[RADIATOR] Radiator 4.9 and cisco-avpair

Kim, Steve steve.kim at davispolk.com
Tue Nov 15 13:38:32 CST 2011


It worked!!!

Thanks for your help.

Steve.

-----Original Message-----
From: Heikki Vatiainen [mailto:hvn at open.com.au] 
Sent: Tuesday, November 15, 2011 1:52 PM
To: Kim, Steve
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] Radiator 4.9 and cisco-avpair

On 11/15/2011 07:20 PM, Kim, Steve wrote:

> I think this time it looks better. However, my user tells me that he still gets level-1 as below:

Radiator is now sending cisco-avpair=priv-lvl=15 back to the client. If this does not work you could try changing the last parameter of AuthorizeGroup to {priv-lvl=15}

If that still does not work, you need to check the client device's manual to see what it expects back when changing the privilege level.

Thanks!
Heikki


> Username:connolly
> Password:
> 
> tacacs-test>
> tacacs-test>
> tacacs-test>
> tacacs-test> 
> tacacs-test>enable  (I had to enter this command)
> Password: 
> tacacs-test#
> 
> I am still only being put in level 1.
> 
> 
> Here is the log that reflects the above:
> 
> Tue Nov 15 12:10:27 2011: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  <216><16><173><169><212><173>l<216>|<163><6><164><11><221>z_
> Attributes:
> 	tacacsgroup = netadmin
> 
> Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection result Access-Accept
> Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
> Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:44082
> Tue Nov 15 12:10:27 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:62420
> Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 2531823864, 51
> Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd*
> Tue Nov 15 12:10:27 2011: DEBUG: AuthorizeGroup rule match found: permit service=shell cmd\* { cisco-avpair=priv-lvl=15 }
> Tue Nov 15 12:10:27 2011: INFO: Authorization permitted for connolly at xxx.xxx.11.242, group netadmin, args service=shell cmd*
> Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , cisco-avpair=priv-lvl=15
> Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:62420
> Tue Nov 15 12:13:19 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:29509
> Tue Nov 15 12:13:19 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 1514782278, 70
> Tue Nov 15 12:13:19 2011: DEBUG: TacacsplusConnection Authorization REQUEST 1, 0, 1, 0, connolly, tty1, xxx.xxx.11.1, 3, service=shell cmd=enable cmd-arg=<cr>
> Tue Nov 15 12:13:19 2011: DEBUG: AuthorizeGroup rule match found: permit .* {  }
> Tue Nov 15 12:13:19 2011: INFO: Authorization permitted for connolly at xxx.xxx.11.242, group netadmin, args service=shell cmd=enable cmd-arg=<cr>
> Tue Nov 15 12:13:19 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
> Tue Nov 15 12:13:19 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:29509


--
Heikki Vatiainen <hvn at open.com.au>
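
A log check for the situation in this thread, added here as an example (not code from the posters or from Radiator): it pairs each TACACS+ authorization request in a Radiator debug log with the arguments sent back, and lists reply arguments that still carry the RADIUS-style `cisco-avpair=` prefix instead of a bare attribute such as `priv-lvl=15`. The function name `audit` and the field positions read from the REQUEST line are assumptions based on the sample lines.

```python
import re

TS = r"\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}"
# One log entry: timestamp, level, then text up to the next timestamp (or end).
ENTRY = re.compile(rf"({TS}): [A-Z]+: (.*?)(?=\s+{TS}: [A-Z]+: |$)")
REQUEST = re.compile(r"Authorization REQUEST (.*)")
RESPONSE = re.compile(r"Authorization RESPONSE \d+,\s*[^,]*,\s*[^,]*,\s*(.*)")

# Sample: lines from the log quoted in this thread, re-wrapped the way a mail client does.
SAMPLE = r"""> Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1,
> 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd* Tue Nov 15
> 12:10:27 2011: DEBUG: AuthorizeGroup rule match found: permit
> service=shell cmd\* { cisco-avpair=priv-lvl=15 } Tue Nov 15 12:10:27
> 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
> cisco-avpair=priv-lvl=15 Tue Nov 15 12:10:27 2011: DEBUG:
> TacacsplusConnection disconnected from xxx.xxx.11.242:62420
"""

def audit(log_text):
    """Pair each TACACS+ authorization request with the arguments sent back."""
    # Undo mail quoting and re-wrapping so entries can be split on timestamps.
    flat = " ".join(l.lstrip("> ").strip() for l in log_text.splitlines()).strip()
    results, pending = [], None
    for when, text in ENTRY.findall(flat):
        if m := REQUEST.search(text):
            # Assumption from the sample: 5th field is the user, 9th the args.
            fields = m.group(1).split(", ", 8)
            if len(fields) == 9:
                pending = (fields[4], fields[8])
        elif (m := RESPONSE.search(text)) and pending:
            reply = m.group(1).split()
            # TACACS+ clients expect bare attribute=value pairs in the reply.
            wrapped = [a for a in reply if a.startswith("cisco-avpair=")]
            results.append({"time": when, "user": pending[0],
                            "request": pending[1], "reply": reply,
                            "radius_style": wrapped})
            pending = None
    return results

if __name__ == "__main__":
    for r in audit(SAMPLE):
        print(r["time"], r["user"], r["request"], "->", r["reply"], r["radius_style"])
```

A non-empty `radius_style` list marks a reply the client device may ignore, which matches the symptom of the user staying at level 1.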
