[RADIATOR] AddToReply tacacsgroup

Murat Bilal murat.bilal at ericsson.com
Thu Nov 15 14:34:17 CST 2012


Hi everyone

I have three different groups for TACACS authorization. My radius.cfg is like this:
<ServerTACACSPLUS>
        Key *****
        AddToRequest NAS-Identifier=TACACS
        GroupMemberAttr tacacsgroup
        AuthorizeGroup group1 permit service=shell cmd=show cmd-args=.*
        AuthorizeGroup group1 permit .*
#       AuthorizeGroup DEFAULT deny .*
        AuthorizeGroup group3 permit service=shell cmd\* {priv-lvl=15}
</ServerTACACSPLUS>

<Handler>
        <AuthBy SQL>
                # Change DBSource, DBUsername, DBAuth for your database
                # See the reference manual. You will also have to
                # change the one in <SessionDatabase SQL> below
                # so it's the same
                DBSource        dbi:mysql:radius:localhost
                DBUsername      raduser
                DBAuth          raduser

                # Never look up the DEFAULT user
                NoDefault
                # You can customise the SQL query used to get user details with the
                # AuthSelect parameter:
                AuthSelect select PASSWORD 'Auth-Type=AuthSQL', 'GroupList="group1 group2 group3"' from SUBSCRIBERS where USERNAME=%0
        -----
------------
        AddToReply tacacsgroup= group1
        AddToReply tacacsgroup= group3
        AddToReply tacacsgroup= DEFAULT

I tried with user mikem in group1, and this is the trace log:


Thu Nov 15 22:31:17 2012: DEBUG: Query to 'dbi:mysql:radius:localhost': 'select PASSWORD 'Auth-Type=AuthSQL', 'GroupList="group1 group2 group3"' from SUBSCRIBERS where USERNAME='mikem'':
Thu Nov 15 22:31:17 2012: DEBUG: Radius::AuthSQL looks for match with mikem [mikem]
Thu Nov 15 22:31:17 2012: DEBUG: Query to 'dbi:mysql:radius:localhost': 'select GROUPNAME from GROUPS where USERNAME='mikem' and GROUPNAME='group1'':
Thu Nov 15 22:31:17 2012: DEBUG: Radius::AuthSQL ACCEPT: : mikem [mikem]
Thu Nov 15 22:31:17 2012: DEBUG: AuthBy SQL result: ACCEPT,
Thu Nov 15 22:31:17 2012: DEBUG: Access accepted for mikem
Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost': 'insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (1353011477, 'mikem', 1)':
Thu Nov 15 22:31:17 2012: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  p<146><26><192>4H<235><16>\<21><252>v.<142><152><28>
Attributes:
        tacacsgroup = DEFAULT

Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection result Access-Accept
Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection disconnected from 93.155.11.54:58517
Thu Nov 15 22:31:17 2012: DEBUG: New TacacsplusConnection created for 93.155.11.54:61939
Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection request 192, 3, 1, 0, 3529830477, 105
Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Accounting REQUEST 2, 6, 0, 1, 1, mikem at local, /dev/ttyp3, 78.169.249.3, 4, start_time=1353011477 task_id=10700 timezone=GMT service=shell
Thu Nov 15 22:31:17 2012: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Accounting-Request
Identifier: UNDEF
Authentic:  p<235><143><10>U<177>d<206>X_Z<168>O<129><31>j
Attributes:
        NAS-IP-Address = 93.155.11.54
        NAS-Port-Id = "/dev/ttyp3"
        Calling-Station-Id = "78.169.249.3"
        NAS-Identifier = "TACACS"
        User-Name = "mikem at local"
        Acct-Status-Type = Start
        Acct-Session-Id = "3529830477"
        cisco-avpair = "start_time=1353011477"
        cisco-avpair = "task_id=10700"
        cisco-avpair = "timezone=GMT"
        cisco-avpair = "service=shell"
        OSC-Version-Identifier = "192"

Thu Nov 15 22:31:17 2012: DEBUG: Handling request with Handler '', Identifier ''
Thu Nov 15 22:31:17 2012: DEBUG:  Adding session for mikem at local, 93.155.11.54,
Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost': 'delete from RADONLINE where NASIDENTIFIER='93.155.11.54' and NASPORT=00':
Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost': 'insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('mikem at local', '93.155.11.54', 0, '3529830477', 1353011477, '', '', '')':
Thu Nov 15 22:31:17 2012: DEBUG: Handling with Radius::AuthSQL:
Thu Nov 15 22:31:17 2012: DEBUG: Handling accounting with Radius::AuthSQL
Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radius:localhost': 'insert into ACCOUNTING (ACCTSESSIONID,ACCTSTATUSTYPE,NASIDENTIFIER,TIME_STAMP,USERNAME) values ('3529830477','Start','TACACS',1353011477,'mikem at local')':
Thu Nov 15 22:31:17 2012: DEBUG: AuthBy SQL result: ACCEPT,
Thu Nov 15 22:31:17 2012: DEBUG: Accounting accepted
Thu Nov 15 22:31:17 2012: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code:       Accounting-Response
Identifier: UNDEF
Authentic:  p<235><143><10>U<177>d<206>X_Z<168>O<129><31>j
Attributes:

Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection result Accounting-Response
Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Accounting REPLY 1, ,
Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection disconnected from 93.155.11.54:61939
Thu Nov 15 22:31:17 2012: DEBUG: New TacacsplusConnection created for 93.155.11.54:64085
Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 2033174599, 70
Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Authorization REQUEST 6, 0, 1, 1, mikem, /dev/ttyp3, 78.169.249.3, 3, service=shell cmd* command-access*
Thu Nov 15 22:31:17 2012: INFO: Authorization denied for mikem, group DEFAULT. No matching AuthorizeGroup rule for args service=shell cmd* command-access*
Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Authorization RESPONSE 16, denied, ,
Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection disconnected from 93.155.11.54:64085

The reply message always says group DEFAULT. Is something wrong with my AddToReply clause? Why does the reply always say group DEFAULT?
And a strange issue: if group3 is at the end of the AddToReply clauses, then the reply message comes as group3.


MURAT BİLAL
Services Engineer

Ericsson Turkey
CU Customer Support
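As an added example (not from the post or from Radiator itself), the following Python replays the denied authorization request from the trace above against the AuthorizeGroup rules in the posted config, for each of the three groups the AddToReply lines name. It assumes a simplified matching model: the patterns in a rule are regexes matched positionally against the request arguments, and the first matching rule for the group decides; with the DEFAULT deny line commented out, group DEFAULT has no rule at all, which is exactly the case the trace reports.

```python
import re

# AuthorizeGroup lines copied from the poster's <ServerTACACSPLUS> clause (the DEFAULT deny line is commented out there, so it is left out here too).
CONFIG_RULES = r"""
AuthorizeGroup group1 permit service=shell cmd=show cmd-args=.*
AuthorizeGroup group1 permit .*
AuthorizeGroup group3 permit service=shell cmd\* {priv-lvl=15}
"""
# The INFO line from the poster's trace, reused here as the sample input.
TRACE_LINE = ("Thu Nov 15 22:31:17 2012: INFO: Authorization denied for mikem, group DEFAULT. "
              "No matching AuthorizeGroup rule for args service=shell cmd* command-access*")

RULE_RE = re.compile(r"AuthorizeGroup\s+(\S+)\s+(permit|deny)\s*(.*?)\s*(?:\{(.*)\})?$")
DENY_RE = re.compile(r"Authorization denied for (\S+), group (\S+)\. "
                     r"No matching AuthorizeGroup rule for args (.*)$")

def parse_rules(text):
    """'AuthorizeGroup <group> permit|deny <patterns> [{return args}]' lines, in
    config order, as (group, action, [patterns], [return args]) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:                             # skips blank and commented-out lines
            group, action, pats, ret = m.groups()
            rules.append((group, action, pats.split(), (ret or "").split()))
    return rules

def parse_denial(line):
    """(user, group, [args]) from Radiator's 'Authorization denied' INFO line."""
    m = DENY_RE.search(line)
    return m.group(1), m.group(2), m.group(3).split()

def authorize(rules, group, args):
    """Assumed model, not Radiator's code: the first rule for this group whose patterns,
    each a regex matched against one request argument in order, all match decides.
    Returns (action, return_args), or None when no rule applies (the DEFAULT case)."""
    for rgroup, action, pats, ret in rules:
        if rgroup != group or len(pats) > len(args):
            continue
        if all(re.fullmatch(p, a) for p, a in zip(pats, args)):
            return action, ret
    return None

def replay(trace_line=TRACE_LINE, config=CONFIG_RULES):
    """Re-run the denied request against each group named in the poster's AddToReply lines."""
    rules = parse_rules(config)
    _user, _group, args = parse_denial(trace_line)
    return {g: authorize(rules, g, args) for g in ("group1", "group3", "DEFAULT")}
```

Under this model the same request is permitted for group1 and group3 and has no rule for DEFAULT, so the outcome hinges on which tacacsgroup value actually reaches the reply, and the packet dump shows only the last one did.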