[RADIATOR] Radiator TACACS+: How to log authorizations of user commands?
BeheerInfra-OT at kpn.com
BeheerInfra-OT at kpn.com
Thu Aug 15 14:14:47 UTC 2019
Hello Patrick,
Thanks for the quick reply, your suggestion we implemented like this:
<AuthLog FILE>
Identifier authlog-tac-file
Filename %L/auth-tacacs.log
LogSuccess
LogFailure
LogIgnore
SuccessFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' \
handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' \
called-station='%{Called-Station-Id}' result='OK'
FailureFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' \
handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' \
called-station='%{Called-Station-Id}' reason='%1' result='FAIL'
IgnoreFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' \
handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' \
called-station='%{Called-Station-Id}' reason='%1' result='IGNORE'
</AuthLog>
Result is something like this:
Thu Aug 15 11:28:56 2019 trace_id='fdee3200' user='some-user' client='router-ip/' nas='router-ip/TACACS' handler='' calling-station='Radiator_server-ip/protocol' called-station='' result='OK'
So it logs the login attempt, not the tacacs authorization request like, am I allowed to perform "show ?"
We found funny results, a login with the correct username, but wrong password the logs show result='OK', but the logins where denied, due to the user not being added to a Tacacsgroup, so the AuthorizeGroup rules are all failing.
Regards,
Jan Gerrit Kootstra
Van: Patrik Forsberg <patrik.forsberg at ip-only.se>
Verzonden: donderdag 15 augustus 2019 15:37
Aan: BeheerInfra-OT <BeheerInfra-OT at kpn.com>; radiator at lists.open.com.au
Onderwerp: RE: [RADIATOR] Radiator TACACS+: How to log authorizations of user commands?
Hello,
This is all possible.
Check the goodies directory for
tacacsplusserver.cfg
tacplus.txt
they give good hints on how to set this up.
As for success/fail you can use for example
<AuthLog FILE>
Identifier AuthLogger
Filename %L/fail-authlog
LogSuccess 0
LogFailure 1
FailureFormat %l REJECT user=%u from=%c nas=%N client=%{Request:Calling-Station-Id}
</AuthLog>
<AuthLog FILE>
Identifier IdentSuccessAuthLogger
LogSuccess 1
LogFailure 0
Filename %L/success-authlog
SuccessFormat %l ACCEPT user=%u from=%c nas=%N client=%{Request:Calling-Station-Id}
</AuthLog>
Which would create one success logfile and one failure logfile and also pick out the interesting bits ..
---
Regards,
Patrik Forsberg
From: radiator <radiator-bounces at lists.open.com.au<mailto:radiator-bounces at lists.open.com.au>> On Behalf Of BeheerInfra-OT at kpn.com<mailto:BeheerInfra-OT at kpn.com>
Sent: den 15 augusti 2019 14:29
To: radiator at lists.open.com.au<mailto:radiator at lists.open.com.au>
Subject: [RADIATOR] Radiator TACACS+: How to log authorizations of user commands?
Hello fellow Raditor AAA users,
We like to setup logging of Tacacs+ command authorization. We were only able to find Authentication an Account logging examples.
Authentication successes and failures in a single line log entry would be a great feature, instead of having to re-reading a complete user session in /var/log/radiator/radiator.log to find out which commands where used.
Regards,
Jan Gerrit Kootstra
On behalve of KPN ACN Present BeheerInfra Services.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20190815/9f9eb9d7/attachment.html>
More information about the radiator
mailing list