[RADIATOR] AddToReply tacacsgroup

Murat Bilal murat.bilal at ericsson.com
Fri Nov 16 09:25:02 CST 2012


Then how to define the AddToReply OSC-Group-Identifier clause if you have two different priv groups? AuthSQL accepts only one AddToReply clause. If you do not define an AddToReply clause, I get this:

Authorization denied for user, group DEFAULT. No matching AuthorizeGroup rule for args service=shell cmd* command-access*

-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Heikki Vatiainen
Sent: Friday, 16 November 2012 16:03
To: radiator at open.com.au
Subject: Re: [RADIATOR] AddToReply tacacsgroup

On 11/16/2012 01:56 PM, Murat Bilal wrote:
> Actually I mean if I have 2 different privilege level groups. For 
> example one of them has priv-lvl=15, the other is priv-lvl=1. Do I 
> need 2 different AuthBy

This is done (usually) with one AuthBy. The correct value for AuthorizeGroupAttr depends on the user. The user has the correct authorization group configured as the reply attribute.

For AuthBy SQL, see AuthSelect and AuthColumnDef documentation for more information.

Thanks,
Heikki



> Thanks
> 
> -----Original Message-----
> From: radiator-bounces at open.com.au 
> [mailto:radiator-bounces at open.com.au] On Behalf Of Heikki Vatiainen
> Sent: Friday, 16 November 2012 13:31
> To: radiator at open.com.au
> Subject: Re: [RADIATOR] AddToReply tacacsgroup
> 
> On 11/15/2012 10:34 PM, Murat Bilal wrote:
> 
>> I have three different groups for TACACS authorization. My radius.cfg 
>> is like that:
> 
> Hello Murat,
> 
> you can have only one AddToReply line in an AuthBy. This is why you get DEFAULT with the Access-Accept. Try removing all except one that adds group3.
> 
> The authorize arguments the device sends are:
>   service=shell cmd* command-access*
> 
> The matching AuthorizeGroup for group3 would be this:
>   AuthorizeGroup group3 permit service=shell cmd\* command-access\* {priv-lvl=15}
> 
> Since the patterns, such as cmd\*, are regular expressions, you need to escape any special characters such as '*'.
> 
> I suggest you should re-read the reference manual ServerTACACSPLUS entry with goodies/servertacacsplus.cfg. I'd say you are currently changing too many things simultaneously, fixing some things while breaking others. Now would be a good time to review how TACACS+ authentication and authorization works with Radiator.
> 
> Thanks,
> Heikki
> 
> 
>> <ServerTACACSPLUS>
>>         Key *****
>>         AddToRequest NAS-Identifier=TACACS
>>         GroupMemberAttr tacacsgroup
>>         AuthorizeGroup group1  permit service=shell cmd=show cmd-args=.*
>>         AuthorizeGroup group1 permit .*
>> #       AuthorizeGroup DEFAULT  deny .*
>>         AuthorizeGroup group3 permit service=shell cmd\* {priv-lvl=15}
>> </ServerTACACSPLUS>
>>
>> <Handler>
>>         <AuthBy SQL>
>>                 # Change DBSource, DBUsername, DBAuth for your database
>>                 # See the reference manual. You will also have to
>>                 # change the one in <SessionDatabase SQL> below
>>                 # so it's the same
>>                 DBSource        dbi:mysql:radius:localhost
>>                 DBUsername      raduser
>>                 DBAuth          raduser
>>
>>                 # Never look up the DEFAULT user
>>                 NoDefault
>>
>>                 # You can customise the SQL query used to get user details with the
>>                 # AuthSelect parameter:
>>                 AuthSelect select PASSWORD 'Auth-Type=AuthSQL', 'GroupList="group1 group2 group3"' from SUBSCRIBERS where USERNAME=%0
>>
>>         -----
>> ------------
>>
>>         AddToReply tacacsgroup= group1
>>         AddToReply tacacsgroup= group3
>>         AddToReply tacacsgroup= DEFAULT
>>
>> I try with user mikem in group1. And the trace log:
>>
>> Thu Nov 15 22:31:17 2012: DEBUG: Query to 'dbi:mysql:radius:localhost': 'select PASSWORD 'Auth-Type=AuthSQL', 'GroupList="group1 group2 group3"' from SUBSCRIBERS where USERNAME='mikem'':
>> Thu Nov 15 22:31:17 2012: DEBUG: Radius::AuthSQL looks for match with mikem [mikem]
>> Thu Nov 15 22:31:17 2012: DEBUG: Query to 'dbi:mysql:radius:localhost': 'select GROUPNAME from GROUPS where USERNAME='mikem' and GROUPNAME='group1'':
>> Thu Nov 15 22:31:17 2012: DEBUG: Radius::AuthSQL ACCEPT: : mikem [mikem]
>> Thu Nov 15 22:31:17 2012: DEBUG: AuthBy SQL result: ACCEPT,
>> Thu Nov 15 22:31:17 2012: DEBUG: Access accepted for mikem
>> Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost': 'insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (1353011477, 'mikem', 1)':
>> Thu Nov 15 22:31:17 2012: DEBUG: Packet dump:
>> *** Reply to TACACSPLUS request:
>> Code:       Access-Accept
>> Identifier: UNDEF
>> Authentic:  p<146><26><192>4H<235><16>\<21><252>v.<142><152><28>
>> Attributes:
>>         tacacsgroup = DEFAULT
>>
>> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection result Access-Accept
>> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
>> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection disconnected from 93.155.11.54:58517
>> Thu Nov 15 22:31:17 2012: DEBUG: New TacacsplusConnection created for 93.155.11.54:61939
>> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection request 192, 3, 1, 0, 3529830477, 105
>> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Accounting REQUEST 2, 6, 0, 1, 1, mikem at local, /dev/ttyp3, 78.169.249.3, 4, start_time=1353011477 task_id=10700 timezone=GMT service=shell
>> Thu Nov 15 22:31:17 2012: DEBUG: TACACSPLUS derived Radius request packet dump:
>> Code:       Accounting-Request
>> Identifier: UNDEF
>> Authentic:  p<235><143><10>U<177>d<206>X_Z<168>O<129><31>j
>> Attributes:
>>         NAS-IP-Address = 93.155.11.54
>>         NAS-Port-Id = "/dev/ttyp3"
>>         Calling-Station-Id = "78.169.249.3"
>>         NAS-Identifier = "TACACS"
>>         User-Name = "mikem at local"
>>         Acct-Status-Type = Start
>>         Acct-Session-Id = "3529830477"
>>         cisco-avpair = "start_time=1353011477"
>>         cisco-avpair = "task_id=10700"
>>         cisco-avpair = "timezone=GMT"
>>         cisco-avpair = "service=shell"
>>         OSC-Version-Identifier = "192"
>>
>> Thu Nov 15 22:31:17 2012: DEBUG: Handling request with Handler '', Identifier ''
>> Thu Nov 15 22:31:17 2012: DEBUG:  Adding session for mikem at local, 93.155.11.54,
>> Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost': 'delete from RADONLINE where NASIDENTIFIER='93.155.11.54' and NASPORT=00':
>> Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost': 'insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('mikem at local', '93.155.11.54', 0, '3529830477', 1353011477, '', '', '')':
>> Thu Nov 15 22:31:17 2012: DEBUG: Handling with Radius::AuthSQL:
>> Thu Nov 15 22:31:17 2012: DEBUG: Handling accounting with Radius::AuthSQL
>> Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radius:localhost': 'insert into ACCOUNTING (ACCTSESSIONID,ACCTSTATUSTYPE,NASIDENTIFIER,TIME_STAMP,USERNAME) values ('3529830477','Start','TACACS',1353011477,'mikem at local')':
>> Thu Nov 15 22:31:17 2012: DEBUG: AuthBy SQL result: ACCEPT,
>> Thu Nov 15 22:31:17 2012: DEBUG: Accounting accepted
>> Thu Nov 15 22:31:17 2012: DEBUG: Packet dump:
>> *** Reply to TACACSPLUS request:
>> Code:       Accounting-Response
>> Identifier: UNDEF
>> Authentic:  p<235><143><10>U<177>d<206>X_Z<168>O<129><31>j
>> Attributes:
>>
>> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection result Accounting-Response
>> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Accounting REPLY 1, ,
>> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection disconnected from 93.155.11.54:61939
>> Thu Nov 15 22:31:17 2012: DEBUG: New TacacsplusConnection created for 93.155.11.54:64085
>> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 2033174599, 70
>> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Authorization REQUEST 6, 0, 1, 1, mikem, /dev/ttyp3, 78.169.249.3, 3, service=shell cmd* command-access*
>> Thu Nov 15 22:31:17 2012: INFO: Authorization denied for mikem, group DEFAULT. No matching AuthorizeGroup rule for args service=shell cmd* command-access*
>> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Authorization RESPONSE 16, denied, ,
>> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection disconnected from 93.155.11.54:64085
>>
>> Reply message always says group DEFAULT. Is something wrong with my 
>> AddToReply clause? Why does the reply always say group DEFAULT?
>>
>> And a strange issue: if group3 is at the end of the line for the 
>> AddToReply clause then the reply message comes as Group3.
>>
>> *MURAT BİLAL *
>> *Services Engineer*
>>
>>
>> Ericsson Turkey
>> CU Customer Support
>> Cyber Plaza C Blok Kat:1 No:146
>> Cyberpark 6800 Bilkent/Ankara
>> Mobile +90 554 898 98 43
>> murat.bilal at ericsson.com <mailto:murat.bilal at ericsson.com> 
>> www.ericsson.com
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>>
> 
> 
> --
> Heikki Vatiainen <hvn at open.com.au>
> 
> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
> 


_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator
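As an added example (not Radiator's code and not from either author in this thread), here is a small Python model of how regex-based AuthorizeGroup rules decide the authorization request quoted above, and of why Heikki's escaped `cmd\*` matches the literal `cmd*` argument while the unescaped form does not. The matching semantics (each pattern fully matching at least one request argument, first matching rule for the user's group wins, deny when nothing matches) and the `USER_GROUP` table standing in for the per-user tacacsgroup reply attribute that AuthSelect/AuthColumnDef would return from SQL are assumptions for the model, not Radiator's documented behaviour:

```python
"""Model of Radiator-style AuthorizeGroup matching for TACACS+ authorization.

Added example, not Radiator's code. Assumed semantics: every whitespace-
separated pattern in a rule is a Perl-style regular expression that must
fully match at least one argument of the authorization request; rules are
tried in order and the first match for the user's group decides; a group
with no matching rule is denied.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# AuthorizeGroup <group> permit|deny <pattern>... [{reply attributes}]
RULE_RE = re.compile(
    r"^\s*AuthorizeGroup\s+(\S+)\s+(permit|deny)\s+(.*?)\s*(?:\{([^}]*)\})?\s*$"
)


class Rule(NamedTuple):
    group: str
    action: str
    patterns: Tuple[str, ...]
    reply: Dict[str, str]


def parse_rule(line: str) -> Rule:
    """Parse one AuthorizeGroup line into a Rule."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"not an AuthorizeGroup line: {line!r}")
    group, action, patterns, reply = m.groups()
    reply_attrs: Dict[str, str] = {}
    for avp in (reply or "").split():
        name, _, value = avp.partition("=")
        reply_attrs[name] = value
    return Rule(group, action, tuple(patterns.split()), reply_attrs)


def rule_matches(rule: Rule, args: List[str]) -> bool:
    """Every pattern must fully match at least one request argument (assumed)."""
    return all(any(re.fullmatch(p, a) for a in args) for p in rule.patterns)


def authorize(rules: List[Rule], group: str, args: List[str]) -> Tuple[str, Dict[str, str]]:
    """Return (action, reply attributes) from the first matching rule of `group`,
    or ("deny", {}) when no rule matches, which is the situation behind the
    'No matching AuthorizeGroup rule' INFO line in the trace above."""
    for rule in rules:
        if rule.group == group and rule_matches(rule, args):
            return rule.action, dict(rule.reply)
    return "deny", {}


# Constructed stand-in for the per-user tacacsgroup reply attribute that
# AuthSelect/AuthColumnDef would return from SQL; unknown users fall to DEFAULT.
USER_GROUP = {"mikem": "group1", "netadmin": "group3"}


def authorize_user(rules: List[Rule], user: str, args: List[str]) -> Tuple[str, Dict[str, str]]:
    return authorize(rules, USER_GROUP.get(user, "DEFAULT"), args)


# The authorization arguments the device sends, as quoted in the thread.
REQUEST_ARGS = ["service=shell", "cmd*", "command-access*"]

# Unescaped '*' is a regex quantifier: 'cmd*' matches "cm", "cmd", "cmdd" but
# never the literal argument "cmd*", so this rule set denies the request.
RULES_UNESCAPED = [parse_rule(r"AuthorizeGroup group3 permit service=shell cmd* command-access*")]

# Escaped patterns; one rule set serves both privilege levels (constructed).
RULES = [
    parse_rule(r"AuthorizeGroup group1 permit service=shell cmd\* command-access\* {priv-lvl=1}"),
    parse_rule(r"AuthorizeGroup group3 permit service=shell cmd\* command-access\* {priv-lvl=15}"),
    parse_rule(r"AuthorizeGroup DEFAULT deny .*"),
]

if __name__ == "__main__":
    print(authorize(RULES_UNESCAPED, "group3", REQUEST_ARGS))  # ('deny', {})
    print(authorize_user(RULES, "netadmin", REQUEST_ARGS))    # ('permit', {'priv-lvl': '15'})
    print(authorize_user(RULES, "mikem", REQUEST_ARGS))       # ('permit', {'priv-lvl': '1'})
    print(authorize_user(RULES, "unknown", REQUEST_ARGS))     # ('deny', {})
```

The point the model makes is that a group with no matching rule is a deny, so a user whose reply carries the wrong tacacsgroup (DEFAULT in the trace above) is refused even though authentication succeeded; the fix is a correct per-user group from the database plus patterns that match the literal arguments. The reverse risk is the over-broad pattern: a rule like the `AuthorizeGroup group1 permit .*` in the quoted config permits every command for that group, so each permit rule is worth checking against the arguments the device actually sends.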

