[RADIATOR] Radiator TACACS+: How to log authorizations of user commands?
Patrik Forsberg
patrik.forsberg at ip-only.se
Fri Aug 16 07:19:55 UTC 2019
Hello,
That is rather odd.. the setup I sent is what we have in production.
The output is similar to this:
Fri Aug 16 09:12:50 2019 REJECT user=<user> from=<client-ip> nas=<router-ip> client=<calling-ip>
Reason I put %{Request:Calling-Station-Id} in as client is because %c and %N often is the same, as the sender of the request is often the same as the nas-ip ...
I also split the success/failure into different AuthLog to make it clearer for the reader what it is supposed to show :)
---
Regards,
Patrik Forsberg
From: jangerrit.kootstra at kpn.com <jangerrit.kootstra at kpn.com> On Behalf Of BeheerInfra-OT at kpn.com
Sent: den 15 augusti 2019 16:15
To: Patrik Forsberg <patrik.forsberg at ip-only.se>; radiator at lists.open.com.au
Subject: RE: [RADIATOR] Radiator TACACS+: How to log authorizations of user commands?
Hello Patrick,
Thanks for the quick reply, your suggestion we implemented like this:
<AuthLog FILE>
Identifier authlog-tac-file
Filename %L/auth-tacacs.log
LogSuccess
LogFailure
LogIgnore
SuccessFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' \
handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' \
called-station='%{Called-Station-Id}' result='OK'
FailureFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' \
handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' \
called-station='%{Called-Station-Id}' reason='%1' result='FAIL'
IgnoreFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' \
handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' \
called-station='%{Called-Station-Id}' reason='%1' result='IGNORE'
</AuthLog>
Result is something like this:
Thu Aug 15 11:28:56 2019 trace_id='fdee3200' user='some-user' client='router-ip/' nas='router-ip/TACACS' handler='' calling-station='Radiator_server-ip/protocol' called-station='' result='OK'
So it logs the login attempt, not the tacacs authorization request like, am I allowed to perform "show ?"
We found funny results, a login with the correct username, but wrong password the logs show result='OK', but the logins where denied, due to the user not being added to a Tacacsgroup, so the AuthorizeGroup rules are all failing.
Regards,
Jan Gerrit Kootstra
Van: Patrik Forsberg <patrik.forsberg at ip-only.se<mailto:patrik.forsberg at ip-only.se>>
Verzonden: donderdag 15 augustus 2019 15:37
Aan: BeheerInfra-OT <BeheerInfra-OT at kpn.com<mailto:BeheerInfra-OT at kpn.com>>; radiator at lists.open.com.au<mailto:radiator at lists.open.com.au>
Onderwerp: RE: [RADIATOR] Radiator TACACS+: How to log authorizations of user commands?
Hello,
This is all possible.
Check the goodies directory for
tacacsplusserver.cfg
tacplus.txt
they give good hints on how to set this up.
As for success/fail you can use for example
<AuthLog FILE>
Identifier AuthLogger
Filename %L/fail-authlog
LogSuccess 0
LogFailure 1
FailureFormat %l REJECT user=%u from=%c nas=%N client=%{Request:Calling-Station-Id}
</AuthLog>
<AuthLog FILE>
Identifier IdentSuccessAuthLogger
LogSuccess 1
LogFailure 0
Filename %L/success-authlog
SuccessFormat %l ACCEPT user=%u from=%c nas=%N client=%{Request:Calling-Station-Id}
</AuthLog>
Which would create one success logfile and one failure logfile and also pick out the interesting bits ..
---
Regards,
Patrik Forsberg
From: radiator <radiator-bounces at lists.open.com.au<mailto:radiator-bounces at lists.open.com.au>> On Behalf Of BeheerInfra-OT at kpn.com<mailto:BeheerInfra-OT at kpn.com>
Sent: den 15 augusti 2019 14:29
To: radiator at lists.open.com.au<mailto:radiator at lists.open.com.au>
Subject: [RADIATOR] Radiator TACACS+: How to log authorizations of user commands?
Hello fellow Raditor AAA users,
We like to setup logging of Tacacs+ command authorization. We were only able to find Authentication an Account logging examples.
Authentication successes and failures in a single line log entry would be a great feature, instead of having to re-reading a complete user session in /var/log/radiator/radiator.log to find out which commands where used.
Regards,
Jan Gerrit Kootstra
On behalve of KPN ACN Present BeheerInfra Services.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20190816/85663942/attachment-0001.html>
More information about the radiator
mailing list