[RADIATOR] Radmin Web interface
Heikki Vatiainen
hvn at open.com.au
Tue Dec 4 07:43:05 CST 2012
On 12/04/2012 12:15 AM, Murat Bilal wrote:
> Thanks for your great support again:) Heikki. I solve the issue.i remove the {} character from OSC-Authorize-Group = "permit .* {}"
>
> And it works
Good to hear it works. However, there might still be one problem. The
OSC-Authorize-Group (or more specifically what is configured as
AuthorizeGroupAttr) order matters.
They must be returned in the same order as they are intended to be used.
In other words, the order matters the same as it does in the
configuration file.
Thanks,
Heikki
> -----Original Message-----
> From: Murat Bilal
> Sent: 03 Aralık 2012 Pazartesi 22:52
> To: 'Heikki Vatiainen'; radiator at open.com.au
> Subject: RE: [RADIATOR] Radmin Web interface
>
> Hi
>
> Thıs ıs my Acess*Accept reply as you said:
> Code: Access-Accept
> Identifier: UNDEF
> Authentic: <19><173><235><234><168><228><238><182><173><0>i<164>Q<130><219><221>
> Attributes:
> OSC-Group-Identifier = "DDAP6"
> OSC-Authorize-Group = "deny service=shell cmd=ping cmd-arg=.*"
> OSC-Authorize-Group = "permit .* {}"
> OSC-Authorize-Group = "deny service=shell cmd=show cmd-arg=.*"
> OSC-Authorize-Group = "permit service=shell cmd\* {priv-lvl=6}"
>
> Here is my debug message when I log in to router Mon Dec 3 22:08:51 2012: DEBUG: AuthorizeGroup rule match found: permit .* { } Mon Dec 3 22:08:51 2012: INFO: Authorization permitted for ddap6u at x.x.x.x, group DDAP6, args service=shell cmd* command-access* Mon Dec 3 22:08:51 2012: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
>
> But when I run show port I got;
> Mon Dec 3 22:10:17 2012: DEBUG: TacacsplusConnection Authorization REQUEST 6, 3, 1, 1, ddap6u, /dev/ttyp6, x.x.x.x, 3, service=shell cmd=show cmd-arg=port Mon Dec 3 22:10:17 2012: DEBUG: AuthorizeGroup rule match found: permit .* { }
>
> Why this command permitted? According to my rule(OSC-Authorize-Group = "deny service=shell cmd=show cmd-arg=.*") command should not authorized. I am confused here
>
> And this is my sql in radius.cfg
>
> AuthSelect select na.PASS_WORD,na.STATICADDRESS,na.TIMELEFT,\
> na.MAXLOGINS, na.SERVICENAME, na.BADLOGINS, na.VALIDFROM, na.VALIDTO,\
> na.TACACSGROUPID,ga.DEVICEGROUP,group_concat(ga.AUTHRULE),ga.ATTRIBUTE\
> from RADUSERS as na,RADGROUPAUTH as ga where\
> na.USERNAME='%n' and na.BADLOGINS < 5 and \
> na.VALIDFROM < %t and na.VALIDTO > %t and na.TACACSGROUPID=ga.USERGROUP
>
> AuthColumnDef 2,GENERIC,reply
> AuthColumnDef 0, OSC-Group-Identifier, reply
>
>
> -----Original Message-----
> From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Heikki Vatiainen
> Sent: 03 Aralık 2012 Pazartesi 15:14
> To: radiator at open.com.au
> Subject: Re: [RADIATOR] Radmin Web interface
>
> On 12/03/2012 11:32 AM, Murat Bilal wrote:
>
>> mysql> select * from RADGROUPAUTH;
>
> Hello Murat,
>
> having a number of rows works with AuthBy RADMIN since this module knows the user or service profile can have multiple check and reply attributes. This is one of the differences between AuthBy RADMIN and plain AuthBy SQL.
>
> The reason you get only one return attribute with AuthColumnDef is when the user information is looked up from the SQL, only the first returned row is used. If there are multiple rows, the values for those rows are not processed at all.
>
> This is also why type GENERIC is there. You should be able to specify all return attributes on one row by putting the attributes into on column with name1=val1,name2=val2,... syntax.
>
> If you want to use AuthSelect, then type GENERIC is they way to return all attributes.
>
>> +-----------+-----------------------------------------+--------------+----------+----------+------+-----------+-------+
>> | ATTRIBUTE | AUTHRULE | DEVICEGROUP | PRIORITY | PROTOCOL | TYPE | USERGROUP | VALUE |
>> +-----------+-----------------------------------------+--------------+----------+----------+------+-----------+-------+
>> | NULL | NULL | x.x.x.x | NULL | NULL | NULL | test | NULL |
>> | NULL | permit service=shell cmd\* {priv-lvl=6} | x.x.x.x | NULL | NULL | NULL | DDAP6 | NULL |
>> | NULL | NULL | x.x.x.x | NULL | NULL | NULL | DDAP15 | NULL |
>> | NULL | NULL | x.x.x.x | NULL | NULL | NULL | gm | NULL |
>> | NULL | deny service=shell cmd=show cmd-arg=.* | x.x.x.x | NULL | NULL | NULL | test1 | NULL |
>> | NULL | permit .* {} | x.x.x.x | NULL | NULL | NULL | DDAP6 | NULL |
>> | NULL | permit service=shell cmd\* {priv-lvl=6} | x.x.x.x | NULL | NULL | NULL | test1 | NULL |
>> | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL |
>> | NULL | NULL | x.x.x.x | NULL | NULL | NULL | AADP15 | NULL |
>> | NULL | NULL | x.x.x.x | NULL | NULL | NULL | DDAP6 | NULL |
>> | NULL | deny service=shell cmd=show cmd-arg=.* | x.x.x.x | NULL | NULL | NULL | DDAP6 | NULL |
>> | NULL | deny service=shell cmd=ping cmd-arg=.* | x.x.x.x | NULL | NULL | NULL | DDAP6 | NULL |
>> | NULL | deny service=shell cmd=ping cmd-arg=.* | x.x.x.x | NULL | NULL | NULL | test1 | NULL |
>> | NULL | permit .* {} | x.x.x.x | NULL | NULL | NULL | test1 | NULL |
>> +-----------+-----------------------------------------+--------------+----------+----------+------+-----------+-------+
>>
>> I have 4 rules in AUTHRULE column.This is the debug log for
>> Access-Accept
>>
>> *** Reply to TACACSPLUS request:
>> Code: Access-Accept
>> Identifier: UNDEF
>> Authentic: ~<244>'Z<160>cB<211><31><171><171>ze<132><178><151>
>> Attributes:
>> OSC-Group-Identifier = "DDAP6"
>> OSC-Authorize-Group = "permit service=shell cmd\* {priv-lvl=6}"
>>
>> I cannot get other attributes.It returns only 1 one row How can I get the other Attributes?
>>
>> Here is my radmin config
>>
>> AuthSelect select na.PASS_WORD,na.STATICADDRESS,na.TIMELEFT,\
>> na.MAXLOGINS, na.SERVICENAME, na.BADLOGINS, na.VALIDFROM, na.VALIDTO,\
>> na.TACACSGROUPID,ga.DEVICEGROUP, ga.AUTHRULE\
>> from RADUSERS as na,RADGROUPAUTH as ga where\
>> na.USERNAME='%n' and na.BADLOGINS < 5 and \
>> na.VALIDFROM < %t and na.VALIDTO > %t and
>> na.TACACSGROUPID=ga.USERGROUP
>>
>>
>> AuthColumnDef 0, OSC-Group-Identifier, reply
>> AuthColumnDef 2,OSC-Authorize-Group,reply
>>
>> I also try GENERIC but no luck
>>
>> Thanks
>> -----Original Message-----
>> From: radiator-bounces at open.com.au
>> [mailto:radiator-bounces at open.com.au] On Behalf Of Heikki Vatiainen
>> Sent: 30 Kasım 2012 Cuma 12:24
>> To: radiator at open.com.au
>> Subject: Re: [RADIATOR] Radmin Web interface
>>
>> On 11/30/2012 01:07 AM, Murat Bilal wrote:
>>
>>> I do not understand.i want to edit those commands from Radmin Web
>>> Interface, not in /etc/radiator/radiator.cfg
>>
>> Hello Murat,
>>
>> please see below, I was describing doing this with Radmin. With Radmin you need to add each line as a reply attribute. The attribute name (such as OSC-Authorize-Group) is then configured as AuthorizeGroupAttr in <ServerTACACSPLUS>.
>>
>> Thanks,
>> Heikki
>>
>>> -----Original Message-----
>>> From: radiator-bounces at open.com.au
>>> [mailto:radiator-bounces at open.com.au] On Behalf Of Heikki Vatiainen
>>> Sent: 29 Kasım 2012 Perşembe 14:58
>>> To: radiator at open.com.au
>>> Subject: Re: [RADIATOR] Radmin Web interface
>>>
>>> On 11/28/2012 11:16 PM, Murat Bilal wrote:
>>>
>>>> In <ServerTACACSPlus> clause I have rules for command auth such as below:
>>>> AuthorizeGroup DDAP6 permit service=shell cmd\* {priv-lvl=6}
>>>> AuthorizeGroup DDAP6 deny service=shell cmd=show cmd-arg=.*
>>>> AuthorizeGroup DDAP6 deny service=shell cmd=ping cmd-arg=.*
>>>> AuthorizeGroup DDAP6 permit .* {}
>>>
>>>> Is it possible to write these rules from Radmin Web interface?If so
>>>> in which table .I am using the latest Radmin and Radiator version
>>>
>>> Hello Murat,
>>>
>>> yes, this is possible. Just add each line as e.g., OSC-Authorize-Group with Radmin. That is, the user should have four OSC-Authorize-Group reply attributes.
>>>
>>> Then configure your <ServerTACACSPLUS> with
>>> AuthorizeGroupAttr OSC-Authorize-Group
>>>
>>> When you authenticate, the Access-Accept should have:
>>> OSC-Authorize-Group = "permit service=shell cmd\* {priv-lvl=6}"
>>> OSC-Authorize-Group = "deny service=shell cmd=show cmd-arg=.*"
>>> OSC-Authorize-Group = "deny service=shell cmd=ping cmd-arg=.*"
>>> OSC-Authorize-Group = "permit .* {}"
>>> OSC-Group-Identifier = "group1"
>>>
>>> Here OSC-Group-Identifier is configured as GroupMemberAttr. This will set 'group1' as the authorization group for the user. During the authorization the OSC-Authorize-Group attribute values are processed first followed by group1 values as defined by AuthorizeGroup configuration options.
>>>
>>> Thanks,
>>> Heikki
>>>
>>>
>>> --
>>> Heikki Vatiainen <hvn at open.com.au>
>>>
>>> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>>
>>
>>
>> --
>> Heikki Vatiainen <hvn at open.com.au>
>>
>> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>>
>
>
> --
> Heikki Vatiainen <hvn at open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
More information about the radiator
mailing list