[RADIATOR] tacacs on cisco with command authorization results in AAA/AUTHOR/CMD Cannot replace commands
Patrik Forsberg
patrik.forsberg at ip-only.se
Mon Aug 14 08:04:08 UTC 2017
Hello,
Sorry for the late response on this, but I think you have a minor fault in your configuration.
Try the following:
AuthorizeGroup admin permit service=shell cmd\* {priv-lvl=15}
AuthorizeGroup admin permit service=shell cmd= {priv-lvl=15}
This made a major difference on our setup because when cisco tries to authenticate/authorize it sends "cmd=<command>" and that is not caught by "cmd\*" (for whatever reason). Other devices send "cmd cmd-arg=<command>" and that is caught by "cmd\*".
Regards,
Patrik Forsberg
> -----Original Message-----
> From: radiator [mailto:radiator-bounces at lists.open.com.au] On Behalf Of
> Christian Kratzer
> Sent: den 28 juli 2017 16:09
> To: radiator at lists.open.com.au
> Subject: [RADIATOR] tacacs on cisco with command authorization results in
> AAA/AUTHOR/CMD Cannot replace commands
>
> Hi,
>
> I have a customer setup that uses tacacs and command authorization for
> shell users that is failing for the command authorization stage.
>
> This is a new setup. I have simplified and isolated the issue in my lab.
>
>
> The cisco is setup as follows:
>
> aaa authentication login default group tacacs+ local
> aaa authorization console
> aaa authorization exec default group tacacs+ if-authenticated
> aaa authorization commands 1 default group tacacs+ none
> aaa authorization commands 15 default group tacacs+ none
>
> The radiator is configured as follows:
>
> <ServerTACACSPLUS>
> Key mysecret
> Port 49
> GroupMemberAttr tacacsgroup
>
> AuthorizeGroup admin permit service=shell cmd\* {priv-lvl=15}
> AuthorizeGroup admin permit .*
>
> AuthorizeGroup DEFAULT deny .*
> </ServerTACACSPLUS>
>
> <AuthBy FILE>
> Identifier Auth-File
> Filename %D/users-tacacs
> </AuthBy>
>
> <Handler>
> AuthBy Auth-File
> </Handler>
>
>
> and users-tacacs has two users, one with and one without a cisco-avpair:
>
> test1 User-Password = "test17"
> tacacsgroup=admin
>
> test2 User-Password = "test17"
> tacacsgroup=admin,
> cisco-avpair=priv-lvl=15
>
> User test1 is working ok, and the cisco logs the following debug output:
>
> Jul 28 2017 13:57:35 UTC: AAA/AUTHOR/TAC+: (1842491926): user=test1
> Jul 28 2017 13:57:35 UTC: AAA/AUTHOR/TAC+: (1842491926): send AV service=shell
> Jul 28 2017 13:57:35 UTC: AAA/AUTHOR/TAC+: (1842491926): send AV cmd=show
> Jul 28 2017 13:57:35 UTC: AAA/AUTHOR/TAC+: (1842491926): send AV cmd-arg=version
> Jul 28 2017 13:57:35 UTC: AAA/AUTHOR/TAC+: (1842491926): send AV cmd-arg=<cr>
> Jul 28 2017 13:57:35 UTC: AAA/AUTHOR (1842491926): Post authorization status = PASS_ADD
>
> User test2 can log in to the cisco but gets authorization failures for every
> command:
>
> cons1#show ver
> Command authorization failed.
>
> For this the cisco logs the following debug output:
>
> Jul 28 2017 13:56:58 UTC: AAA/AUTHOR/TAC+: (2535147160): user=test2
> Jul 28 2017 13:56:58 UTC: AAA/AUTHOR/TAC+: (2535147160): send AV service=shell
> Jul 28 2017 13:56:58 UTC: AAA/AUTHOR/TAC+: (2535147160): send AV cmd=show
> Jul 28 2017 13:56:58 UTC: AAA/AUTHOR/TAC+: (2535147160): send AV cmd-arg=version
> Jul 28 2017 13:56:58 UTC: AAA/AUTHOR/TAC+: (2535147160): send AV cmd-arg=<cr>
> Jul 28 2017 13:56:58 UTC: AAA/AUTHOR (2535147160): Post authorization status = PASS_ADD
> Jul 28 2017 13:56:58 UTC: AAA/AUTHOR/CMD Cannot replace commands
>
>
> The difference in radiator logging is as follows:
>
>
> Fri Jul 28 15:57:35 2017: DEBUG: AuthorizeGroup rule match found: permit .* { }
> Fri Jul 28 15:57:35 2017: INFO: Authorization permitted for test1 at 192.168.64.40, group admin, args service=shell cmd=show cmd-arg=version cmd-arg=<cr>
> Fri Jul 28 15:57:35 2017: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
>
>
> Fri Jul 28 15:56:58 2017: DEBUG: AuthorizeGroup rule match found: permit .* { }
> Fri Jul 28 15:56:58 2017: INFO: Authorization permitted for test2 at 192.168.64.40, group admin, args service=shell cmd=show cmd-arg=version cmd-arg=<cr>
> Fri Jul 28 15:56:58 2017: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=15
>
>
> The issue seems to be that radiator passes the cisco-avpair from
> authentication to each command authorization, which the cisco does not like.
>
> I know this seems to be working as documented in goodies/tacplus.txt
>
> # Any cisco-avpair reply items that result from the Radius
> authentication will be used for
> # TACACS+ authorization..
>
> I have temporarily patched ServerTACACSPLUS.pm to disable passing of reply
> values for later command authorization but am keeping it for the initial login.
>
> How is command authorization supposed to work when the reply items
> include cisco-avpairs?
>
> Greetings
> Christian
>
>
> --
> Christian Kratzer CK Software GmbH
> Email: ck at cksoft.de Wildberger Weg 24/2
> Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
> Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
> Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
> Web: http://www.cksoft.de/
> _______________________________________________
> radiator mailing list
> radiator at lists.open.com.au
> http://lists.open.com.au/mailman/listinfo/radiator
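To make the rule matching in this thread concrete, here is a small Python model, added here and not Radiator's own code, of how the AuthorizeGroup rules from the original configuration and from the suggested one are evaluated against the argument lists seen in the debug output. It assumes that each rule's regex is searched against the space-joined TACACS+ arguments and that an IOS exec-session start sends a bare optional `cmd*` argument; both are assumptions. Under that model the per-command request falls through to `permit .*` in the original configuration, matching the "rule match found: permit .* { }" lines quoted above.

```python
import re

# AuthorizeGroup rules as (action, Perl-style regex, reply attributes).
# In a regex "cmd\*" is the literal text "cmd*", so it can only match an
# argument list that contains an optional (empty) cmd argument.
ORIGINAL_RULES = [
    ("permit", r"service=shell cmd\*", {"priv-lvl": "15"}),
    ("permit", r".*", {}),
]
SUGGESTED_RULES = [
    ("permit", r"service=shell cmd\*", {"priv-lvl": "15"}),
    ("permit", r"service=shell cmd=", {"priv-lvl": "15"}),
]

# Constructed sample argument lists. TACACS+ uses "attr=value" for a
# mandatory argument and "attr*value" for an optional one. The exec-start
# list is an assumption about what IOS sends when the shell is opened; the
# per-command list is copied from the "send AV" debug lines in the thread.
EXEC_START = ["service=shell", "cmd*"]
SHOW_VERSION = ["service=shell", "cmd=show", "cmd-arg=version", "cmd-arg=<cr>"]


def split_arg(arg):
    """Split one TACACS+ argument into (name, mandatory, value)."""
    m = re.match(r"^([^=*]+)([=*])(.*)$", arg)
    if not m:
        raise ValueError(f"not a TACACS+ argument: {arg!r}")
    return m.group(1), m.group(2) == "=", m.group(3)


def evaluate(rules, args):
    """Return (rule index, action, reply attrs) for the first matching rule.

    Rules are tried in order, as Radiator does; the regex is searched against
    the space-joined argument string (simplified model). None means no rule
    matched at all.
    """
    joined = " ".join(args)
    for idx, (action, pattern, reply) in enumerate(rules):
        if re.search(pattern, joined):
            return idx, action, dict(reply)
    return None


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("suggested", SUGGESTED_RULES)):
        for label, args in (("exec start", EXEC_START), ("show version", SHOW_VERSION)):
            print(name, label, "->", evaluate(rules, args))
```

The model only covers which rule is selected and what that rule's own reply attributes are; it does not model how Radiator merges cisco-avpair reply items from authentication into the response, which is the behaviour the original poster asked about.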