On 11/15/2011 05:08 PM, Kim, Steve wrote:
Hello Steve,
The AuthorizeGroup line does not match what Cisco requests. Try this:
#AuthorizeGroup netadmin permit service=shell cmd=\* {cisco-avpair="priv-lvl=15"}
AuthorizeGroup netadmin permit service=shell cmd=connect cmd-arg=exitr cmd-arg=<cr> {cisco-avpair="priv-lvl=15"}
AuthorizeGroup netadmin permit .*
The commented-out AuthorizeGroup is replaced by one that matches what is
requested by the client.
Please let us know how this works.
Thanks!
> Tue Nov 15 09:42:02 2011: DEBUG: New TacacsplusConnection created for
> xxx.xxx.11.242:27492
> Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0,
> 3401425457, 85
> Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection Authorization REQUEST
> 1, 1, 1, 0, connolly, tty1, xxx.xxx.11.1, 4, service=shell cmd=connect
> cmd-arg=exitr cmd-arg=<cr>
> Tue Nov 15 09:42:02 2011: DEBUG: AuthorizeGroup rule match found: permit .* {
> }
> Tue Nov 15 09:42:02 2011: INFO: Authorization permitted for connolly at
> xxx.xxx.11.242, group netadmin, args service=shell cmd=connect cmd-arg=exitr
> cmd-arg=<cr>
> Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection Authorization RESPONSE
> 1, , ,
> Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection disconnected from
> xxx.xxx.11.242:27492
> Tue Nov 15 09:42:02 2011: DEBUG: New TacacsplusConnection created for
> xxx.xxx.11.242:29655
> Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection request 192, 3, 1, 0,
> 1596600160, 128
> Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection Accounting REQUEST 4,
> 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 6, task_id=148 timezone=est
> service=shell start_time=1321368122 priv-lvl=1 cmd=connect exitr <cr>
> Tue Nov 15 09:42:02 2011: DEBUG: TACACSPLUS derived Radius request packet
> dump:
> Code: Accounting-Request
> Identifier: UNDEF
> Authentic: <140>N)<172><12>N<138><205><175><216><254><4><237><173>?<181>
> Attributes:
> NAS-IP-Address = xxx.xxx.11.242
> NAS-Port-Id = "tty1"
> Calling-Station-Id = "xxx.xxx.11.1"
> NAS-Identifier = "TACACS"
> User-Name = "connolly"
> Acct-Status-Type = Stop
> Acct-Session-Id = "1596600160"
> cisco-avpair = "task_id=148"
> cisco-avpair = "timezone=est"
> cisco-avpair = "service=shell"
> cisco-avpair = "start_time=1321368122"
> cisco-avpair = "priv-lvl=1"
> cisco-avpair = "cmd=connect exitr <cr>"
> OSC-Version-Identifier = "192"
>
> Tue Nov 15 09:42:02 2011: DEBUG: Handling request with Handler
> 'Realm=DEFAULT', Identifier ''
> Tue Nov 15 09:42:02 2011: DEBUG: Deleting session for connolly,
> xxx.xxx.11.242,
> Tue Nov 15 09:42:02 2011: DEBUG: Handling with Radius::AuthGROUP: GetUser
> Tue Nov 15 09:42:02 2011: DEBUG: Handling with Radius::AuthLSA:
> Tue Nov 15 09:42:02 2011: DEBUG: Radius::AuthGROUP:GetUser result: ACCEPT,
> Tue Nov 15 09:42:02 2011: DEBUG: AuthBy GROUP result: ACCEPT,
> Tue Nov 15 09:42:02 2011: DEBUG: Accounting accepted
> Tue Nov 15 09:42:02 2011: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code: Accounting-Response
> Identifier: UNDEF
> Authentic: <140>N)<172><12>N<138><205><175><216><254><4><237><173>?<181>
> Attributes:
>
> Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection result
> Accounting-Response
> Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection Accounting REPLY 1, ,
> Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection disconnected from
> xxx.xxx.11.242:29655
> Tue Nov 15 09:42:03 2011: DEBUG: New TacacsplusConnection created for
> xxx.xxx.11.242:20179
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0,
> 2598084901, 68
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection Authorization REQUEST
> 1, 0, 1, 0, connolly, tty1, xxx.xxx.11.1, 3, service=shell cmd=exit
> cmd-arg=<cr>
> Tue Nov 15 09:42:03 2011: DEBUG: AuthorizeGroup rule match found: permit .* {
> }
> Tue Nov 15 09:42:03 2011: INFO: Authorization permitted for connolly at
> xxx.xxx.11.242, group netadmin, args service=shell cmd=exit cmd-arg=<cr>
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection Authorization RESPONSE
> 1, , ,
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection disconnected from
> xxx.xxx.11.242:20179
> Tue Nov 15 09:42:03 2011: DEBUG: New TacacsplusConnection created for
> xxx.xxx.11.242:32440
> Tue Nov 15 09:42:03 2011: DEBUG: New TacacsplusConnection created for
> xxx.xxx.11.242:16356
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection request 192, 3, 1, 0,
> 437970795, 119
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection Accounting REQUEST 4,
> 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 6, task_id=149 timezone=est
> service=shell start_time=1321368123 priv-lvl=0 cmd=exit <cr>
> Tue Nov 15 09:42:03 2011: DEBUG: TACACSPLUS derived Radius request packet
> dump:
> Code: Accounting-Request
> Identifier: UNDEF
> Authentic: [.P<238><29><162><193>-<149><197>Ae<131><12><203><251>
> Attributes:
> NAS-IP-Address = xxx.xxx.11.242
> NAS-Port-Id = "tty1"
> Calling-Station-Id = "xxx.xxx.11.1"
> NAS-Identifier = "TACACS"
> User-Name = "connolly"
> Acct-Status-Type = Stop
> Acct-Session-Id = "437970795"
> cisco-avpair = "task_id=149"
> cisco-avpair = "timezone=est"
> cisco-avpair = "service=shell"
> cisco-avpair = "start_time=1321368123"
> cisco-avpair = "priv-lvl=0"
> cisco-avpair = "cmd=exit <cr>"
> OSC-Version-Identifier = "192"
>
> Tue Nov 15 09:42:03 2011: DEBUG: Handling request with Handler
> 'Realm=DEFAULT', Identifier ''
> Tue Nov 15 09:42:03 2011: DEBUG: Deleting session for connolly,
> xxx.xxx.11.242,
> Tue Nov 15 09:42:03 2011: DEBUG: Handling with Radius::AuthGROUP: GetUser
> Tue Nov 15 09:42:03 2011: DEBUG: Handling with Radius::AuthLSA:
> Tue Nov 15 09:42:03 2011: DEBUG: Radius::AuthGROUP:GetUser result: ACCEPT,
> Tue Nov 15 09:42:03 2011: DEBUG: AuthBy GROUP result: ACCEPT,
> Tue Nov 15 09:42:03 2011: DEBUG: Accounting accepted
> Tue Nov 15 09:42:03 2011: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code: Accounting-Response
> Identifier: UNDEF
> Authentic: [.P<238><29><162><193>-<149><197>Ae<131><12><203><251>
> Attributes:
>
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection result
> Accounting-Response
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection Accounting REPLY 1, ,
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection disconnected from
> xxx.xxx.11.242:32440
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection request 192, 3, 1, 0,
> 3584696603, 180
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection Accounting REQUEST 4,
> 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 9, task_id=147 timezone=est
> service=shell start_time=1321368109 disc-cause=1 disc-cause-ext=9
> pre-session-time=6 elapsed_time=14 stop_time=1321368123
> Tue Nov 15 09:42:03 2011: DEBUG: TACACSPLUS derived Radius request packet
> dump:
> Code: Accounting-Request
> Identifier: UNDEF
> Authentic: ,<202>w<1><198><157>A<130><180>@<179> <218>H<225><193>
> Attributes:
> NAS-IP-Address = xxx.xxx.11.242
> NAS-Port-Id = "tty1"
> Calling-Station-Id = "xxx.xxx.11.1"
> NAS-Identifier = "TACACS"
> User-Name = "connolly"
> Acct-Status-Type = Stop
> Acct-Session-Id = "3584696603"
> cisco-avpair = "task_id=147"
> cisco-avpair = "timezone=est"
> cisco-avpair = "service=shell"
> cisco-avpair = "start_time=1321368109"
> cisco-avpair = "disc-cause=1"
> cisco-avpair = "disc-cause-ext=9"
> cisco-avpair = "pre-session-time=6"
> cisco-avpair = "elapsed_time=14"
> cisco-avpair = "stop_time=1321368123"
> OSC-Version-Identifier = "192"
>
> Tue Nov 15 09:42:03 2011: DEBUG: Handling request with Handler
> 'Realm=DEFAULT', Identifier ''
> Tue Nov 15 09:42:03 2011: DEBUG: Deleting session for connolly,
> xxx.xxx.11.242,
> Tue Nov 15 09:42:03 2011: DEBUG: Handling with Radius::AuthGROUP: GetUser
> Tue Nov 15 09:42:03 2011: DEBUG: Handling with Radius::AuthLSA:
> Tue Nov 15 09:42:03 2011: DEBUG: Radius::AuthGROUP:GetUser result: ACCEPT,
> Tue Nov 15 09:42:03 2011: DEBUG: AuthBy GROUP result: ACCEPT,
> Tue Nov 15 09:42:03 2011: DEBUG: Accounting accepted
> Tue Nov 15 09:42:03 2011: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code: Accounting-Response
> Identifier: UNDEF
> Authentic: ,<202>w<1><198><157>A<130><180>@<179> <218>H<225><193>
> Attributes:
>
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection result
> Accounting-Response
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection Accounting REPLY 1, ,
> Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection disconnected from
> xxx.xxx.11.242:16356
> -----Original Message-----
> From: Heikki Vatiainen [mailto:[email protected]]
> Sent: Monday, November 14, 2011 4:13 PM
> To: Kim, Steve
> Subject: Re: [RADIATOR] Radiator 4.9 and cisco-avpair
>
> On 11/14/2011 10:27 PM, Kim, Steve wrote:
>
>> Not sure what you meant by "configuring command authorization".
>> As far as I know, CISCO has been configured with following command set:
>
> The config has "aaa authorization ..." enabled so you should see
> TACACS+ "Authorization REQUEST" entries in Radiator log.
>
> These requests should in turn match AuthorizeGroup lines in Radiator
> configuration file. Does Radiator log show any authorization requests from
> your Cisco?
>
> If possible, please keep [email protected] in Cc:s.
>
> Thanks!
> Heikki
>
>
>> aaa authentication login default group tacacs+ local enable
>> aaa authentication login vty-access group tacacs+ local enable
>> aaa authentication login console-access group tacacs+ local enable
>> aaa authorization exec default group tacacs+ if-authenticated
>> aaa authorization commands 0 default group tacacs+ if-authenticated
>> aaa authorization commands 1 default group tacacs+ if-authenticated
>> aaa authorization commands 15 default group tacacs+ if-authenticated
>> aaa accounting exec default stop-only group tacacs+
>> aaa accounting commands 15 default stop-only group tacacs+
>>
>>
>> -----Original Message-----
>> From: Heikki Vatiainen [mailto:[email protected]]
>> Sent: Monday, November 14, 2011 2:50 PM
>> To: Kim, Steve
>> Cc: [email protected]
>> Subject: Re: [RADIATOR] Radiator 4.9 and cisco-avpair
>>
>> On 11/14/2011 06:18 PM, Kim, Steve wrote:
>>
>> Hello Steve,
>>
>>> I'm trying to understand why I'm getting "cisco-avpair" during the
>>> initial authentication as below log.
>>
>> Those come from the TACACS authentication request message header. See
>> for example http://tools.ietf.org/html/draft-grant-tacacs-02 and
>> section
>> "6.1 Authentication".
>>
>> The cisco-avpair attributes make the priv_lvl and other fields available for
>> authentication request processing. In other words, those attributes are
>> generated by Radiator when it processes the incoming authentication request.
>>
>>> The user xyz is authenticated via Authby LSA from AD calling this
>>> handler from ServerTACACSPLUS clause.
>>>
>>> My objective is getting priv-lvl=15 and not being successful.
>>
>> See goodies/tacplus.txt and the discussion about configuring command
>> authorization. If you enable command authorization, the client device should
>> send TACACS+ authorization request once the authentication has completed
>> successfully.
>>
>> You should start seeing something like this in Radiator log:
>>
>> Mon Nov 14 21:46:14 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 0, 2, 0, mikem, 123, testclient, 2, service=shell cmd=*
>> Mon Nov 14 21:46:14 2011: DEBUG: AuthorizeGroup rule match found: permit service=shell cmd=\* { cisco-avpair=priv-lvl=15 }
>> Mon Nov 14 21:46:14 2011: INFO: Authorization permitted for mikem at 127.0.0.1, group netadmin, args service=shell cmd=*
>> Mon Nov 14 21:46:14 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , cisco-avpair=priv-lvl=15
>>
>>
>> For testing you can also try goodies/tacacsplustest with something like
>> this:
>>
>> First go to Radiator distribution directory. Then run tacacsplustest like
>> this:
>>
>> perl goodies/tacacsplustest -h
>>
>> perl goodies/tacacsplustest -trace 4 -noacct -port 4949 -author_args service=shell,cmd=\*
>>
>>> Here is my radius.cfg:
>>
>> The config looks good and the AuthorizeGroup lines should start matching
>> once the client device starts sending authorization requests.
>>
>> Heikki
>
--
Heikki Vatiainen <[email protected]>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
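The thread turns on which AuthorizeGroup rule a given TACACS+ authorization request reaches. The script below is an added example, not Radiator code and not from anyone in the thread: it parses the "Authorization REQUEST" debug lines quoted above (the log lines are copied from the thread; the field order authen_method, priv_lvl, authen_type, authen_service, user, port, rem_addr, arg_cnt, args is assumed from the TACACS+ authorization REQUEST body, and arg_cnt is checked against the arguments actually present) and replays them against two rule sets with first-match semantics, which is an assumption consistent with the "rule match found: permit .* { }" line in the log. Rule set A is the cmd=\* exec rule plus a bare catch-all; rule set B is the replacement proposed in the reply. Running it shows which requests fall through to the catch-all and therefore get no priv-lvl back, including the service=shell cmd=* exec request from the earlier example log once the cmd=\* line is commented out.

```python
"""Replay Radiator TACACS+ authorization debug lines against AuthorizeGroup rules.

Added example, not Radiator's own code. Assumptions: rules are evaluated
first-match against the space-joined argument list, and the debug line
fields follow the TACACS+ authorization REQUEST body order.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class AuthzRequest(NamedTuple):
    authen_method: int
    priv_lvl: int
    authen_type: int
    authen_service: int
    user: str
    port: str
    rem_addr: str
    args: List[str]


# (action, regex, attributes returned on permit), mirroring
#   AuthorizeGroup <group> permit|deny <regex> {attr=value ...}
Rule = Tuple[str, str, List[str]]

MARKER = "TacacsplusConnection Authorization REQUEST "


def parse_authz_line(line: str) -> AuthzRequest:
    """Parse one Radiator DEBUG 'Authorization REQUEST' line into its fields.

    arg_cnt (8th field) is verified against the number of arguments parsed so
    a truncated or wrapped log line is rejected instead of silently mis-read.
    """
    body = line.split(MARKER, 1)[1]
    fields = body.split(", ", 8)
    if len(fields) != 9:
        raise ValueError(f"unexpected field count in {line!r}")
    method, priv, atype, svc, user, port, rem_addr, arg_cnt, arg_str = fields
    args = arg_str.split()
    if int(arg_cnt) != len(args):
        raise ValueError(f"arg_cnt={arg_cnt} but parsed {len(args)} args: {args}")
    return AuthzRequest(int(method), int(priv), int(atype), int(svc),
                        user, port, rem_addr, args)


def authorize(rules: List[Rule], req: AuthzRequest) -> Tuple[Optional[str], str, List[str]]:
    """Assumed first-match evaluation: (action, matched regex, returned attrs).

    A permit returns the rule's attributes (e.g. cisco-avpair=priv-lvl=15);
    a deny returns no attributes; no matching rule returns (None, '', []).
    """
    arg_str = " ".join(req.args)
    for action, pattern, attrs in rules:
        if re.search(pattern, arg_str):
            return action, pattern, list(attrs) if action == "permit" else []
    return None, "", []


# Rule set A: exec rule plus bare catch-all, as the log's "permit .* { }" implies.
RULES_A: List[Rule] = [
    ("permit", r"service=shell cmd=\*", ["cisco-avpair=priv-lvl=15"]),
    ("permit", r".*", []),
]

# Rule set B: the replacement from the reply (cmd=\* line commented out).
RULES_B: List[Rule] = [
    ("permit", r"service=shell cmd=connect cmd-arg=exitr cmd-arg=<cr>",
     ["cisco-avpair=priv-lvl=15"]),
    ("permit", r".*", []),
]

# Constructed input: debug lines copied from the thread (redacted addresses kept).
LOG_LINES = [
    "Tue Nov 15 09:42:02 2011: DEBUG: TacacsplusConnection Authorization REQUEST "
    "1, 1, 1, 0, connolly, tty1, xxx.xxx.11.1, 4, service=shell cmd=connect "
    "cmd-arg=exitr cmd-arg=<cr>",
    "Tue Nov 15 09:42:03 2011: DEBUG: TacacsplusConnection Authorization REQUEST "
    "1, 0, 1, 0, connolly, tty1, xxx.xxx.11.1, 3, service=shell cmd=exit cmd-arg=<cr>",
    # Exec-shell authorization as shown in the earlier example log in the thread.
    "Mon Nov 14 21:46:14 2011: DEBUG: TacacsplusConnection Authorization REQUEST "
    "6, 0, 2, 0, mikem, 123, testclient, 2, service=shell cmd=*",
]


def replay(rules: List[Rule], lines: List[str]) -> List[Tuple[str, Optional[str], str, List[str]]]:
    """For each log line: (cmd argument, action, matched regex, returned attrs)."""
    out = []
    for line in lines:
        req = parse_authz_line(line)
        action, pattern, attrs = authorize(rules, req)
        cmd = next(a for a in req.args if a.startswith("cmd="))
        out.append((cmd, action, pattern, attrs))
    return out


if __name__ == "__main__":
    for name, rules in (("A", RULES_A), ("B", RULES_B)):
        for cmd, action, pattern, attrs in replay(rules, LOG_LINES):
            print(f"rules {name}: {cmd:<12} {action} {pattern!r:<58} -> {attrs}")
```

Two things worth checking in your own radius.cfg with this kind of replay: a regex such as `service=shell cmd=\*` only matches the literal `cmd=*` exec request, never a per-command request like `cmd=connect`, and a trailing `permit .*` with empty braces permits every command the earlier rules did not match while returning no attributes, so any command the client asks about is allowed. If the intent is to restrict what the group may run, that catch-all should be a deny, or the specific commands should be listed ahead of it.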