I have a problem with TACACS+ command authorisation.

If I add an attribute to the authentication reply as shown below, it seems that 
it is also added to the authorisation reply (see the RESPONSE line). This creates a 
problem on the Cisco router and the command is denied. Is this a bug?

Thank you
Markus

<Handler Service-Type=Administrative-User>
   AuthByPolicy ContinueUntilAccept
   AuthBy Users
   AuthLog LogAuthentication
   AddToReply cisco-avpair="priv-lvl=15"
</Handler>


Code:       Access-Accept
Identifier: UNDEF
Authentic:  <217><2><221>F<29><240><4>w<208>(<242>^<4>W:/
Attributes:
        cisco-avpair = "priv-lvl=15"

Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection result Access-Accept
Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection disconnected from 10.10.10.10:37060
Sun Oct 17 12:33:09 2010: DEBUG: New TacacsplusConnection created for 10.10.10.10:37061
Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 4287547660, 88
Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, xxx, tty1, 10.20.1.1, 4, service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
Sun Oct 17 12:33:09 2010: DEBUG: AuthorizeGroup rule match found: permit service=shell {  }
Sun Oct 17 12:33:09 2010: INFO: Authorization permitted for xxx, group test, args service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=15
Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection disconnected from 10.10.10.10:37061

_______________________________________________
radiator mailing list
http://www.open.com.au/mailman/listinfo/radiator
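The symptom in the post (a reply attribute intended for the authentication exchange showing up in a per-command authorization RESPONSE) is the kind of thing worth catching in logs rather than on the router. The following is an added example, not Radiator's code or anything from the list: a small Python auditor that pairs Radiator's `Authorization REQUEST` and `Authorization RESPONSE` debug lines and reports any passing response to a per-command authorization (a request whose `cmd=` has a value) that carries attributes. The sample log is constructed from the lines in the post, with the mail wrapping undone, plus one constructed exec (session) authorization where `priv-lvl=15` in the response is expected and is therefore not flagged. The regexes assume the field order seen in the post; the status values 1 (PASS_ADD) and 2 (PASS_REPL) are from RFC 8907. Treating any returned attribute on a per-command authorization as suspicious is an assumption; adjust it to what your devices accept.

```python
"""Audit Radiator TACACS+ debug output for attributes returned on per-command
authorization responses.  Added example; not Radiator's own code."""
import re
from dataclasses import dataclass

# Constructed sample: the post's debug lines (wrapping undone) plus one
# constructed session/exec authorization (cmd= with no value) for contrast.
SAMPLE_LOG = """\
Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, xxx, tty1, 10.20.1.1, 4, service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
Sun Oct 17 12:33:09 2010: INFO: Authorization permitted for xxx, group test, args service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=15
Sun Oct 17 12:34:00 2010: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, alice, tty1, 10.20.1.1, 2, service=shell cmd=
Sun Oct 17 12:34:00 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=15
"""

# Field order assumed from the post: four numeric header fields, the user,
# three more fields (port, remote address, argument count), then the args.
REQUEST_RE = re.compile(
    r"Authorization REQUEST (?:[^,]*, ){4}(?P<user>[^,]*), (?:[^,]*, ){3}(?P<args>.*)$")
# Response: status, two text fields (empty in the post), then the returned args.
RESPONSE_RE = re.compile(
    r"Authorization RESPONSE (?P<status>\d+), [^,]*, [^,]*, (?P<args>.*)$")

# TACACS+ authorization status values (RFC 8907 section 6.2).
PASS_ADD, PASS_REPL = 1, 2
PASS_STATUSES = {PASS_ADD, PASS_REPL}


@dataclass
class Finding:
    user: str
    command: str
    status: int
    attrs: list


def parse_args(text):
    """Split 'k=v k2=v2 ...' into (key, value) pairs, keeping repeated keys in
    order.  Values containing whitespace are not expected in this format."""
    pairs = []
    for token in text.split():
        key, sep, value = token.partition("=")
        if sep:
            pairs.append((key, value))
    return pairs


def command_of(pairs):
    """Rebuild the command from cmd= and the cmd-arg= values, dropping the
    <cr> end marker.  Returns '' for a session/exec authorization (cmd= with
    no value), which is not a per-command request."""
    cmd = next((v for k, v in pairs if k == "cmd"), "")
    if not cmd:
        return ""
    args = [v for k, v in pairs if k == "cmd-arg" and v != "<cr>"]
    return " ".join([cmd] + args)


def audit_log(log_text):
    """Pair each REQUEST with the RESPONSE that follows it and flag passing
    per-command responses that carry attributes."""
    findings = []
    pending = None
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            pending = (m.group("user"), command_of(parse_args(m.group("args"))))
            continue
        m = RESPONSE_RE.search(line)
        if m and pending is not None:
            user, command = pending
            pending = None
            status = int(m.group("status"))
            attrs = m.group("args").split()
            if command and status in PASS_STATUSES and attrs:
                findings.append(Finding(user, command, status, attrs))
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"user={f.user!r} command={f.command!r} status={f.status} attrs={f.attrs}")
```

Run against the sample it reports the `show running-config` authorization for `xxx` with `priv-lvl=15` attached and stays quiet on the exec authorization, which is the distinction the router cares about. Pointing it at a live Radiator trace (`Trace 4`) gives a quick way to confirm whether a handler change has stopped the leak before anyone is locked out of a command.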
