[RADIATOR] Tacacsplus and OSC-Authorize-Group

Patrik Forsberg patrik.forsberg at globalconnect.se
Thu Apr 29 07:31:52 UTC 2021


Hmm yea.. it was me handling Radiator options wrongly.. so SBS.. soz!

I used AddToReplyIfNotExist and that seems to only use the first OSC-Authorize-Group option it reaches and just ignores the rest.. an AddToReply fixed that..

Tacacs:
GroupMemberAttr         OSC-Group-Identifier
AuthorizeGroupAttr      OSC-Authorize-Group

Radius:
AddToReplyIfNotExist \
  Service-Type = "Administrative-User",\
  OSC-Group-Identifier = "%N",\
  OSC-Authorize-Group = "permit service=shell cmd=show cmd-arg=running-config",\
  OSC-Authorize-Group = "deny service=shell cmd=*",\
  OSC-Authorize-Group = "permit .* {priv-lvl=15}"

vs.

AddToReply \
  Service-Type = "Administrative-User",\
  OSC-Group-Identifier = "%N",\
  OSC-Authorize-Group = "permit service=shell cmd=show cmd-arg=running-config",\
  OSC-Authorize-Group = "deny service=shell cmd=*",\
  OSC-Authorize-Group = "permit .* {priv-lvl=15}"

Thanks for your reply, it cleared that up.

---
Regards,
Patrik Forsberg

-----Original Message-----
From: radiator <radiator-bounces at lists.open.com.au> On Behalf Of Heikki Vatiainen
Sent: den 28 april 2021 17:47
To: radiator at lists.open.com.au
Subject: Re: [RADIATOR] Tacacsplus and OSC-Authorize-Group

On 28.4.2021 10.41, Patrik Forsberg wrote:

> I’m looking at using AuthorizeGroupAttr and the attribute 
> OSC-Authorize-Group to add commands a user is (not )allowed to run 
> when using tacacs.. but I can’t find any documentation on how to add 
> multiple rules to this attribute ?
> 
> Adding the same multiple times is, of course, not working and just 
> adding a comma(,) between the permit/deny clauses doesn't work.. ?

Here's an example. First Radiator configuration:

<ServerTACACSPLUS>
        Identifier default-tacacs-server
        Key mysecret
        AddToRequest NAS-Identifier=TACACS
        AuthorizeGroupAttr OSC-Authorize-Group
        GroupMemberAttr tacacsgroup

        AuthorizeGroup group2 permit service=shell cmd=show cmd-arg=line
        AuthorizeGroup group2 deny .*
</ServerTACACSPLUS>


The users file for AuthBy FILE is:

mikem User-Password = fred
        OSC-Authorize-Group = "deny   service=shell cmd=show cmd-arg=line",
        OSC-Authorize-Group = "permit service=shell cmd=someallowedcommand",
        OSC-Authorize-Group = "deny   service=shell cmd=someforbiddencommand",
        OSC-Authorize-Group = "permit service=shell cmd=show cmd-arg=run",
        tacacsgroup = group2


Then test. Note that authorisation fails. The reason is that user 
specific rules have 'show line' denied while the configuration has this 
explicitly allowed. The user specific rules override the configuration 
file group specific rules. The end result is that the user can run 
'someallowedcommand' and 'show run'.

% perl goodies/tacacsplustest -trace 4 -key somekey -noacct -author_args service=shell,cmd=show,cmd-arg=line
Connecting to TACACS+ server localhost:49
sending Authentication request...
authentication response: 193, 1, 2, 0, 1234, 1, 0, ,
Disconnect from localhost:49
OK
sending Authorization request...
authorization response: 192, 2, 2, 0, 1234, 16, denied, ,
Disconnect from localhost:49
FAIL



Here's Radiator's log. First shown is authentication and then authorisation:

200d64b0 Wed Apr 28 18:39:45 2021 178522: DEBUG: Reading users file ./users
200d64b0 Wed Apr 28 18:39:45 2021 188117: DEBUG: Radius::AuthFILE looks for match with 'mikem' [mikem]
200d64b0 Wed Apr 28 18:39:45 2021 188487: DEBUG: Radius::AuthFILE ACCEPT: : 'mikem' [mikem]
200d64b0 Wed Apr 28 18:39:45 2021 188812: DEBUG: AuthBy FILE result: ACCEPT,
200d64b0 Wed Apr 28 18:39:45 2021 188998: DEBUG: Access accepted for mikem
200d64b0 Wed Apr 28 18:39:45 2021 189237: DEBUG: Packet dump:
200d64b0 *** Reply to TACACSPLUS request:
200d64b0 Code:       Access-Accept
200d64b0 Identifier: UNDEF
200d64b0 Authentic:  <19>:<165><233><192><247><181>9z<5>-<159>K<226>oY
200d64b0 Attributes:
200d64b0        OSC-Authorize-Group = "deny   service=shell cmd=show cmd-arg=line"
200d64b0        OSC-Authorize-Group = "permit service=shell cmd=someallowedcommand"
200d64b0        OSC-Authorize-Group = "deny   service=shell cmd=someforbiddencommand"
200d64b0        OSC-Authorize-Group = "permit service=shell cmd=show cmd-arg=run"
200d64b0        tacacsgroup = group2
200d64b0
00000000 Wed Apr 28 18:39:45 2021 189426: DEBUG: TacacsplusConnection result Access-Accept
00000000 Wed Apr 28 18:39:45 2021 189804: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,

00000000 Wed Apr 28 18:39:45 2021 192004: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 1234, 62
00000000 Wed Apr 28 18:39:45 2021 192270: DEBUG: TacacsplusConnection Authorization REQUEST 6, 0, 2, 0, mikem, 123, testclient, 3, service=shell cmd=show cmd-arg=line
00000000 Wed Apr 28 18:39:45 2021 192565: DEBUG: AuthorizeGroup rule match found: deny service=shell cmd=show cmd-arg=line {  } {  }
00000000 Wed Apr 28 18:39:45 2021 192713: INFO: Authorization denied for mikem at 127.0.0.1, group group2, args service=shell cmd=show cmd-arg=line
00000000 Wed Apr 28 18:39:45 2021 192902: DEBUG: TacacsplusConnection Authorization RESPONSE 16, denied, ,


Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
_______________________________________________
radiator mailing list
radiator at lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator
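Added example, not Radiator's own code: a small Python model of the two behaviours this thread describes, first-match evaluation of permit/deny rules with the user-specific OSC-Authorize-Group rules tried before the group's AuthorizeGroup rules (Heikki's example), and AddToReplyIfNotExist keeping only the first value of a repeated attribute (Patrik's observation). The rule strings are copied from the thread; regexp-search matching and deny-when-nothing-matches are assumptions about Radiator's semantics.

```python
import re

# Constructed model, not Radiator's code. A rule reads
# "permit|deny <regexp> [{attr=value ...}]" and is tested against the
# request arguments, e.g. "service=shell cmd=show cmd-arg=line".
RULE_RE = re.compile(r"^(permit|deny)\s+(.*?)\s*(?:\{(.*)\})?$")

# Rule strings copied from the thread, held here as plain Python lists.
HEIKKI_USER_RULES = [
    "deny   service=shell cmd=show cmd-arg=line",
    "permit service=shell cmd=someallowedcommand",
    "deny   service=shell cmd=someforbiddencommand",
    "permit service=shell cmd=show cmd-arg=run",
]
HEIKKI_GROUP2_RULES = ["permit service=shell cmd=show cmd-arg=line", "deny .*"]
PATRIK_RULES = [
    "permit service=shell cmd=show cmd-arg=running-config",
    "deny service=shell cmd=*",
    "permit .* {priv-lvl=15}",
]

def parse_rule(rule):
    """Split one rule into (action, compiled regexp, [attr=value, ...])."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("malformed rule: " + rule)
    action, pattern, attrs = m.groups()
    return action, re.compile(pattern), (attrs or "").split()

def authorize(args, user_rules, group_rules):
    """First matching rule wins; user rules are tried before group rules,
    which is why Heikki's user-level 'deny ... cmd-arg=line' beats the
    group2 permit. Assumed: regexp search, and deny when nothing matches."""
    for rule in list(user_rules) + list(group_rules):
        action, pattern, attrs = parse_rule(rule)
        if pattern.search(args):
            return action == "permit", attrs
    return False, []

def build_reply(items, if_not_exist):
    """AddToReply keeps every (name, value); AddToReplyIfNotExist skips a
    name already present, so only the first OSC-Authorize-Group survives
    (Patrik's observation, modelled here)."""
    reply = []
    for name, value in items:
        if if_not_exist and any(n == name for n, _ in reply):
            continue
        reply.append((name, value))
    return reply
```

With Patrik's three rules a bare "service=shell" exec authorisation falls through to the last rule and returns priv-lvl=15, while any command other than "show running-config" is caught by the "cmd=*" deny.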

