On 11/15/2012 10:34 PM, Murat Bilal wrote:
> I have three different groups and for TACACS authorization. My radius
> .cfg is like that

Hello Murat,

you can have only one AddToReply line in an AuthBy. This is why you get
DEFAULT with the Access-Accept. Try removing all except one that adds
group3.

The authorize arguments the device sends are:

  service=shell cmd* command-access*

The matching AuthorizeGroup for group3 would be this:

  AuthorizeGroup group3 permit service=shell cmd\* command-access\* {priv-lvl=15}

Since the patterns, such as cmd\*, are regular expressions, you need to
escape any special characters such as '*'.

I suggest you should re-read the reference manual ServerTACACSPLUS entry
with goodies/servertacacsplus.cfg. I'd say you are currently changing too
many things simultaneously, fixing some things while breaking others. Now
would be a good time to review how TACACS+ authentication and
authorization works with Radiator.

Thanks,
Heikki

> <ServerTACACSPLUS>
>         Key *****
>         AddToRequest NAS-Identifier=TACACS
>         GroupMemberAttr tacacsgroup
>         AuthorizeGroup group1 permit service=shell cmd=show cmd-args=.*
>         AuthorizeGroup group1 permit .*
>         # AuthorizeGroup DEFAULT deny .*
>         AuthorizeGroup group3 permit service=shell cmd\* {priv-lvl=15}
> </ServerTACACSPLUS>
>
> <Handler>
>         <AuthBy SQL>
>                 # Change DBSource, DBUsername, DBAuth for your database
>                 # See the reference manual. You will also have to
>                 # change the one in <SessionDatabase SQL> below
>                 # so it's the same
>                 DBSource dbi:mysql:radius:localhost
>                 DBUsername raduser
>                 DBAuth raduser
>
>                 # Never look up the DEFAULT user
>                 NoDefault
>                 # You can customise the SQL query used to get user details with the
>                 # AuthSelect parameter:
>                 AuthSelect select PASSWORD 'Auth-Type=AuthSQL', 'GroupList="group1 group2 group3"' from SUBSCRIBERS where USERNAME=%0
>                 -----
>                 ------------
>                 AddToReply tacacsgroup= group1
>                 AddToReply tacacsgroup= group3
>                 AddToReply tacacsgroup= DEFAULT
>
> I try with user mikem in group1. And the trace log:
>
> Thu Nov 15 22:31:17 2012: DEBUG: Query to 'dbi:mysql:radius:localhost': 'select PASSWORD 'Auth-Type=AuthSQL', 'GroupList="group1 group2 group3"' from SUBSCRIBERS where USERNAME='mikem'':
> Thu Nov 15 22:31:17 2012: DEBUG: Radius::AuthSQL looks for match with mikem [mikem]
> Thu Nov 15 22:31:17 2012: DEBUG: Query to 'dbi:mysql:radius:localhost': 'select GROUPNAME from GROUPS where USERNAME='mikem' and GROUPNAME='group1'':
> Thu Nov 15 22:31:17 2012: DEBUG: Radius::AuthSQL ACCEPT: : mikem [mikem]
> Thu Nov 15 22:31:17 2012: DEBUG: AuthBy SQL result: ACCEPT,
> Thu Nov 15 22:31:17 2012: DEBUG: Access accepted for mikem
> Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost': 'insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (1353011477, 'mikem', 1)':
> Thu Nov 15 22:31:17 2012: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  p<146><26><192>4H<235><16>\<21><252>v.<142><152><28>
> Attributes:
>         tacacsgroup = DEFAULT
>
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection result Access-Accept
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection disconnected from 93.155.11.54:58517
> Thu Nov 15 22:31:17 2012: DEBUG: New TacacsplusConnection created for 93.155.11.54:61939
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection request 192, 3, 1, 0, 3529830477, 105
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Accounting REQUEST 2, 6, 0, 1, 1, mikem@local, /dev/ttyp3, 78.169.249.3, 4, start_time=1353011477 task_id=10700 timezone=GMT service=shell
> Thu Nov 15 22:31:17 2012: DEBUG: TACACSPLUS derived Radius request packet dump:
> Code:       Accounting-Request
> Identifier: UNDEF
> Authentic:  p<235><143><10>U<177>d<206>X_Z<168>O<129><31>j
> Attributes:
>         NAS-IP-Address = 93.155.11.54
>         NAS-Port-Id = "/dev/ttyp3"
>         Calling-Station-Id = "78.169.249.3"
>         NAS-Identifier = "TACACS"
>         User-Name = "mikem@local"
>         Acct-Status-Type = Start
>         Acct-Session-Id = "3529830477"
>         cisco-avpair = "start_time=1353011477"
>         cisco-avpair = "task_id=10700"
>         cisco-avpair = "timezone=GMT"
>         cisco-avpair = "service=shell"
>         OSC-Version-Identifier = "192"
>
> Thu Nov 15 22:31:17 2012: DEBUG: Handling request with Handler '', Identifier ''
> Thu Nov 15 22:31:17 2012: DEBUG: Adding session for mikem@local, 93.155.11.54,
> Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost': 'delete from RADONLINE where NASIDENTIFIER='93.155.11.54' and NASPORT=00':
> Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost': 'insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('mikem@local', '93.155.11.54', 0, '3529830477', 1353011477, '', '', '')':
> Thu Nov 15 22:31:17 2012: DEBUG: Handling with Radius::AuthSQL:
> Thu Nov 15 22:31:17 2012: DEBUG: Handling accounting with Radius::AuthSQL
> Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radius:localhost': 'insert into ACCOUNTING (ACCTSESSIONID,ACCTSTATUSTYPE,NASIDENTIFIER,TIME_STAMP,USERNAME) values ('3529830477','Start','TACACS',1353011477,'mikem@local')':
> Thu Nov 15 22:31:17 2012: DEBUG: AuthBy SQL result: ACCEPT,
> Thu Nov 15 22:31:17 2012: DEBUG: Accounting accepted
> Thu Nov 15 22:31:17 2012: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:       Accounting-Response
> Identifier: UNDEF
> Authentic:  p<235><143><10>U<177>d<206>X_Z<168>O<129><31>j
> Attributes:
>
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection result Accounting-Response
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Accounting REPLY 1, ,
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection disconnected from 93.155.11.54:61939
> Thu Nov 15 22:31:17 2012: DEBUG: New TacacsplusConnection created for 93.155.11.54:64085
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 2033174599, 70
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Authorization REQUEST 6, 0, 1, 1, mikem, /dev/ttyp3, 78.169.249.3, 3, service=shell cmd* command-access*
> Thu Nov 15 22:31:17 2012: INFO: Authorization denied for mikem, group DEFAULT. No matching AuthorizeGroup rule for args service=shell cmd* command-access*
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Authorization RESPONSE 16, denied, ,
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection disconnected from 93.155.11.54:64085
>
> The reply message always says group DEFAULT. Is something wrong with my
> AddToReply clause? Why does the reply always say group DEFAULT?
>
> And a strange issue: if group3 is at the end of the line for the
> AddToReply clause, then the reply message comes as group3.
>
> MURAT BİLAL
> Services Engineer
> Ericsson Turkey
>
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER
etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
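The escaping point Heikki makes above (the AuthorizeGroup patterns are regular expressions, so a literal `*` in an argument such as `cmd*` must be written `cmd\*`), as an added example that is not part of this thread and not Radiator's own code. It uses Python's `re` module because Python and Perl treat the patterns in question identically; the per-argument full-match rule evaluation in `rule_matches`/`authorize` is a simplified model assumed for the illustration, not a description of how Radiator evaluates AuthorizeGroup lines (the reference manual is authoritative for that). The argument list is constructed from the Authorization REQUEST line in the trace, and the `{"priv-lvl": "15"}` reply is illustrative.

```python
import re

# Constructed sample: the three arguments the device sends for the shell
# login, taken from the "Authorization REQUEST ... service=shell cmd*
# command-access*" line in the trace above.
REQUEST_ARGS = ["service=shell", "cmd*", "command-access*"]

# The rule as it could be written unescaped, next to the escaped form Heikki
# suggests. Each rule is (patterns, reply-on-permit); the reply dict is
# illustrative. Ordered-list-of-rules evaluation is an assumption of this
# example, not Radiator's implementation.
UNESCAPED_RULES = [
    (["service=shell", "cmd*", "command-access*"], {"priv-lvl": "15"}),
]
ESCAPED_RULES = [
    (["service=shell", r"cmd\*", r"command-access\*"], {"priv-lvl": "15"}),
]


def pattern_matches_any(pattern, args):
    """True if the regex fully matches at least one of the argument strings."""
    return any(re.fullmatch(pattern, arg) is not None for arg in args)


def rule_matches(patterns, args):
    """Simplified model (assumption): a rule applies when every one of its
    patterns fully matches at least one argument the device sent."""
    return all(pattern_matches_any(p, args) for p in patterns)


def authorize(rules, args):
    """First matching rule wins and yields its reply attributes; no match is a
    deny, which is the situation the 'No matching AuthorizeGroup rule' INFO
    line in the trace reports."""
    for patterns, reply in rules:
        if rule_matches(patterns, args):
            return ("permit", reply)
    return ("deny", {})


def explain(pattern, arg):
    """What a pattern really does as a regex. 'cmd*' means 'cm' followed by
    zero or more 'd', so it never fully matches the literal argument 'cmd*',
    although an unanchored search still finds 'cmd' inside it. That is why a
    config that only looks as if it works can silently permit or deny the
    wrong thing depending on how the match is anchored."""
    return {
        "fullmatch": re.fullmatch(pattern, arg) is not None,
        "search": re.search(pattern, arg) is not None,
    }


def literal_rule(args):
    """Build patterns that match the given arguments literally by escaping
    every regex metacharacter ('*', '.', '-', ...). Use this to derive the
    escaped form of a rule from the arguments seen in a trace."""
    return [re.escape(a) for a in args]


if __name__ == "__main__":
    print("unescaped rule:", authorize(UNESCAPED_RULES, REQUEST_ARGS))
    print("escaped rule:  ", authorize(ESCAPED_RULES, REQUEST_ARGS))
    for p in ("cmd*", r"cmd\*"):
        print(repr(p), "vs 'cmd*':", explain(p, "cmd*"))
    print("literal patterns:", literal_rule(REQUEST_ARGS))
```

Running it shows the unescaped rule denying the shell login and the escaped one permitting it with the illustrative reply; the `explain` output makes the reason visible, since `re.fullmatch("cmd*", "cmd*")` fails while `re.search` would still succeed. When writing rules by hand, take the argument strings from the DEBUG trace and pass them through `literal_rule` to see which characters need a backslash.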