[RADIATOR] tacacs on cisco with command authorization results in AAA/AUTHOR/CMD Cannot replace commands

Heikki Vatiainen hvn at open.com.au
Fri Aug 4 14:49:42 UTC 2017


On 28.7.2017 17.09, Christian Kratzer wrote:

> The issue seems to be that radiator passes the cisco-avpair from 
> authentication to each command authorization which the cisco does not like.
> 
> I know this seems to be working as documented in goodies/tacplus.txt
> 
>      # Any cisco-avpair reply items that result from the Radius authentication will be used for
>      # TACACS+ authorization.
> 
> I have temporarily patched ServerTACACSPLUS.pm to disable passing of 
> reply values for later command authorization but am keeping it for the 
> initial login.
> 
> How is command authorization supposed to work when the reply items 
> include cisco-avpairs?

I'd say your configuration does not need cisco-avpair attributes 
received with authentication accept. If you only had 'aaa authorization 
exec ...' configured on cisco, then the reply avpair could set the 
privilege level, but the other command authorisation seems to break in 
that case.

The parameter below should already set the enable level after the login 
and the cisco-avpair for test2 user is not needed. This is the 
authorisation that happens immediately after login.

    AuthorizeGroup admin permit service=shell cmd\* {priv-lvl=15}

Also, login does not need cisco-avpair, so if everything can be handled 
with AuthorizeGroup, then there is no need to return cisco-avpair 
attributes during authentication.

Note that I did not test it with cisco this time but if I remember 
correctly the above is how it goes.

In other words, the returned cisco-avpair could be useful when exec 
authorisation is configured but not with full command authorisation.

Also, the documented functionality has been part of ServerTACACSPLUS 
since its first versions, so it might have been more useful then but not 
that useful anymore when AuthorizeGroup is available.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.
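An added illustration of the configuration shape Heikki describes (not from the original thread or from Radiator's own goodies files): the enable level is granted by AuthorizeGroup right after login and the per-command decisions are explicit rules, so the RADIUS side does not need to return any cisco-avpair reply items. The Key, the group name, the GroupMemberAttr value, the specific command rules and the Cisco-side aaa lines are assumptions for the example.

```text
# Added example only: Key, group name and the command rules below are
# placeholders / assumptions, not values taken from the original message.
#
# Cisco side (assumed): both exec and command authorisation go to TACACS+
#   aaa authorization exec default group tacacs+
#   aaa authorization commands 15 default group tacacs+

<ServerTACACSPLUS>
    Key change-me

    # Group of the authenticated user is taken from this reply attribute
    # (assumed to be set by the Handler on authentication accept).
    GroupMemberAttr OSC-Group-Identifier

    # Exec authorisation immediately after login: privilege 15 for admins.
    # This replaces a cisco-avpair "shell:priv-lvl=15" reply item, which
    # would otherwise be repeated into every later command authorisation.
    AuthorizeGroup admin permit service=shell cmd\* {priv-lvl=15}

    # Command authorisation: rules are assumed to be tried in order, first
    # match deciding. Allow show and configure terminal, deny the rest.
    AuthorizeGroup admin permit service=shell cmd=show cmd-arg=.*
    AuthorizeGroup admin permit service=shell cmd=configure cmd-arg=terminal
    AuthorizeGroup admin deny .*
</ServerTACACSPLUS>
```

With this layout the authentication reply carries no cisco-avpair at all, which is the condition under which command authorisation is expected to keep working.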
