[RADIATOR] Radiator 4.9 and cisco-avpair

Heikki Vatiainen hvn at open.com.au
Tue Nov 15 10:58:44 CST 2011 

On 11/15/2011 06:25 PM, Kim, Steve wrote:
> Well... it did not work. The user gets level-1 permission. Here is the initial tacacs+ log.

I think I've got it now. Note the authorization request arguments:

Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authorization
REQUEST 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd*

The config should have this:
AuthorizeGroup netadmin permit service=shell cmd\*
{cisco-avpair="priv-lvl=15"}

instead of this:

AuthorizeGroup netadmin permit service=shell cmd=\*
{cisco-avpair="priv-lvl=15"}

Notice Cisco sends cmd*, not cmd=*

Heikki



>  Tue Nov 15 11:14:19 2011: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for , tty1, xxx.xxx.11.1
> Tue Nov 15 11:14:19 2011: DEBUG: TacacsplusConnection Authentication REPLY 4, 0, Username:,  
> Tue Nov 15 11:14:22 2011: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 128798430, 13
> Tue Nov 15 11:14:22 2011: DEBUG: TacacsplusConnection Authentication CONTINUE 0, connolly, 
> Tue Nov 15 11:14:22 2011: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password:,  
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 128798430, 16
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authentication CONTINUE 0, **obscured**, 
> Tue Nov 15 11:14:25 2011: DEBUG: TACACSPLUS derived Radius request packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <200><26>*LJ<161><170><214><169>'U<180><192><253><24><253>
> Attributes:
> 	NAS-IP-Address = xxx.xxx.11.242
> 	NAS-Port-Id = "tty1"
> 	Calling-Station-Id = "xxx.xxx.11.1"
> 	Service-Type = Login-User
> 	NAS-Identifier = "TACACS"
> 	User-Name = "connolly"
> 	User-Password = **obscured**
> 	cisco-avpair = "action=1"
> 	cisco-avpair = "authen_type=1"
> 	cisco-avpair = "priv-lvl=1"
> 	cisco-avpair = "service=1"
> 	OSC-Version-Identifier = "192"
> 
> Tue Nov 15 11:14:25 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
> Tue Nov 15 11:14:25 2011: DEBUG:  Deleting session for connolly, xxx.xxx.11.242, 
> Tue Nov 15 11:14:25 2011: DEBUG: Handling with Radius::AuthGROUP: GetUser
> Tue Nov 15 11:14:25 2011: DEBUG: Handling with Radius::AuthLSA: 
> Tue Nov 15 11:14:25 2011: DEBUG: Radius::AuthLSA looks for match with connolly [connolly]
> Tue Nov 15 11:14:25 2011: DEBUG: Checking LSA Group membership for dcny001, networking_staff, connolly
> Tue Nov 15 11:14:25 2011: DEBUG: Radius::AuthLSA ACCEPT: : connolly [connolly]
> Tue Nov 15 11:14:25 2011: DEBUG: Radius::AuthGROUP:GetUser  result: ACCEPT, 
> Tue Nov 15 11:14:25 2011: DEBUG: AuthBy GROUP result: ACCEPT, 
> Tue Nov 15 11:14:25 2011: DEBUG: Access accepted for connolly
> Tue Nov 15 11:14:25 2011: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  <200><26>*LJ<161><170><214><169>'U<180><192><253><24><253>
> Attributes:
> 	tacacsgroup = netadmin
> 
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection result Access-Accept
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,  
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:46059
> Tue Nov 15 11:14:25 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:34694
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 1978405596, 51
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd*
> Tue Nov 15 11:14:25 2011: DEBUG: AuthorizeGroup rule match found: permit .* {  }
> Tue Nov 15 11:14:25 2011: INFO: Authorization permitted for connolly at xxx.xxx.11.242, group netadmin, args service=shell cmd*
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , 
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:34694
> Tue Nov 15 11:16:07 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:62601
> Tue Nov 15 11:16:07 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 2743768762, 68
> Tue Nov 15 11:16:07 2011: DEBUG: TacacsplusConnection Authorization REQUEST 1, 0, 1, 0, connolly, tty1, xxx.xxx.11.1, 3, service=shell cmd=exit cmd-arg=<cr>
> Tue Nov 15 11:16:07 2011: DEBUG: AuthorizeGroup rule match found: permit .* {  }
> Tue Nov 15 11:16:07 2011: INFO: Authorization permitted for connolly at xxx.xxx.11.242, group netadmin, args service=shell cmd=exit cmd-arg=<cr>
> Tue Nov 15 11:16:07 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , 
> Tue Nov 15 11:16:07 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:62601
> 
> -----Original Message-----
> From: Heikki Vatiainen [mailto:hvn at open.com.au] 
> Sent: Tuesday, November 15, 2011 10:52 AM
> To: Kim, Steve
> Cc: radiator at open.com.au
> Subject: Re: [RADIATOR] Radiator 4.9 and cisco-avpair
> 
> On 11/15/2011 05:42 PM, Kim, Steve wrote:
> 
> Hmm, let's see now. The first authorization request is this:
> 
> Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd*
> 
> The request should be matched by this AuthorizeGroup:
> 
> AuthorizeGroup netadmin permit service=shell cmd=\* {cisco-avpair="priv-lvl=15"}
> 
> 
> 
> Your previous message had this:
> 09:42:02 2011: DEBUG: TacacsplusConnection Authorization REQUEST 1, 1, 1, 0, connolly, tty1, xxx.xxx.11.1, 4, service=shell cmd=connect cmd-arg=exitr cmd-arg=<cr>
> 
> That would have matched by this:
> 
> AuthorizeGroup netadmin permit service=shell cmd=connect cmd-arg=exitr cmd-arg=<cr> {cisco-avpair="priv-lvl=15"}
> 
> Taking a better look at this, this is just a command with typo (extir) so what you should have is:
> 
> AuthorizeGroup netadmin permit service=shell cmd=\* {cisco-avpair="priv-lvl=15"} AuthorizeGroup netadmin permit .*
> 
> 
> If it will not work, please reply with a log that shows the initial
> TACACAS+ authentication and the authorization that follows.
> 
> Thanks!
> Heikki
> 
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

More information about the radiator mailing list