Hi,

I have a customer setup that uses tacacs and command authorization for shell 
users that is failing for the command authorization stage.

This is a new setup.  I have simplified and isolated the issue in my lab.


The cisco is setup as follows:

        aaa authentication login default group tacacs+ local
        aaa authorization console
        aaa authorization exec default group tacacs+ if-authenticated
        aaa authorization commands 1 default group tacacs+ none
        aaa authorization commands 15 default group tacacs+ none

The radiator is configured as follows:

        <ServerTACACSPLUS>
                Key mysecret
                Port 49
                GroupMemberAttr tacacsgroup

                AuthorizeGroup admin permit service=shell cmd\* {priv-lvl=15}
                AuthorizeGroup admin permit .*

                AuthorizeGroup DEFAULT deny .*
        </ServerTACACSPLUS>

        <AuthBy FILE>
                Identifier      Auth-File
                Filename        %D/users-tacacs
        </AuthBy>

        <Handler>
                AuthBy          Auth-File
        </Handler>


and users-tacacs has two users, one with and one without a cisco-avpair:

        test1   User-Password = "test17"
                tacacsgroup=admin

        test2   User-Password = "test17"
                tacacsgroup=admin,
                cisco-avpair=priv-lvl=15

User test1 is working OK, and the cisco logs the following debug output:

        Jul 28 2017 13:57:35 UTC: AAA/AUTHOR/TAC+: (1842491926): user=test1
        Jul 28 2017 13:57:35 UTC: AAA/AUTHOR/TAC+: (1842491926): send AV service=shell
        Jul 28 2017 13:57:35 UTC: AAA/AUTHOR/TAC+: (1842491926): send AV cmd=show
        Jul 28 2017 13:57:35 UTC: AAA/AUTHOR/TAC+: (1842491926): send AV cmd-arg=version
        Jul 28 2017 13:57:35 UTC: AAA/AUTHOR/TAC+: (1842491926): send AV cmd-arg=<cr>
        Jul 28 2017 13:57:35 UTC: AAA/AUTHOR (1842491926): Post authorization status = PASS_ADD

User test2 can login to the cisco but gets authorization failures for every 
command:

        cons1#show ver
        Command authorization failed.

For this, the cisco logs the following debug output:

        Jul 28 2017 13:56:58 UTC: AAA/AUTHOR/TAC+: (2535147160): user=test2
        Jul 28 2017 13:56:58 UTC: AAA/AUTHOR/TAC+: (2535147160): send AV service=shell
        Jul 28 2017 13:56:58 UTC: AAA/AUTHOR/TAC+: (2535147160): send AV cmd=show
        Jul 28 2017 13:56:58 UTC: AAA/AUTHOR/TAC+: (2535147160): send AV cmd-arg=version
        Jul 28 2017 13:56:58 UTC: AAA/AUTHOR/TAC+: (2535147160): send AV cmd-arg=<cr>
        Jul 28 2017 13:56:58 UTC: AAA/AUTHOR (2535147160): Post authorization status = PASS_ADD
        Jul 28 2017 13:56:58 UTC: AAA/AUTHOR/CMD Cannot replace commands


The difference in radiator logging is as follows:


        Fri Jul 28 15:57:35 2017: DEBUG: AuthorizeGroup rule match found: permit .* {  }
        Fri Jul 28 15:57:35 2017: INFO: Authorization permitted for test1 at 192.168.64.40, group admin, args service=shell cmd=show cmd-arg=version cmd-arg=<cr>
        Fri Jul 28 15:57:35 2017: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,


        Fri Jul 28 15:56:58 2017: DEBUG: AuthorizeGroup rule match found: permit .* {  }
        Fri Jul 28 15:56:58 2017: INFO: Authorization permitted for test2 at 192.168.64.40, group admin, args service=shell cmd=show cmd-arg=version cmd-arg=<cr>
        Fri Jul 28 15:56:58 2017: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=15


The issue seems to be that radiator passes the cisco-avpair from authentication 
to each command authorization, which the cisco does not like.

I know this seems to be working as documented in goodies/tacplus.txt:

        # Any cisco-avpair reply items that result from the Radius authentication will be used for
        # TACACS+ authorization..

I have temporarily patched ServerTACACSPLUS.pm to disable passing of reply 
values for later command authorization but am keeping it for the initial login.

How is command authorization supposed to work when the reply items include 
cisco-avpairs?

Greetings
Christian


--
Christian Kratzer                   CK Software GmbH
Email:   c...@cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/
_______________________________________________
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
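Added illustration, not part of Christian's message and not Radiator's or Cisco's code: a small Python model of the TACACS+ authorization REPLY body (RFC 8907, section 6.2) that reproduces the two Radiator responses quoted above, "RESPONSE 1, , ," and "RESPONSE 1, , , priv-lvl=15", and a hypothetical server-side policy (an assumption, not what ServerTACACSPLUS.pm does) that attaches the cisco-avpair reply items only to the exec authorization and answers per-command authorizations with a bare PASS_ADD. The request argument lists are constructed from the "send AV" debug lines and from the `cmd\*` pattern in the AuthorizeGroup rule; the packet header and body obfuscation are left out.

```python
import struct

# TACACS+ authorization REPLY status values (RFC 8907, section 6.2).
# Radiator's "RESPONSE 1, , , priv-lvl=15" line is status 1 (PASS_ADD),
# empty server_msg, empty data and one argument.
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10
TAC_PLUS_AUTHOR_STATUS_ERROR = 0x11

# Constructed request argument lists: the exec request follows the cmd\* pattern
# of the AuthorizeGroup rule, the command request copies the "send AV" debug lines.
EXEC_REQUEST = ["service=shell", "cmd*"]
CMD_REQUEST = ["service=shell", "cmd=show", "cmd-arg=version", "cmd-arg=<cr>"]
LOGIN_REPLY_ITEMS = ["priv-lvl=15"]          # test2's cisco-avpair reply item


def encode_author_reply(status, args=(), server_msg=b"", data=b""):
    """Encode a REPLY body: status, arg_cnt, server_msg len, data len,
    one length byte per arg, then server_msg, data and the args themselves."""
    args = [a.encode("ascii") if isinstance(a, str) else a for a in args]
    if len(args) > 255 or any(len(a) > 255 for a in args):
        raise ValueError("arg_cnt and each arg length are single bytes")
    body = struct.pack("!BBHH", status, len(args), len(server_msg), len(data))
    body += bytes(len(a) for a in args)      # arg_1 len ... arg_N len
    return body + server_msg + data + b"".join(args)


def decode_author_reply(body):
    """Parse a REPLY body back into its fields; rejects truncated or padded input."""
    status, arg_cnt, msg_len, data_len = struct.unpack_from("!BBHH", body, 0)
    off = 6
    arg_lens = body[off:off + arg_cnt]
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated arg length table")
    off += arg_cnt
    server_msg, off = body[off:off + msg_len], off + msg_len
    data, off = body[off:off + data_len], off + data_len
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode("ascii"))
        off += n
    if off != len(body):
        raise ValueError("reply body length does not match the field lengths")
    return {"status": status, "server_msg": server_msg, "data": data, "args": args}


def is_command_authorization(request_args):
    """True for a per-command request (cmd=<name>), false for the exec request (cmd*)."""
    return any(a.startswith("cmd=") and len(a) > len("cmd=") for a in request_args)


def reply_args_for(request_args, login_reply_items):
    """Hypothetical policy (an assumption, not Radiator's behaviour): send the
    cisco-avpair items with the exec authorization only, so a command
    authorization gets a PASS_ADD with nothing for the NAS to apply to the command."""
    if is_command_authorization(request_args):
        return []
    return list(login_reply_items)


def build_reply(request_args, login_reply_items=LOGIN_REPLY_ITEMS):
    """Encode the reply a server following reply_args_for would send."""
    return encode_author_reply(TAC_PLUS_AUTHOR_STATUS_PASS_ADD,
                               reply_args_for(request_args, login_reply_items))


def describe(body):
    """Render a decoded reply in the shape of the Radiator RESPONSE debug line."""
    r = decode_author_reply(body)
    return "RESPONSE %d, %s, %s, %s" % (r["status"], r["server_msg"].decode("ascii"),
                                        r["data"].decode("ascii"), " ".join(r["args"]))


if __name__ == "__main__":
    for name, req in (("exec", EXEC_REQUEST), ("command", CMD_REQUEST)):
        body = build_reply(req)
        print("%-7s %s -> %s (%d bytes)" % (name, " ".join(req), describe(body), len(body)))
```

Run stand-alone it prints the exec reply carrying priv-lvl=15 and the command reply with no arguments; the decoder's length check is there because a reply whose arg length table does not match the bytes that follow is exactly the kind of malformed packet a server should refuse to build or a client to accept.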