS-Port-Id = "3009"
        NAS-Identifier = "TACACS"
        User-Name = "username"
        Acct-Status-Type = Stop
        Acct-Session-Id = "307300720"
        cisco-avpair = "task_id=/dev/pts/9_10.192.144.33"
        cisco-avpair = "stop_time=Thu Feb 24 11:53:20 2011<10>"
        cisco-avpair = "err_msg=shell terminated<0>"
        cisco-avpair = "service=none"
        OSC-Version-Identifier = "192"
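The authorization exchange in the log above, modelled as an added example (Python written for this page; it is not Radiator's code and does not reproduce Radiator's AuthorizeGroup matching). The request line `Authorization REQUEST 6, 1, 2, 1, username, 0, xxxxxxxxxx, 4, service=shell cmd= cisco-av-pair* shell:roles*` is the exec-session start from the switch: `cmd=` is present but empty, and `shell:roles*` is offered as an optional argument the server may fill in. The attribute the switch negotiates is therefore `shell:roles` itself; the `cisco-av-pair=shell:roles=...` spelling in the original message is the RADIUS VSA form. The later `RESPONSE 16, denied` is status 0x10, TAC_PLUS_AUTHOR_STATUS_FAIL in RFC 8907. The code parses the argument list, evaluates a constructed rule table in AuthorizeGroup style (the semantics used here, every pattern of a rule must fully match at least one argument as an anchored regex, are an assumption of this example), and serialises and re-parses the REPLY body per RFC 8907 section 6.2, returning `priv-lvl=15` and `shell:roles*"network-admin"`. Keeping `shell:roles` optional (`*`) lets a device that does not understand it ignore the attribute.

```python
"""Model of the TACACS+ authorization exchange seen in the Radiator log above.

Added example written for this page; it is not Radiator's code.  Assumptions:
the rule-matching semantics (every pattern of a rule must fully match at
least one request argument) are a simplified stand-in for AuthorizeGroup,
and the rule table and request strings are constructed for the example.
The REPLY body layout follows RFC 8907, section 6.2.
"""
import re
import struct

# RFC 8907 authorization REPLY status codes.
AUTHOR_STATUS_PASS_ADD = 0x01   # reply args are added to the request args
AUTHOR_STATUS_PASS_REPL = 0x02  # reply args replace the request args
AUTHOR_STATUS_FAIL = 0x10       # the "RESPONSE 16, denied" in the log above
AUTHOR_STATUS_ERROR = 0x11

# Argument list copied from the Authorization REQUEST in the log: the exec
# session start.  cmd is present but empty; the two '*' args are optional.
LOG_REQUEST_ARGS = "service=shell cmd= cisco-av-pair* shell:roles*"


def parse_args(text):
    """Split a space-separated TACACS+ arg list into (name, value, mandatory).
    '=' marks a mandatory argument and '*' an optional one (RFC 8907, 6.1)."""
    parsed = []
    for token in text.split():
        match = re.fullmatch(r"([^=*]+)([=*])(.*)", token)
        if not match:
            raise ValueError("malformed TACACS+ argument: %r" % token)
        parsed.append((match.group(1), match.group(3), match.group(2) == "="))
    return parsed


def render_arg(name, value, mandatory):
    """Inverse of parse_args for a single argument."""
    return name + ("=" if mandatory else "*") + value


# Constructed rule table in AuthorizeGroup style: (action, patterns, reply args).
# First matching rule wins.  shell:roles is returned optional ('*') so a client
# that does not understand it can ignore it, while NX-OS picks up the role.
RULES = [
    ("permit", [r"service=shell", r"cmd="],
     ["priv-lvl=15", 'shell:roles*"network-admin"']),   # exec start
    ("permit", [r"service=shell", r"cmd=.+"], []),         # any command
    ("deny", [r".*"], []),                                  # everything else
]


def evaluate(request_args, rules=RULES):
    """Return (status, reply_args) for the first rule all of whose patterns
    fully match at least one rendered request argument."""
    rendered = [render_arg(*arg) for arg in request_args]
    for action, patterns, reply in rules:
        if all(any(re.fullmatch(p, r) for r in rendered) for p in patterns):
            if action == "deny":
                return AUTHOR_STATUS_FAIL, []
            status = AUTHOR_STATUS_PASS_REPL if reply else AUTHOR_STATUS_PASS_ADD
            return status, list(reply)
    return AUTHOR_STATUS_FAIL, []  # no rule matched: deny by default


def encode_reply_body(status, reply_args, server_msg=b"", data=b""):
    """Serialise an authorization REPLY body (RFC 8907, 6.2): status(1)
    arg_cnt(1) server_msg_len(2) data_len(2) arg_len[arg_cnt] server_msg data
    arg_1..arg_N.  The 12-byte header and the body obfuscation with the shared
    Key are outside this function."""
    args = [a.encode("ascii") for a in reply_args]
    if len(args) > 255 or any(len(a) > 255 for a in args):
        raise ValueError("argument count and lengths are single bytes")
    body = struct.pack(">BBHH", status, len(args), len(server_msg), len(data))
    body += bytes(len(a) for a in args)
    return body + server_msg + data + b"".join(args)


def decode_reply_body(body):
    """Parse a REPLY body into (status, args, server_msg, data), rejecting
    truncated or over-long bodies instead of silently misreading them."""
    if len(body) < 6:
        raise ValueError("reply body shorter than fixed header")
    status, arg_cnt, msg_len, data_len = struct.unpack(">BBHH", body[:6])
    pos = 6
    arg_lens = list(body[pos:pos + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated argument length table")
    pos += arg_cnt
    server_msg, pos = body[pos:pos + msg_len], pos + msg_len
    data, pos = body[pos:pos + data_len], pos + data_len
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode("ascii"))
        pos += n
    if pos != len(body):
        raise ValueError("reply body length does not match its fields")
    return status, args, server_msg, data


def authorize(arg_text):
    """Round trip: parse the request args, evaluate the rules, encode the
    REPLY body and decode it again as the client would."""
    status, reply = evaluate(parse_args(arg_text))
    return decode_reply_body(encode_reply_body(status, reply))


if __name__ == "__main__":
    status, args, _, _ = authorize(LOG_REQUEST_ARGS)
    print("status=0x%02x args=%s" % (status, args))
```

Run as-is it evaluates the exec-start request from the log and prints the PASS_REPL reply carrying the role; feeding it `service=shell cmd=show cmd-arg=interface` exercises the per-command rule, and anything outside `service=shell` falls through to the deny rule, which is the status the log shows for the unmatched request.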
 
 