On 11/15/2011 05:42 PM, Kim, Steve wrote:

Hmm, let's see now. The first authorization request is this:

Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection Authorization
REQUEST 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd*

The request should be matched by this AuthorizeGroup:

AuthorizeGroup netadmin permit service=shell cmd=\*
{cisco-avpair="priv-lvl=15"}



Your previous message had this:
09:42:02 2011: DEBUG: TacacsplusConnection Authorization REQUEST 1, 1,
1, 0, connolly, tty1, xxx.xxx.11.1, 4, service=shell cmd=connect
cmd-arg=exitr cmd-arg=<cr>

That would have matched by this:

AuthorizeGroup netadmin permit service=shell cmd=connect cmd-arg=exitr
cmd-arg=<cr> {cisco-avpair="priv-lvl=15"}

Taking a better look at this, this is just a command with a typo (exitr),
so what you should have is:

AuthorizeGroup netadmin permit service=shell cmd=\*
{cisco-avpair="priv-lvl=15"}
AuthorizeGroup netadmin permit .*


If it will not work, please reply with a log that shows the initial
TACACS+ authentication and the authorization that follows.

Thanks!
Heikki



> Tue Nov 15 10:25:28 2011: DEBUG: Handling request with Handler
> 'Realm=DEFAULT', Identifier ''
> 
> Tue Nov 15 10:25:28 2011: DEBUG:  Deleting session for connolly,
> xxx.xxx.11.242,
> 
> Tue Nov 15 10:25:28 2011: DEBUG: Handling with Radius::AuthGROUP: GetUser
> 
> Tue Nov 15 10:25:28 2011: DEBUG: Handling with Radius::AuthLSA:
> 
> Tue Nov 15 10:25:28 2011: DEBUG: Radius::AuthLSA looks for match with
> connolly [connolly]
> 
> Tue Nov 15 10:25:28 2011: DEBUG: Checking LSA Group membership for
> dcny001, networking_staff, connolly
> 
> Tue Nov 15 10:25:28 2011: DEBUG: Radius::AuthLSA ACCEPT: : connolly
> [connolly]
> 
> Tue Nov 15 10:25:28 2011: DEBUG: Radius::AuthGROUP:GetUser  result: ACCEPT,
> 
> Tue Nov 15 10:25:28 2011: DEBUG: AuthBy GROUP result: ACCEPT,
> 
> Tue Nov 15 10:25:28 2011: DEBUG: Access accepted for connolly
> 
> Tue Nov 15 10:25:28 2011: DEBUG: Packet dump:
> 
> *** Reply to TACACSPLUS request:
> 
> Code:       Access-Accept
> 
> Identifier: UNDEF
> 
> Authentic:  <221><30><24><221>-<186> <182>@K<23><196>~<172><171><180>
> 
> Attributes:
> 
>       tacacsgroup = netadmin
> 
>  
> 
> Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection result Access-Accept
> 
> Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection Authentication
> REPLY 1, 0, , 
> 
> Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection disconnected from
> xxx.xxx.11.242:11934
> 
> Tue Nov 15 10:25:28 2011: DEBUG: New TacacsplusConnection created for
> xxx.xxx.11.242:62567
> 
> Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection request 192, 2, 1,
> 0, 3452448878, 51
> 
> Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection Authorization
> REQUEST 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd*
> 
> Tue Nov 15 10:25:28 2011: DEBUG: AuthorizeGroup rule match found: permit
> .* {  }
> 
> Tue Nov 15 10:25:28 2011: INFO: Authorization permitted for connolly at
> xxx.xxx.11.242, group netadmin, args service=shell cmd*
> 
> Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection Authorization
> RESPONSE 1, , ,
> 
> Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection disconnected from
> xxx.xxx.11.242:62567
> 
> Tue Nov 15 10:25:32 2011: DEBUG: New TacacsplusConnection created for
> xxx.xxx.11.242:46572
> 
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection request 192, 2, 1,
> 0, 470062485, 68
> 
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection Authorization
> REQUEST 1, 0, 1, 0, connolly, tty1, xxx.xxx.11.1, 3, service=shell
> cmd=exit cmd-arg=<cr>
> 
> Tue Nov 15 10:25:32 2011: DEBUG: AuthorizeGroup rule match found: permit
> .* {  }
> 
> Tue Nov 15 10:25:32 2011: INFO: Authorization permitted for connolly at
> xxx.xxx.11.242, group netadmin, args service=shell cmd=exit cmd-arg=<cr>
> 
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection Authorization
> RESPONSE 1, , ,
> 
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection disconnected from
> xxx.xxx.11.242:46572
> 
> Tue Nov 15 10:25:32 2011: DEBUG: New TacacsplusConnection created for
> xxx.xxx.11.242:57867
> 
> Tue Nov 15 10:25:32 2011: DEBUG: New TacacsplusConnection created for
> xxx.xxx.11.242:34089
> 
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection request 192, 3, 1,
> 0, 109442261, 119
> 
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection Accounting REQUEST
> 4, 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 6, task_id=151 timezone=est
> service=shell start_time=1321370732 priv-lvl=0 cmd=exit <cr>
> 
> Tue Nov 15 10:25:32 2011: DEBUG: TACACSPLUS derived Radius request
> packet dump:
> 
> Code:       Accounting-Request
> 
> Identifier: UNDEF
> 
> Authentic:  0<142><185><169>8<222>/=3<18>JQ<27><215><174><128>
> 
> Attributes:
> 
>       NAS-IP-Address = xxx.xxx.11.242
> 
>       NAS-Port-Id = "tty1"
> 
>       Calling-Station-Id = "xxx.xxx.11.1"
> 
>       NAS-Identifier = "TACACS"
> 
>       User-Name = "connolly"
> 
>       Acct-Status-Type = Stop
> 
>       Acct-Session-Id = "109442261"
> 
>       cisco-avpair = "task_id=151"
> 
>       cisco-avpair = "timezone=est"
> 
>       cisco-avpair = "service=shell"
> 
>       cisco-avpair = "start_time=1321370732"
> 
>       cisco-avpair = "priv-lvl=0"
> 
>       cisco-avpair = "cmd=exit <cr>"
> 
>       OSC-Version-Identifier = "192"
> 
>  
> 
> Tue Nov 15 10:25:32 2011: DEBUG: Handling request with Handler
> 'Realm=DEFAULT', Identifier ''
> 
> Tue Nov 15 10:25:32 2011: DEBUG:  Deleting session for connolly,
> xxx.xxx.11.242,
> 
> Tue Nov 15 10:25:32 2011: DEBUG: Handling with Radius::AuthGROUP: GetUser
> 
> Tue Nov 15 10:25:32 2011: DEBUG: Handling with Radius::AuthLSA:
> 
> Tue Nov 15 10:25:32 2011: DEBUG: Radius::AuthGROUP:GetUser  result: ACCEPT,
> 
> Tue Nov 15 10:25:32 2011: DEBUG: AuthBy GROUP result: ACCEPT,
> 
> Tue Nov 15 10:25:32 2011: DEBUG: Accounting accepted
> 
> Tue Nov 15 10:25:32 2011: DEBUG: Packet dump:
> 
> *** Reply to TACACSPLUS request:
> 
> Code:       Accounting-Response
> 
> Identifier: UNDEF
> 
> Authentic:  0<142><185><169>8<222>/=3<18>JQ<27><215><174><128>
> 
> Attributes:
> 
>  
> 
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection result
> Accounting-Response
> 
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection Accounting REPLY
> 1, , 
> 
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection disconnected from
> xxx.xxx.11.242:57867
> 
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection request 192, 3, 1,
> 0, 2169240497, 179
> 
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection Accounting REQUEST
> 4, 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 9, task_id=151 timezone=est
> service=shell start_time=1321370728 disc-cause=1 disc-cause-ext=9
> pre-session-time=7 elapsed_time=4 stop_time=1321370732
> 
> Tue Nov 15 10:25:32 2011: DEBUG: TACACSPLUS derived Radius request
> packet dump:
> 
> Code:       Accounting-Request
> 
> Identifier: UNDEF
> 
> Authentic:   0'j<209><138><137><180>S<209><156><243><175><7>hS
> 
> Attributes:
> 
>       NAS-IP-Address = xxx.xxx.11.242
> 
>       NAS-Port-Id = "tty1"
> 
>       Calling-Station-Id = "xxx.xxx.11.1"
> 
>       NAS-Identifier = "TACACS"
> 
>       User-Name = "connolly"
> 
>       Acct-Status-Type = Stop
> 
>       Acct-Session-Id = "2169240497"
> 
>       cisco-avpair = "task_id=151"
> 
>       cisco-avpair = "timezone=est"
> 
>       cisco-avpair = "service=shell"
> 
>       cisco-avpair = "start_time=1321370728"
> 
>       cisco-avpair = "disc-cause=1"
> 
>       cisco-avpair = "disc-cause-ext=9"
> 
>       cisco-avpair = "pre-session-time=7"
> 
>       cisco-avpair = "elapsed_time=4"
> 
>       cisco-avpair = "stop_time=1321370732"
> 
>       OSC-Version-Identifier = "192"
> 
>  
> 
> Tue Nov 15 10:25:32 2011: DEBUG: Handling request with Handler
> 'Realm=DEFAULT', Identifier ''
> 
> Tue Nov 15 10:25:32 2011: DEBUG:  Deleting session for connolly,
> xxx.xxx.11.242,
> 
> Tue Nov 15 10:25:32 2011: DEBUG: Handling with Radius::AuthGROUP: GetUser
> 
> Tue Nov 15 10:25:32 2011: DEBUG: Handling with Radius::AuthLSA:
> 
> Tue Nov 15 10:25:32 2011: DEBUG: Radius::AuthGROUP:GetUser  result: ACCEPT,
> 
> Tue Nov 15 10:25:32 2011: DEBUG: AuthBy GROUP result: ACCEPT,
> 
> Tue Nov 15 10:25:32 2011: DEBUG: Accounting accepted
> 
> Tue Nov 15 10:25:32 2011: DEBUG: Packet dump:
> 
> *** Reply to TACACSPLUS request:
> 
> Code:       Accounting-Response
> 
> Identifier: UNDEF
> 
> Authentic:   0'j<209><138><137><180>S<209><156><243><175><7>hS
> 
> Attributes:
> 
>  
> 
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection result
> Accounting-Response
> 
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection Accounting REPLY
> 1, , 
> 
> Tue Nov 15 10:25:32 2011: DEBUG: TacacsplusConnection disconnected from
> xxx.xxx.11.242:34089
> 
>  
> 
>  
> 
> -----Original Message-----
> From: Heikki Vatiainen [mailto:[email protected]]
> Sent: Tuesday, November 15, 2011 10:22 AM
> To: Kim, Steve
> Cc: [email protected]
> Subject: Re: [RADIATOR] Radiator 4.9 and cisco-avpair
> 
>  
> 
> On 11/15/2011 05:08 PM, Kim, Steve wrote:
> 
>  
> 
> Hello Steve,
> 
>  
> 
> the AuthorizeGroup line does not match what Cisco requests. Try this:
> 
>  
> 
> #AuthorizeGroup netadmin permit service=shell cmd=\* {cisco-avpair="priv-lvl=15"}
> AuthorizeGroup netadmin permit service=shell cmd=connect cmd-arg=exitr cmd-arg=<cr> {cisco-avpair="priv-lvl=15"}
> AuthorizeGroup netadmin permit .*
> 
>  
> 
> The commented out AuthorizeGroup is replaced by one that matches what is
> requested by the client.
> 
>  
> 
> Please let us know how this works.
> 
>  
> 
> Thanks!
> 
>  
> 


-- 
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
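As an added example (not code from this thread and not Radiator's implementation), here is a small Python model of how a list of AuthorizeGroup rules can be evaluated against the argument string that appears in the "Authorization REQUEST" and "args ..." log lines above. It assumes, as the "AuthorizeGroup rule match found" line suggests, that rules are tried in order, that the first rule for the user's group whose regular expression matches the space-joined argument string wins, and that a request matching no rule is denied. The TACACS+ separator semantics ('=' for a mandatory attribute, '*' for an optional one) come from the protocol. The config text and request strings are constructed from the thread; the pattern `service=shell cmd\*` at the end is my own illustration of what a regex would have to look like to match the `cmd*` exec request, not something the thread proposes.

```python
"""Constructed model of TACACS+ authorization args and first-match
AuthorizeGroup rules (example code, not Radiator's own)."""
import re
from dataclasses import dataclass, field


@dataclass
class TacacsArg:
    name: str
    value: str
    mandatory: bool  # '=' separator = mandatory, '*' = optional (TACACS+)


def parse_tacacs_args(args: str) -> list[TacacsArg]:
    """Split an argument string as logged, e.g. 'service=shell cmd*'.
    'cmd*' is the optional attribute 'cmd' with an empty value;
    'cmd=exit' is the mandatory attribute 'cmd' with value 'exit'."""
    out = []
    for tok in args.split():
        m = re.match(r'([^=*]+)([=*])(.*)$', tok)
        if not m:
            raise ValueError(f"malformed TACACS+ argument: {tok!r}")
        out.append(TacacsArg(m.group(1), m.group(3), m.group(2) == '='))
    return out


@dataclass
class Rule:
    group: str
    action: str                 # 'permit' or 'deny'
    pattern: re.Pattern
    reply: list = field(default_factory=list)   # (attr, value) pairs


# AuthorizeGroup <group> <permit|deny> <regex> [{attr="value" ...}]
RULE_RE = re.compile(r'^AuthorizeGroup\s+(\S+)\s+(permit|deny)\s+(.*?)\s*(?:\{(.*)\})?\s*$')
ATTR_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an AuthorizeGroup line: {line!r}")
    group, action, pattern, attrs = m.groups()
    return Rule(group, action, re.compile(pattern), ATTR_RE.findall(attrs or ''))


def load_rules(text: str) -> list[Rule]:
    """Parse config lines, skipping blanks and '#' comments."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith('#')]


def authorize(rules: list[Rule], group: str, args: str) -> tuple[str, list]:
    """First matching rule for the group wins (assumed first-match semantics);
    no match means deny (assumed default)."""
    for r in rules:
        if r.group == group and r.pattern.search(args):
            return r.action, r.reply
    return 'deny', []


# Constructed from the rules Heikki suggests in the thread.
CONFIG = r"""
AuthorizeGroup netadmin permit service=shell cmd=\* {cisco-avpair="priv-lvl=15"}
AuthorizeGroup netadmin permit .*
"""
RULES = load_rules(CONFIG)

# Argument strings taken from the quoted log.
EXEC_REQUEST = "service=shell cmd*"
CMD_REQUEST = "service=shell cmd=exit cmd-arg=<cr>"

# My own illustration: a regex that does match the 'cmd*' exec request.
ALT_RULES = load_rules(r"""
AuthorizeGroup netadmin permit service=shell cmd\* {cisco-avpair="priv-lvl=15"}
AuthorizeGroup netadmin permit .*
""")

if __name__ == "__main__":
    for req in (EXEC_REQUEST, CMD_REQUEST, "service=shell cmd=*"):
        print(f"{req!r:45} -> {authorize(RULES, 'netadmin', req)}")
    print(f"{EXEC_REQUEST!r:45} -> {authorize(ALT_RULES, 'netadmin', EXEC_REQUEST)}")
```

Running it reproduces what the log shows: `service=shell cmd*` does not contain the literal `cmd=*` that the first rule's `cmd=\*` requires, so it falls through to `permit .*` with an empty reply, which is why the session carries no priv-lvl=15 and the accounting record later reports priv-lvl=0. The catch-all is worth a second look from a defender's side as well: `permit .*` permits every command for the group, so any request that misses the specific rules is still allowed, just without the intended attributes.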
