[RADIATOR] tacacs on cisco with command authorization results in AAA/AUTHOR/CMD Cannot replace commands
Christian Kratzer
ck-lists at cksoft.de
Fri Jul 28 14:09:20 UTC 2017
Hi,
I have a customer setup that uses tacacs and command authorization for shell users that is failing at the command authorization stage.
This is a new setup. I have simplified and isolated the issue in my lab.
The cisco is set up as follows:
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
The radiator is configured as follows:
<ServerTACACSPLUS>
Key mysecret
Port 49
GroupMemberAttr tacacsgroup
AuthorizeGroup admin permit service=shell cmd\* {priv-lvl=15}
AuthorizeGroup admin permit .*
AuthorizeGroup DEFAULT deny .*
</ServerTACACSPLUS>
<AuthBy FILE>
Identifier Auth-File
Filename %D/users-tacacs
</AuthBy>
<Handler>
AuthBy Auth-File
</Handler>
and users-tacacs has two users, one with and one without a cisco-avpair:
test1 User-Password = "test17"
tacacsgroup=admin
test2 User-Password = "test17"
tacacsgroup=admin,
cisco-avpair=priv-lvl=15
User test1 is working OK, and the cisco logs the following debug output:
Jul 28 2017 13:57:35 UTC: AAA/AUTHOR/TAC+: (1842491926): user=test1
Jul 28 2017 13:57:35 UTC: AAA/AUTHOR/TAC+: (1842491926): send AV service=shell
Jul 28 2017 13:57:35 UTC: AAA/AUTHOR/TAC+: (1842491926): send AV cmd=show
Jul 28 2017 13:57:35 UTC: AAA/AUTHOR/TAC+: (1842491926): send AV cmd-arg=version
Jul 28 2017 13:57:35 UTC: AAA/AUTHOR/TAC+: (1842491926): send AV cmd-arg=<cr>
Jul 28 2017 13:57:35 UTC: AAA/AUTHOR (1842491926): Post authorization status = PASS_ADD
User test2 can log in to the cisco but gets authorization failures for every command:
cons1#show ver
Command authorization failed.
For this the cisco logs the following debug output:
Jul 28 2017 13:56:58 UTC: AAA/AUTHOR/TAC+: (2535147160): user=test2
Jul 28 2017 13:56:58 UTC: AAA/AUTHOR/TAC+: (2535147160): send AV service=shell
Jul 28 2017 13:56:58 UTC: AAA/AUTHOR/TAC+: (2535147160): send AV cmd=show
Jul 28 2017 13:56:58 UTC: AAA/AUTHOR/TAC+: (2535147160): send AV cmd-arg=version
Jul 28 2017 13:56:58 UTC: AAA/AUTHOR/TAC+: (2535147160): send AV cmd-arg=<cr>
Jul 28 2017 13:56:58 UTC: AAA/AUTHOR (2535147160): Post authorization status = PASS_ADD
Jul 28 2017 13:56:58 UTC: AAA/AUTHOR/CMD Cannot replace commands
The difference in radiator logging is as follows:
Fri Jul 28 15:57:35 2017: DEBUG: AuthorizeGroup rule match found: permit .* { }
Fri Jul 28 15:57:35 2017: INFO: Authorization permitted for test1 at 192.168.64.40, group admin, args service=shell cmd=show cmd-arg=version cmd-arg=<cr>
Fri Jul 28 15:57:35 2017: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
Fri Jul 28 15:56:58 2017: DEBUG: AuthorizeGroup rule match found: permit .* { }
Fri Jul 28 15:56:58 2017: INFO: Authorization permitted for test2 at 192.168.64.40, group admin, args service=shell cmd=show cmd-arg=version cmd-arg=<cr>
Fri Jul 28 15:56:58 2017: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=15
The issue seems to be that radiator passes the cisco-avpair from authentication to each command authorization, which the cisco does not like.
I know this seems to be working as documented in goodies/tacplus.txt:
# Any cisco-avpair reply items that result from the Radius authentication will be used for
# TACACS+ authorization..
I have temporarily patched ServerTACACSPLUS.pm to disable passing of reply values for later command authorization, but am keeping it for the initial login.
How is command authorization supposed to work when the reply items include cisco-avpairs?
Greetings
Christian
--
Christian Kratzer                       CK Software GmbH
Email:   ck at cksoft.de                Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0           D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9           HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843               Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/
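An added worked example of the exchange described in this message (written for this archive page; it is neither Radiator's code nor the poster's patch). It transcribes the three AuthorizeGroup lines as regexes applied to the space-joined request arguments (a simplification of Radiator's matching), keeps a constructed stand-in for users-tacacs, and encodes/decodes the TACACS+ authorization REPLY body in the layout given in RFC 8907 section 6.2. The names RULES, USERS, parse_arg, is_exec_start, authorize, encode_author_reply and decode_author_reply are all assumptions of this example. The one behavioural assumption, modelled on what the poster says he patched locally, is that per-user cisco-avpair reply items are attached only to the exec-session authorization (the request whose cmd argument is empty) and never to a per-command authorization; with strip_reply_on_commands=False the function instead reproduces the reply body the post shows being rejected.

```python
"""Toy TACACS+ authorization decision and REPLY encoding for the thread above.
Not Radiator code: rule matching is a simplified regex over the joined request
args, and stripping reply items on command authorization is an assumption
modelled on the poster's description of his local patch."""
import re
import struct

# Authorization REPLY status codes (RFC 8907, section 6.2)
PASS_ADD = 0x01   # client keeps its own args and adds the server's
PASS_REPL = 0x02  # server's args replace the client's
FAIL = 0x10

# Transcription of the AuthorizeGroup lines from the <ServerTACACSPLUS> clause:
# (group, action, regex over the joined args, reply attributes from the braces)
RULES = [
    ("admin",   "permit", r"service=shell cmd\*", ["priv-lvl=15"]),
    ("admin",   "permit", r".*",                  []),
    ("DEFAULT", "deny",   r".*",                  []),
]

# Constructed stand-in for users-tacacs: group plus the cisco-avpair reply
# items that came back from authentication.
USERS = {
    "test1": {"group": "admin", "cisco-avpair": []},
    "test2": {"group": "admin", "cisco-avpair": ["priv-lvl=15"]},
}

_ARG_RE = re.compile(r"^([^=*]+)([=*])(.*)$", re.S)


def parse_arg(arg):
    """Split 'attr=value' (mandatory) or 'attr*value' (optional) into
    (attr, optional, value). IOS sends 'cmd*' (optional, empty value) when it
    authorizes the exec session itself, and 'cmd=show' for a command."""
    m = _ARG_RE.match(arg)
    if not m:
        raise ValueError("malformed TACACS+ argument: %r" % arg)
    return m.group(1), m.group(2) == "*", m.group(3)


def is_exec_start(args):
    """True for the exec-session authorization (cmd present but empty),
    False for per-command authorization (cmd=show cmd-arg=version ...)."""
    for attr, _optional, value in map(parse_arg, args):
        if attr == "cmd":
            return value == ""
    return False


def _first_match(group, joined):
    for rule_group, action, pattern, reply in RULES:
        if rule_group == group and re.search(pattern, joined):
            return action, reply
    return None


def authorize(user, args, strip_reply_on_commands=True):
    """Return (status, reply_args) for one authorization request."""
    rec = USERS.get(user)
    group = rec["group"] if rec else "DEFAULT"
    joined = " ".join(args)
    hit = _first_match(group, joined) or _first_match("DEFAULT", joined)
    if hit is None or hit[0] == "deny":
        return FAIL, []
    out = list(hit[1])
    # The cisco-avpair items belong to the exec-session authorization. Echoing
    # them back on every command authorization is what the post's debug shows
    # IOS rejecting with "AAA/AUTHOR/CMD Cannot replace commands", so by default
    # they are added only when the request is the exec start (assumption).
    if rec and (is_exec_start(args) or not strip_reply_on_commands):
        out += rec["cisco-avpair"]
    return PASS_ADD, list(dict.fromkeys(out))  # dedupe, keep order


def encode_author_reply(status, args, server_msg=b"", data=b""):
    """Build the REPLY body: status, arg_cnt, server_msg_len, data_len,
    one length byte per arg, then server_msg, data and the args."""
    raw = [a.encode() for a in args]
    if any(len(a) > 255 for a in raw) or len(raw) > 255:
        raise ValueError("argument or argument count exceeds one byte")
    body = struct.pack("!BBHH", status, len(raw), len(server_msg), len(data))
    return body + bytes(len(a) for a in raw) + server_msg + data + b"".join(raw)


def decode_author_reply(body):
    """Inverse of encode_author_reply; rejects trailing or missing bytes."""
    status, arg_cnt, msg_len, data_len = struct.unpack_from("!BBHH", body, 0)
    off = 6
    arg_lens = body[off:off + arg_cnt]; off += arg_cnt
    server_msg = body[off:off + msg_len]; off += msg_len
    data = body[off:off + data_len]; off += data_len
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode()); off += n
    if off != len(body):
        raise ValueError("REPLY body length does not match its header")
    return status, args, server_msg, data


if __name__ == "__main__":
    cmd = ["service=shell", "cmd=show", "cmd-arg=version", "cmd-arg=<cr>"]
    for user in ("test1", "test2"):
        for strip in (False, True):
            status, reply = authorize(user, cmd, strip_reply_on_commands=strip)
            print(user, "strip" if strip else "echo", hex(status), reply,
                  encode_author_reply(status, reply).hex())
```

Running it prints, for test2, the two replies from the post: the echoed form carries priv-lvl=15 in a PASS_ADD reply for a command authorization, the stripped form is PASS_ADD with no arguments, which is exactly the shape test1 already gets. Note that the status byte is PASS_ADD in both cases; the only difference on the wire is the argument list, which matches the two "Authorization RESPONSE 1" lines in the radiator log.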