[RADIATOR] Radiator 4.9 and cisco-avpair

Kim, Steve steve.kim at davispolk.com
Tue Nov 15 09:08:35 CST 2011


Heikki,

Here is a log, and priv-lvl is still set to 1.

Tue Nov 15 09:42:02 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:27492
Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 3401425457, 85
Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection Authorization REQUEST 1, 1, 1, 0, connolly, tty1, xxx.xxx.11.1, 4, service=shell cmd=connect cmd-arg=exitr cmd-arg=<cr>
Tue Nov 15 09:42:02 2011: DEBUG: AuthorizeGroup rule match found: permit .* {  }
Tue Nov 15 09:42:02 2011: INFO: Authorization permitted for connolly at xxx.xxx.11.242, group netadmin, args service=shell cmd=connect cmd-arg=exitr cmd-arg=<cr>
Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , 
Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:27492
Tue Nov 15 09:42:02 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:29655
Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection request 192, 3, 1, 0, 1596600160, 128
Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection Accounting REQUEST 4, 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 6, task_id=148 timezone=est service=shell start_time=1321368122 priv-lvl=1 cmd=connect exitr <cr>
Tue Nov 15 09:42:02 2011: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Accounting-Request
Identifier: UNDEF
Authentic:  <140>N)<172><12>N<138><205><175><216><254><4><237><173>?<181>
Attributes:
               NAS-IP-Address = xxx.xxx.11.242
               NAS-Port-Id = "tty1"
               Calling-Station-Id = "xxx.xxx.11.1"
               NAS-Identifier = "TACACS"
               User-Name = "connolly"
               Acct-Status-Type = Stop
               Acct-Session-Id = "1596600160"
               cisco-avpair = "task_id=148"
               cisco-avpair = "timezone=est"
               cisco-avpair = "service=shell"
               cisco-avpair = "start_time=1321368122"
               cisco-avpair = "priv-lvl=1"
               cisco-avpair = "cmd=connect exitr <cr>"
               OSC-Version-Identifier = "192"

Tue Nov 15 09:42:02 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Tue Nov 15 09:42:02 2011: DEBUG:  Deleting session for connolly, xxx.xxx.11.242, 
Tue Nov 15 09:42:02 2011: DEBUG: Handling with Radius::AuthGROUP: GetUser
Tue Nov 15 09:42:02 2011: DEBUG: Handling with Radius::AuthLSA: 
Tue Nov 15 09:42:02 2011: DEBUG: Radius::AuthGROUP:GetUser  result: ACCEPT, 
Tue Nov 15 09:42:02 2011: DEBUG: AuthBy GROUP result: ACCEPT, 
Tue Nov 15 09:42:02 2011: DEBUG: Accounting accepted
Tue Nov 15 09:42:02 2011: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code:       Accounting-Response
Identifier: UNDEF
Authentic:  <140>N)<172><12>N<138><205><175><216><254><4><237><173>?<181>
Attributes:

Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection result Accounting-Response
Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection Accounting REPLY 1, ,  
Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:29655
Tue Nov 15 09:42:03 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:20179
Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 2598084901, 68
Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection Authorization REQUEST 1, 0, 1, 0, connolly, tty1, xxx.xxx.11.1, 3, service=shell cmd=exit cmd-arg=<cr>
Tue Nov 15 09:42:03 2011: DEBUG: AuthorizeGroup rule match found: permit .* {  }
Tue Nov 15 09:42:03 2011: INFO: Authorization permitted for connolly at xxx.xxx.11.242, group netadmin, args service=shell cmd=exit cmd-arg=<cr>
Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , 
Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:20179
Tue Nov 15 09:42:03 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:32440
Tue Nov 15 09:42:03 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:16356
Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection request 192, 3, 1, 0, 437970795, 119
Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection Accounting REQUEST 4, 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 6, task_id=149 timezone=est service=shell start_time=1321368123 priv-lvl=0 cmd=exit <cr>
Tue Nov 15 09:42:03 2011: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Accounting-Request
Identifier: UNDEF
Authentic:  [.P<238><29><162><193>-<149><197>Ae<131><12><203><251>
Attributes:
               NAS-IP-Address = xxx.xxx.11.242
               NAS-Port-Id = "tty1"
               Calling-Station-Id = "xxx.xxx.11.1"
               NAS-Identifier = "TACACS"
               User-Name = "connolly"
               Acct-Status-Type = Stop
               Acct-Session-Id = "437970795"
               cisco-avpair = "task_id=149"
               cisco-avpair = "timezone=est"
               cisco-avpair = "service=shell"
               cisco-avpair = "start_time=1321368123"
               cisco-avpair = "priv-lvl=0"
               cisco-avpair = "cmd=exit <cr>"
               OSC-Version-Identifier = "192"

Tue Nov 15 09:42:03 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Tue Nov 15 09:42:03 2011: DEBUG:  Deleting session for connolly, xxx.xxx.11.242, 
Tue Nov 15 09:42:03 2011: DEBUG: Handling with Radius::AuthGROUP: GetUser
Tue Nov 15 09:42:03 2011: DEBUG: Handling with Radius::AuthLSA: 
Tue Nov 15 09:42:03 2011: DEBUG: Radius::AuthGROUP:GetUser  result: ACCEPT, 
Tue Nov 15 09:42:03 2011: DEBUG: AuthBy GROUP result: ACCEPT, 
Tue Nov 15 09:42:03 2011: DEBUG: Accounting accepted
Tue Nov 15 09:42:03 2011: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code:       Accounting-Response
Identifier: UNDEF
Authentic:  [.P<238><29><162><193>-<149><197>Ae<131><12><203><251>
Attributes:

Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection result Accounting-Response
Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection Accounting REPLY 1, ,  
Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:32440
Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection request 192, 3, 1, 0, 3584696603, 180
Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection Accounting REQUEST 4, 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 9, task_id=147 timezone=est service=shell start_time=1321368109 disc-cause=1 disc-cause-ext=9 pre-session-time=6 elapsed_time=14 stop_time=1321368123
Tue Nov 15 09:42:03 2011: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Accounting-Request
Identifier: UNDEF
Authentic:  ,<202>w<1><198><157>A<130><180>@<179> <218>H<225><193>
Attributes:
               NAS-IP-Address = xxx.xxx.11.242
               NAS-Port-Id = "tty1"
               Calling-Station-Id = "xxx.xxx.11.1"
               NAS-Identifier = "TACACS"
               User-Name = "connolly"
               Acct-Status-Type = Stop
               Acct-Session-Id = "3584696603"
               cisco-avpair = "task_id=147"
               cisco-avpair = "timezone=est"
               cisco-avpair = "service=shell"
               cisco-avpair = "start_time=1321368109"
               cisco-avpair = "disc-cause=1"
               cisco-avpair = "disc-cause-ext=9"
               cisco-avpair = "pre-session-time=6"
               cisco-avpair = "elapsed_time=14"
               cisco-avpair = "stop_time=1321368123"
               OSC-Version-Identifier = "192"

Tue Nov 15 09:42:03 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Tue Nov 15 09:42:03 2011: DEBUG:  Deleting session for connolly, xxx.xxx.11.242, 
Tue Nov 15 09:42:03 2011: DEBUG: Handling with Radius::AuthGROUP: GetUser
Tue Nov 15 09:42:03 2011: DEBUG: Handling with Radius::AuthLSA: 
Tue Nov 15 09:42:03 2011: DEBUG: Radius::AuthGROUP:GetUser  result: ACCEPT, 
Tue Nov 15 09:42:03 2011: DEBUG: AuthBy GROUP result: ACCEPT, 
Tue Nov 15 09:42:03 2011: DEBUG: Accounting accepted
Tue Nov 15 09:42:03 2011: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code:       Accounting-Response
Identifier: UNDEF
Authentic:  ,<202>w<1><198><157>A<130><180>@<179> <218>H<225><193>
Attributes:

Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection result Accounting-Response
Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection Accounting REPLY 1, ,  
Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:16356
-----Original Message-----
From: Heikki Vatiainen [mailto:hvn at open.com.au] 
Sent: Monday, November 14, 2011 4:13 PM
To: Kim, Steve
Subject: Re: [RADIATOR] Radiator 4.9 and cisco-avpair

On 11/14/2011 10:27 PM, Kim, Steve wrote:

> Not sure what you meant by "configuring command authorization".
> As far as I know, CISCO has been configured with following command set:

The config has "aaa authorization ..."  enabled so you should see
TACACS+ "Authorization REQUEST" entries in Radiator log.

These requests should in turn match AuthorizeGroup lines in Radiator configuration file. Does Radiator log show any authorization requests from your Cisco?

If possible, please keep radiator at open.com.au in Cc:s.

Thanks!
Heikki


> aaa authentication login default group tacacs+ local enable
> aaa authentication login vty-access group tacacs+ local enable
> aaa authentication login console-access group tacacs+ local enable
> aaa authorization exec default group tacacs+ if-authenticated
> aaa authorization commands 0 default group tacacs+ if-authenticated
> aaa authorization commands 1 default group tacacs+ if-authenticated
> aaa authorization commands 15 default group tacacs+ if-authenticated
> aaa accounting exec default stop-only group tacacs+
> aaa accounting commands 15 default stop-only group tacacs+
> 
> 
> -----Original Message-----
> From: Heikki Vatiainen [mailto:hvn at open.com.au]
> Sent: Monday, November 14, 2011 2:50 PM
> To: Kim, Steve
> Cc: radiator at open.com.au
> Subject: Re: [RADIATOR] Radiator 4.9 and cisco-avpair
> 
> On 11/14/2011 06:18 PM, Kim, Steve wrote:
> 
> Hello Steve,
> 
>> I'm trying to understand why I'm getting "cisco-avpair" during the 
>> initial authentication as below log.
> 
> Those come from the TACACS authentication request message header. See 
> for example http://tools.ietf.org/html/draft-grant-tacacs-02 and 
> section
> "6.1 Authentication".
> 
> The cisco-avpair attributes make the priv_lvl and other fields available for authentication request processing. In other words, those attributes are generated by Radiator when it processes the incoming authentication request.
> 
>> The user xyz is authenticated via Authby LSA from AD calling this 
>> handler from ServerTACACSPLUS clause.
>>
>> My objective is getting priv-lvl=15 and not being successful.
> 
> See goodies/tacplus.txt and the discussion about configuring command authorization. If you enable command authorization, the client device should send TACACS+ authorization request once the authentication has completed successfully.
> 
> You should start seeing something like this in Radiator log:
> 
> Mon Nov 14 21:46:14 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 0, 2, 0, mikem, 123, testclient, 2, service=shell cmd=*
> Mon Nov 14 21:46:14 2011: DEBUG: AuthorizeGroup rule match found: permit service=shell cmd=\* { cisco-avpair=priv-lvl=15 }
> Mon Nov 14 21:46:14 2011: INFO: Authorization permitted for mikem at 127.0.0.1, group netadmin, args service=shell cmd=*
> Mon Nov 14 21:46:14 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , cisco-avpair=priv-lvl=15
> 
> 
> For testing you can also try goodies/tacacsplustest with something like this:
> 
> First go to the Radiator distribution directory. Then run tacacsplustest like this:
> 
>   perl goodies/tacacsplustest -h
> 
>   perl goodies/tacacsplustest -trace 4 -noacct -port 4949 -author_args service=shell,cmd=\*
> 
>> Here is my radius.cfg:
> 
> The config looks good and the AuthorizeGroup lines should start matching once the client device starts sending authorization requests.
> 
> Heikki


