[RADIATOR] Radiator/TACACS+ via ADSI

Kim, Steve steve.kim at davispolk.com
Wed Nov 9 10:39:17 CST 2011


It's sweet! It is working.
Thanks for your help.

My initial setup is working with your help. 
However, I'd like to configure the following with a Cisco router and AD via TACACS+.

Here is the Cisco configuration:

aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated 
aaa authorization commands 15 default group tacacs+ if-authenticated

In order to accomplish the following authorization per group, can you help me out with how <ServerTACACSPLUS> should be configured?

privilege level 0 (other) -  which includes disable, enable, exit, help, and logout
privilege level 1 (guest) - normal level on a Telnet, allows show commands - prompt says router> 
privilege level 15 (networking_staff) - enable level, full access - prompt says router#

These are what I'm trying to use:

AuthorizeGroup networking_staff permit service=shell cmd=\* {priv-lvl=15}
AuthorizeGroup guest permit service=shell cmd\* {priv-lvl=1}
AuthorizeGroup others permit service=shell cmd\* {priv-lvl=0}
AuthorizeGroup DEFAULT  deny .*

Thanks,

Steve.
-----Original Message-----
From: Heikki Vatiainen [mailto:hvn at open.com.au] 
Sent: Wednesday, November 09, 2011 11:09 AM
To: Kim, Steve
Cc: 'radiator at open.com.au'
Subject: Re: [RADIATOR] Radiator/TACACS+ via ADSI

On 11/09/2011 05:58 PM, Kim, Steve wrote:

Hello Steve,

> Yes, I have checked the privileges.
> So, this time, I ran Radiator from services.msc, which starts it with the local system account instead of from the command line.
> It looked like it was working in a way, but I got the following error:

Yes, it's looking much better. Please see below for some options.

> Wed Nov  9 10:49:10 2011: DEBUG: Handling with Radius::AuthLSA: LSA
> Wed Nov  9 10:49:10 2011: DEBUG: Radius::AuthLSA looks for match with stevekim [stevekim]
> Wed Nov  9 10:49:13 2011: DEBUG: Checking LSA Group membership for , networking_staff, stevekim

Ok, it is checking group networking_staff, user stevekim against controller '' (empty string). You may want to specify the DomainController config option, since it seems unable to get results from '', which means checking the host where Radiator runs.

See ref.pdf section "5.53.8 DomainController" for more about the option.

Thanks!
Heikki


> Wed Nov  9 10:49:13 2011: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: stevekim [stevekim]
> Wed Nov  9 10:49:13 2011: DEBUG: AuthBy LSA result: REJECT, AuthBy LSA User is not a member of any Group
> Wed Nov  9 10:49:13 2011: INFO: Access rejected for stevekim: AuthBy LSA User is not a member of any Group
> Wed Nov  9 10:49:13 2011: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:       Access-Reject
> 
> The id, stevekim, is a member of the AD group networking_staff.
> 
> Thanks,
> 
> Steve.
> 
> -----Original Message-----
> From: Heikki Vatiainen [mailto:hvn at open.com.au]
> Sent: Wednesday, November 09, 2011 10:47 AM
> To: Kim, Steve
> Cc: 'radiator at open.com.au'
> Subject: Re: [RADIATOR] Radiator/TACACS+ via ADSI
> 
> On 11/09/2011 05:37 PM, Kim, Steve wrote:
> 
> Hello Steve,
> 
>> I have tried LSA with following config and it did not work.
>>
>> <AuthBy LSA>
>> 		Identifier LSA
>> 		Domain xxx.xxx.xxx
> 
> The Domain here is a valid Windows domain?
> 
>> 		Group networking_staff
>> 		UsernameMatchesWithoutRealm
>> 		EAPType MSCHAP-V2
>> </AuthBy>
> 
> Also, the reference manual ref.pdf lists a couple of requirements (Win32-LSA ppm, need for special privileges for user Radiator runs as on the Windows server and access rights for the users that try to authenticate).
> 
> Have you noticed and checked these?
> 
> If there are further problems, a full log file from the moment Radiator starts would be useful to see.
> 
> Thanks!
> 
> 
>> It generated the following error:
>>
>> Wed Nov  9 10:29:32 2011: DEBUG:  Deleting session for stevekim, 127.0.0.1,
>> Wed Nov  9 10:29:32 2011: DEBUG: Handling with Radius::AuthLSA: LSA
>> Wed Nov  9 10:29:32 2011: DEBUG: Radius::AuthLSA looks for match with stevekim [ stevekim]
>> Wed Nov  9 10:29:32 2011: WARNING: Could not LogonUserNetworkPAP: The handle is invalid.
>>
>> Wed Nov  9 10:29:32 2011: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA Password check failed: stevekim [stevekim]
>> Wed Nov  9 10:29:32 2011: DEBUG: AuthBy LSA result: REJECT, AuthBy LSA Password check failed
>> Wed Nov  9 10:29:32 2011: INFO: Access rejected for stevekim: AuthBy LSA Password check failed
>> Wed Nov  9 10:29:32 2011: DEBUG: Packet dump:
>>
>> -----Original Message-----
>> From: Hugh Irvine [mailto:hugh at open.com.au]
>> Sent: Tuesday, November 08, 2011 3:00 PM
>> To: Kim, Steve
>> Cc: 'radiator at open.com.au'
>> Subject: Re: [RADIATOR] Radiator/TACACS+ via ADSI
>>
>>
>> Hi Steve -
>>
>> I suggest you use the AuthBy LSA clause as it is more flexible, and you can do the Group check directly with it.
>>
>> To see what is happening for debugging it is simplest to run radiusd by hand in a terminal window like this so you see the debug log:
>>
>> 	cd /your/Radiator/distribution
>>
>> 	perl radiusd -foreground -log_stdout -trace 4 -config_file /your/Radiator/configuration/file
>>
>> 	.....
>>
>> regards
>>
>> Hugh
>>
>>
>>
>> On 9 Nov 2011, at 05:28, Kim, Steve wrote:
>>
>>> Hi experts,
>>>  
>>> I'm testing Radiator/TACACS+ with authentication from AD via ADSI.
>>> I'd like to accomplish that only a member of a given AD group can authenticate.
>>> Can someone take a look at the following config and see if there are any errors?
>>>  
>>> Thanks in advance.
>>>  
>>> So, here is my radius.cfg where I need your expertise.
>>>  
>>> <AuthBy ADSI>
>>>     Identifier ADSI
>>>     BindString  LDAP://ou=Users,ou=xxx Users,dc=xx,dc=xx,dc=xx
>>>     AuthUser %0
>>>     AuthFlags 1
>>> </AuthBy>
>>>  
>>> <ServerTACACSPLUS>
>>>     AddToRequest NAS-Identifier=TACACS
>>>     GroupMemberAttr tacacsGroup
>>>     AuthorizationTimeout 600
>>>     BindAddress 0.0.0.0
>>>     GroupCacheFile %L/radiator-tacacs-usergroup.cache
>>>     IdleTimeout 180
>>>     MaxBufferSize 100000
>>>     PasswordPrompt Password:
>>>     Port 49
>>>     SingleSession 1
>>>     UsernamePrompt Username:
>>>  
>>>     <Log FILE>
>>>         Filename %L/logfile-tacacs
>>>         Trace 4
>>>     </Log>
>>> </ServerTACACSPLUS>
>>>  
>>> <Handler NAS-Identifier=TACACS>
>>>     <AuthBy FILE>
>>>         Filename %D/users.groups
>>>     </AuthBy>
>>>     AcctLogFileName %D/detail
>>> </Handler>
>>>  
>>> Here is users.groups:
>>>  
>>> DEFAULT Auth-Type=ADSI, Group="networking_staff"
>>>  
>>>  
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>
>> --
>>
>> Hugh Irvine
>> hugh at open.com.au
>>
>> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. 
>> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>
> 
> 
> --
> Heikki Vatiainen <hvn at open.com.au>
> 


--
Heikki Vatiainen <hvn at open.com.au>

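As an added illustration, not part of the thread and not Radiator's own code: a small Python check that parses AuthLSA debug lines of the shape quoted above and flags users whose LSA group check was sent to the empty controller '' (the local host) and who were then rejected, which is the symptom Heikki points at. The log lines are constructed to resemble the quoted output; the controller name dc01.example.test and user jdoe are placeholders.

```python
import re

# Constructed sample modelled on the AuthLSA debug output in the thread (not a real capture).
# The field between "for" and the group name is the domain controller that was queried.
SAMPLE_LOG = """\
Wed Nov  9 10:49:10 2011: DEBUG: Handling with Radius::AuthLSA: LSA
Wed Nov  9 10:49:10 2011: DEBUG: Radius::AuthLSA looks for match with stevekim [stevekim]
Wed Nov  9 10:49:13 2011: DEBUG: Checking LSA Group membership for , networking_staff, stevekim
Wed Nov  9 10:49:13 2011: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: stevekim [stevekim]
Wed Nov  9 10:49:13 2011: INFO: Access rejected for stevekim: AuthBy LSA User is not a member of any Group
Wed Nov  9 10:52:01 2011: DEBUG: Checking LSA Group membership for dc01.example.test, networking_staff, jdoe
Wed Nov  9 10:52:01 2011: INFO: Access accepted for jdoe
"""

# Radiator-style timestamp prefix: "Wed Nov  9 10:49:13 2011: "
TS = r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): "
GROUP_CHECK = re.compile(
    TS + r"DEBUG: Checking LSA Group membership for (?P<dc>[^,]*), (?P<group>[^,]+), (?P<user>\S+)$"
)
REJECT = re.compile(TS + r"INFO: Access rejected for (?P<user>\S+): (?P<reason>.*)$")


def analyse_lsa_log(text):
    """Per user: which controller each LSA group check used, and the reject reason if any."""
    findings = {}
    for line in text.splitlines():
        m = GROUP_CHECK.match(line)
        if m:
            entry = findings.setdefault(m["user"], {"checks": [], "rejected": None})
            dc = m["dc"].strip()
            entry["checks"].append({"group": m["group"], "dc": dc, "empty_dc": dc == ""})
            continue
        m = REJECT.match(line)
        if m:
            findings.setdefault(m["user"], {"checks": [], "rejected": None})["rejected"] = m["reason"]
    return findings


def misconfigured_dc_users(findings):
    """Users rejected after a group check that went to '' (no DomainController configured)."""
    return sorted(
        user for user, f in findings.items()
        if f["rejected"] and any(c["empty_dc"] for c in f["checks"])
    )


if __name__ == "__main__":
    for user in misconfigured_dc_users(analyse_lsa_log(SAMPLE_LOG)):
        print(f"{user}: LSA group check hit controller '' and was rejected; set DomainController")
```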