Hello,
That is rather odd. The setup I sent is what we have in production.
The output is similar to this:
Fri Aug 16 09:12:50 2019 REJECT user=<user> from=<client-ip> nas=<router-ip> client=<calling-ip>
The reason I put %{Request:Calling-Station-Id} in as client is because %c and %N are often the same, as the sender of the request is often the same as the nas-ip
...
I also split the success/failure into different AuthLogs to make it clearer for the reader what it is supposed to show :)
---
Regards,
Patrik Forsberg
From: [email protected] <[email protected]> On Behalf Of [email protected]
Sent: 15 August 2019 16:15
To: Patrik Forsberg <[email protected]>; [email protected]
Subject: RE: [RADIATOR] Radiator TACACS+: How to log authorizations of user commands?
Hello Patrik,
Thanks for the quick reply. We implemented your suggestion like this:
<AuthLog FILE>
    Identifier authlog-tac-file
    Filename %L/auth-tacacs.log
    LogSuccess
    LogFailure
    LogIgnore
    SuccessFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' \
        nas='%N/%{NAS-Identifier}' handler='%{Handler:Identifier}' \
        calling-station='%{Request:Calling-Station-Id}' \
        called-station='%{Called-Station-Id}' result='OK'
    FailureFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' \
        nas='%N/%{NAS-Identifier}' handler='%{Handler:Identifier}' \
        calling-station='%{Request:Calling-Station-Id}' \
        called-station='%{Called-Station-Id}' reason='%1' result='FAIL'
    IgnoreFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' \
        nas='%N/%{NAS-Identifier}' handler='%{Handler:Identifier}' \
        calling-station='%{Request:Calling-Station-Id}' \
        called-station='%{Called-Station-Id}' reason='%1' result='IGNORE'
</AuthLog>
The result is something like this:
Thu Aug 15 11:28:56 2019 trace_id='fdee3200' user='some-user' client='router-ip/' nas='router-ip/TACACS' handler='' calling-station='Radiator_server-ip/protocol' called-station='' result='OK'
So it logs the login attempt, not the TACACS+ authorization request such as "am I allowed to perform 'show ?'".
We found funny results: for a login with the correct username but wrong password, the logs show result='OK', but the logins were denied, due to the user not being added to a Tacacsgroup, so the AuthorizeGroup rules are all failing.
Regards,
Jan Gerrit Kootstra
From: Patrik Forsberg <[email protected]>
Sent: Thursday 15 August 2019 15:37
To: BeheerInfra-OT <[email protected]>; [email protected]
Subject: RE: [RADIATOR] Radiator TACACS+: How to log authorizations of user commands?
Hello,
This is all possible.
Check the goodies directory for tacacsplusserver.cfg and tacplus.txt; they give good hints on how to set this up.
As for success/fail you can use for example
<AuthLog FILE>
    Identifier AuthLogger
    Filename %L/fail-authlog
    LogSuccess 0
    LogFailure 1
    FailureFormat %l REJECT user=%u from=%c nas=%N client=%{Request:Calling-Station-Id}
</AuthLog>
<AuthLog FILE>
    Identifier IdentSuccessAuthLogger
    LogSuccess 1
    LogFailure 0
    Filename %L/success-authlog
    SuccessFormat %l ACCEPT user=%u from=%c nas=%N client=%{Request:Calling-Station-Id}
</AuthLog>
This would create one success logfile and one failure logfile and also pick out the interesting bits.
---
Regards,
Patrik Forsberg
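As an added illustration (not code from either poster or from Radiator itself): a small Python parser for the two AuthLog line layouts exchanged in this thread, the quoted key='value' form with trace_id/user/client/nas/calling-station/result fields and the bare ACCEPT/REJECT user= from= nas= client= form. It normalises both into one dict per line and then counts failures per user and originating address, which is the kind of single-line summary the original question asks for. The sample lines are constructed (addresses, users and trace ids are made up), and the choice to treat the Calling-Station-Id column (calling-station= in one layout, client= in the other) as the real requester is an assumption that follows the reply above about %c and %N often being the same address.

```python
import re
from collections import Counter

# Constructed sample AuthLog lines in the two layouts discussed in the thread.
# Addresses, users and trace ids are made up for this example.
SAMPLE_LOG = """\
Thu Aug 15 11:28:56 2019 trace_id='fdee3200' user='some-user' client='192.0.2.10/' nas='192.0.2.10/TACACS' handler='' calling-station='192.0.2.1/protocol' called-station='' result='OK'
Thu Aug 15 11:29:01 2019 trace_id='fdee3201' user='some-user' client='192.0.2.10/' nas='192.0.2.10/TACACS' handler='' calling-station='192.0.2.1/protocol' called-station='' reason='Bad Password' result='FAIL'
Fri Aug 16 09:12:50 2019 REJECT user=admin from=192.0.2.10 nas=192.0.2.10 client=198.51.100.7
Fri Aug 16 09:12:52 2019 REJECT user=admin from=192.0.2.10 nas=192.0.2.10 client=198.51.100.7
Fri Aug 16 09:12:55 2019 ACCEPT user=admin from=192.0.2.10 nas=192.0.2.10 client=198.51.100.7
"""

# %l expands to a ctime-style timestamp, e.g. "Thu Aug 15 11:28:56 2019".
_TS_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<rest>.*)$"
)
# key='quoted value' (may contain spaces or be empty) or key=bare-value.
_KV_RE = re.compile(r"([\w-]+)=(?:'([^']*)'|(\S*))")


def parse_line(line):
    """Parse one AuthLog line into a dict; return None for unrecognised lines."""
    m = _TS_RE.match(line.strip())
    if m is None:
        return None
    fields = {"timestamp": m.group("ts")}
    rest = m.group("rest")
    # The bare layout starts with an ACCEPT/REJECT token; map it onto the
    # same result values the quoted layout writes, so callers see one schema.
    head, _, tail = rest.partition(" ")
    if head in ("ACCEPT", "REJECT"):
        fields["result"] = "OK" if head == "ACCEPT" else "FAIL"
        rest = tail
    for kv in _KV_RE.finditer(rest):
        key, quoted, bare = kv.group(1), kv.group(2), kv.group(3)
        # An empty quoted value ('') is still a present, empty field.
        fields[key] = quoted if quoted is not None else bare
    return fields


def origin_of(fields):
    """Address of the requester as the thread defines it (assumption):
    the Calling-Station-Id column, which is calling-station= in the quoted
    layout and client= in the bare layout; fall back to from= (the %c value)."""
    return fields.get("calling-station") or fields.get("client") or fields.get("from", "")


def parse_log(text):
    """Parse every recognised line of a log file's text."""
    return [f for f in map(parse_line, text.splitlines()) if f]


def failures_by_origin(text):
    """Count result='FAIL' entries per (user, origin) across the log text."""
    counts = Counter()
    for f in parse_log(text):
        if f.get("result") == "FAIL":
            counts[(f.get("user", ""), origin_of(f))] += 1
    return counts


if __name__ == "__main__":
    for f in parse_log(SAMPLE_LOG):
        print(f["timestamp"], f.get("user"), origin_of(f), f.get("result"))
    for (user, origin), n in failures_by_origin(SAMPLE_LOG).items():
        print(f"{n} failure(s) for user={user} from {origin}")
```

Run against the two AuthLog files from the configuration above (or the single combined file), the failure counter gives the per-user, per-origin view without reading the full radiator.log session trace; feeding it the success log as well lets you pair the result='OK' entries with the preceding failures for the same user and origin.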
From: radiator <[email protected]> On Behalf Of [email protected]
Sent: 15 August 2019 14:29
To: [email protected]
Subject: [RADIATOR] Radiator TACACS+: How to log authorizations of user commands?
Hello fellow Radiator AAA users,
We would like to set up logging of TACACS+ command authorization. We were only able to find Authentication and Accounting logging examples.
Authentication successes and failures in a single-line log entry would be a great feature, instead of having to re-read a complete user session in /var/log/radiator/radiator.log to find out which commands were used.
Regards,
Jan Gerrit Kootstra
On behalf of KPN ACN Present BeheerInfra Services.
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator