[RADIATOR] Radiator 4.9 and cisco-avpair
Heikki Vatiainen
hvn at open.com.au
Tue Nov 15 09:51:41 CST 2011
On 11/15/2011 05:42 PM, Kim, Steve wrote:
Hmm, let's see now. The first authorization request is this:
Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection Authorization
REQUEST 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd*
The request should be matched by this AuthorizeGroup:
AuthorizeGroup netadmin permit service=shell cmd=\*
{cisco-avpair="priv-lvl=15"}
Your previous message had this:
09:42:02 2011: DEBUG: TacacsplusConnection Authorization REQUEST 1, 1,
1, 0, connolly, tty1, xxx.xxx.11.1, 4, service=shell cmd=connect
cmd-arg=exitr cmd-arg=<cr>
That would have matched by this:
AuthorizeGroup netadmin permit service=shell cmd=connect cmd-arg=exitr
cmd-arg=<cr> {cisco-avpair="priv-lvl=15"}
Taking a better look at this, this is just a command with typo (extir)
so what you should have is:
AuthorizeGroup netadmin permit service=shell cmd=\*
{cisco-avpair="priv-lvl=15"}
AuthorizeGroup netadmin permit .*
If it will not work, please reply with a log that shows the initial
TACACAS+ authentication and the authorization that follows.
Thanks!
Heikki
> Tue Nov 15 10:25:28 2011: DEBUG: Handling request with Handler
> 'Realm=DEFAULT', Identifier ''
>
> Tue Nov 15 10:25:28 2011: DEBUG: Deleting session for connolly,
> xxx.xxx.11.242,
>
> Tue Nov 15 10:25:28 2011: DEBUG: Handling with Radius::AuthGROUP: GetUser
>
> Tue Nov 15 10:25:28 2011: DEBUG: Handling with Radius::AuthLSA:
>
> Tue Nov 15 10:25:28 2011: DEBUG: Radius::AuthLSA looks for match with
> connolly [connolly]
>
> Tue Nov 15 10:25:28 2011: DEBUG: Checking LSA Group membership for
> dcny001, networking_staff, connolly
>
> Tue Nov 15 10:25:28 2011: DEBUG: Radius::AuthLSA ACCEPT: : connolly
> [connolly]
>
> Tue Nov 15 10:25:28 2011: DEBUG: Radius::AuthGROUP:GetUser result: ACCEPT,
>
> Tue Nov 15 10:25:28 2011: DEBUG: AuthBy GROUP result: ACCEPT,
>
> Tue Nov 15 10:25:28 2011: DEBUG: Access accepted for connolly
>
> Tue Nov 15 10:25:28 2011: DEBUG: Packet dump:
>
> *** Reply to TACACSPLUS request:
>
> Code: Access-Accept
>
> Identifier: UNDEF
>
> Authentic: <221><30><24><221>-<186> <182>@K<23><196>~<172><171><180>
>
> Attributes:
>
> tacacsgroup = netadmin
>
>
>
> Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection result Access-Accept
>
> Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection Authentication
> REPLY 1, 0, ,
>
> Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection disconnected from
> xxx.xxx.11.242:11934
>
> Tue Nov 15 10:25:28 2011: DEBUG: New TacacsplusConnection created for
> xxx.xxx.11.242:62567
>
> Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection request 192, 2, 1,
> 0, 3452448878, 51
>
> Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection Authorization
> REQUEST 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd*
>
> Tue Nov 15 10:25:28 2011: DEBUG: AuthorizeGroup rule match found: permit
> .* { }
>
> Tue Nov 15 10:25:28 2011: INFO: Authorization permitted for connolly at
> xxx.xxx.11.242, group netadmin, args service=shell cmd*
>
> Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection Authorization
> RESPONSE 1, , ,
>
> Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection disconnected from
> xxx.xxx.11.242:62567
>
> Tue Nov 15 10:25:32 2011: DEBUG: New TacacsplusConnection created for
> xxx.xxx.11.242:46572
>
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection request 192, 2, 1,
> 0, 470062485, 68
>
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection Authorization
> REQUEST 1, 0, 1, 0, connolly, tty1, xxx.xxx.11.1, 3, service=shell
> cmd=exit cmd-arg=<cr>
>
> Tue Nov 15 10:25:32 2011: DEBUG: AuthorizeGroup rule match found: permit
> .* { }
>
> Tue Nov 15 10:25:32 2011: INFO: Authorization permitted for connolly at
> xxx.xxx.11.242, group netadmin, args service=shell cmd=exit cmd-arg=<cr>
>
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection Authorization
> RESPONSE 1, , ,
>
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection disconnected from
> xxx.xxx.11.242:46572
>
> Tue Nov 15 10:25:32 2011: DEBUG: New TacacsplusConnection created for
> xxx.xxx.11.242:57867
>
> Tue Nov 15 10:25:32 2011: DEBUG: New TacacsplusConnection created for
> xxx.xxx.11.242:34089
>
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection request 192, 3, 1,
> 0, 109442261, 119
>
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection Accounting REQUEST
> 4, 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 6, task_id=151 timezone=est
> service=shell start_time=1321370732 priv-lvl=0 cmd=exit <cr>
>
> Tue Nov 15 10:25:32 2011: DEBUG: TACACSPLUS derived Radius request
> packet dump:
>
> Code: Accounting-Request
>
> Identifier: UNDEF
>
> Authentic: 0<142><185><169>8<222>/=3<18>JQ<27><215><174><128>
>
> Attributes:
>
> NAS-IP-Address = xxx.xxx.11.242
>
> NAS-Port-Id = "tty1"
>
> Calling-Station-Id = "xxx.xxx.11.1"
>
> NAS-Identifier = "TACACS"
>
> User-Name = "connolly"
>
> Acct-Status-Type = Stop
>
> Acct-Session-Id = "109442261"
>
> cisco-avpair = "task_id=151"
>
> cisco-avpair = "timezone=est"
>
> cisco-avpair = "service=shell"
>
> cisco-avpair = "start_time=1321370732"
>
> cisco-avpair = "priv-lvl=0"
>
> cisco-avpair = "cmd=exit <cr>"
>
> OSC-Version-Identifier = "192"
>
>
>
> Tue Nov 15 10:25:32 2011: DEBUG: Handling request with Handler
> 'Realm=DEFAULT', Identifier ''
>
> Tue Nov 15 10:25:32 2011: DEBUG: Deleting session for connolly,
> xxx.xxx.11.242,
>
> Tue Nov 15 10:25:32 2011: DEBUG: Handling with Radius::AuthGROUP: GetUser
>
> Tue Nov 15 10:25:32 2011: DEBUG: Handling with Radius::AuthLSA:
>
> Tue Nov 15 10:25:32 2011: DEBUG: Radius::AuthGROUP:GetUser result: ACCEPT,
>
> Tue Nov 15 10:25:32 2011: DEBUG: AuthBy GROUP result: ACCEPT,
>
> Tue Nov 15 10:25:32 2011: DEBUG: Accounting accepted
>
> Tue Nov 15 10:25:32 2011: DEBUG: Packet dump:
>
> *** Reply to TACACSPLUS request:
>
> Code: Accounting-Response
>
> Identifier: UNDEF
>
> Authentic: 0<142><185><169>8<222>/=3<18>JQ<27><215><174><128>
>
> Attributes:
>
>
>
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection result
> Accounting-Response
>
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection Accounting REPLY
> 1, ,
>
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection disconnected from
> xxx.xxx.11.242:57867
>
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection request 192, 3, 1,
> 0, 2169240497, 179
>
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection Accounting REQUEST
> 4, 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 9, task_id=151 timezone=est
> service=shell start_time=1321370728 disc-cause=1 disc-cause-ext=9
> pre-session-time=7 elapsed_time=4 stop_time=1321370732
>
> Tue Nov 15 10:25:32 2011: DEBUG: TACACSPLUS derived Radius request
> packet dump:
>
> Code: Accounting-Request
>
> Identifier: UNDEF
>
> Authentic: 0'j<209><138><137><180>S<209><156><243><175><7>hS
>
> Attributes:
>
> NAS-IP-Address = xxx.xxx.11.242
>
> NAS-Port-Id = "tty1"
>
> Calling-Station-Id = "xxx.xxx.11.1"
>
> NAS-Identifier = "TACACS"
>
> User-Name = "connolly"
>
> Acct-Status-Type = Stop
>
> Acct-Session-Id = "2169240497"
>
> cisco-avpair = "task_id=151"
>
> cisco-avpair = "timezone=est"
>
> cisco-avpair = "service=shell"
>
> cisco-avpair = "start_time=1321370728"
>
> cisco-avpair = "disc-cause=1"
>
> cisco-avpair = "disc-cause-ext=9"
>
> cisco-avpair = "pre-session-time=7"
>
> cisco-avpair = "elapsed_time=4"
>
> cisco-avpair = "stop_time=1321370732"
>
> OSC-Version-Identifier = "192"
>
>
>
> Tue Nov 15 10:25:32 2011: DEBUG: Handling request with Handler
> 'Realm=DEFAULT', Identifier ''
>
> Tue Nov 15 10:25:32 2011: DEBUG: Deleting session for connolly,
> xxx.xxx.11.242,
>
> Tue Nov 15 10:25:32 2011: DEBUG: Handling with Radius::AuthGROUP: GetUser
>
> Tue Nov 15 10:25:32 2011: DEBUG: Handling with Radius::AuthLSA:
>
> Tue Nov 15 10:25:32 2011: DEBUG: Radius::AuthGROUP:GetUser result: ACCEPT,
>
> Tue Nov 15 10:25:32 2011: DEBUG: AuthBy GROUP result: ACCEPT,
>
> Tue Nov 15 10:25:32 2011: DEBUG: Accounting accepted
>
> Tue Nov 15 10:25:32 2011: DEBUG: Packet dump:
>
> *** Reply to TACACSPLUS request:
>
> Code: Accounting-Response
>
> Identifier: UNDEF
>
> Authentic: 0'j<209><138><137><180>S<209><156><243><175><7>hS
>
> Attributes:
>
>
>
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection result
> Accounting-Response
>
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection Accounting REPLY
> 1, ,
>
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection disconnected from
> xxx.xxx.11.242:34089
>
>
>
>
>
> -----Original Message-----
> From: Heikki Vatiainen [mailto:hvn at open.com.au]
> Sent: Tuesday, November 15, 2011 10:22 AM
> To: Kim, Steve
> Cc: radiator at open.com.au
> Subject: Re: [RADIATOR] Radiator 4.9 and cisco-avpair
>
>
>
> On 11/15/2011 05:08 PM, Kim, Steve wrote:
>
>
>
> Hello Steve,
>
>
>
> the AuthorizeGroup line does not match what Cisco requests. Try this:
>
>
>
> #AuthorizeGroup netadmin permit service=shell cmd=\*
> {cisco-avpair="priv-lvl=15"} AuthorizeGroup netadmin permit
> service=shell cmd=connect cmd-arg=exitr cmd-arg=<cr>
> {cisco-avpair="priv-lvl=15"} AuthorizeGroup netadmin permit .*
>
>
>
> The commented out AuthorizeGroup is replaced by one that matches what is
> requested by the client.
>
>
>
> Please let us know how this works.
>
>
>
> Thanks!
>
>
>
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
More information about the radiator
mailing list