Hi,

Would it be possible to also map the privilege level from the TACACS+ request into a RADIUS attribute? This would make it possible to differentiate in Radiator whether a user typed enable, enable 5 or enable 7.
Thank you
Markus

    ####################################################################
    # Handle a TACACS+ authentication START request
    sub authentication_start
    {
        my ($self, $body) = @_;

        $self->{user} = undef;
        $self->{password} = undef;

        my ($action, $priv_lvl, $authen_type, $service, $user_len,
            $port_len, $rem_addr_len, $data_len, $fields)
            = unpack('CCCCCCCCa*', $body);

        if ($user_len + $port_len + $rem_addr_len + $data_len > length($fields))
        {
            $self->{parent}->log($main::LOG_ERR, "Inconsistent lengths in Tacacs Authentication request from $self->{peeraddr}:$self->{peerport}. Bad Key?");
            $self->authentication_reply($Radius::Tacacsplus::TAC_PLUS_AUTHEN_STATUS_ERROR, 0, 'Inconsistent lengths');
            $self->disconnect();
            return;
        }

        # Decode the variable length fields
        my $i = 0;
        my $user = substr($fields, $i, $user_len);
        $i += $user_len;
        my $port = substr($fields, $i, $port_len);
        $i += $port_len;
        my $rem_addr = substr($fields, $i, $rem_addr_len);
        $i += $rem_addr_len;
        my $data = substr($fields, $i, $data_len);
        $i += $data_len;

        $self->{parent}->log($main::LOG_DEBUG, "TacacsplusConnection Authentication START $action, $authen_type, $service for $user, $port, $rem_addr");

        $self->{user} = $user;
        $self->{port} = $port;
        $self->{service} = $service;
        $self->{rem_addr} = $rem_addr;

        my $tp = $self->create_radius_request('Access-Request');

The TACACS+ request contains the following, but only user, port, service and remote address are converted, not the privilege level.

> Decrypted Request
> Action: Inbound Login
> Privilege Level: 15
> Authentication type: ASCII
> Service: ENABLE
> User len: 6
> User: fred
> Port len: 5
> Port: tty18
> Remaddr len: 12
> Remote Address: 192.168.1.1
> Data: 0 (not used)

----- Original Message -----
From: Markus Moeller
To: radiator@open.com.au
Sent: Tuesday, January 29, 2008 11:17 PM
Subject: (RADIATOR) enable privilege levels for TACACS+ server

I am trying to run the TACACS+ server in addition to the RADIUS server.
On a Cisco router you can get into different privilege levels by using enable #, where # is a number between 1 and 15. On a normal TACACS+ server this corresponds to users enable#, e.g. 15 different users and passwords. The TACACS+ client sends, among others, the following AV pairs:

Service = ENABLE
Privilege Level = #
User-name = fred
User-password = fred

In the Radiator log I can only see, among others, the following attributes:

Service-Type = Administrative-Login
User-name = fred
User-password = fred

The Service-Type changes from User-Login to Administrative-Login, but I can't identify the privilege level attribute. How can I get access to the privilege level attribute from TACACS+?

Thank you
Markus
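The following is an added, stand-alone example written for this page; it is not code from Radiator or from the poster. It unpacks a decrypted TACACS+ authentication START body with the same `unpack('CCCCCCCCa*', ...)` layout and length check as the module quoted above, and then shows the one thing the module does not do: carry `$priv_lvl` across into the list of RADIUS attributes next to User-Name and Service-Type, so that an enable, enable 5 and enable 15 request become distinguishable downstream. The choice to carry the level as a Cisco-AVPair of the form `shell:priv-lvl=N` is this example's own (a local dictionary attribute would serve as well), the Service-Type mapping is the example's assumption, and the START body is constructed here from fields rather than captured from a NAS. In Radiator the analogous place to add the attribute would be right after `create_radius_request`, where the other fields are already copied into `$tp`.

```perl
#!/usr/bin/perl
# Added example, not Radiator's own code: parse a decrypted TACACS+
# authentication START body and carry priv_lvl into RADIUS attributes.
use strict;
use warnings;

# Field codes from the TACACS+ protocol (authentication START header).
my %ACTION  = (1 => 'LOGIN', 2 => 'CHPASS', 4 => 'SENDAUTH');
my %AUTHEN  = (1 => 'ASCII', 2 => 'PAP', 3 => 'CHAP', 4 => 'ARAP',
               5 => 'MSCHAP', 6 => 'MSCHAPV2');
my %SERVICE = (0 => 'NONE', 1 => 'LOGIN', 2 => 'ENABLE', 3 => 'PPP',
               4 => 'ARAP', 5 => 'PT', 6 => 'RCMD', 7 => 'X25',
               8 => 'NASI', 9 => 'FWPROXY');

# Build a (decrypted) START body from its fields. Used only to construct
# the sample input below; a real server receives this from the NAS.
sub build_authen_start {
    my (%f) = @_;
    return pack('CCCCCCCCa*',
        $f{action}, $f{priv_lvl}, $f{authen_type}, $f{service},
        length($f{user}), length($f{port}), length($f{rem_addr}),
        length($f{data}),
        $f{user} . $f{port} . $f{rem_addr} . $f{data});
}

# Parse a decrypted START body. Returns (hashref, undef) on success, or
# (undef, reason) when the declared lengths overrun the body, which is
# what a wrong shared key looks like after decryption.
sub parse_authen_start {
    my ($body) = @_;
    return (undef, 'Body shorter than START header') if length($body) < 8;
    my ($action, $priv_lvl, $authen_type, $service,
        $user_len, $port_len, $rem_addr_len, $data_len, $fields)
        = unpack('CCCCCCCCa*', $body);
    if ($user_len + $port_len + $rem_addr_len + $data_len > length($fields)) {
        return (undef, 'Inconsistent lengths. Bad key?');
    }
    my $i = 0;
    my $user     = substr($fields, $i, $user_len);     $i += $user_len;
    my $port     = substr($fields, $i, $port_len);     $i += $port_len;
    my $rem_addr = substr($fields, $i, $rem_addr_len); $i += $rem_addr_len;
    my $data     = substr($fields, $i, $data_len);
    return ({
        action      => $ACTION{$action}       // $action,
        priv_lvl    => $priv_lvl,
        authen_type => $AUTHEN{$authen_type}  // $authen_type,
        service     => $SERVICE{$service}     // $service,
        user        => $user,
        port        => $port,
        rem_addr    => $rem_addr,
        data        => $data,
    }, undef);
}

# Map the parsed START to RADIUS attribute pairs. The privilege level is
# carried as Cisco-AVPair "shell:priv-lvl=N"; that choice, and the
# Service-Type mapping, are this example's assumptions, not Radiator's.
sub radius_attrs_from_start {
    my ($s) = @_;
    my @attrs = (
        ['User-Name',          $s->{user}],
        ['NAS-Port-Id',        $s->{port}],
        ['Calling-Station-Id', $s->{rem_addr}],
        ['Service-Type',       $s->{service} eq 'ENABLE' ? 'Administrative-User'
                                                         : 'Login-User'],
        ['Cisco-AVPair',       "shell:priv-lvl=$s->{priv_lvl}"],
    );
    return \@attrs;
}

# Constructed sample: "enable 15" from tty18 (not a captured packet).
my $body = build_authen_start(
    action => 1, priv_lvl => 15, authen_type => 1, service => 2,
    user => 'fred', port => 'tty18', rem_addr => '192.168.1.1', data => '');

my ($start, $err) = parse_authen_start($body);
die "parse failed: $err\n" unless $start;
printf "%-20s %s\n", "$_->[0]:", $_->[1] for @{ radius_attrs_from_start($start) };

# A truncated body (or one decrypted with the wrong key) trips the length
# check instead of being read past its end.
my ($bad, $why) = parse_authen_start(substr($body, 0, 12));
print "truncated body rejected: $why\n" unless $bad;
```

Run with `perl` (5.10 or later, for the `//` operator); it needs no modules beyond core. With the sample above the attribute list ends in `Cisco-AVPair: shell:priv-lvl=15`, and swapping `priv_lvl => 5` in the constructed input is all it takes to see an enable 5 request come out differently.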
_______________________________________________ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator