[RADIATOR] TACACS+ not matching group

Jim Tyrrell jim at scusting.com
Thu Nov 1 11:08:52 CDT 2012


Hi,

I'm just getting started with TACACS and have just tried to configure 
support in Radiator 4.10. I think I have followed the examples, but I 
can't get it to match the correct group.  I have configured 
"GroupMemberAttr tacacsgroup" under the ServerTACACSPLUS, and I can see 
the Access-Accept includes 'tacacsgroup = group2', yet Radiator uses the 
group 'DEFAULT'?

Relevant config below:

---------------------
<ServerTACACSPLUS>
         Key tictactoe2
         AddToRequest NAS-Identifier=TACACS
         GroupMemberAttr tacacsgroup             # Radius attribute (real or pseudo) in the Access-Accept to deduce the tacacs group name for user
         AuthorizeGroup group2 permit .*
</ServerTACACSPLUS>

<Handler NAS-Identifier=TACACS>
         AcctLogFileName /var/log/radius/tacacs
         <AuthBy FILE>
                 Filename %D/users/tacacs_users.cfg
         </AuthBy>
</Handler>


==== %D/users/tacacs_users.cfg ===============
tac2 User-Password=tac2
       tacacsgroup=group2


The incoming request is coming from a Cisco router and the debugging 
shows the following:

Thu Nov  1 14:58:46 2012: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic: 5TL<206><13><151><206><180>cZ#<17>L*<193>i
Attributes:
         NAS-IP-Address = 192.168.32.104
         NAS-Port-Id = "tty581"
         Calling-Station-Id = "10.11.0.2"
         Service-Type = Login-User
         NAS-Identifier = "TACACS"
         User-Name = "tac2"
         User-Password = **obscured**
         cisco-avpair = "action=1"
         cisco-avpair = "authen_type=1"
         cisco-avpair = "priv-lvl=1"
         cisco-avpair = "service=1"
         OSC-Version-Identifier = "192"

Thu Nov  1 14:58:46 2012: DEBUG: Reading users file /etc/radiator/authentication/users/tacacs_users.cfg

Thu Nov  1 14:58:46 2012: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code:       Access-Accept
Identifier: UNDEF
Authentic: 5TL<206><13><151><206><180>cZ#<17>L*<193>i
Attributes:
         tacacsgroup = group2

Thu Nov  1 14:58:46 2012: DEBUG: TacacsplusConnection result Access-Accept
Thu Nov  1 14:58:46 2012: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Thu Nov  1 14:58:46 2012: DEBUG: TacacsplusConnection disconnected from 192.168.32.104:37033
Thu Nov  1 14:58:46 2012: DEBUG: New TacacsplusConnection created for 192.168.32.104:62437
Thu Nov  1 14:58:46 2012: WARNING: Could not find a Client for 192.168.32.104:62437. Falling back to default Key
Thu Nov  1 14:58:46 2012: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 3528935939, 47
Thu Nov  1 14:58:46 2012: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, tac2, tty581, 10.11.0.2, 2, service=shell cmd*
Thu Nov  1 14:58:46 2012: INFO: Authorization denied for tac2, group DEFAULT. No matching AuthorizeGroup rule for args service=shell cmd*
Thu Nov  1 14:58:46 2012: DEBUG: TacacsplusConnection Authorization RESPONSE 16, denied, ,
Thu Nov  1 14:58:46 2012: DEBUG: TacacsplusConnection disconnected from 192.168.32.104:62437


If I change the AuthorizeGroup to DEFAULT then it works, but why is it 
not using and matching group2?  I'm sure it's something obvious, but I 
can't see what?

Thanks.

Jim.
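As an added example (not part of Jim's post or of Radiator itself), a small Python checker that walks Radiator debug output like the excerpt above and flags every TACACS+ authorization decided under a group other than the one the preceding Access-Accept returned in the GroupMemberAttr attribute, also recording whether a "Could not find a Client ... Falling back to default Key" warning preceded it. The sample log is constructed from the lines quoted in the post, and the function and variable names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the Radiator debug output quoted in the post
# (each log record on one line, as Radiator writes it before mail wrapping).
SAMPLE_LOG = """\
Thu Nov  1 14:58:46 2012: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code:       Access-Accept
Identifier: UNDEF
Attributes:
         tacacsgroup = group2
Thu Nov  1 14:58:46 2012: DEBUG: TacacsplusConnection result Access-Accept
Thu Nov  1 14:58:46 2012: WARNING: Could not find a Client for 192.168.32.104:62437. Falling back to default Key
Thu Nov  1 14:58:46 2012: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, tac2, tty581, 10.11.0.2, 2, service=shell cmd*
Thu Nov  1 14:58:46 2012: INFO: Authorization denied for tac2, group DEFAULT. No matching AuthorizeGroup rule for args service=shell cmd*
"""

ACCEPT_RE = re.compile(r"^Code:\s+Access-Accept")
DENIED_RE = re.compile(r"Authorization denied for (\S+), group (\S+)\. "
                       r"No matching AuthorizeGroup rule for args (.*)$")
FALLBACK_RE = re.compile(r"Could not find a Client for (\S+)\. Falling back to default Key")


def find_group_mismatches(log_text: str, group_attr: str = "tacacsgroup") -> List[Dict[str, Optional[str]]]:
    """Report authorizations whose group differs from the last Access-Accept's group_attr value."""
    attr_re = re.compile(r"^\s*" + re.escape(group_attr) + r"\s*=\s*(\S+)")
    in_accept = False                      # inside an Access-Accept packet dump
    accepted_group: Optional[str] = None   # group the Access-Accept handed back
    client_fallback: Optional[str] = None  # peer for which no <Client> matched
    findings: List[Dict[str, Optional[str]]] = []
    for line in log_text.splitlines():
        if ACCEPT_RE.match(line):
            in_accept = True               # attribute lines follow the Code line
            continue
        if in_accept:
            m = attr_re.match(line)
            if m:
                accepted_group, in_accept = m.group(1), False
            elif not line.startswith((" ", "Attributes", "Identifier", "Authentic")):
                in_accept = False          # dump ended without the group attribute
        m = FALLBACK_RE.search(line)
        if m:
            client_fallback = m.group(1)
        m = DENIED_RE.search(line)
        if m and m.group(2) != accepted_group:
            findings.append({"user": m.group(1), "used_group": m.group(2),
                             "accepted_group": accepted_group, "args": m.group(3),
                             "client_fallback_for": client_fallback})
    return findings


if __name__ == "__main__":
    for f in find_group_mismatches(SAMPLE_LOG):
        print(f"{f['user']}: authorized as {f['used_group']}, Access-Accept said {f['accepted_group']}")
```

Run against a real debug log (`find_group_mismatches(open(path).read())`) it points at exactly the sessions where the group from the Access-Accept never reached the authorization step.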