[RADIATOR] Radiator 4.9 and cisco-avpair

Heikki Vatiainen hvn at open.com.au
Tue Nov 15 12:52:05 CST 2011


On 11/15/2011 07:20 PM, Kim, Steve wrote:

> I think this time it looks better. However, my user tells me that he still gets level-1 as below:

Radiator is now sending cisco-avpair=priv-lvl=15 back to the client. If
this does not work, you could try changing the last parameter of
AuthorizeGroup to {priv-lvl=15}.

If that still does not work, you need to check the client device's
manual to see what it expects back when changing the privilege level.

Thanks!
Heikki


> Username:connolly
> Password:
> 
> tacacs-test>
> tacacs-test>
> tacacs-test>
> tacacs-test> 
> tacacs-test>enable  (I had to enter this command)
> Password: 
> tacacs-test#
> 
> I am still only being put in level 1.
> 
> 
> Here is the log that reflects the above:
> 
> Tue Nov 15 12:10:27 2011: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  <216><16><173><169><212><173>l<216>|<163><6><164><11><221>z_
> Attributes:
> 	tacacsgroup = netadmin
> 
> Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection result Access-Accept
> Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,  
> Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:44082
> Tue Nov 15 12:10:27 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:62420
> Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 2531823864, 51
> Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd*
> Tue Nov 15 12:10:27 2011: DEBUG: AuthorizeGroup rule match found: permit service=shell cmd\* { cisco-avpair=priv-lvl=15 }
> Tue Nov 15 12:10:27 2011: INFO: Authorization permitted for connolly at xxx.xxx.11.242, group netadmin, args service=shell cmd*
> Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , cisco-avpair=priv-lvl=15
> Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:62420
> Tue Nov 15 12:13:19 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:29509
> Tue Nov 15 12:13:19 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 1514782278, 70
> Tue Nov 15 12:13:19 2011: DEBUG: TacacsplusConnection Authorization REQUEST 1, 0, 1, 0, connolly, tty1, xxx.xxx.11.1, 3, service=shell cmd=enable cmd-arg=<cr>
> Tue Nov 15 12:13:19 2011: DEBUG: AuthorizeGroup rule match found: permit .* {  }
> Tue Nov 15 12:13:19 2011: INFO: Authorization permitted for connolly at xxx.xxx.11.242, group netadmin, args service=shell cmd=enable cmd-arg=<cr>
> Tue Nov 15 12:13:19 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , 
> Tue Nov 15 12:13:19 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:29509


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
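As an added example (not from the thread, and not Radiator's own code): a small Python checker that reads Radiator's "Authorization RESPONSE" debug lines of the form quoted above and reports whether a shell authorization reply carries the TACACS+ attribute named priv-lvl, wraps it inside an attribute named cisco-avpair (so a TACACS+ client sees the name "cisco-avpair", not "priv-lvl"), or returns no privilege level at all. The sample log lines are constructed, modelled on the ones in the quoted output, and the line format is assumed from that output.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the Radiator debug lines quoted in the thread:
# a response wrapping the privilege level in cisco-avpair, the empty response to
# the "enable" command, and a response returning a bare priv-lvl attribute.
SAMPLE_LOG = """\
Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , cisco-avpair=priv-lvl=15
Tue Nov 15 12:13:19 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
Tue Nov 15 12:15:00 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=15 idletime*10
"""

# Assumed line layout: "<time>: DEBUG: ... RESPONSE <status>, <server_msg>, <data>, <args>"
RESPONSE_RE = re.compile(
    r"^(?P<time>.+?): DEBUG: TacacsplusConnection Authorization RESPONSE "
    r"(?P<status>\d+),\s*(?P<server_msg>[^,]*),\s*(?P<data>[^,]*),\s*(?P<args>.*)$"
)


def parse_avpairs(args: str) -> List[Tuple[str, str, bool]]:
    """Split a TACACS+ argument string into (name, value, mandatory) triples.

    TACACS+ uses '=' for mandatory and '*' for optional attributes. Only the first
    separator counts, so 'cisco-avpair=priv-lvl=15' has the attribute NAME
    'cisco-avpair' and the VALUE 'priv-lvl=15'; it is not a priv-lvl attribute.
    """
    pairs = []
    for token in args.split():
        m = re.match(r"^([^=*]+)([=*])(.*)$", token)
        if m:
            pairs.append((m.group(1), m.group(3), m.group(2) == "="))
    return pairs


def verdict(pairs: List[Tuple[str, str, bool]]) -> str:
    """Classify a shell authorization response by how it conveys the privilege level."""
    by_name = {name: value for name, value, _ in pairs}
    if "priv-lvl" in by_name:
        return "priv-lvl=" + by_name["priv-lvl"]
    if by_name.get("cisco-avpair", "").startswith("priv-lvl="):
        return "priv-lvl wrapped in cisco-avpair (attribute name is not priv-lvl)"
    return "no priv-lvl returned"


def audit_log(text: str) -> List[Dict[str, str]]:
    """Return one verdict per Authorization RESPONSE line in Radiator debug output."""
    results = []
    for line in text.splitlines():
        m = RESPONSE_RE.match(line)
        if m:
            results.append({"time": m["time"], "status": m["status"],
                            "verdict": verdict(parse_avpairs(m["args"]))})
    return results


if __name__ == "__main__":
    for r in audit_log(SAMPLE_LOG):
        print(r["time"], "status", r["status"], "->", r["verdict"])
```

Run against a real Radiator debug log, the checker flags the shell session start whose reply never names priv-lvl, which is the case to look at first when a user lands at level 1.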

