[RADIATOR] Radiator 4.9 and cisco-avpair

Kim, Steve steve.kim at davispolk.com
Tue Nov 15 11:20:27 CST 2011


I think this time it looks better. However, my user tells me that he still gets level-1 as below:

Username:connolly
Password:

tacacs-test>
tacacs-test>
tacacs-test>
tacacs-test> 
tacacs-test>enable  (I had to enter this command)
Password: 
tacacs-test#

I am still only being put in level 1.


Here is the log that reflects the above:

Tue Nov 15 12:10:27 2011: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  <216><16><173><169><212><173>l<216>|<163><6><164><11><221>z_
Attributes:
	tacacsgroup = netadmin

Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection result Access-Accept
Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,  
Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:44082
Tue Nov 15 12:10:27 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:62420
Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 2531823864, 51
Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd*
Tue Nov 15 12:10:27 2011: DEBUG: AuthorizeGroup rule match found: permit service=shell cmd\* { cisco-avpair=priv-lvl=15 }
Tue Nov 15 12:10:27 2011: INFO: Authorization permitted for connolly at xxx.xxx.11.242, group netadmin, args service=shell cmd*
Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , cisco-avpair=priv-lvl=15
Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:62420
Tue Nov 15 12:13:19 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:29509
Tue Nov 15 12:13:19 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 1514782278, 70
Tue Nov 15 12:13:19 2011: DEBUG: TacacsplusConnection Authorization REQUEST 1, 0, 1, 0, connolly, tty1, xxx.xxx.11.1, 3, service=shell cmd=enable cmd-arg=<cr>
Tue Nov 15 12:13:19 2011: DEBUG: AuthorizeGroup rule match found: permit .* {  }
Tue Nov 15 12:13:19 2011: INFO: Authorization permitted for connolly at xxx.xxx.11.242, group netadmin, args service=shell cmd=enable cmd-arg=<cr>
Tue Nov 15 12:13:19 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , 
Tue Nov 15 12:13:19 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:29509

-----Original Message-----
From: Heikki Vatiainen [mailto:hvn at open.com.au] 
Sent: Tuesday, November 15, 2011 11:59 AM
To: Kim, Steve
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] Radiator 4.9 and cisco-avpair

On 11/15/2011 06:25 PM, Kim, Steve wrote:
> Well... it did not work. The user gets level-1 permission. Here is the initial tacacs+ log.

I think I've got it now. Note the authorization request arguments:

Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd*

The config should have this:
AuthorizeGroup netadmin permit service=shell cmd\* {cisco-avpair="priv-lvl=15"}

instead of this:

AuthorizeGroup netadmin permit service=shell cmd=\* {cisco-avpair="priv-lvl=15"}

Notice that Cisco sends cmd*, not cmd=*.

Heikki



> Tue Nov 15 11:14:19 2011: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for , tty1, xxx.xxx.11.1
> Tue Nov 15 11:14:19 2011: DEBUG: TacacsplusConnection Authentication REPLY 4, 0, Username:,
> Tue Nov 15 11:14:22 2011: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 128798430, 13
> Tue Nov 15 11:14:22 2011: DEBUG: TacacsplusConnection Authentication CONTINUE 0, connolly,
> Tue Nov 15 11:14:22 2011: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password:,
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 128798430, 16
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authentication CONTINUE 0, **obscured**,
> Tue Nov 15 11:14:25 2011: DEBUG: TACACSPLUS derived Radius request packet dump:

> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <200><26>*LJ<161><170><214><169>'U<180><192><253><24><253>
> Attributes:
> 	NAS-IP-Address = xxx.xxx.11.242
> 	NAS-Port-Id = "tty1"
> 	Calling-Station-Id = "xxx.xxx.11.1"
> 	Service-Type = Login-User
> 	NAS-Identifier = "TACACS"
> 	User-Name = "connolly"
> 	User-Password = **obscured**
> 	cisco-avpair = "action=1"
> 	cisco-avpair = "authen_type=1"
> 	cisco-avpair = "priv-lvl=1"
> 	cisco-avpair = "service=1"
> 	OSC-Version-Identifier = "192"
> 
> Tue Nov 15 11:14:25 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
> Tue Nov 15 11:14:25 2011: DEBUG:  Deleting session for connolly, xxx.xxx.11.242,
> Tue Nov 15 11:14:25 2011: DEBUG: Handling with Radius::AuthGROUP: GetUser
> Tue Nov 15 11:14:25 2011: DEBUG: Handling with Radius::AuthLSA:
> Tue Nov 15 11:14:25 2011: DEBUG: Radius::AuthLSA looks for match with connolly [connolly]
> Tue Nov 15 11:14:25 2011: DEBUG: Checking LSA Group membership for dcny001, networking_staff, connolly
> Tue Nov 15 11:14:25 2011: DEBUG: Radius::AuthLSA ACCEPT: : connolly [connolly]
> Tue Nov 15 11:14:25 2011: DEBUG: Radius::AuthGROUP:GetUser  result: ACCEPT,
> Tue Nov 15 11:14:25 2011: DEBUG: AuthBy GROUP result: ACCEPT,
> Tue Nov 15 11:14:25 2011: DEBUG: Access accepted for connolly
> Tue Nov 15 11:14:25 2011: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  <200><26>*LJ<161><170><214><169>'U<180><192><253><24><253>
> Attributes:
> 	tacacsgroup = netadmin
> 
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection result Access-Accept
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:46059
> Tue Nov 15 11:14:25 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:34694
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 1978405596, 51
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd*
> Tue Nov 15 11:14:25 2011: DEBUG: AuthorizeGroup rule match found: permit .* {  }
> Tue Nov 15 11:14:25 2011: INFO: Authorization permitted for connolly at xxx.xxx.11.242, group netadmin, args service=shell cmd*
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:34694
> Tue Nov 15 11:16:07 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:62601
> Tue Nov 15 11:16:07 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 2743768762, 68
> Tue Nov 15 11:16:07 2011: DEBUG: TacacsplusConnection Authorization REQUEST 1, 0, 1, 0, connolly, tty1, xxx.xxx.11.1, 3, service=shell cmd=exit cmd-arg=<cr>
> Tue Nov 15 11:16:07 2011: DEBUG: AuthorizeGroup rule match found: permit .* {  }
> Tue Nov 15 11:16:07 2011: INFO: Authorization permitted for connolly at xxx.xxx.11.242, group netadmin, args service=shell cmd=exit cmd-arg=<cr>
> Tue Nov 15 11:16:07 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
> Tue Nov 15 11:16:07 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:62601
> 
> -----Original Message-----
> From: Heikki Vatiainen [mailto:hvn at open.com.au]
> Sent: Tuesday, November 15, 2011 10:52 AM
> To: Kim, Steve
> Cc: radiator at open.com.au
> Subject: Re: [RADIATOR] Radiator 4.9 and cisco-avpair
> 
> On 11/15/2011 05:42 PM, Kim, Steve wrote:
> 
> Hmm, let's see now. The first authorization request is this:
> 
> Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd*
> 
> The request should be matched by this AuthorizeGroup:
> 
> AuthorizeGroup netadmin permit service=shell cmd=\* {cisco-avpair="priv-lvl=15"}
> 
> 
> 
> Your previous message had this:
> 09:42:02 2011: DEBUG: TacacsplusConnection Authorization REQUEST 1, 1, 1, 0, connolly, tty1, xxx.xxx.11.1, 4, service=shell cmd=connect cmd-arg=exitr cmd-arg=<cr>
> 
> That would have matched by this:
> 
> AuthorizeGroup netadmin permit service=shell cmd=connect cmd-arg=exitr cmd-arg=<cr> {cisco-avpair="priv-lvl=15"}
> 
> Taking a better look at this, this is just a command with a typo (exitr), so what you should have is:
> 
> AuthorizeGroup netadmin permit service=shell cmd=\* {cisco-avpair="priv-lvl=15"}
> AuthorizeGroup netadmin permit .*
> 
> 
> If it will not work, please reply with a log that shows the initial
> TACACS+ authentication and the authorization that follows.
> 
> Thanks!
> Heikki
> 
> 


--
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
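As an added illustration of the rule matching Heikki describes above (example code written for this page, not from the thread or from Radiator), the following Python simulates first-match-wins AuthorizeGroup evaluation against the space-joined authorization args seen in the logs, and then checks whether a logged Authorization RESPONSE carries a privilege level under the attribute name `priv-lvl`, which is the TACACS+ shell service attribute for privilege level. It assumes Radiator applies each rule's pattern as a regular-expression search over the joined args; the rules, args and RESPONSE line are copied from the thread.

```python
import re

# Authorization args exactly as the thread's Radiator logs show them (space-joined).
# TACACS+ uses '=' for a mandatory argument and '*' for an optional one, so the
# router's initial shell request carries "cmd*" (optional, empty), not "cmd=*".
SHELL_START_ARGS = "service=shell cmd*"
ENABLE_CMD_ARGS = "service=shell cmd=enable cmd-arg=<cr>"

# AuthorizeGroup rules as (action, pattern, reply items). The first list is the
# config the thread started with, the second uses the corrected pattern.
WRONG_RULES = [("permit", r"service=shell cmd=\*", "cisco-avpair=priv-lvl=15"),
               ("permit", r".*", "")]
FIXED_RULES = [("permit", r"service=shell cmd\*", "cisco-avpair=priv-lvl=15"),
               ("permit", r".*", "")]


def authorize(rules, args):
    """First rule whose pattern matches the joined args wins (assumed Radiator
    semantics: the pattern is applied as a regex search). Returns (action, reply)."""
    for action, pattern, reply in rules:
        if re.search(pattern, args):
            return action, reply
    return "deny", ""


def response_args(logline):
    """Extract the argument list from an 'Authorization RESPONSE status, msg, data, args...' line."""
    m = re.search(r"Authorization RESPONSE (.*)$", logline)
    if not m:
        return []
    fields = [f.strip() for f in m.group(1).split(",")]
    return [a for a in fields[3:] if a]  # fields[0:3] are status, server msg, data


def shell_priv_lvl(args):
    """Privilege level the router will actually see: the value of an argument whose
    attribute NAME is priv-lvl (separator '=' or '*'), or None if no such argument."""
    for arg in args:
        m = re.match(r"^([^=*]+)[=*](.*)$", arg)
        if m and m.group(1) == "priv-lvl":
            return int(m.group(2))
    return None


# Copy of the RESPONSE line from the thread's second log (constructed sample input).
RESPONSE_LINE = ("Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection "
                 "Authorization RESPONSE 1, , , cisco-avpair=priv-lvl=15")

if __name__ == "__main__":
    print(authorize(WRONG_RULES, SHELL_START_ARGS))  # falls through to permit .*
    print(authorize(FIXED_RULES, SHELL_START_ARGS))  # reply items from the cmd\* rule
    args = response_args(RESPONSE_LINE)
    print(args, shell_priv_lvl(args))  # attribute name is cisco-avpair, not priv-lvl
```

The last check shows why a reply can be logged as permitted and still leave the user at level 1: the argument sent back is named `cisco-avpair`, so no `priv-lvl` attribute reaches the router.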

