[RADIATOR] Authorization denied for user, group DEFAULT. No matching AuthorizeGroup rule for args service=shell cmd* command-access*

Murat Bilal murat.bilal at ericsson.com
Wed Nov 14 04:50:09 CST 2012


Hi,

I am trying to do command authorization using TACACS with the user mani:

Wed Nov 14 12:37:14 2012: DEBUG: Handling request with Handler '', Identifier ''
Wed Nov 14 12:37:14 2012: DEBUG:  Deleting session for mani, *.*.*.*,
Wed Nov 14 12:37:14 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost': 'delete from RADONLINE where NASIDENTIFIER='*.*.*.*' and NASPORT=0':
Wed Nov 14 12:37:14 2012: DEBUG: Handling with Radius::AuthRADMIN:
Wed Nov 14 12:37:14 2012: DEBUG: Handling with Radius::AuthRADMIN:
Wed Nov 14 12:37:14 2012: DEBUG: Query to 'dbi:mysql:radmin:localhost': 'select PASS_WORD,USERGROUP, STATICADDRESS, TIMELEFT,MAXLOGINS, SERVICENAME, BADLOGINS, VALIDFROM, VALIDTO from        RADUSERS where USERNAME=?': mani
Wed Nov 14 12:37:14 2012: DEBUG: Query to 'dbi:mysql:radmin:localhost': 'select ATTR_ID, VENDOR_ID, IVALUE, SVALUE, ITEM_TYPE from RADCONFIG where NAME='mani' order by ITEM_TYPE':
Wed Nov 14 12:37:14 2012: DEBUG: Radius::AuthRADMIN looks for match with mani [mani]
Wed Nov 14 12:37:14 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost': 'update RADUSERS set BADLOGINS=0 where USERNAME='mani'':
Wed Nov 14 12:37:14 2012: DEBUG: AuthBy RADMIN result: ACCEPT,
Wed Nov 14 12:37:14 2012: DEBUG: Access accepted for mani
Wed Nov 14 12:37:14 2012: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  m<148><151>`<252><193>,5Z<175><230>(<174><31>~<143>
Attributes:
        Framed-IP-Address = group1

Wed Nov 14 12:37:14 2012: DEBUG: TacacsplusConnection result Access-Accept
Wed Nov 14 12:37:14 2012: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Wed Nov 14 12:37:14 2012: DEBUG: TacacsplusConnection disconnected from *.*.*.*:60147
Wed Nov 14 12:37:14 2012: DEBUG: New TacacsplusConnection created for *.*.*.*:57759
Wed Nov 14 12:37:14 2012: DEBUG: TacacsplusConnection request 192, 3, 1, 0, 3529834797, 103
Wed Nov 14 12:37:14 2012: DEBUG: TacacsplusConnection Accounting REQUEST 2, 6, 0, 1, 1, mani at local, /dev/ttyp1, *.*.*.*, 4, start_time=1352889434 task_id=9384 timezone=GMT service=shell
Wed Nov 14 12:37:14 2012: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Accounting-Request
Identifier: UNDEF
Authentic:  A<225>~<209><154><168>2<217>V<185><163>!v/<179><21>
Attributes:
        NAS-IP-Address = *.*.*.*
        NAS-Port-Id = "/dev/ttyp1"
        Calling-Station-Id = "*.*.*.*"
        OSC-Environment-Identifier = "Tacacs"
        User-Name = "mani at local"
        Acct-Status-Type = Start
        Acct-Session-Id = "3529834797"
        cisco-avpair = "start_time=1352889434"
        cisco-avpair = "task_id=9384"
        cisco-avpair = "timezone=GMT"
        cisco-avpair = "service=shell"
        OSC-Version-Identifier = "192"

Wed Nov 14 12:37:14 2012: DEBUG: Handling request with Handler 'OSC-Environment-Identifier=Tacacs,Request-Type=Accounting-Request', Identifier 'TacacsAcctHandler'
Wed Nov 14 12:37:14 2012: DEBUG:  Adding session for mani at local, 93.155.11.
Wed Nov 14 12:37:14 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost': 'delete from RADONLINE where NASIDENTIFIER='*.*.*.*' and NASPORT=00':
Wed Nov 14 12:37:14 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost': 'insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('mani at local', '*.*.*.*', 0, '3529834797', 1352889434, '', '', '')':
Wed Nov 14 12:37:14 2012: DEBUG: Handling with Radius::AuthSQL: SqlAcctTacacs
Wed Nov 14 12:37:14 2012: DEBUG: Handling accounting with Radius::AuthSQL
Wed Nov 14 12:37:14 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost': 'insert into RADCOMMANDAUDIT (ACCTSESSIONID,ACCTSTATUSTYPE,CMD,NASIPADDRESS,NASPORTID,TIME_STAMP,USERNAME) values ('3529834797',1,'start_time=1352889434,task_id=9384,timezone=GMT,service=shell,','*.*.*.*','/dev/ttyp1',1352889434,'mani at local')':
Wed Nov 14 12:37:14 2012: DEBUG: AuthBy SQL result: ACCEPT,
Wed Nov 14 12:37:14 2012: DEBUG: Accounting accepted
Wed Nov 14 12:37:14 2012: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code:       Accounting-Response
Identifier: UNDEF
Authentic:  A<225>~<209><154><168>2<217>V<185><163>!v/<179><21>
Attributes:

Wed Nov 14 12:37:14 2012: DEBUG: TacacsplusConnection result Accounting-Response
Wed Nov 14 12:37:14 2012: DEBUG: TacacsplusConnection Accounting REPLY 1, ,
Wed Nov 14 12:37:14 2012: DEBUG: TacacsplusConnection disconnected from *.*.*.*:57759
Wed Nov 14 12:37:14 2012: DEBUG: New TacacsplusConnection created for *.*.*.*:62302
Wed Nov 14 12:37:14 2012: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 896646501, 69
Wed Nov 14 12:37:14 2012: DEBUG: TacacsplusConnection Authorization REQUEST 6, 0, 1, 1, mani, /dev/ttyp1, *.*.*.*, 3, service=shell cmd* command-access*
Wed Nov 14 12:37:14 2012: INFO: Authorization denied for mani, group DEFAULT. No matching AuthorizeGroup rule for args service=shell cmd* command-access*
Wed Nov 14 12:37:14 2012: DEBUG: TacacsplusConnection Authorization RESPONSE 16, denied, ,
Wed Nov 14 12:37:14 2012: DEBUG: TacacsplusConnection disconnected from *.*.*.*:62302

I changed my Schema.pm in order to map the user name to the group name. I added a column named USERGROUP to RADUSERS. After that, as you can see, a strange debug message appears: Framed-IP-Address = group1

Do I need a Perl hook in order to match the username and group name for TACACS authorization?

Thanks

MURAT BİLAL
Services Engineer

Ericsson Turkey
CU Customer Support
Cyber Plaza C Blok Kat:1 No:146
Cyberpark 6800 Bilkent/Ankara
Mobile +90 554 898 98 43
murat.bilal at ericsson.com
www.ericsson.com

Attachments:
radius.cfg (application/octet-stream, 7353 bytes): http://www.open.com.au/pipermail/radiator/attachments/20121114/65732986/attachment-0002.obj
Schema.pm (application/octet-stream, 16358 bytes): http://www.open.com.au/pipermail/radiator/attachments/20121114/65732986/attachment-0003.obj
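The log above shows why the authorization request is refused: the Access-Accept for mani carries no group attribute, so ServerTACACSPLUS places the user in the group DEFAULT, and there is no AuthorizeGroup rule for DEFAULT that matches the request args `service=shell cmd* command-access*`. The query in the log also returns USERGROUP in the second column, the position AuthBy RADMIN's stock query uses for STATICADDRESS, which is consistent with the group name arriving in the reply as `Framed-IP-Address = group1`. Below is an added example configuration, not the poster's attached radius.cfg or Schema.pm and not taken from the Radiator distribution, of one way to do this without a Perl hook: an AuthBy SQL whose AuthColumnDef returns the group column as a reply attribute, and a ServerTACACSPLUS whose GroupMemberAttr reads that attribute to pick the rule set. The table and column names follow the log; the database credentials, the TACACS+ key, the group names, the attribute name OSC-Group-Identifier and the exact command rules are assumptions and placeholders, and the parameter names should be checked against the reference manual of the Radiator version in use.

```text
# Added example, not the poster's radius.cfg. Assumes table RADUSERS with
# columns USERNAME, PASS_WORD and USERGROUP; credentials and key are placeholders.

<AuthBy SQL>
    Identifier TacacsAuth
    DBSource   dbi:mysql:radmin:localhost
    DBUsername radmin
    DBAuth     CHANGE_ME

    # Columns are numbered from 0. Column 0 is checked as the password;
    # column 1 (the group name) is copied into the reply as an attribute
    # that ServerTACACSPLUS can read. OSC-Group-Identifier is assumed here.
    AuthSelect select PASS_WORD, USERGROUP from RADUSERS where USERNAME=%0
    AuthColumnDef 0, User-Password, check
    AuthColumnDef 1, OSC-Group-Identifier, reply
</AuthBy>

# TACACS+ authentication requests are turned into Access-Requests tagged with
# OSC-Environment-Identifier=Tacacs, as the accounting handler in the log shows.
<Handler OSC-Environment-Identifier=Tacacs,Request-Type=Access-Request>
    AuthBy TacacsAuth
</Handler>

<ServerTACACSPLUS>
    Key CHANGE_ME

    # Reply attribute whose value names the user's AuthorizeGroup set.
    # A user whose reply has no such attribute falls into group DEFAULT.
    GroupMemberAttr OSC-Group-Identifier

    # Rules are tried in order; the first match decides. Each arg is a regexp,
    # so the shell-start request "cmd*" (cmd present but empty) needs "cmd\*".
    AuthorizeGroup admins permit service=shell cmd\* {priv-lvl=15}
    AuthorizeGroup admins permit service=shell cmd=show cmd-arg=.*
    AuthorizeGroup admins permit service=shell cmd=configure cmd-arg=.*
    AuthorizeGroup admins deny .*

    # Without DEFAULT rules, every user with no group attribute ends in
    # "No matching AuthorizeGroup rule", as in the log. Keep DEFAULT minimal
    # and finish every group with an explicit deny.
    AuthorizeGroup DEFAULT permit service=shell cmd\* {priv-lvl=1}
    AuthorizeGroup DEFAULT permit service=shell cmd=show cmd-arg=.*
    AuthorizeGroup DEFAULT deny .*
</ServerTACACSPLUS>
```

With this layout a RADUSERS row for mani with USERGROUP set to admins would be evaluated against the admins rules, and a row with an empty or unknown USERGROUP against DEFAULT. The deny-all line at the end of each group is what turns the rule set into an allow list; a group without it would still be refused for unmatched commands, but only because no rule matched, which is harder to audit than an explicit deny. When debugging, the line `Authorization denied for <user>, group <name>` in the trace tells which group the request was matched against, so a user unexpectedly landing in DEFAULT points at the reply attribute (its name or its column position) rather than at the rules.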