[RADIATOR] tacacs on cisco with command authorization results in AAA/AUTHOR/CMD Cannot replace commands
Heikki Vatiainen
hvn at open.com.au
Fri Aug 4 14:49:42 UTC 2017
On 28.7.2017 17.09, Christian Kratzer wrote:
> The issue seems to be that radiator passes the cisco-avpair from
> authentication to each command authorization which the cisco does not like.
>
> I know this seems to be working as documented in goodies/tacplus.txt
>
> # Any cisco-avpair reply items that result from the Radius authentication will be used for
> # TACACS+ authorization.
>
> I have temporarily patched ServerTACACSPLUS.pm to disable passing of
> reply values for later command authorization but am keeping it for the
> initial login.
>
> How is command authorization supposed to work when the reply items
> include cisco-avpairs?
I'd say your configuration does not need cisco-avpair attributes
received with authentication accept. If you only had 'aaa authorization
exec ...' configured on cisco, then the reply avpair could set the
privilege level, but the other command authorisation seems to break in
that case.
The parameter below should already set the enable level after the login
and the cisco-avpair for test2 user is not needed. This is the
authorisation that happens immediately after login.
AuthorizeGroup admin permit service=shell cmd\* {priv-lvl=15}
Also, login does not need cisco-avpair, so if everything can be handled
with AuthorizeGroup, then there is no need to return cisco-avpair
attributes during authentication.
Note that I did not test it with cisco this time but if I remember
correctly the above is how it goes.
In other words, the returned cisco-avpair could be useful when exec
authorisation is configured but not with full command authorisation.
Also, the documented functionality has been part of ServerTACACSPLUS
since its first versions, so it might have been more useful then but not
that useful anymore when AuthorizeGroup is available.
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
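A ServerTACACSPLUS clause that grants the privilege level and the per-command permissions entirely through AuthorizeGroup rules, with no cisco-avpair reply items, as an added illustration of the approach described in the reply above (not configuration from the original message or from the Radiator distribution). The Key value, the group names, the use of the Class reply attribute as GroupMemberAttr, and the first-match rule order are assumptions.

```conf
# Added example: privilege and command authorisation via AuthorizeGroup only.
# Assumed: the RADIUS authentication reply carries a Class attribute whose
# value names the TACACS+ group, and returns no cisco-avpair items.
<ServerTACACSPLUS>
    # Shared secret with the Cisco device (placeholder value)
    Key CHANGE-ME-shared-secret

    # Group membership taken from the Class reply attribute of the
    # RADIUS authentication, e.g. Class = admin or Class = operator
    GroupMemberAttr Class

    # Exec authorisation right after login: shell starts at level 15.
    # Rules are assumed to be tried in order, first match wins.
    AuthorizeGroup admin permit service=shell cmd\* {priv-lvl=15}
    # Command authorisation: each later command is a separate request
    AuthorizeGroup admin permit .*

    # Operators start at level 1 and may only run "show" commands
    AuthorizeGroup operator permit service=shell cmd\* {priv-lvl=1}
    AuthorizeGroup operator permit service=shell cmd=show cmd-arg=.*
    AuthorizeGroup operator deny .*

    # Anything not matched above is refused
    AuthorizeGroup DEFAULT deny .*
</ServerTACACSPLUS>
```

On the IOS side this pairs with `aaa authorization exec default group tacacs+` and `aaa authorization commands 15 default group tacacs+`, the setup the thread is about; the exec request arrives as `service=shell cmd*` and each command as `service=shell cmd=<name> cmd-arg=...`, which is what the patterns above match.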