[RADIATOR] Radiator 4.9 and cisco-avpair

Kim, Steve steve.kim at davispolk.com
Mon Nov 14 10:18:27 CST 2011


Hello,

I'm trying to understand why I'm getting "cisco-avpair" during the initial authentication, as in the log below.
The user xyz is authenticated via AuthBy LSA from AD, calling this handler from the ServerTACACSPLUS clause.
My objective is getting priv-lvl=15, and I'm not being successful.

Here is my radius.cfg:

<Realm DEFAULT>
      AcctLogFileName %D/acct.log
      AuthByPolicy ContinueWhileIgnore

      <AuthBy GROUP>
         Identifier GetUser
         AuthByPolicy ContinueUntilAccept

         <AuthBy LSA>
            Domain abc.def.com
            Group networking_staff
            DomainController abcd001
            EAPType MSCHAP-V2
            AddToReply tacacsgroup = netadmin
         </AuthBy>
      </AuthBy>
</Realm>

<ServerTACACSPLUS >
      AddToRequest NAS-Identifier=TACACS

      GroupMemberAttr tacacsgroup

      AuthorizationTimeout 600
      AuthorizeGroup netadmin permit service=shell cmd=\* {cisco-avpair="priv-lvl=15"}
      AuthorizeGroup netadmin permit .*
      AuthorizeGroup users permit service=shell cmd\* {priv-lvl=1}
      AuthorizeGroup guest permit service=shell cmd\* {priv-lvl=0}
      AuthorizeGroup DEFAULT  deny .*
      BindAddress 0.0.0.0
      GroupCacheFile %L/radiator-tacacs-usergroup.cache
      IdleTimeout 180
      MaxBufferSize 100000
      PasswordPrompt Password:
      Port 49
      SingleSession 1
      UsernamePrompt Username:

      <Log FILE>
            Filename %L/tacacs.log
            Trace 4
      </Log>
</ServerTACACSPLUS>

<Handler NAS-Identifier=TACACS>
        AuthBy GetUser

</Handler>

LOG:

Mon Nov 14 10:20:53 2011: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <143><162><7>B<16>wd<228><1><251><28><14>C<234>i9
Attributes:
      NAS-IP-Address = xx.xx.xx.142
      NAS-Port-Id = "tty1"
      Calling-Station-Id = "xx.xx.xx.1"
      Service-Type = Login-User
      NAS-Identifier = "TACACS"
      User-Name = "xyz"
      User-Password = **obscured**
      cisco-avpair = "action=1"
      cisco-avpair = "authen_type=1"
      cisco-avpair = "priv-lvl=1"
      cisco-avpair = "service=1"
      OSC-Version-Identifier = "192"
