[RADIATOR] Radiator 4.9 and cisco-avpair

Kim, Steve steve.kim at davispolk.com
Tue Nov 15 10:25:22 CST 2011 

Well... it did not work. The user gets level-1 permission. Here is the initial tacacs+ log.

 Tue Nov 15 11:14:19 2011: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for , tty1, xxx.xxx.11.1
Tue Nov 15 11:14:19 2011: DEBUG: TacacsplusConnection Authentication REPLY 4, 0, Username:,  
Tue Nov 15 11:14:22 2011: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 128798430, 13
Tue Nov 15 11:14:22 2011: DEBUG: TacacsplusConnection Authentication CONTINUE 0, connolly, 
Tue Nov 15 11:14:22 2011: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password:,  
Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 128798430, 16
Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authentication CONTINUE 0, **obscured**, 
Tue Nov 15 11:14:25 2011: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <200><26>*LJ<161><170><214><169>'U<180><192><253><24><253>
Attributes:
	NAS-IP-Address = xxx.xxx.11.242
	NAS-Port-Id = "tty1"
	Calling-Station-Id = "xxx.xxx.11.1"
	Service-Type = Login-User
	NAS-Identifier = "TACACS"
	User-Name = "connolly"
	User-Password = **obscured**
	cisco-avpair = "action=1"
	cisco-avpair = "authen_type=1"
	cisco-avpair = "priv-lvl=1"
	cisco-avpair = "service=1"
	OSC-Version-Identifier = "192"

Tue Nov 15 11:14:25 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Tue Nov 15 11:14:25 2011: DEBUG:  Deleting session for connolly, xxx.xxx.11.242, 
Tue Nov 15 11:14:25 2011: DEBUG: Handling with Radius::AuthGROUP: GetUser
Tue Nov 15 11:14:25 2011: DEBUG: Handling with Radius::AuthLSA: 
Tue Nov 15 11:14:25 2011: DEBUG: Radius::AuthLSA looks for match with connolly [connolly]
Tue Nov 15 11:14:25 2011: DEBUG: Checking LSA Group membership for dcny001, networking_staff, connolly
Tue Nov 15 11:14:25 2011: DEBUG: Radius::AuthLSA ACCEPT: : connolly [connolly]
Tue Nov 15 11:14:25 2011: DEBUG: Radius::AuthGROUP:GetUser  result: ACCEPT, 
Tue Nov 15 11:14:25 2011: DEBUG: AuthBy GROUP result: ACCEPT, 
Tue Nov 15 11:14:25 2011: DEBUG: Access accepted for connolly
Tue Nov 15 11:14:25 2011: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  <200><26>*LJ<161><170><214><169>'U<180><192><253><24><253>
Attributes:
	tacacsgroup = netadmin

Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection result Access-Accept
Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,  
Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:46059
Tue Nov 15 11:14:25 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:34694
Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 1978405596, 51
Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd*
Tue Nov 15 11:14:25 2011: DEBUG: AuthorizeGroup rule match found: permit .* {  }
Tue Nov 15 11:14:25 2011: INFO: Authorization permitted for connolly at xxx.xxx.11.242, group netadmin, args service=shell cmd*
Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , 
Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:34694
Tue Nov 15 11:16:07 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:62601
Tue Nov 15 11:16:07 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 2743768762, 68
Tue Nov 15 11:16:07 2011: DEBUG: TacacsplusConnection Authorization REQUEST 1, 0, 1, 0, connolly, tty1, xxx.xxx.11.1, 3, service=shell cmd=exit cmd-arg=<cr>
Tue Nov 15 11:16:07 2011: DEBUG: AuthorizeGroup rule match found: permit .* {  }
Tue Nov 15 11:16:07 2011: INFO: Authorization permitted for connolly at xxx.xxx.11.242, group netadmin, args service=shell cmd=exit cmd-arg=<cr>
Tue Nov 15 11:16:07 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , 
Tue Nov 15 11:16:07 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:62601

-----Original Message-----
From: Heikki Vatiainen [mailto:hvn at open.com.au] 
Sent: Tuesday, November 15, 2011 10:52 AM
To: Kim, Steve
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] Radiator 4.9 and cisco-avpair

On 11/15/2011 05:42 PM, Kim, Steve wrote:

Hmm, let's see now. The first authorization request is this:

Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd*

The request should be matched by this AuthorizeGroup:

AuthorizeGroup netadmin permit service=shell cmd=\* {cisco-avpair="priv-lvl=15"}



Your previous message had this:
09:42:02 2011: DEBUG: TacacsplusConnection Authorization REQUEST 1, 1, 1, 0, connolly, tty1, xxx.xxx.11.1, 4, service=shell cmd=connect cmd-arg=exitr cmd-arg=<cr>

That would have matched by this:

AuthorizeGroup netadmin permit service=shell cmd=connect cmd-arg=exitr cmd-arg=<cr> {cisco-avpair="priv-lvl=15"}

Taking a better look at this, this is just a command with typo (extir) so what you should have is:

AuthorizeGroup netadmin permit service=shell cmd=\* {cisco-avpair="priv-lvl=15"} AuthorizeGroup netadmin permit .*


If it will not work, please reply with a log that shows the initial
TACACAS+ authentication and the authorization that follows.

Thanks!
Heikki

More information about the radiator mailing list