On 28.7.2017 17.09, Christian Kratzer wrote:

The issue seems to be that radiator passes the cisco-avpair from authentication to each command authorization which the cisco does not like.

I know this seems to be working as documented in goodies/tacplus.txt

# Any cisco-avpair reply items that result from the Radius authentication will be used for
# TACACS+ authorization..

I have temporarily patched ServerTACACSPLUS.pm to disable passing of reply values for later command authorization but am keeping it for the initial login.

How is command authorization supposed to work when the reply items include cisco-avpairs?

I'd say your configuration does not need cisco-avpair attributes received with authentication accept. If you only had 'aaa authorization exec ...' configured on cisco, then the reply avpair could set the privilege level, but the other command authorisation seems to break in that case.

The parameter below should already set the enable level after the login and the cisco-avpair for test2 user is not needed. This is the authorisation that happens immediately after login.

   AuthorizeGroup admin permit service=shell cmd\* {priv-lvl=15}

Also, login does not need cisco-avpair, so if everything can be handled with AuthorizeGroup, then there is no need to return cisco-avpair attributes during authentication.

Note that I did not test it with cisco this time but if I remember correctly the above is how it goes.

In other words, the returned cisco-avpair could be useful when exec authorisation is configured but not with full command authorisation.

Also, the documented functionality has been part of ServerTACACSPLUS since its first versions, so it might have been more useful then but not that useful anymore when AuthorizeGroup is available.

Thanks,
Heikki

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
_______________________________________________
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
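An added illustration, not taken from this thread or from Radiator's own goodies files: a ServerTACACSPLUS clause that expresses the privilege split with AuthorizeGroup alone, so the RADIUS authentication reply does not need to carry cisco-avpair items at all. The group names admin and DEFAULT, the Key value and the show-command pattern are assumptions for illustration; the exact string that AuthorizeGroup regexps are matched against should be checked in the reference manual for your Radiator version.

```conf
<ServerTACACSPLUS>
    # Shared secret with the Cisco devices (placeholder value)
    Key CHANGE-ME-shared-secret

    # Group "admin" (assumed group name): the exec-start authorization
    # (service=shell cmd*) returns privilege level 15, and every later
    # per-command authorization request is permitted.
    AuthorizeGroup admin permit service=shell cmd\* {priv-lvl=15}
    AuthorizeGroup admin permit .*

    # Everyone else: unprivileged exec level, read-only "show" commands,
    # and an explicit deny for any other command (deny-by-default).
    AuthorizeGroup DEFAULT permit service=shell cmd\* {priv-lvl=1}
    AuthorizeGroup DEFAULT permit service=shell cmd=show.*
    AuthorizeGroup DEFAULT deny .*
</ServerTACACSPLUS>
```

Because the privilege level is set by the cmd\* rule and commands are decided rule by rule, nothing from the authentication reply has to be replayed into later command authorizations, which is the behaviour the original poster had to patch out.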