[RADIATOR] Radiator 4.9 and cisco-avpair

Heikki Vatiainen hvn at open.com.au
Mon Nov 14 13:50:16 CST 2011


On 11/14/2011 06:18 PM, Kim, Steve wrote:

Hello Steve,

> I’m trying to understand why I’m getting “cisco-avpair” during the
> initial authentication as below log.

Those come from the TACACS authentication request message header. See
for example http://tools.ietf.org/html/draft-grant-tacacs-02 and section
"6.1 Authentication".

The cisco-avpair attributes make the priv_lvl and other fields available
for authentication request processing. In other words, those attributes
are generated by Radiator when it processes the incoming authentication
request.

> The user xyz is authenticated via Authby LSA from AD calling this
> handler from ServerTACACSPLUS clause.
> 
> My objective is getting priv-lvl=15 and not being successful.

See goodies/tacplus.txt and the discussion about configuring command
authorization. If you enable command authorization, the client device
should send a TACACS+ authorization request once the authentication has
completed successfully.

You should start seeing something like this in the Radiator log:

Mon Nov 14 21:46:14 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 0, 2, 0, mikem, 123, testclient, 2, service=shell cmd=*
Mon Nov 14 21:46:14 2011: DEBUG: AuthorizeGroup rule match found: permit service=shell cmd=\* { cisco-avpair=priv-lvl=15 }
Mon Nov 14 21:46:14 2011: INFO: Authorization permitted for mikem at 127.0.0.1, group netadmin, args service=shell cmd=*
Mon Nov 14 21:46:14 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , cisco-avpair=priv-lvl=15


For testing you can also try goodies/tacacsplustest with something like
this:

First go to the Radiator distribution directory. Then run tacacsplustest
like this:

  perl goodies/tacacsplustest -h

  perl goodies/tacacsplustest -trace 4 -noacct -port 4949 -author_args service=shell,cmd=\*

> Here is my radius.cfg:

The config looks good and the AuthorizeGroup lines should start matching
once the client device starts sending authorization requests.

Heikki


> <Realm DEFAULT>
>       AcctLogFileName %D/acct.log
>       AuthByPolicy ContinueWhileIgnore
> 
>       <AuthBy GROUP>
>          Identifier GetUser
>          AuthByPolicy ContinueUntilAccept
> 
>          <AuthBy LSA>
>             Domain abc.def.com
>             Group networking_staff
>             DomainController abcd001
>             EAPType MSCHAP-V2
>             AddToReply tacacsgroup = netadmin
>          </AuthBy>
>       </AuthBy>
> </Realm>
> 
> <ServerTACACSPLUS >
>       AddToRequest NAS-Identifier=TACACS
> 
>       GroupMemberAttr tacacsgroup
> 
>       AuthorizationTimeout 600
>       AuthorizeGroup netadmin permit service=shell cmd=\* {cisco-avpair="priv-lvl=15"}
>       AuthorizeGroup netadmin permit .*
>       AuthorizeGroup users permit service=shell cmd\* {priv-lvl=1}
>       AuthorizeGroup guest permit service=shell cmd\* {priv-lvl=0}
>       AuthorizeGroup DEFAULT  deny .*
>       BindAddress 0.0.0.0
>       GroupCacheFile %L/radiator-tacacs-usergroup.cache
>       IdleTimeout 180
>       MaxBufferSize 100000
>       PasswordPrompt Password:
>       Port 49
>       SingleSession 1
>       UsernamePrompt Username:
> 
>       <Log FILE>
>             Filename %L/tacacs.log
>             Trace 4
>       </Log>
> </ServerTACACSPLUS>
> 
> <Handler NAS-Identifier=TACACS>
>         AuthBy GetUser
> </Handler>
> 
> LOG:
> 
> Mon Nov 14 10:20:53 2011: DEBUG: TACACSPLUS derived Radius request packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <143><162><7>B<16>wd<228><1><251><28><14>C<234>i9
> Attributes:
>       NAS-IP-Address = xx.xx.xx.142
>       NAS-Port-Id = "tty1"
>       Calling-Station-Id = "xx.xx.xx.1"
>       Service-Type = Login-User
>       NAS-Identifier = "TACACS"
>       User-Name = "xyz"
>       User-Password = **obscured**
>       *cisco-avpair = "action=1"*
>       *cisco-avpair = "authen_type=1"*
>       *cisco-avpair = "priv-lvl=1"*
>       *cisco-avpair = "service=1"*
>       OSC-Version-Identifier = "192"


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
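An added worked example, not part of the original message and not Radiator's own code, tying together the two points made above: the cisco-avpair attributes seen during authentication are simply the four selector bytes of the TACACS+ authentication START body (draft-grant-tacacs-02, section 6.1), so priv-lvl=1 there is what the device asked for at login; priv-lvl=15 only appears in the reply to the separate authorization request that is matched against the AuthorizeGroup rules. The START body and addresses are constructed sample input, and the authorization part is a simplified model (first matching rule within the user's group wins, then the DEFAULT group) that is an assumption about the config's behaviour rather than Radiator's exact semantics.

```python
import re
import struct

# Fixed part of a TACACS+ authentication START body
# (draft-grant-tacacs-02, section 6.1): four one-byte selectors
# followed by four one-byte field lengths, then user/port/rem_addr/data.
START_HEADER = struct.Struct("!BBBBBBBB")

# Values seen in the thread's log: action=1 (LOGIN), authen_type=1 (ASCII),
# service=1 (LOGIN). priv_lvl=1 is the level the device requests at login.
TAC_PLUS_AUTHEN_LOGIN = 1
TAC_PLUS_AUTHEN_TYPE_ASCII = 1
TAC_PLUS_AUTHEN_SVC_LOGIN = 1


def build_start_body(action, priv_lvl, authen_type, service,
                     user, port, rem_addr, data=b""):
    """Encode a START body; used here only to construct sample input."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    fixed = START_HEADER.pack(action, priv_lvl, authen_type, service,
                              len(user_b), len(port_b), len(rem_b), len(data))
    return fixed + user_b + port_b + rem_b + data


def parse_start_body(body):
    """Decode a START body into the attributes the log's packet dump shows.

    The four selector bytes become cisco-avpair values; user, port and
    rem_addr become User-Name, NAS-Port-Id and Calling-Station-Id. The data
    field (empty for ASCII login, the password for PAP) is length-checked
    but not returned. Truncated or oversized bodies are rejected.
    """
    if len(body) < START_HEADER.size:
        raise ValueError("START body shorter than its fixed header")
    (action, priv_lvl, authen_type, service,
     ulen, plen, rlen, dlen) = START_HEADER.unpack_from(body)
    expected = START_HEADER.size + ulen + plen + rlen + dlen
    if len(body) != expected:
        raise ValueError(f"START body is {len(body)} bytes, header implies {expected}")
    off = START_HEADER.size
    user = body[off:off + ulen].decode("ascii", "replace")
    off += ulen
    port = body[off:off + plen].decode("ascii", "replace")
    off += plen
    rem_addr = body[off:off + rlen].decode("ascii", "replace")
    return {
        "User-Name": user,
        "NAS-Port-Id": port,
        "Calling-Station-Id": rem_addr,
        "cisco-avpair": [
            f"action={action}",
            f"authen_type={authen_type}",
            f"priv-lvl={priv_lvl}",
            f"service={service}",
        ],
    }


# Simplified model (assumption, not Radiator's code) of the netadmin and
# DEFAULT AuthorizeGroup lines in the quoted radius.cfg:
# (group, verdict, regex over the authorization args, reply attributes).
AUTHORIZE_GROUP_RULES = [
    ("netadmin", "permit", r"service=shell cmd=\*", {"cisco-avpair": "priv-lvl=15"}),
    ("netadmin", "permit", r".*", {}),
    ("DEFAULT", "deny", r".*", {}),
]


def authorize(group, args, rules=AUTHORIZE_GROUP_RULES):
    """Return (verdict, reply_attrs) for one authorization request.

    Model: the user's group rules are tried in order and the first regex
    match wins; if none matches, the DEFAULT group's rules are tried; with
    no match at all the request is denied. Reply attributes are only
    returned on permit.
    """
    for candidate in (group, "DEFAULT"):
        for rule_group, verdict, pattern, reply in rules:
            if rule_group == candidate and re.search(pattern, args):
                return verdict, (dict(reply) if verdict == "permit" else {})
    return "deny", {}


if __name__ == "__main__":
    # Constructed START body mirroring the thread's log (address is made up).
    body = build_start_body(TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                            TAC_PLUS_AUTHEN_SVC_LOGIN, "xyz", "tty1", "192.0.2.1")
    for name, value in parse_start_body(body).items():
        print(f"{name} = {value}")
    # The exec-shell authorization request the device sends after login.
    print(authorize("netadmin", "service=shell cmd=*"))
    print(authorize("guest", "service=shell cmd=*"))
```

Running the script prints the same cisco-avpair values as Steve's packet dump for the authentication step, and then a permit with cisco-avpair=priv-lvl=15 for the netadmin authorization and a deny for a group that has no rules of its own.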