[RADIATOR] Radiator 4.9 and cisco-avpair

Heikki Vatiainen hvn at open.com.au
Tue Nov 15 09:21:46 CST 2011


On 11/15/2011 05:08 PM, Kim, Steve wrote:

Hello Steve,

the AuthorizeGroup line does not match what Cisco requests. Try this:

#AuthorizeGroup netadmin permit service=shell cmd=\* {cisco-avpair="priv-lvl=15"}
AuthorizeGroup netadmin permit service=shell cmd=connect cmd-arg=exitr cmd-arg=<cr> {cisco-avpair="priv-lvl=15"}
AuthorizeGroup netadmin permit .*

The commented out AuthorizeGroup is replaced by one that matches what is
requested by the client.

Please let us know how this works.

Thanks!

> Tue Nov 15 09:42:02 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:27492
> Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 3401425457, 85
> Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection Authorization REQUEST 1, 1, 1, 0, connolly, tty1, xxx.xxx.11.1, 4, service=shell cmd=connect cmd-arg=exitr cmd-arg=<cr>
> Tue Nov 15 09:42:02 2011: DEBUG: AuthorizeGroup rule match found: permit .* {  }
> Tue Nov 15 09:42:02 2011: INFO: Authorization permitted for connolly at xxx.xxx.11.242, group netadmin, args service=shell cmd=connect cmd-arg=exitr cmd-arg=<cr>
> Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , 
> Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:27492
> Tue Nov 15 09:42:02 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:29655
> Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection request 192, 3, 1, 0, 1596600160, 128
> Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection Accounting REQUEST 4, 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 6, task_id=148 timezone=est service=shell start_time=1321368122 priv-lvl=1 cmd=connect exitr <cr>
> Tue Nov 15 09:42:02 2011: DEBUG: TACACSPLUS derived Radius request packet dump:
> Code:       Accounting-Request
> Identifier: UNDEF
> Authentic:  <140>N)<172><12>N<138><205><175><216><254><4><237><173>?<181>
> Attributes:
>                NAS-IP-Address = xxx.xxx.11.242
>                NAS-Port-Id = "tty1"
>                Calling-Station-Id = "xxx.xxx.11.1"
>                NAS-Identifier = "TACACS"
>                User-Name = "connolly"
>                Acct-Status-Type = Stop
>                Acct-Session-Id = "1596600160"
>                cisco-avpair = "task_id=148"
>                cisco-avpair = "timezone=est"
>                cisco-avpair = "service=shell"
>                cisco-avpair = "start_time=1321368122"
>                cisco-avpair = "priv-lvl=1"
>                cisco-avpair = "cmd=connect exitr <cr>"
>                OSC-Version-Identifier = "192"
> 
> Tue Nov 15 09:42:02 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
> Tue Nov 15 09:42:02 2011: DEBUG:  Deleting session for connolly, xxx.xxx.11.242, 
> Tue Nov 15 09:42:02 2011: DEBUG: Handling with Radius::AuthGROUP: GetUser
> Tue Nov 15 09:42:02 2011: DEBUG: Handling with Radius::AuthLSA: 
> Tue Nov 15 09:42:02 2011: DEBUG: Radius::AuthGROUP:GetUser  result: ACCEPT, 
> Tue Nov 15 09:42:02 2011: DEBUG: AuthBy GROUP result: ACCEPT, 
> Tue Nov 15 09:42:02 2011: DEBUG: Accounting accepted
> Tue Nov 15 09:42:02 2011: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:       Accounting-Response
> Identifier: UNDEF
> Authentic:  <140>N)<172><12>N<138><205><175><216><254><4><237><173>?<181>
> Attributes:
> 
> Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection result Accounting-Response
> Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection Accounting REPLY 1, ,  
> Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:29655
> Tue Nov 15 09:42:03 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:20179
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 2598084901, 68
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection Authorization REQUEST 1, 0, 1, 0, connolly, tty1, xxx.xxx.11.1, 3, service=shell cmd=exit cmd-arg=<cr>
> Tue Nov 15 09:42:03 2011: DEBUG: AuthorizeGroup rule match found: permit .* {  }
> Tue Nov 15 09:42:03 2011: INFO: Authorization permitted for connolly at xxx.xxx.11.242, group netadmin, args service=shell cmd=exit cmd-arg=<cr>
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , 
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:20179
> Tue Nov 15 09:42:03 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:32440
> Tue Nov 15 09:42:03 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:16356
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection request 192, 3, 1, 0, 437970795, 119
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection Accounting REQUEST 4, 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 6, task_id=149 timezone=est service=shell start_time=1321368123 priv-lvl=0 cmd=exit <cr>
> Tue Nov 15 09:42:03 2011: DEBUG: TACACSPLUS derived Radius request packet dump:
> Code:       Accounting-Request
> Identifier: UNDEF
> Authentic:  [.P<238><29><162><193>-<149><197>Ae<131><12><203><251>
> Attributes:
>                NAS-IP-Address = xxx.xxx.11.242
>                NAS-Port-Id = "tty1"
>                Calling-Station-Id = "xxx.xxx.11.1"
>                NAS-Identifier = "TACACS"
>                User-Name = "connolly"
>                Acct-Status-Type = Stop
>                Acct-Session-Id = "437970795"
>                cisco-avpair = "task_id=149"
>                cisco-avpair = "timezone=est"
>                cisco-avpair = "service=shell"
>                cisco-avpair = "start_time=1321368123"
>                cisco-avpair = "priv-lvl=0"
>                cisco-avpair = "cmd=exit <cr>"
>                OSC-Version-Identifier = "192"
> 
> Tue Nov 15 09:42:03 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
> Tue Nov 15 09:42:03 2011: DEBUG:  Deleting session for connolly, xxx.xxx.11.242, 
> Tue Nov 15 09:42:03 2011: DEBUG: Handling with Radius::AuthGROUP: GetUser
> Tue Nov 15 09:42:03 2011: DEBUG: Handling with Radius::AuthLSA: 
> Tue Nov 15 09:42:03 2011: DEBUG: Radius::AuthGROUP:GetUser  result: ACCEPT, 
> Tue Nov 15 09:42:03 2011: DEBUG: AuthBy GROUP result: ACCEPT, 
> Tue Nov 15 09:42:03 2011: DEBUG: Accounting accepted
> Tue Nov 15 09:42:03 2011: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:       Accounting-Response
> Identifier: UNDEF
> Authentic:  [.P<238><29><162><193>-<149><197>Ae<131><12><203><251>
> Attributes:
> 
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection result Accounting-Response
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection Accounting REPLY 1, ,  
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:32440
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection request 192, 3, 1, 0, 3584696603, 180
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection Accounting REQUEST 4, 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 9, task_id=147 timezone=est service=shell start_time=1321368109 disc-cause=1 disc-cause-ext=9 pre-session-time=6 elapsed_time=14 stop_time=1321368123
> Tue Nov 15 09:42:03 2011: DEBUG: TACACSPLUS derived Radius request packet dump:
> Code:       Accounting-Request
> Identifier: UNDEF
> Authentic:  ,<202>w<1><198><157>A<130><180>@<179> <218>H<225><193>
> Attributes:
>                NAS-IP-Address = xxx.xxx.11.242
>                NAS-Port-Id = "tty1"
>                Calling-Station-Id = "xxx.xxx.11.1"
>                NAS-Identifier = "TACACS"
>                User-Name = "connolly"
>                Acct-Status-Type = Stop
>                Acct-Session-Id = "3584696603"
>                cisco-avpair = "task_id=147"
>                cisco-avpair = "timezone=est"
>                cisco-avpair = "service=shell"
>                cisco-avpair = "start_time=1321368109"
>                cisco-avpair = "disc-cause=1"
>                cisco-avpair = "disc-cause-ext=9"
>                cisco-avpair = "pre-session-time=6"
>                cisco-avpair = "elapsed_time=14"
>                cisco-avpair = "stop_time=1321368123"
>                OSC-Version-Identifier = "192"
> 
> Tue Nov 15 09:42:03 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
> Tue Nov 15 09:42:03 2011: DEBUG:  Deleting session for connolly, xxx.xxx.11.242, 
> Tue Nov 15 09:42:03 2011: DEBUG: Handling with Radius::AuthGROUP: GetUser
> Tue Nov 15 09:42:03 2011: DEBUG: Handling with Radius::AuthLSA: 
> Tue Nov 15 09:42:03 2011: DEBUG: Radius::AuthGROUP:GetUser  result: ACCEPT, 
> Tue Nov 15 09:42:03 2011: DEBUG: AuthBy GROUP result: ACCEPT, 
> Tue Nov 15 09:42:03 2011: DEBUG: Accounting accepted
> Tue Nov 15 09:42:03 2011: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:       Accounting-Response
> Identifier: UNDEF
> Authentic:  ,<202>w<1><198><157>A<130><180>@<179> <218>H<225><193>
> Attributes:
> 
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection result Accounting-Response
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection Accounting REPLY 1, ,  
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:16356
> -----Original Message-----
> From: Heikki Vatiainen [mailto:hvn at open.com.au] 
> Sent: Monday, November 14, 2011 4:13 PM
> To: Kim, Steve
> Subject: Re: [RADIATOR] Radiator 4.9 and cisco-avpair
> 
> On 11/14/2011 10:27 PM, Kim, Steve wrote:
> 
>> Not sure what you meant by "configuring command authorization".
>> As far as I know, CISCO has been configured with following command set:
> 
> The config has "aaa authorization ..."  enabled so you should see
> TACACS+ "Authorization REQUEST" entries in Radiator log.
> 
> These requests should in turn match AuthorizeGroup lines in Radiator configuration file. Does Radiator log show any authorization requests from your Cisco?
> 
> If possible, please keep radiator at open.com.au in Cc:s.
> 
> Thanks!
> Heikki
> 
> 
>> aaa authentication login default group tacacs+ local enable
>> aaa authentication login vty-access group tacacs+ local enable
>> aaa authentication login console-access group tacacs+ local enable
>> aaa authorization exec default group tacacs+ if-authenticated
>> aaa authorization commands 0 default group tacacs+ if-authenticated
>> aaa authorization commands 1 default group tacacs+ if-authenticated
>> aaa authorization commands 15 default group tacacs+ if-authenticated
>> aaa accounting exec default stop-only group tacacs+
>> aaa accounting commands 15 default stop-only group tacacs+
>>
>>
>> -----Original Message-----
>> From: Heikki Vatiainen [mailto:hvn at open.com.au]
>> Sent: Monday, November 14, 2011 2:50 PM
>> To: Kim, Steve
>> Cc: radiator at open.com.au
>> Subject: Re: [RADIATOR] Radiator 4.9 and cisco-avpair
>>
>> On 11/14/2011 06:18 PM, Kim, Steve wrote:
>>
>> Hello Steve,
>>
>>> I'm trying to understand why I'm getting "cisco-avpair" during the 
>>> initial authentication as below log.
>>
>> Those come from the TACACS authentication request message header. See 
>> for example http://tools.ietf.org/html/draft-grant-tacacs-02 and 
>> section
>> "6.1 Authentication".
>>
>> The cisco-avpair attributes make the priv_lvl and other fields available for authentication request processing. In other words, those attributes are generated by Radiator when it processes the incoming authentication request.
>>
>>> The user xyz is authenticated via Authby LSA from AD calling this 
>>> handler from ServerTACACSPLUS clause.
>>>
>>> My objective is getting priv-lvl=15 and not being successful.
>>
>> See goodies/tacplus.txt and the discussion about configuring command authorization. If you enable command authorization, the client device should send TACACS+ authorization request once the authentication has completed successfully.
>>
>> You should start seeing something like this in Radiator log:
>>
>> Mon Nov 14 21:46:14 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 0, 2, 0, mikem, 123, testclient, 2, service=shell cmd=*
>> Mon Nov 14 21:46:14 2011: DEBUG: AuthorizeGroup rule match found: permit service=shell cmd=\* { cisco-avpair=priv-lvl=15 }
>> Mon Nov 14 21:46:14 2011: INFO: Authorization permitted for mikem at 127.0.0.1, group netadmin, args service=shell cmd=*
>> Mon Nov 14 21:46:14 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , cisco-avpair=priv-lvl=15
>>
>>
>> For testing you can also try goodies/tacacsplustest with something like this:
>>
>> First go to Radiator distribution directory. Then run tacacsplustest like this:
>>
>>   perl goodies/tacacsplustest -h
>>
>>   perl goodies/tacacsplustest -trace 4 -noacct -port 4949 -author_args service=shell,cmd=\*
>>
>>> Here is my radius.cfg:
>>
>> The config looks good and the AuthorizeGroup lines should start matching once the client device starts sending authorization requests.
>>
>> Heikki
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
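The following Python is an added illustration, not Radiator's code and not from the thread. It models the AuthorizeGroup behaviour the replies describe (rules tried in order, first regex match on the space-joined TACACS+ args wins, the braces hold the reply attributes) and shows why the router's `cmd=connect ...` request fell through to `permit .*` with no priv-lvl while the escaped `cmd=\*` rule only matches the literal `cmd=*` sent by tacacsplustest. The regex-over-joined-args model and the fall-through deny are assumptions.

```python
import re
from dataclasses import dataclass, field

# Simplified model of Radiator's AuthorizeGroup evaluation (an assumption,
# not Radiator's own code): first rule whose regex matches the joined args wins.

@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    pattern: str                # Perl-style regex matched against the joined args
    attrs: dict = field(default_factory=dict)   # reply attributes from {...}

def parse_rule(line: str) -> Rule:
    """Parse one 'AuthorizeGroup <group> permit|deny <regex> {k="v" ...}' line."""
    m = re.match(r'AuthorizeGroup\s+\S+\s+(permit|deny)\s+(.*?)\s*(?:\{(.*)\})?\s*$', line)
    if not m:
        raise ValueError(f"not an AuthorizeGroup line: {line!r}")
    attrs = dict(re.findall(r'(\S+?)="?([^"\s]+)"?', m.group(3) or ""))
    return Rule(m.group(1), m.group(2), attrs)

def authorize(rules, args):
    """Return (decision, reply_attrs) for the args list from a TACACS+ authorization request."""
    joined = " ".join(args)
    for rule in rules:
        if re.search(rule.pattern, joined):
            return rule.action, rule.attrs
    return "deny", {}           # assumption: nothing matched -> deny

# Rules from the original config (first list) and Heikki's replacement (second).
ORIGINAL = [parse_rule(l) for l in (
    r'AuthorizeGroup netadmin permit service=shell cmd=\* {cisco-avpair="priv-lvl=15"}',
    r'AuthorizeGroup netadmin permit .*',
)]
FIXED = [parse_rule(l) for l in (
    r'AuthorizeGroup netadmin permit service=shell cmd=connect cmd-arg=exitr cmd-arg=<cr> {cisco-avpair="priv-lvl=15"}',
    r'AuthorizeGroup netadmin permit .*',
)]

# Args copied from the Authorization REQUEST in the quoted log.
ROUTER_ARGS = ["service=shell", "cmd=connect", "cmd-arg=exitr", "cmd-arg=<cr>"]
# Args as sent by "goodies/tacacsplustest -author_args service=shell,cmd=\*".
TEST_ARGS = ["service=shell", "cmd=*"]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, authorize(rules, ROUTER_ARGS))   # original -> permit, {}
```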
