[RADIATOR] Radiator TACACS+: How to log authorizations of user commands?

Patrik Forsberg patrik.forsberg at ip-only.se
Fri Aug 16 07:19:55 UTC 2019 

Hello,
That is rather odd.. the setup I sent is what we have in production.
The output is similar to this:
Fri Aug 16 09:12:50 2019 REJECT user=<user> from=<client-ip> nas=<router-ip> client=<calling-ip>

Reason I put %{Request:Calling-Station-Id} in as client is because %c and %N often is the same, as the sender of the request is often the same as the nas-ip ...
I also split the success/failure into different AuthLog to make it clearer for the reader what it is supposed to show :)

---
Regards,
Patrik Forsberg

From: jangerrit.kootstra at kpn.com <jangerrit.kootstra at kpn.com> On Behalf Of BeheerInfra-OT at kpn.com
Sent: den 15 augusti 2019 16:15
To: Patrik Forsberg <patrik.forsberg at ip-only.se>; radiator at lists.open.com.au
Subject: RE: [RADIATOR] Radiator TACACS+: How to log authorizations of user commands?

Hello Patrick,


Thanks for the quick reply, your suggestion we implemented like this:

<AuthLog FILE>
    Identifier authlog-tac-file

    Filename %L/auth-tacacs.log
    LogSuccess
    LogFailure
    LogIgnore

    SuccessFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' \
                  handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' \
                  called-station='%{Called-Station-Id}' result='OK'
    FailureFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' \
                  handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' \
                  called-station='%{Called-Station-Id}' reason='%1' result='FAIL'
    IgnoreFormat  %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' \
                  handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' \
                  called-station='%{Called-Station-Id}' reason='%1' result='IGNORE'
</AuthLog>

Result is something like this:
    Thu Aug 15 11:28:56 2019 trace_id='fdee3200' user='some-user' client='router-ip/' nas='router-ip/TACACS' handler='' calling-station='Radiator_server-ip/protocol' called-station='' result='OK'

So it logs the login attempt, not the tacacs authorization request like, am I allowed to perform "show ?"
We found  funny results, a login with the correct username, but wrong password the logs show result='OK', but the logins where denied, due to the user not being added to a Tacacsgroup, so the AuthorizeGroup rules are all failing.


Regards,


Jan Gerrit Kootstra
Van: Patrik Forsberg <patrik.forsberg at ip-only.se<mailto:patrik.forsberg at ip-only.se>>
Verzonden: donderdag 15 augustus 2019 15:37
Aan: BeheerInfra-OT <BeheerInfra-OT at kpn.com<mailto:BeheerInfra-OT at kpn.com>>; radiator at lists.open.com.au<mailto:radiator at lists.open.com.au>
Onderwerp: RE: [RADIATOR] Radiator TACACS+: How to log authorizations of user commands?

Hello,
This is all possible.
Check the goodies directory for
tacacsplusserver.cfg
tacplus.txt

they give good hints on how to set this up.

As for success/fail you can use for example
        <AuthLog FILE>
                Identifier      AuthLogger
                Filename        %L/fail-authlog
                LogSuccess      0
                LogFailure      1
                FailureFormat   %l REJECT user=%u from=%c nas=%N client=%{Request:Calling-Station-Id}
        </AuthLog>
        <AuthLog FILE>
                Identifier      IdentSuccessAuthLogger
                LogSuccess      1
                LogFailure      0
                Filename        %L/success-authlog
                SuccessFormat   %l ACCEPT user=%u from=%c nas=%N client=%{Request:Calling-Station-Id}
        </AuthLog>

Which would create one success logfile and one failure logfile and also pick out the interesting bits ..


---
Regards,
Patrik Forsberg

From: radiator <radiator-bounces at lists.open.com.au<mailto:radiator-bounces at lists.open.com.au>> On Behalf Of BeheerInfra-OT at kpn.com<mailto:BeheerInfra-OT at kpn.com>
Sent: den 15 augusti 2019 14:29
To: radiator at lists.open.com.au<mailto:radiator at lists.open.com.au>
Subject: [RADIATOR] Radiator TACACS+: How to log authorizations of user commands?

Hello fellow Raditor AAA users,


We like to setup logging of Tacacs+ command authorization. We were only able to find Authentication an Account logging examples.
Authentication successes and failures in a single line log entry would be a great feature, instead of having to re-reading a complete user session in /var/log/radiator/radiator.log to find out which commands where used.

Regards,


Jan Gerrit Kootstra
On behalve of KPN ACN Present BeheerInfra Services.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20190816/85663942/attachment-0001.html>

More information about the radiator mailing list