[RADIATOR] TACACS+ not matching group

Heikki Vatiainen hvn at open.com.au
Thu Nov 1 12:01:47 CDT 2012


On 11/01/2012 06:08 PM, Jim Tyrrell wrote:

> I'm just getting started with TACACS and have just tried to configure 
> support in Radiator 4.10, I think I have followed the examples but I 
> can't get it to match the correct group.  I have configured 
> "GroupMemberAttr tacacsgroup" under the ServerTACACSPLUS, and I can see 
> the Access-Accept includes 'tacacsgroup = group2', yet radiator uses the 
> group 'DEFAULT'?

Try this:

# Radius attribute (real or pseudo) in the Access-Accept to
# deduce the tacacs group name for user
GroupMemberAttr tacacsgroup

instead of having the comment on the same line as the option.

The hash mark must be the first non-whitespace character on the line.
This allows you to have hash marks in secrets and literal strings.

Thanks,
Heikki



> Relevant config below:
> 
> ---------------------
> <ServerTACACSPLUS>
>          Key tictactoe2
>          AddToRequest NAS-Identifier=TACACS
>          GroupMemberAttr tacacsgroup             #Radius attribute (real 
> or pseudo) in the Access-Accept to deduce the tacacs group name for user
>          AuthorizeGroup group2 permit .*
> </ServerTACACSPLUS>
> 
> <Handler NAS-Identifier=TACACS>
>          AcctLogFileName /var/log/radius/tacacs
>          <AuthBy FILE>
>                  Filename %D/users/tacacs_users.cfg
>          </AuthBy>
> </Handler>
> 
> 
> ==== %D/users/tacacs_users.cfg ===============
> tac2 User-Password=tac2
>        tacacsgroup=group2
> 
> 
> The incoming request is coming from a Cisco router and the debugging 
> shows the following:
> 
> Thu Nov  1 14:58:46 2012: DEBUG: TACACSPLUS derived Radius request 
> packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic: 5TL<206><13><151><206><180>cZ#<17>L*<193>i
> Attributes:
>          NAS-IP-Address = 192.168.32.104
>          NAS-Port-Id = "tty581"
>          Calling-Station-Id = "10.11.0.2"
>          Service-Type = Login-User
>          NAS-Identifier = "TACACS"
>          User-Name = "tac2"
>          User-Password = **obscured**
>          cisco-avpair = "action=1"
>          cisco-avpair = "authen_type=1"
>          cisco-avpair = "priv-lvl=1"
>          cisco-avpair = "service=1"
>          OSC-Version-Identifier = "192"
> 
> Thu Nov  1 14:58:46 2012: DEBUG: Reading users file 
> /etc/radiator/authentication/users/tacacs_users.cfg
> 
> Thu Nov  1 14:58:46 2012: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic: 5TL<206><13><151><206><180>cZ#<17>L*<193>i
> Attributes:
>          tacacsgroup = group2
> 
> Thu Nov  1 14:58:46 2012: DEBUG: TacacsplusConnection result Access-Accept
> Thu Nov  1 14:58:46 2012: DEBUG: TacacsplusConnection Authentication 
> REPLY 1, 0, ,
> Thu Nov  1 14:58:46 2012: DEBUG: TacacsplusConnection disconnected from 
> 192.168.32.104:37033
> Thu Nov  1 14:58:46 2012: DEBUG: New TacacsplusConnection created for 
> 192.168.32.104:62437
> Thu Nov  1 14:58:46 2012: WARNING: Could not find a Client for 
> 192.168.32.104:62437. Falling back to default Key
> Thu Nov  1 14:58:46 2012: DEBUG: TacacsplusConnection request 192, 2, 1, 
> 0, 3528935939, 47
> Thu Nov  1 14:58:46 2012: DEBUG: TacacsplusConnection Authorization 
> REQUEST 6, 1, 1, 1, tac2, tty581, 10.11.0.2, 2, service=shell cmd*
> Thu Nov  1 14:58:46 2012: INFO: Authorization denied for tac2, group 
> DEFAULT. No matching AuthorizeGroup rule for args service=shell cmd*
> Thu Nov  1 14:58:46 2012: DEBUG: TacacsplusConnection Authorization 
> RESPONSE 16, denied, ,
> Thu Nov  1 14:58:46 2012: DEBUG: TacacsplusConnection disconnected from 
> 192.168.32.104:62437
> 
> 
> If I change the AuthorizeGroup to DEFAULT then it works, but why is it 
> not using and matching group2?  I'm sure it's something obvious but I 
> can't see what?
> 
> Thanks.
> 
> Jim.
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
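As an added illustration (not Radiator's own parser and not code from the thread), here is a small Python model of the comment rule Heikki describes: a constructed ServerTACACSPLUS clause with the trailing comment beside the corrected one, parsed so that '#' only starts a comment when it is the first non-whitespace character, followed by the group resolution and AuthorizeGroup check that the debug log shows. The config text (including a secret containing '#'), the reply attributes and the parse_clause/resolve_group/authorize functions are assumptions made for this example.

```python
import re

# Constructed config fragments modelled on the thread; parse_clause() is an
# illustrative model of the comment rule, not Radiator's real config parser.
BROKEN = """\
<ServerTACACSPLUS>
        Key tic#tactoe2
        GroupMemberAttr tacacsgroup             #Radius attribute (real or pseudo)
        AuthorizeGroup group2 permit .*
</ServerTACACSPLUS>
"""
FIXED = """\
<ServerTACACSPLUS>
        Key tic#tactoe2
        # Radius attribute (real or pseudo) in the Access-Accept to
        # deduce the tacacs group name for user
        GroupMemberAttr tacacsgroup
        AuthorizeGroup group2 permit .*
</ServerTACACSPLUS>
"""

def parse_clause(text):
    """Collect 'Keyword value' lines. A line is a comment only when '#' is its
    first non-whitespace character; a '#' anywhere else stays in the value,
    which is what keeps '#' usable inside secrets such as Key."""
    params = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in '#<':
            continue
        keyword, _, value = stripped.partition(' ')
        params.setdefault(keyword, []).append(value.strip())
    return params

def resolve_group(params, reply_attrs, default='DEFAULT'):
    """Group name = value of the attribute named by GroupMemberAttr in the
    Access-Accept; falls back to DEFAULT when that attribute is not present."""
    attr = params.get('GroupMemberAttr', [''])[0]
    return reply_attrs.get(attr, default)

def authorize(params, group, args):
    """Apply 'AuthorizeGroup <group> permit|deny <regex>' rules in order;
    no matching rule for the group means denied, as in the debug log."""
    for rule in params.get('AuthorizeGroup', []):
        rule_group, action, pattern = rule.split(None, 2)
        if rule_group == group and re.fullmatch(pattern, args):
            return action
    return 'denied'

if __name__ == '__main__':
    accept = {'tacacsgroup': 'group2'}   # constructed Access-Accept attributes
    for name, cfg in (('broken', BROKEN), ('fixed', FIXED)):
        p = parse_clause(cfg)
        g = resolve_group(p, accept)
        print(name, repr(p['GroupMemberAttr'][0]), g,
              authorize(p, g, 'service=shell cmd*'))
```

With the trailing comment the GroupMemberAttr value is the whole rest of the line, so no reply attribute has that name and the group falls back to DEFAULT, which has no AuthorizeGroup rule.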

