[RADIATOR] AddToReply tacacsgroup
Murat Bilal
murat.bilal at ericsson.com
Fri Nov 16 05:56:17 CST 2012
Actually I mean if I have 2 different privilege level groups. For example one of them has priv-lvl=15, the other has priv-lvl=1. Do I need 2 different AuthBys?
Thanks
-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Heikki Vatiainen
Sent: 16 Kasım 2012 Cuma 13:31
To: radiator at open.com.au
Subject: Re: [RADIATOR] AddToReply tacacsgroup
On 11/15/2012 10:34 PM, Murat Bilal wrote:
> I have three different groups for TACACS authorization. My radius
> .cfg is like that
Hello Murat,
You can have only one AddToReply line in an AuthBy. This is why you get DEFAULT with the Access-Accept. Try removing all except the one that adds group3.
The authorize arguments the device sends are:
service=shell cmd* command-access*
The matching AuthorizeGroup for group3 would be this:
AuthorizeGroup group3 permit service=shell cmd\* command-access\* {priv-lvl=15}
Since the patterns, such as cmd\*, are regular expressions, you need to escape any special characters such as '*'.
I suggest you re-read the reference manual ServerTACACSPLUS entry together with goodies/servertacacsplus.cfg. I'd say you are currently changing too many things simultaneously, fixing some things while breaking others. Now would be a good time to review how TACACS+ authentication and authorization work with Radiator.
Thanks,
Heikki
> <ServerTACACSPLUS>
>     Key *****
>     AddToRequest NAS-Identifier=TACACS
>     GroupMemberAttr tacacsgroup
>     AuthorizeGroup group1 permit service=shell cmd=show cmd-args=.*
>     AuthorizeGroup group1 permit .*
>     # AuthorizeGroup DEFAULT deny .*
>     AuthorizeGroup group3 permit service=shell cmd\* {priv-lvl=15}
> </ServerTACACSPLUS>
>
> <Handler>
>     <AuthBy SQL>
>         # Change DBSource, DBUsername, DBAuth for your database
>         # See the reference manual. You will also have to
>         # change the one in <SessionDatabase SQL> below
>         # so it's the same
>         DBSource dbi:mysql:radius:localhost
>         DBUsername raduser
>         DBAuth raduser
>
>         # Never look up the DEFAULT user
>         NoDefault
>
>         # You can customise the SQL query used to get user details with the
>         # AuthSelect parameter:
>         AuthSelect select PASSWORD 'Auth-Type=AuthSQL', 'GroupList="group1 group2 group3"' from SUBSCRIBERS where USERNAME=%0
>
>         -----
>         ------------
>
>         AddToReply tacacsgroup= group1
>         AddToReply tacacsgroup= group3
>         AddToReply tacacsgroup= DEFAULT
>
>
>
> I try with user mikem in group1. And the trace log:
>
> Thu Nov 15 22:31:17 2012: DEBUG: Query to 'dbi:mysql:radius:localhost': 'select PASSWORD 'Auth-Type=AuthSQL', 'GroupList="group1 group2 group3"' from SUBSCRIBERS where USERNAME='mikem'':
> Thu Nov 15 22:31:17 2012: DEBUG: Radius::AuthSQL looks for match with mikem [mikem]
> Thu Nov 15 22:31:17 2012: DEBUG: Query to 'dbi:mysql:radius:localhost': 'select GROUPNAME from GROUPS where USERNAME='mikem' and GROUPNAME='group1'':
> Thu Nov 15 22:31:17 2012: DEBUG: Radius::AuthSQL ACCEPT: : mikem [mikem]
> Thu Nov 15 22:31:17 2012: DEBUG: AuthBy SQL result: ACCEPT,
> Thu Nov 15 22:31:17 2012: DEBUG: Access accepted for mikem
> Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost': 'insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (1353011477, 'mikem', 1)':
> Thu Nov 15 22:31:17 2012: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  p<146><26><192>4H<235><16>\<21><252>v.<142><152><28>
> Attributes:
>     tacacsgroup = DEFAULT
>
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection result Access-Accept
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection disconnected from 93.155.11.54:58517
> Thu Nov 15 22:31:17 2012: DEBUG: New TacacsplusConnection created for 93.155.11.54:61939
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection request 192, 3, 1, 0, 3529830477, 105
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Accounting REQUEST 2, 6, 0, 1, 1, mikem at local, /dev/ttyp3, 78.169.249.3, 4, start_time=1353011477 task_id=10700 timezone=GMT service=shell
> Thu Nov 15 22:31:17 2012: DEBUG: TACACSPLUS derived Radius request packet dump:
> Code:       Accounting-Request
> Identifier: UNDEF
> Authentic:  p<235><143><10>U<177>d<206>X_Z<168>O<129><31>j
> Attributes:
>     NAS-IP-Address = 93.155.11.54
>     NAS-Port-Id = "/dev/ttyp3"
>     Calling-Station-Id = "78.169.249.3"
>     NAS-Identifier = "TACACS"
>     User-Name = "mikem at local"
>     Acct-Status-Type = Start
>     Acct-Session-Id = "3529830477"
>     cisco-avpair = "start_time=1353011477"
>     cisco-avpair = "task_id=10700"
>     cisco-avpair = "timezone=GMT"
>     cisco-avpair = "service=shell"
>     OSC-Version-Identifier = "192"
>
> Thu Nov 15 22:31:17 2012: DEBUG: Handling request with Handler '', Identifier ''
> Thu Nov 15 22:31:17 2012: DEBUG: Adding session for mikem at local, 93.155.11.54,
> Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost': 'delete from RADONLINE where NASIDENTIFIER='93.155.11.54' and NASPORT=00':
> Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost': 'insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('mikem at local', '93.155.11.54', 0, '3529830477', 1353011477, '', '', '')':
> Thu Nov 15 22:31:17 2012: DEBUG: Handling with Radius::AuthSQL:
> Thu Nov 15 22:31:17 2012: DEBUG: Handling accounting with Radius::AuthSQL
> Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radius:localhost': 'insert into ACCOUNTING (ACCTSESSIONID,ACCTSTATUSTYPE,NASIDENTIFIER,TIME_STAMP,USERNAME) values ('3529830477','Start','TACACS',1353011477,'mikem at local')':
> Thu Nov 15 22:31:17 2012: DEBUG: AuthBy SQL result: ACCEPT,
> Thu Nov 15 22:31:17 2012: DEBUG: Accounting accepted
> Thu Nov 15 22:31:17 2012: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:       Accounting-Response
> Identifier: UNDEF
> Authentic:  p<235><143><10>U<177>d<206>X_Z<168>O<129><31>j
> Attributes:
>
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection result Accounting-Response
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Accounting REPLY 1, ,
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection disconnected from 93.155.11.54:61939
> Thu Nov 15 22:31:17 2012: DEBUG: New TacacsplusConnection created for 93.155.11.54:64085
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 2033174599, 70
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Authorization REQUEST 6, 0, 1, 1, mikem, /dev/ttyp3, 78.169.249.3, 3, service=shell cmd* command-access*
> Thu Nov 15 22:31:17 2012: INFO: Authorization denied for mikem, group DEFAULT. No matching AuthorizeGroup rule for args service=shell cmd* command-access*
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Authorization RESPONSE 16, denied, ,
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection disconnected from 93.155.11.54:64085
>
> The reply message always says group DEFAULT. Is something wrong with my
> AddToReply clause? Why does the reply always say group DEFAULT?
>
> And a strange issue: if group3 is at the end of the AddToReply lines,
> then the reply message comes as group3.
>
> MURAT BİLAL
> Services Engineer
>
> Ericsson Turkey
> CU Customer Support
> Cyber Plaza C Blok Kat:1 No:146
> Cyberpark 6800 Bilkent/Ankara
> Mobile +90 554 898 98 43
> murat.bilal at ericsson.com
> www.ericsson.com
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
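As an added illustration of the point Heikki makes about AuthorizeGroup patterns being regular expressions (example code written for this page, not Radiator's implementation), here is a small Python model of how such a rule table is evaluated. It assumes a simplified semantics: the device's authorization arguments are joined with spaces, each rule's pattern is tried as a regular expression over the whole joined string, the first matching rule for the user's group wins, and no match means deny, as the "No matching AuthorizeGroup rule" line in the trace shows. Radiator's exact anchoring of the pattern is not shown in the thread and is an assumption of the model. The config lines and the argument string are taken from the thread; the other test inputs are constructed.

```python
import re

# Shape of an AuthorizeGroup line as it appears in the thread:
#   AuthorizeGroup <group> permit|deny <regex over the joined args> [{reply-arg ...}]
RULE_RE = re.compile(
    r"^AuthorizeGroup\s+(\S+)\s+(permit|deny)\s+(.*?)\s*(?:\{([^}]*)\})?\s*$"
)


def parse_rule(line):
    """Parse one AuthorizeGroup line into (group, action, pattern, reply_args)."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an AuthorizeGroup line: {line!r}")
    group, action, pattern, reply = m.groups()
    reply_args = dict(kv.split("=", 1) for kv in (reply or "").split())
    return group, action, pattern, reply_args


def authorize(rules, group, args):
    """Evaluate the rules for one group against the device's argument list.

    Model assumptions (not taken from Radiator's source): the arguments are
    joined with single spaces, the pattern must match the whole joined
    string, the first matching rule wins, and no match denies.
    """
    joined = " ".join(args)
    for rule_group, action, pattern, reply_args in rules:
        if rule_group != group:
            continue
        if re.fullmatch(pattern, joined):
            return action, reply_args
    # Same outcome as the trace line "Authorization denied ... No matching
    # AuthorizeGroup rule": an unmatched request is refused, not waved through.
    return "deny", {}


# Rules from the thread, with Heikki's corrected group3 line.
CONFIG_LINES = [
    r"AuthorizeGroup group1 permit service=shell cmd=show cmd-args=.*",
    r"AuthorizeGroup group1 permit .*",
    r"AuthorizeGroup group3 permit service=shell cmd\* command-access\* {priv-lvl=15}",
]
RULES = [parse_rule(line) for line in CONFIG_LINES]

# The same group3 line with the backslashes left out, to isolate the escaping
# problem Heikki describes. Constructed input, not a line from the thread.
UNESCAPED_RULES = [
    parse_rule(r"AuthorizeGroup group3 permit service=shell cmd* command-access* {priv-lvl=15}")
]

# What the device sent on shell login, as logged in the thread. In TACACS+ an
# argument written attr*value is optional, so "cmd*" is an empty optional cmd.
SHELL_LOGIN_ARGS = ["service=shell", "cmd*", "command-access*"]


def decisions():
    """Collect the decisions the model reaches for the thread's scenarios."""
    return {
        # Group DEFAULT has no rules at all: denied, exactly as in the trace.
        "default_login": authorize(RULES, "DEFAULT", SHELL_LOGIN_ARGS),
        # Escaped pattern: the literal '*' in the args matches, priv-lvl is returned.
        "group3_escaped": authorize(RULES, "group3", SHELL_LOGIN_ARGS),
        # Unescaped: the regex "cmd*" means "cm" followed by any number of "d",
        # so it never matches the literal "cmd*" the device sent.
        "group3_unescaped": authorize(UNESCAPED_RULES, "group3", SHELL_LOGIN_ARGS),
        # group1's first rule is specific to "show" (constructed cmd-args value) ...
        "group1_show": authorize(RULES, "group1", ["service=shell", "cmd=show", "cmd-args=running-config"]),
        # ... but its second rule "permit .*" accepts any command at all, which is
        # the line to scrutinise when reviewing a table like this (constructed input).
        "group1_anything": authorize(RULES, "group1", ["service=shell", "cmd=configure", "cmd-args=terminal"]),
    }


if __name__ == "__main__":
    for name, (action, reply) in decisions().items():
        print(f"{name:18} -> {action:6} {reply}")
```

Running the block prints one decision per scenario. The two group3 cases differ only in the backslashes, which is the whole of Heikki's point: in a regex `*` is a quantifier, so a literal asterisk in the device's arguments must be written `\*` in the rule. The group1 cases show why a trailing `permit .*` deserves a second look during review, since it makes the more specific rule before it irrelevant for authorization decisions.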