Hello Patrick and Hugh,

Sorry for the late reply. I was on a short vacation.

What I miss in the examples that you gave is the capture of the Cisco IOS 
commands in the authorization logging.


Regards,


Jan Gerrit

--- Begin Message ---
Hello Patrick, Hello Jan -

Nice to hear from both of you - I’ve known Patrick for *many* years, and I did a 
consulting job for KPN *many* years ago.

Radiator by default uses an in-memory session database which you can use to get 
started.

However, as Patrick says, to be most useful you would typically use an SQL 
session database.

If you can give me a bit more detail I’ll try to make some suggestions.

regards

Hugh


> On 15 Aug 2019, at 23:34, Patrik Forsberg <[email protected]> wrote:
> 
> Hello,
> I’d probably go for using a session database to keep track of where people 
> are logged in and then also be able to limit the number of sessions per device.
> The problem is to find something good to track sessions on... here I failed 
> and simply ignored the feature and use the devices' own limitation features.
>  
> Check the manual for session database feature.
>  
> ---
> Regards,
> Patrik Forsberg
>  
> From: radiator <[email protected]> On Behalf Of 
> [email protected]
> Sent: 15 August 2019 14:21
> To: [email protected]
> Subject: [RADIATOR] Radiator/Tacacs+ related question: How to manage the 
> number of sessions to a specific device?
>  
> Dear fellow Radiator users,
> 
> 
> A short intro for those who do not know my team. We work for a Telco called 
> KPN in the Netherlands and we are new to Radiator and are setting up Radiator 
> for various AAA solutions. Some other teams in our company mainly use 
> Radiator for Radius AAA.
> 
> While setting up Radiator for TACACS+ AAA, one of the projected user groups 
> requests us to limit the number of user sessions to their devices. Currently 
> we use <Auth by File>.
> Do you know a way to set it up?
> 
> We are not familiar with the use of <Auth by SQL>, so it is not yet a way for 
> us to go; if it can be postponed, that would be nice.
>  
> 
> Regards,
> 
> 
> ir. Jan Gerrit Kootstra 
> On behalf of KPN ACN Present BeheerInfra Services
> _______________________________________________
> radiator mailing list
> [email protected]
> https://lists.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
[email protected]

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc. 
Full source on Unix, Linux, Windows, macOS, Solaris, VMS, NetWare etc.


--- End Message ---
--- Begin Message ---
Hello,
That is rather odd... the setup I sent is what we have in production.
The output is similar to this:
Fri Aug 16 09:12:50 2019 REJECT user=<user> from=<client-ip> nas=<router-ip> client=<calling-ip>

The reason I put %{Request:Calling-Station-Id} in as client is because %c and %N 
are often the same, as the sender of the request is often the same as the nas-ip 
...
I also split the success/failure into different AuthLog to make it clearer for 
the reader what it is supposed to show :)

---
Regards,
Patrik Forsberg

From: [email protected] <[email protected]> On Behalf Of 
[email protected]
Sent: 15 August 2019 16:15
To: Patrik Forsberg <[email protected]>; [email protected]
Subject: RE: [RADIATOR] Radiator TACACS+: How to log authorizations of user commands?

Hello Patrick,


Thanks for the quick reply; we implemented your suggestion like this:

<AuthLog FILE>
    Identifier authlog-tac-file

    Filename %L/auth-tacacs.log
    LogSuccess
    LogFailure
    LogIgnore

    SuccessFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' \
                  handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' \
                  called-station='%{Called-Station-Id}' result='OK'
    FailureFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' \
                  handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' \
                  called-station='%{Called-Station-Id}' reason='%1' result='FAIL'
    IgnoreFormat  %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' \
                  handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' \
                  called-station='%{Called-Station-Id}' reason='%1' result='IGNORE'
</AuthLog>

The result is something like this:
    Thu Aug 15 11:28:56 2019 trace_id='fdee3200' user='some-user' client='router-ip/' nas='router-ip/TACACS' handler='' calling-station='Radiator_server-ip/protocol' called-station='' result='OK'

So it logs the login attempt, not the tacacs authorization request like: am I 
allowed to perform “show ?”
We found funny results: for a login with the correct username but wrong password 
the logs show result='OK', but the logins were denied, due to the user not 
being added to a Tacacsgroup, so the AuthorizeGroup rules are all failing.


Regards,


Jan Gerrit Kootstra
From: Patrik Forsberg <[email protected]>
Sent: Thursday 15 August 2019 15:37
To: BeheerInfra-OT <[email protected]>; [email protected]
Subject: RE: [RADIATOR] Radiator TACACS+: How to log authorizations of user commands?

Hello,
This is all possible.
Check the goodies directory for
tacacsplusserver.cfg
tacplus.txt

They give good hints on how to set this up.

As for success/fail you can use for example
        <AuthLog FILE>
                Identifier      AuthLogger
                Filename        %L/fail-authlog
                LogSuccess      0
                LogFailure      1
                FailureFormat   %l REJECT user=%u from=%c nas=%N client=%{Request:Calling-Station-Id}
        </AuthLog>
        <AuthLog FILE>
                Identifier      IdentSuccessAuthLogger
                LogSuccess      1
                LogFailure      0
                Filename        %L/success-authlog
                SuccessFormat   %l ACCEPT user=%u from=%c nas=%N client=%{Request:Calling-Station-Id}
        </AuthLog>

Which would create one success logfile and one failure logfile and also pick 
out the interesting bits ..


---
Regards,
Patrik Forsberg

From: radiator <[email protected]> On Behalf Of [email protected]
Sent: 15 August 2019 14:29
To: [email protected]
Subject: [RADIATOR] Radiator TACACS+: How to log authorizations of user commands?

Hello fellow Radiator AAA users,


We would like to set up logging of Tacacs+ command authorization. We were only able to 
find Authentication and Accounting logging examples.
Authentication successes and failures in a single-line log entry would be a 
great feature, instead of having to re-read a complete user session in 
/var/log/radiator/radiator.log to find out which commands were used.

Regards,


Jan Gerrit Kootstra
On behalf of KPN ACN Present BeheerInfra Services.



--- End Message ---
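The AuthLog lines discussed in this thread only help if something reads them, and as Jan notes a result='OK' there records a successful login, not a successful command authorization. The following Python script is an added example, not part of the thread or of Radiator: it parses lines in the SuccessFormat/FailureFormat layout Jan posted (the %l timestamp followed by key='value' pairs), takes the real source from the Calling-Station-Id as Patrik explains, and flags sources with repeated failures. The log lines, addresses and user names are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the SuccessFormat/FailureFormat layout from the thread
SAMPLE_LOG = """\
Thu Aug 15 11:28:56 2019 trace_id='fdee3200' user='alice' client='10.0.0.5/' nas='10.0.0.5/TACACS' handler='' calling-station='192.0.2.10/ssh' called-station='' result='OK'
Thu Aug 15 11:29:01 2019 trace_id='fdee3201' user='bob' client='10.0.0.5/' nas='10.0.0.5/TACACS' handler='' calling-station='198.51.100.7/ssh' called-station='' reason='Bad Password' result='FAIL'
Thu Aug 15 11:29:04 2019 trace_id='fdee3202' user='bob' client='10.0.0.5/' nas='10.0.0.5/TACACS' handler='' calling-station='198.51.100.7/ssh' called-station='' reason='Bad Password' result='FAIL'
Thu Aug 15 11:29:08 2019 trace_id='fdee3203' user='root' client='10.0.0.5/' nas='10.0.0.5/TACACS' handler='' calling-station='198.51.100.7/ssh' called-station='' reason='No such user' result='FAIL'
Thu Aug 15 11:30:00 2019 trace_id='fdee3204' user='carol' client='10.0.0.6/' nas='10.0.0.6/TACACS' handler='' calling-station='192.0.2.11/ssh' called-station='' reason='' result='IGNORE'
"""

# %l expands to a ctime-style timestamp such as "Thu Aug 15 11:28:56 2019"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<fields>.*)$")
FIELD_RE = re.compile(r"([\w-]+)='([^']*)'")

def parse_authlog(text):
    """Turn AuthLog lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = dict(FIELD_RE.findall(m.group("fields")))
        rec["ts"] = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
        # calling-station holds the real source as ip/protocol; %c and %N are the router
        rec["source"] = rec.get("calling-station", "").split("/")[0]
        records.append(rec)
    return records

def results_by_user(records):
    """Count OK/FAIL/IGNORE per user; OK means authentication only, not command authorization."""
    return Counter((r.get("user"), r.get("result")) for r in records)

def noisy_sources(records, max_failures=2, window_seconds=300):
    """Sources with more than max_failures FAIL results inside any window_seconds span."""
    fails = defaultdict(list)
    for r in records:
        if r.get("result") == "FAIL":
            fails[r["source"]].append(r["ts"])
    flagged = {}
    for src, times in fails.items():
        times.sort()
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if (t - t0).total_seconds() <= window_seconds)
            if n > max_failures:
                flagged[src] = n
                break
    return flagged
```

Feeding the real auth-tacacs.log to parse_authlog and checking noisy_sources on a schedule gives the single-line view the thread asks for, without re-reading radiator.log.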