Hello,

Sorry for the late response on this, but I think you have a minor fault in your 
configuration.

Try the following

AuthorizeGroup admin permit service=shell cmd\* {priv-lvl=15}
AuthorizeGroup admin permit service=shell cmd= {priv-lvl=15}

This made a major difference on our setup because when cisco tries to 
authenticate/authorize it sends "cmd=<command>" and that is not caught by 
"cmd\*" (for whatever reason). Other devices send "cmd cmd-arg=<command>" and 
that is caught by "cmd\*".

Regards,
Patrik Forsberg

> -----Original Message-----
> From: radiator [mailto:radiator-boun...@lists.open.com.au] On Behalf Of Christian Kratzer
> Sent: 28 July 2017 16:09
> To: radiator@lists.open.com.au
> Subject: [RADIATOR] tacacs on cisco with command authorization results in AAA/AUTHOR/CMD Cannot replace commands
> 
> Hi,
> 
> I have a customer setup that uses tacacs and command authorization for
> shell users that is failing at the command authorization stage.
> 
> This is a new setup.  I have simplified and isolated the issue in my lab.
> 
> 
> The cisco is setup as follows:
> 
>       aaa authentication login default group tacacs+ local
>       aaa authorization console
>       aaa authorization exec default group tacacs+ if-authenticated
>       aaa authorization commands 1 default group tacacs+ none
>       aaa authorization commands 15 default group tacacs+ none
> 
> The radiator is configured as follows:
> 
>       <ServerTACACSPLUS>
>               Key mysecret
>               Port 49
>               GroupMemberAttr tacacsgroup
> 
>               AuthorizeGroup admin permit service=shell cmd\* {priv-lvl=15}
>               AuthorizeGroup admin permit .*
> 
>               AuthorizeGroup DEFAULT deny .*
>       </ServerTACACSPLUS>
> 
>       <AuthBy FILE>
>               Identifier      Auth-File
>               Filename        %D/users-tacacs
>       </AuthBy>
> 
>       <Handler>
>               AuthBy          Auth-File
>       </Handler>
> 
> 
> and users-tacacs has two users, one with and one without a cisco-avpair:
> 
>       test1   User-Password = "test17"
>               tacacsgroup=admin
> 
>       test2   User-Password = "test17"
>               tacacsgroup=admin,
>               cisco-avpair=priv-lvl=15
> 
> User test1 is working OK, and the cisco logs the following debug output:
> 
>       Jul 28 2017 13:57:35 UTC: AAA/AUTHOR/TAC+: (1842491926): user=test1
>       Jul 28 2017 13:57:35 UTC: AAA/AUTHOR/TAC+: (1842491926): send AV service=shell
>       Jul 28 2017 13:57:35 UTC: AAA/AUTHOR/TAC+: (1842491926): send AV cmd=show
>       Jul 28 2017 13:57:35 UTC: AAA/AUTHOR/TAC+: (1842491926): send AV cmd-arg=version
>       Jul 28 2017 13:57:35 UTC: AAA/AUTHOR/TAC+: (1842491926): send AV cmd-arg=<cr>
>       Jul 28 2017 13:57:35 UTC: AAA/AUTHOR (1842491926): Post authorization status = PASS_ADD
> 
> User test2 can login to the cisco but gets authorization failures for every
> command:
> 
>       cons1#show ver
>       Command authorization failed.
> 
> For this, the cisco logs the following debug output:
> 
>       Jul 28 2017 13:56:58 UTC: AAA/AUTHOR/TAC+: (2535147160): user=test2
>       Jul 28 2017 13:56:58 UTC: AAA/AUTHOR/TAC+: (2535147160): send AV service=shell
>       Jul 28 2017 13:56:58 UTC: AAA/AUTHOR/TAC+: (2535147160): send AV cmd=show
>       Jul 28 2017 13:56:58 UTC: AAA/AUTHOR/TAC+: (2535147160): send AV cmd-arg=version
>       Jul 28 2017 13:56:58 UTC: AAA/AUTHOR/TAC+: (2535147160): send AV cmd-arg=<cr>
>       Jul 28 2017 13:56:58 UTC: AAA/AUTHOR (2535147160): Post authorization status = PASS_ADD
>       Jul 28 2017 13:56:58 UTC: AAA/AUTHOR/CMD Cannot replace commands
> 
> 
> The difference in radiator logging is as follows:
> 
> 
>       Fri Jul 28 15:57:35 2017: DEBUG: AuthorizeGroup rule match found: permit .* {  }
>       Fri Jul 28 15:57:35 2017: INFO: Authorization permitted for test1 at 192.168.64.40, group admin, args service=shell cmd=show cmd-arg=version cmd-arg=<cr>
>       Fri Jul 28 15:57:35 2017: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
> 
> 
>       Fri Jul 28 15:56:58 2017: DEBUG: AuthorizeGroup rule match found: permit .* {  }
>       Fri Jul 28 15:56:58 2017: INFO: Authorization permitted for test2 at 192.168.64.40, group admin, args service=shell cmd=show cmd-arg=version cmd-arg=<cr>
>       Fri Jul 28 15:56:58 2017: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=15
> 
> 
> The issue seems to be that radiator passes the cisco-avpair from
> authentication to each command authorization, which the cisco does not like.
> 
> I know this seems to be working as documented in goodies/tacplus.txt:
> 
>       # Any cisco-avpair reply items that result from the Radius authentication will be used for
>       # TACACS+ authorization..
> 
> I have temporarily patched ServerTACACSPLUS.pm to disable passing of reply
> values for later command authorization but am keeping it for the initial 
> login.
> 
> How is command authorization supposed to work when the reply items
> include cisco-avpairs?
> 
> Greetings
> Christian
> 
> 
> --
> Christian Kratzer                   CK Software GmbH
> Email:   c...@cksoft.de               Wildberger Weg 24/2
> Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
> Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
> Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
> Web:     http://www.cksoft.de/
> _______________________________________________
> radiator mailing list
> radiator@lists.open.com.au
> http://lists.open.com.au/mailman/listinfo/radiator
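As an added illustration (not code from either message, nor Radiator's own implementation), a small Python emulation of how a first-match AuthorizeGroup rule list picks a rule for the two kinds of argument strings discussed above, assuming the pattern is applied as a regular expression to the space-joined TACACS+ args. In TACACS+ an `attr=value` pair is mandatory and `attr*value` is optional, so the regex `cmd\*` only matches the literal optional form `cmd*`, never Cisco's `cmd=show`, which is why the original rule set falls through to `permit .* {  }` exactly as the Radiator debug log shows.

```python
import re

# Rule lists reconstructed from the two configurations in the thread:
# (verdict, pattern, reply attributes). First matching rule wins (assumption).
RULES_ORIGINAL = [
    ("permit", r"service=shell cmd\*", {"priv-lvl": "15"}),
    ("permit", r".*", {}),
]
RULES_SUGGESTED = [
    ("permit", r"service=shell cmd\*", {"priv-lvl": "15"}),
    ("permit", r"service=shell cmd=", {"priv-lvl": "15"}),
    ("permit", r".*", {}),
]


def authorize(rules, args):
    """Emulated AuthorizeGroup lookup: match each pattern, as a regex, against
    the space-joined args and return (verdict, pattern, attrs) of the first
    hit, or a deny when nothing matches (the DEFAULT deny .* in the thread)."""
    argstring = " ".join(args)
    for verdict, pattern, attrs in rules:
        if re.search(pattern, argstring):
            return verdict, pattern, attrs
    return "deny", None, {}


# Constructed arg lists. The first mirrors the Cisco debug output in the thread
# (mandatory '=' pairs); the second is the optional-form "cmd*" (empty optional
# value) that the cmd\* pattern actually matches.
CISCO_SHOW_VERSION = ["service=shell", "cmd=show", "cmd-arg=version", "cmd-arg=<cr>"]
OPTIONAL_FORM = ["service=shell", "cmd*"]


def main():
    for name, args in (("cisco", CISCO_SHOW_VERSION), ("optional", OPTIONAL_FORM)):
        for label, rules in (("original", RULES_ORIGINAL), ("suggested", RULES_SUGGESTED)):
            verdict, pattern, attrs = authorize(rules, args)
            print(f"{name:8} {label:9} -> {verdict} {pattern!r} {attrs}")


if __name__ == "__main__":
    main()
```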