[RADIATOR] Radiator 4.9 and cisco-avpair

Kim, Steve steve.kim at davispolk.com
Tue Nov 15 09:42:38 CST 2011


Hi Heikki,



It did not work. It had no effect.

Thanks,


Tue Nov 15 10:25:28 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Tue Nov 15 10:25:28 2011: DEBUG:  Deleting session for connolly, xxx.xxx.11.242,
Tue Nov 15 10:25:28 2011: DEBUG: Handling with Radius::AuthGROUP: GetUser
Tue Nov 15 10:25:28 2011: DEBUG: Handling with Radius::AuthLSA:
Tue Nov 15 10:25:28 2011: DEBUG: Radius::AuthLSA looks for match with connolly [connolly]
Tue Nov 15 10:25:28 2011: DEBUG: Checking LSA Group membership for dcny001, networking_staff, connolly
Tue Nov 15 10:25:28 2011: DEBUG: Radius::AuthLSA ACCEPT: : connolly [connolly]
Tue Nov 15 10:25:28 2011: DEBUG: Radius::AuthGROUP:GetUser  result: ACCEPT,
Tue Nov 15 10:25:28 2011: DEBUG: AuthBy GROUP result: ACCEPT,
Tue Nov 15 10:25:28 2011: DEBUG: Access accepted for connolly
Tue Nov 15 10:25:28 2011: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  <221><30><24><221>-<186> <182>@K<23><196>~<172><171><180>
Attributes:
      tacacsgroup = netadmin

Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection result Access-Accept
Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:11934
Tue Nov 15 10:25:28 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:62567
Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 3452448878, 51
Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd*
Tue Nov 15 10:25:28 2011: DEBUG: AuthorizeGroup rule match found: permit .* {  }
Tue Nov 15 10:25:28 2011: INFO: Authorization permitted for connolly at xxx.xxx.11.242, group netadmin, args service=shell cmd*
Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:62567
Tue Nov 15 10:25:32 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:46572
Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 470062485, 68
Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection Authorization REQUEST 1, 0, 1, 0, connolly, tty1, xxx.xxx.11.1, 3, service=shell cmd=exit cmd-arg=<cr>
Tue Nov 15 10:25:32 2011: DEBUG: AuthorizeGroup rule match found: permit .* {  }
Tue Nov 15 10:25:32 2011: INFO: Authorization permitted for connolly at xxx.xxx.11.242, group netadmin, args service=shell cmd=exit cmd-arg=<cr>
Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:46572
Tue Nov 15 10:25:32 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:57867
Tue Nov 15 10:25:32 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:34089
Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection request 192, 3, 1, 0, 109442261, 119
Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection Accounting REQUEST 4, 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 6, task_id=151 timezone=est service=shell start_time=1321370732 priv-lvl=0 cmd=exit <cr>
Tue Nov 15 10:25:32 2011: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Accounting-Request
Identifier: UNDEF
Authentic:  0<142><185><169>8<222>/=3<18>JQ<27><215><174><128>
Attributes:
      NAS-IP-Address = xxx.xxx.11.242
      NAS-Port-Id = "tty1"
      Calling-Station-Id = "xxx.xxx.11.1"
      NAS-Identifier = "TACACS"
      User-Name = "connolly"
      Acct-Status-Type = Stop
      Acct-Session-Id = "109442261"
      cisco-avpair = "task_id=151"
      cisco-avpair = "timezone=est"
      cisco-avpair = "service=shell"
      cisco-avpair = "start_time=1321370732"
      cisco-avpair = "priv-lvl=0"
      cisco-avpair = "cmd=exit <cr>"
      OSC-Version-Identifier = "192"

Tue Nov 15 10:25:32 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Tue Nov 15 10:25:32 2011: DEBUG:  Deleting session for connolly, xxx.xxx.11.242,
Tue Nov 15 10:25:32 2011: DEBUG: Handling with Radius::AuthGROUP: GetUser
Tue Nov 15 10:25:32 2011: DEBUG: Handling with Radius::AuthLSA:
Tue Nov 15 10:25:32 2011: DEBUG: Radius::AuthGROUP:GetUser  result: ACCEPT,
Tue Nov 15 10:25:32 2011: DEBUG: AuthBy GROUP result: ACCEPT,
Tue Nov 15 10:25:32 2011: DEBUG: Accounting accepted
Tue Nov 15 10:25:32 2011: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code:       Accounting-Response
Identifier: UNDEF
Authentic:  0<142><185><169>8<222>/=3<18>JQ<27><215><174><128>
Attributes:

Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection result Accounting-Response
Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection Accounting REPLY 1, ,
Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:57867
Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection request 192, 3, 1, 0, 2169240497, 179
Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection Accounting REQUEST 4, 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 9, task_id=151 timezone=est service=shell start_time=1321370728 disc-cause=1 disc-cause-ext=9 pre-session-time=7 elapsed_time=4 stop_time=1321370732
Tue Nov 15 10:25:32 2011: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Accounting-Request
Identifier: UNDEF
Authentic:   0'j<209><138><137><180>S<209><156><243><175><7>hS
Attributes:
      NAS-IP-Address = xxx.xxx.11.242
      NAS-Port-Id = "tty1"
      Calling-Station-Id = "xxx.xxx.11.1"
      NAS-Identifier = "TACACS"
      User-Name = "connolly"
      Acct-Status-Type = Stop
      Acct-Session-Id = "2169240497"
      cisco-avpair = "task_id=151"
      cisco-avpair = "timezone=est"
      cisco-avpair = "service=shell"
      cisco-avpair = "start_time=1321370728"
      cisco-avpair = "disc-cause=1"
      cisco-avpair = "disc-cause-ext=9"
      cisco-avpair = "pre-session-time=7"
      cisco-avpair = "elapsed_time=4"
      cisco-avpair = "stop_time=1321370732"
      OSC-Version-Identifier = "192"

Tue Nov 15 10:25:32 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Tue Nov 15 10:25:32 2011: DEBUG:  Deleting session for connolly, xxx.xxx.11.242,
Tue Nov 15 10:25:32 2011: DEBUG: Handling with Radius::AuthGROUP: GetUser
Tue Nov 15 10:25:32 2011: DEBUG: Handling with Radius::AuthLSA:
Tue Nov 15 10:25:32 2011: DEBUG: Radius::AuthGROUP:GetUser  result: ACCEPT,
Tue Nov 15 10:25:32 2011: DEBUG: AuthBy GROUP result: ACCEPT,
Tue Nov 15 10:25:32 2011: DEBUG: Accounting accepted
Tue Nov 15 10:25:32 2011: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code:       Accounting-Response
Identifier: UNDEF
Authentic:   0'j<209><138><137><180>S<209><156><243><175><7>hS
Attributes:

Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection result Accounting-Response
Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection Accounting REPLY 1, ,
Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:34089





-----Original Message-----
From: Heikki Vatiainen [mailto:hvn at open.com.au]
Sent: Tuesday, November 15, 2011 10:22 AM
To: Kim, Steve
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] Radiator 4.9 and cisco-avpair



On 11/15/2011 05:08 PM, Kim, Steve wrote:



Hello Steve,



the AuthorizeGroup line does not match what Cisco requests. Try this:



#AuthorizeGroup netadmin permit service=shell cmd=\* {cisco-avpair="priv-lvl=15"}
AuthorizeGroup netadmin permit service=shell cmd=connect cmd-arg=exitr cmd-arg=<cr> {cisco-avpair="priv-lvl=15"}
AuthorizeGroup netadmin permit .*



The commented out AuthorizeGroup is replaced by one that matches what is requested by the client.



Please let us know how this works.



Thanks!
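Added example (not Radiator's code, and not from either poster): a small Python matcher that reproduces how the AuthorizeGroup rules in this thread line up against the two authorization requests in the log above. It assumes that a rule's pattern is a Perl-style regular expression searched against the space-joined argument string that Radiator logs as "args service=shell cmd*", and that the first matching rule wins; both are assumptions inferred from the log lines, not documented here. The rule names, the constructed pattern "service=shell cmd\*" and the default-deny fallback are mine. Under those assumptions the commented-out rule "service=shell cmd=\*" looks for the literal text "cmd=*", which neither request carries, so both requests fall through to the catch-all "permit .* {  }" seen in the log, which returns no cisco-avpair at all. That is the thing to check whenever a catch-all permit sits at the end of the list: it masks rules above it that never match, because authorization still succeeds, just without the intended attributes.

```python
import re

# Added example, not Radiator's own code. Assumptions (inferred from the
# log, not confirmed by this thread): each AuthorizeGroup pattern is a
# Perl-style regex searched against the space-joined TACACS+ argument
# string, rules are tried in order, and the first match wins.

# Rule set from Heikki's suggested config, in order (commented rule omitted).
SUGGESTED_RULES = [
    ("permit", r"service=shell cmd=connect cmd-arg=exitr cmd-arg=<cr>",
     {"cisco-avpair": "priv-lvl=15"}),
    ("permit", r".*", {}),
]

# The rule Heikki commented out: "\*" matches a literal star after "cmd=".
COMMENTED_RULE = ("permit", r"service=shell cmd=\*", {"cisco-avpair": "priv-lvl=15"})

# Constructed rule (assumption, not from the thread): the shell-start
# request carries the literal "cmd*", so the star follows "cmd", not "cmd=".
CONSTRUCTED_SHELL_RULE = ("permit", r"service=shell cmd\*", {"cisco-avpair": "priv-lvl=15"})

# Argument strings copied from the two Authorization REQUEST lines in the log.
SHELL_START_ARGS = "service=shell cmd*"
EXIT_CMD_ARGS = "service=shell cmd=exit cmd-arg=<cr>"


def rule_matches(pattern, args):
    """True if the rule's regex is found anywhere in the argument string."""
    return re.search(pattern, args) is not None


def authorize(rules, args):
    """Return (action, attrs, pattern) of the first matching rule.

    When nothing matches, fall back to deny with no attributes (an assumed
    default; the thread's config avoids it with a trailing 'permit .*').
    """
    for action, pattern, attrs in rules:
        if rule_matches(pattern, args):
            return action, dict(attrs), pattern
    return "deny", {}, None


def trace(rules, args):
    """Evaluate every rule against args and report which ones hit.

    Useful for spotting a dead rule shadowed by a catch-all: the first
    hit decides the outcome, but later hits show what else would apply.
    """
    hits = [pattern for _, pattern, _ in rules if rule_matches(pattern, args)]
    action, attrs, winner = authorize(rules, args)
    return {"args": args, "hits": hits, "winner": winner,
            "action": action, "attrs": attrs}


if __name__ == "__main__":
    for args in (SHELL_START_ARGS, EXIT_CMD_ARGS):
        print("commented rule matches?", rule_matches(COMMENTED_RULE[1], args), "for", args)
        print(trace(SUGGESTED_RULES, args))
    # Putting the constructed rule first gives the shell-start request its
    # priv-lvl attribute instead of the empty attribute set from 'permit .*'.
    print(trace([CONSTRUCTED_SHELL_RULE] + SUGGESTED_RULES, SHELL_START_ARGS))
```

Running the script prints, for each request, whether the commented-out rule would have matched (it does not for either) and which rule actually decided the outcome (the catch-all in both cases, with an empty attribute set), which is exactly what the "rule match found: permit .* {  }" lines in the log show.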

