Hi
Thıs ıs my Acess*Accept reply as you said:
Code: Access-Accept
Identifier: UNDEF
Authentic:
<19><173><235><234><168><228><238><182><173><0>i<164>Q<130><219><221>
Attributes:
OSC-Group-Identifier = "DDAP6"
OSC-Authorize-Group = "deny service=shell cmd=ping cmd-arg=.*"
OSC-Authorize-Group = "permit .* {}"
OSC-Authorize-Group = "deny service=shell cmd=show cmd-arg=.*"
OSC-Authorize-Group = "permit service=shell cmd\* {priv-lvl=6}"
Here is my debug message when I log in to router
Mon Dec 3 22:08:51 2012: DEBUG: AuthorizeGroup rule match found: permit .* { }
Mon Dec 3 22:08:51 2012: INFO: Authorization permitted for ddap6u at x.x.x.x,
group DDAP6, args service=shell cmd* command-access*
Mon Dec 3 22:08:51 2012: DEBUG: TacacsplusConnection Authorization RESPONSE 1,
, ,
But when I run show port I got;
Mon Dec 3 22:10:17 2012: DEBUG: TacacsplusConnection Authorization REQUEST 6,
3, 1, 1, ddap6u, /dev/ttyp6, x.x.x.x, 3, service=shell cmd=show cmd-arg=port
Mon Dec 3 22:10:17 2012: DEBUG: AuthorizeGroup rule match found: permit .* { }
Why this command permitted? According to my rule(OSC-Authorize-Group = "deny
service=shell cmd=show cmd-arg=.*") command should not authorized. I am
confused here
And this is my sql in radius.cfg
AuthSelect select na.PASS_WORD,na.STATICADDRESS,na.TIMELEFT,\
na.MAXLOGINS, na.SERVICENAME, na.BADLOGINS, na.VALIDFROM,
na.VALIDTO,\
na.TACACSGROUPID,ga.DEVICEGROUP,group_concat(ga.AUTHRULE),ga.ATTRIBUTE\
from RADUSERS as na,RADGROUPAUTH as ga where\
na.USERNAME='%n' and na.BADLOGINS < 5 and \
na.VALIDFROM < %t and na.VALIDTO > %t and
na.TACACSGROUPID=ga.USERGROUP
AuthColumnDef 2,GENERIC,reply
AuthColumnDef 0, OSC-Group-Identifier, reply
-----Original Message-----
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On
Behalf Of Heikki Vatiainen
Sent: 03 Aralık 2012 Pazartesi 15:14
To: radiator@open.com.au
Subject: Re: [RADIATOR] Radmin Web interface
On 12/03/2012 11:32 AM, Murat Bilal wrote:
> mysql> select * from RADGROUPAUTH;
Hello Murat,
having a number of rows works with AuthBy RADMIN since this module knows the
user or service profile can have multiple check and reply attributes. This is
one of the differences between AuthBy RADMIN and plain AuthBy SQL.
The reason you get only one return attribute with AuthColumnDef is when the
user information is looked up from the SQL, only the first returned row is
used. If there are multiple rows, the values for those rows are not processed
at all.
This is also why type GENERIC is there. You should be able to specify all
return attributes on one row by putting the attributes into on column with
name1=val1,name2=val2,... syntax.
If you want to use AuthSelect, then type GENERIC is they way to return all
attributes.
> +-----------+-----------------------------------------+--------------+----------+----------+------+-----------+-------+
> | ATTRIBUTE | AUTHRULE | DEVICEGROUP |
> PRIORITY | PROTOCOL | TYPE | USERGROUP | VALUE |
> +-----------+-----------------------------------------+--------------+----------+----------+------+-----------+-------+
> | NULL | NULL | x.x.x.x | NULL |
> NULL | NULL | test | NULL |
> | NULL | permit service=shell cmd\* {priv-lvl=6} | x.x.x.x | NULL |
> NULL | NULL | DDAP6 | NULL |
> | NULL | NULL | x.x.x.x | NULL |
> NULL | NULL | DDAP15 | NULL |
> | NULL | NULL | x.x.x.x | NULL |
> NULL | NULL | gm | NULL |
> | NULL | deny service=shell cmd=show cmd-arg=.* | x.x.x.x | NULL |
> NULL | NULL | test1 | NULL |
> | NULL | permit .* {} | x.x.x.x | NULL |
> NULL | NULL | DDAP6 | NULL |
> | NULL | permit service=shell cmd\* {priv-lvl=6} | x.x.x.x | NULL |
> NULL | NULL | test1 | NULL |
> | NULL | NULL | NULL |
> NULL | NULL | NULL | NULL | NULL |
> | NULL | NULL | x.x.x.x | NULL |
> NULL | NULL | AADP15 | NULL |
> | NULL | NULL | x.x.x.x | NULL |
> NULL | NULL | DDAP6 | NULL |
> | NULL | deny service=shell cmd=show cmd-arg=.* | x.x.x.x | NULL |
> NULL | NULL | DDAP6 | NULL |
> | NULL | deny service=shell cmd=ping cmd-arg=.* | x.x.x.x | NULL |
> NULL | NULL | DDAP6 | NULL |
> | NULL | deny service=shell cmd=ping cmd-arg=.* | x.x.x.x | NULL |
> NULL | NULL | test1 | NULL |
> | NULL | permit .* {} | x.x.x.x | NULL |
> NULL | NULL | test1 | NULL |
> +-----------+-----------------------------------------+--------------+----------+----------+------+-----------+-------+
>
> I have 4 rules in AUTHRULE column.This is the debug log for
> Access-Accept
>
> *** Reply to TACACSPLUS request:
> Code: Access-Accept
> Identifier: UNDEF
> Authentic: ~<244>'Z<160>cB<211><31><171><171>ze<132><178><151>
> Attributes:
> OSC-Group-Identifier = "DDAP6"
> OSC-Authorize-Group = "permit service=shell cmd\* {priv-lvl=6}"
>
> I cannot get other attributes.It returns only 1 one row How can I get the
> other Attributes?
>
> Here is my radmin config
>
> AuthSelect select na.PASS_WORD,na.STATICADDRESS,na.TIMELEFT,\
> na.MAXLOGINS, na.SERVICENAME, na.BADLOGINS, na.VALIDFROM,
> na.VALIDTO,\
> na.TACACSGROUPID,ga.DEVICEGROUP, ga.AUTHRULE\
> from RADUSERS as na,RADGROUPAUTH as ga where\
> na.USERNAME='%n' and na.BADLOGINS < 5 and \
> na.VALIDFROM < %t and na.VALIDTO > %t and
> na.TACACSGROUPID=ga.USERGROUP
>
>
> AuthColumnDef 0, OSC-Group-Identifier, reply
> AuthColumnDef 2,OSC-Authorize-Group,reply
>
> I also try GENERIC but no luck
>
> Thanks
> -----Original Message-----
> From: radiator-boun...@open.com.au
> [mailto:radiator-boun...@open.com.au] On Behalf Of Heikki Vatiainen
> Sent: 30 Kasım 2012 Cuma 12:24
> To: radiator@open.com.au
> Subject: Re: [RADIATOR] Radmin Web interface
>
> On 11/30/2012 01:07 AM, Murat Bilal wrote:
>
>> I do not understand.i want to edit those commands from Radmin Web
>> Interface, not in /etc/radiator/radiator.cfg
>
> Hello Murat,
>
> please see below, I was describing doing this with Radmin. With Radmin you
> need to add each line as a reply attribute. The attribute name (such as
> OSC-Authorize-Group) is then configured as AuthorizeGroupAttr in
> <ServerTACACSPLUS>.
>
> Thanks,
> Heikki
>
>> -----Original Message-----
>> From: radiator-boun...@open.com.au
>> [mailto:radiator-boun...@open.com.au] On Behalf Of Heikki Vatiainen
>> Sent: 29 Kasım 2012 Perşembe 14:58
>> To: radiator@open.com.au
>> Subject: Re: [RADIATOR] Radmin Web interface
>>
>> On 11/28/2012 11:16 PM, Murat Bilal wrote:
>>
>>> In <ServerTACACSPlus> clause I have rules for command auth such as below:
>>> AuthorizeGroup DDAP6 permit service=shell cmd\* {priv-lvl=6}
>>> AuthorizeGroup DDAP6 deny service=shell cmd=show cmd-arg=.*
>>> AuthorizeGroup DDAP6 deny service=shell cmd=ping cmd-arg=.*
>>> AuthorizeGroup DDAP6 permit .* {}
>>
>>> Is it possible to write these rules from Radmin Web interface?If so
>>> in which table .I am using the latest Radmin and Radiator version
>>
>> Hello Murat,
>>
>> yes, this is possible. Just add each line as e.g., OSC-Authorize-Group with
>> Radmin. That is, the user should have four OSC-Authorize-Group reply
>> attributes.
>>
>> Then configure your <ServerTACACSPLUS> with
>> AuthorizeGroupAttr OSC-Authorize-Group
>>
>> When you authenticate, the Access-Accept should have:
>> OSC-Authorize-Group = "permit service=shell cmd\* {priv-lvl=6}"
>> OSC-Authorize-Group = "deny service=shell cmd=show cmd-arg=.*"
>> OSC-Authorize-Group = "deny service=shell cmd=ping cmd-arg=.*"
>> OSC-Authorize-Group = "permit .* {}"
>> OSC-Group-Identifier = "group1"
>>
>> Here OSC-Group-Identifier is configured as GroupMemberAttr. This will set
>> 'group1' as the authorization group for the user. During the authorization
>> the OSC-Authorize-Group attribute values are processed first followed by
>> group1 values as defined by AuthorizeGroup configuration options.
>>
>> Thanks,
>> Heikki
>>
>>
>> --
>> Heikki Vatiainen <h...@open.com.au>
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
>> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>> _______________________________________________
>> radiator mailing list
>> radiator@open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>>
>
>
> --
> Heikki Vatiainen <h...@open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS,
> PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full
> source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
--
Heikki Vatiainen <h...@open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server anywhere.
SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside,
TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX,
RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix,
Windows, MacOSX, Solaris, VMS, NetWare etc.
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
