<Client DEFAULT>
	DupInterval 0
	FramedGroupMaxPortsPerClassC 255
	LivingstonHole 2
	LivingstonOffs 29
	NasType unknown
	SNMPCommunity asdfasdfaf
	Secret asdfasdfasdf
</Client>

<AuthBy LDAP2>
	AuthDN somedn
	AuthPassword somepw
	BaseDN basedn
	CachePasswordExpiry 86400
	Deref find
	EAPAnonymous anonymous
	EAPContextTimeout 1000
	EAPFAST_PAC_Lifetime 7776000
	EAPFAST_PAC_Reprovision 2592000
	EAPTLS_MaxFragmentSize 2048
	EAPTLS_PEAPVersion 1
	EAPTLS_SessionResumption 1
	EAPTLS_SessionResumptionLimit 43200
	EAPTLS_VerifyDepth 1
	FailureBackoffTime 600
	Host somedomaincontroller
	Identifier CheckAD
	LDAPRejectEmptyPassword 1
	MaxRecords 1
	PasswordPrompt password
	Port 636
	SASLMechanism DIGEST-MD5
	SIPDigestRealm DefaultSipRealm
	SSLCAFile
	SSLCiphers ALL
	SSLVerify none
	Scope sub
	SearchFilter (%0=%1)
	ServerChecksPassword 1
	Timeout 10
	UseSSL 1
	UsernameAttr sAMAccountName
	Version 3
</AuthBy>

<Realm DEFAULT>
	AuthByPolicy ContinueWhileIgnore
	AuthBy CheckAD
</Realm>

<ServerTACACSPLUS >
	AddToRequest NAS-Identifier=TACACS
	AuthorizationTimeout 600
	AuthorizeGroup DEFAULT permit service=shell cmd\* {priv-lvl=15}
	BindAddress 0.0.0.0
	GroupCacheFile /tmp/radiator-tacacs-usergroup.cache
	IdleTimeout 180
	Key asdfasdfasdfasdf
	MaxBufferSize 100000
	PasswordPrompt Password:
	Port 49
	UsernamePrompt Username:
</ServerTACACSPLUS>

Thu Feb 24 13:34:06 2011: DEBUG: TacacsplusConnection result Access-Accept
Thu Feb 24 13:34:06 2011: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Thu Feb 24 13:34:06 2011: DEBUG: TacacsplusConnection disconnected from x.x.x.x:44643
Thu Feb 24 13:34:06 2011: DEBUG: New TacacsplusConnection created for x.x.x.x:44644
Thu Feb 24 13:34:06 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 35453611, 77
Thu Feb 24 13:34:06 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 2, 1, username, 0, xxxxxxxxxx, 4, service=shell cmd= cisco-av-pair* shell:roles*
Thu Feb 24 13:34:06 2011: INFO: Authorization denied for username, group DEFAULT. No matching AuthorizeGroup rule for args service=shell cmd= cisco-av-pair* shell:roles*
Thu Feb 24 13:34:06 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 16, denied, ,
Thu Feb 24 13:34:06 2011: DEBUG: TacacsplusConnection disconnected from x.x.x.x:44644
Thu Feb 24 13:34:06 2011: DEBUG: New TacacsplusConnection created for x.x.x.x:44645
Thu Feb 24 13:34:06 2011: DEBUG: TacacsplusConnection request 192, 3, 1, 0, 1201619601, 113
Thu Feb 24 13:34:06 2011: DEBUG: TacacsplusConnection Accounting REQUEST 2, 6, 0, 2, 0, username, 3009, , 4, task_id=/dev/pts/9_10.192.144.33 start_time=Thu Feb 24 13:34:04 2011

From: Mark Bassett
Sent: Thursday, February 24, 2011 12:40 PM
To: Mark Bassett; radiator@open.com.au
Subject: RE: [RADIATOR] Tacacs role reply.

I am currently using this in

	AuthorizeGroup DEFAULT permit service=shell cmd\* {priv-lvl=15}

I tried adding roles="network-admin" but that did not work.

From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On Behalf Of Mark Bassett
Sent: Thursday, February 24, 2011 12:09 PM
To: radiator@open.com.au
Subject: [RADIATOR] Tacacs role reply.

Hi guys,

I'm using tacacs+ on some cisco SanOS fiber switches. I am able to authenticate and log in properly, but I am not being assigned the proper tacacs role "network-admin". I need to add this pair

	cisco-av-pair=shell:roles="network-admin"

but I am not sure where to add it.

Thu Feb 24 11:53:20 2011: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Accounting-Request
Identifier: UNDEF
Authentic:  <179><7><222><214><0>N<217><154><14><164>E<243>AXt<150>
Attributes:
	NAS-IP-Address = xxxxxxx
	NAS-Port-Id = "3009"
	NAS-Identifier = "TACACS"
	User-Name = "username"
	Acct-Status-Type = Stop
	Acct-Session-Id = "307300720"
	cisco-avpair = "task_id=/dev/pts/9_10.192.144.33"
	cisco-avpair = "stop_time=Thu Feb 24 11:53:20 2011<10>"
	cisco-avpair = "err_msg=shell terminated<0>"
	cisco-avpair = "service=none"
	OSC-Version-Identifier = "192"
_______________________________________________ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
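The INFO line in the thread ("No matching AuthorizeGroup rule for args service=shell cmd= cisco-av-pair* shell:roles*") is the whole story: the switch sends four authorization arguments, the posted rule only names two patterns, and the pattern `cmd\*` is a regex for the literal text "cmd*", which does not cover the "cmd=" the switch actually sent. The script below is an added illustration, not part of the thread and not Radiator's code. It parses the logged argument list using the TACACS+ separator semantics from RFC 8907 ("=" marks a mandatory argument, "*" an optional one), then evaluates a permit rule under a simplified model that is an assumption of this example rather than Radiator's documented algorithm: every request argument must be matched in full by at least one pattern in the rule. The constant `WIDER_RULE` is a hypothetical rule constructed to show what a rule that covers all four arguments and returns the role the poster mentions would look like; it is not a verified Radiator configuration.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the argument list as it appears in the
# "Authorization REQUEST" debug line quoted in the thread.
LOGGED_ARGS = "service=shell cmd= cisco-av-pair* shell:roles*"

# The rule posted in the thread (group name stripped, permit part only).
POSTED_RULE = r"permit service=shell cmd\* {priv-lvl=15}"

# Hypothetical rule (an assumption for illustration, not a verified Radiator
# config) that names all four arguments and returns the role the poster needs.
WIDER_RULE = r'permit service=shell cmd[=*] cisco-av-pair\* shell:roles\* {priv-lvl=15 shell:roles="network-admin"}'


@dataclass(frozen=True)
class Arg:
    attr: str
    value: str
    mandatory: bool   # '=' separator: mandatory; '*' separator: optional (RFC 8907)
    raw: str          # the argument exactly as logged


def parse_args(text: str) -> List[Arg]:
    """Split a logged TACACS+ argument list into Arg records.

    The first '=' or '*' in each argument separates attribute from value and
    also encodes mandatory vs optional. Values in real packets may contain
    spaces; the debug line here has none, so a whitespace split suffices.
    """
    args = []
    for tok in text.split():
        m = re.match(r"^([^=*]+)([=*])(.*)$", tok)
        if not m:
            raise ValueError(f"malformed TACACS+ argument: {tok!r}")
        attr, sep, val = m.groups()
        args.append(Arg(attr, val, sep == "=", tok))
    return args


@dataclass(frozen=True)
class Rule:
    action: str                 # 'permit' or 'deny'
    patterns: Tuple[str, ...]   # one regex per rule argument
    reply: Tuple[str, ...]      # reply arguments returned on permit


def parse_rule(text: str) -> Rule:
    """Parse 'permit|deny pat1 pat2 ... {reply1 reply2 ...}'."""
    m = re.match(r"^\s*(permit|deny)\s*(.*?)\s*(?:\{(.*)\})?\s*$", text)
    if not m:
        raise ValueError(f"malformed rule: {text!r}")
    action, pats, reply = m.groups()
    return Rule(action, tuple(pats.split()), tuple((reply or "").split()))


def evaluate(rule: Rule, args: List[Arg]) -> Tuple[str, Tuple[str, ...], List[Arg]]:
    """Simplified matching model (an assumption of this example): every request
    argument must be fully matched by at least one pattern. Returns the
    decision, the reply arguments, and the request arguments nothing covered."""
    compiled = [re.compile(p) for p in rule.patterns]
    unmatched = [a for a in args if not any(c.fullmatch(a.raw) for c in compiled)]
    if unmatched:
        return "denied", (), unmatched
    reply = rule.reply if rule.action == "permit" else ()
    return rule.action, reply, []


def explain(rule_text: str, arg_text: str) -> str:
    """Render a one-line verdict naming uncovered arguments and whether the
    device marked each as mandatory, which is what a reviewer of the log wants."""
    decision, reply, unmatched = evaluate(parse_rule(rule_text), parse_args(arg_text))
    if decision == "permit":
        return "permit, reply: " + " ".join(reply)
    missing = ", ".join(
        f"{a.raw} ({'mandatory' if a.mandatory else 'optional'})" for a in unmatched
    )
    return f"{decision}, no pattern covers: {missing}"


if __name__ == "__main__":
    print("posted rule:", explain(POSTED_RULE, LOGGED_ARGS))
    print("wider rule: ", explain(WIDER_RULE, LOGGED_ARGS))
```

Run against the logged arguments, the posted rule leaves "cmd=", "cisco-av-pair*" and "shell:roles*" uncovered and is denied, matching the INFO line in the thread; the wider rule covers all four and returns both the privilege level and the role reply. Whatever the exact matching semantics of the real server, the defender's takeaway is the same: read the argument list in the denial log, and make sure each argument the device sends, including the optional `*` ones, is accounted for by a pattern before widening the reply.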