Hi Hugh

Is this anywhere documented? I can't find anything in the reference manual (e.g. what are the arguments). Looking at the code I see $action and $authen_type are handed over but not privilege level.

Also it looks more like the Hook is replacing the standard authentication handling and is not what I want. Anyway, why does this basic TACACS attribute need special treatment?

Thank you
Markus

----- Original Message -----
From: "Hugh Irvine" <h...@open.com.au>
To: "Markus Moeller" <hua...@moeller.plus.com>
Cc: <radiator@open.com.au>
Sent: Friday, September 24, 2010 11:51 PM
Subject: Re: [RADIATOR] (RADIATOR) enable privilege levels for TACACS+ server

Hello Markus -

You can do this already with the AuthenticationStartHook. See the code immediately following what you show below.

regards

Hugh

On 25 Sep 2010, at 03:09, Markus Moeller wrote:

> Hi,
>
> Would it be possible to map also the privilege level from the tacacs
> request into a radius attribute? This will allow to differentiate in
> Radiator if a user typed enable or enable 5 or enable 7.
>
> Thank you
> Markus
>
>
> ####################################################################
> # Handle a TACACS+ authentication START request
> sub authentication_start
> {
>     my ($self, $body) = @_;
>
>     $self->{user} = undef;
>     $self->{password} = undef;
>
>     # Eight one-byte fields, then the variable-length fields as one blob
>     my ($action, $priv_lvl, $authen_type, $service,
>         $user_len, $port_len, $rem_addr_len, $data_len,
>         $fields) = unpack('CCCCCCCCa*', $body);
>     if ($user_len + $port_len + $rem_addr_len + $data_len > length($fields))
>     {
>         $self->{parent}->log($main::LOG_ERR, "Inconsistent lengths in Tacacs Authentication request from $self->{peeraddr}:$self->{peerport}. Bad Key?");
>         $self->authentication_reply($Radius::Tacacsplus::TAC_PLUS_AUTHEN_STATUS_ERROR, 0, 'Inconsistent lengths');
>         $self->disconnect();
>         return;
>     }
>     # Decode the variable length fields
>     my $i = 0;
>     my $user     = substr($fields, $i, $user_len);     $i += $user_len;
>     my $port     = substr($fields, $i, $port_len);     $i += $port_len;
>     my $rem_addr = substr($fields, $i, $rem_addr_len); $i += $rem_addr_len;
>     my $data     = substr($fields, $i, $data_len);     $i += $data_len;
>
>     $self->{parent}->log($main::LOG_DEBUG, "TacacsplusConnection Authentication START $action, $authen_type, $service for $user, $port, $rem_addr");
>
>     $self->{user}     = $user;
>     $self->{port}     = $port;
>     $self->{service}  = $service;
>     $self->{rem_addr} = $rem_addr;
>     my $tp = $self->create_radius_request('Access-Request');
>
> The Tacacs request contains the following, but only user, port, service
> and remote address are converted, not the privilege level.
>
>
> Decrypted Request
>   Action: Inbound Login
>   Privilege Level: 15
>   Authentication type: ASCII
>   Service: ENABLE
>   User len: 6
>   User: fred
>   Port len: 5
>   Port: tty18
>   Remaddr len: 12
>   Remote Address: 192.168.1.1
>   Data: 0 (not used)
>
>
> ----- Original Message -----
> From: Markus Moeller
> To: radiator@open.com.au
> Sent: Tuesday, January 29, 2008 11:17 PM
> Subject: (RADIATOR) enable privilege levels for TACACS+ server
>
> I try to run in addition to the Radius server the TACACS+ server. On
> cisco router you can get into different privilege levels by using enable #
> where # is a number between 1 and 15. On a normal TACACS+ server this
> corresponds to users enable# e.g. 15 different users and passwords.
>
> The Tacacs+ client sends among others the following AV pairs
>
> Service = ENABLE
> Privilege Level = #
> User-name = fred
> User-password = fred
>
> In the Radiator log I can only see among others the following attributes:
>
> Service-Type = Administrative-Login
> User-name = fred
> User-password = fred
>
> The Service Type changes from User-Login to Administrative-Login but I
> can't identify the privilege level attribute?
>
> How can I get access to the privilege level attribute from TACACS+?
>
> Thank you
> Markus
>
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator

NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
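The thread's Perl hook unpacks the TACACS+ authentication START body, rejects it when the declared field lengths overrun the decrypted payload (the "Bad Key?" case), and then builds a RADIUS Access-Request from user, port and remote address while dropping priv_lvl. The following is an added, stand-alone example (not Radiator code, and written in Python rather than Perl) that performs the same parse and carries the privilege level through to the RADIUS side. The body layout and the numeric constants are those of RFC 8907; the packet contents, the RADIUS attribute names on the output side, and in particular the "Enable-Privilege-Level" attribute are constructed assumptions for illustration, and the Service-Type value strings are the ones shown in the thread's log.

```python
"""Parse a TACACS+ authentication START body and map it, privilege level
included, to RADIUS-style attributes.  Added example, not Radiator code."""
import struct

# Constant values from RFC 8907 (authentication START packet fields)
TAC_PLUS_AUTHEN_LOGIN = 0x01        # action: inbound login
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01   # authen_type
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01    # service: login
TAC_PLUS_AUTHEN_SVC_ENABLE = 0x02   # service: enable

# action, priv_lvl, authen_type, service, user_len, port_len, rem_addr_len, data_len
FIXED = struct.Struct("!8B")


class InconsistentLengths(ValueError):
    """Declared field lengths do not fit the body.  With TACACS+ body
    obfuscation there is no integrity check, so a wrong shared key usually
    shows up exactly here, as garbage lengths; treat it as a key problem."""


def parse_authen_start(body: bytes) -> dict:
    """Equivalent of the thread's unpack('CCCCCCCCa*') plus substr() walk."""
    if len(body) < FIXED.size:
        raise InconsistentLengths("body shorter than the eight fixed bytes")
    (action, priv_lvl, authen_type, service,
     user_len, port_len, rem_addr_len, data_len) = FIXED.unpack_from(body)
    fields = body[FIXED.size:]
    if user_len + port_len + rem_addr_len + data_len > len(fields):
        raise InconsistentLengths("declared lengths exceed body; bad key?")
    i = 0
    user = fields[i:i + user_len];          i += user_len
    port = fields[i:i + port_len];          i += port_len
    rem_addr = fields[i:i + rem_addr_len];  i += rem_addr_len
    data = fields[i:i + data_len];          i += data_len
    return {
        "action": action,
        "priv_lvl": priv_lvl,          # the field the Radiator hook drops
        "authen_type": authen_type,
        "service": service,
        "user": user.decode("ascii", "replace"),
        "port": port.decode("ascii", "replace"),
        "rem_addr": rem_addr.decode("ascii", "replace"),
        "data": data,
    }


def to_radius_attributes(start: dict) -> dict:
    """Build the Access-Request attributes.  Service-Type strings follow the
    thread's log; "Enable-Privilege-Level" is an assumed attribute name."""
    is_enable = start["service"] == TAC_PLUS_AUTHEN_SVC_ENABLE
    return {
        "User-Name": start["user"],
        "NAS-Port-Id": start["port"],
        "Calling-Station-Id": start["rem_addr"],
        "Service-Type": "Administrative-Login" if is_enable else "User-Login",
        "Enable-Privilege-Level": start["priv_lvl"],  # assumed name
    }


def build_authen_start(action, priv_lvl, authen_type, service,
                       user=b"", port=b"", rem_addr=b"", data=b"") -> bytes:
    """Encode a body the way a client would; used only to construct input."""
    fixed = FIXED.pack(action, priv_lvl, authen_type, service,
                       len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


if __name__ == "__main__":
    # Constructed sample: "fred" on tty18 typing "enable 15" from 192.168.1.1
    sample = build_authen_start(TAC_PLUS_AUTHEN_LOGIN, 15,
                                TAC_PLUS_AUTHEN_TYPE_ASCII,
                                TAC_PLUS_AUTHEN_SVC_ENABLE,
                                b"fred", b"tty18", b"192.168.1.1")
    print(to_radius_attributes(parse_authen_start(sample)))
    try:
        parse_authen_start(sample[:-3])   # truncated: lengths no longer fit
    except InconsistentLengths as e:
        print("rejected:", e)
```

Keeping priv_lvl as its own attribute is what lets a policy distinguish "enable", "enable 5" and "enable 15" for the same user; a check that simply keys on Service-Type cannot. The InconsistentLengths path is worth logging with the peer address, as the Perl code does, since a burst of those from one client is the typical symptom of a mismatched shared key.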