Apologies. I didn't read it correctly. Thank you
Markus

----- Original Message -----
From: "Hugh Irvine" <[email protected]>
To: "Markus Moeller" <[email protected]>
Cc: <[email protected]>
Sent: Sunday, October 17, 2010 11:42 PM
Subject: Re: [RADIATOR] TACACS+ authorisation problem

Hello Markus -

From section 5.86 in the manual:

....
Incoming TACACS+ authorization requests are approved subject to any Command-Auth parameters, and any cisco-avpair reply items from the previous authentication RADIUS Access-Accept are used as authorization attribute-value pairs.
....

Perhaps I am not understanding what you are wanting?

regards

Hugh

On 18 Oct 2010, at 09:07, Markus Moeller wrote:

> Sorry Hugh,
>
> I may have not been clear. As far as I understood a line like:
>
>     AuthorizeGroup group1 permit service=shell {cisco-avpair="priv-lvl=12"}
>
> would add priv-lvl=12 to the authorization reply and I agree with that.
>
> But would a handler like:
>
>     <Handler Service-Type=Administrative-User>
>         AuthByPolicy ContinueUntilAccept
>         AuthBy Users
>         AuthLog LogAuthentication
>         AddToReply cisco-avpair="priv-lvl=12"
>     </Handler>
>
> mean that all authentication AND authorization replies have priv-lvl=12 in their reply? That is what I see and not expect and can't see in the documentation.
>
> Markus
>
> ----- Original Message -----
> From: "Hugh Irvine" <[email protected]>
> To: "Markus Moeller" <[email protected]>
> Cc: <[email protected]>
> Sent: Sunday, October 17, 2010 10:13 PM
> Subject: Re: [RADIATOR] TACACS+ authorisation problem
>
> Hello Markus -
>
> Radiator is operating as intended.
>
> See section 5.86 in the Radiator 4.7 reference manual ("doc/ref.pdf").
>
> regards
>
> Hugh
>
> On 18 Oct 2010, at 07:27, Markus Moeller wrote:
>
>> With bug I mean is it intended to add the av pair to the authorisation exchange? I would have thought this would be only done as part of the authorisation group command
>>
>> Thank you
>> Markus
>>
>> ----- Original Message -----
>> From: Markus Moeller
>> To: [email protected]
>> Sent: Sunday, October 17, 2010 1:35 PM
>> Subject: [RADIATOR] TACACS+ authorisation problem
>>
>> I have a problem with TACACS+ command authorisation.
>>
>> If I add an attribute to the authentication reply as shown below it seems that it is also added to the authorisation reply (see RESPONSE line). This creates a problem on the cisco router and the command is denied. Is this a bug?
>>
>> Thank you
>> Markus
>>
>>     <Handler Service-Type=Administrative-User>
>>         AuthByPolicy ContinueUntilAccept
>>         AuthBy Users
>>         AuthLog LogAuthentication
>>         AddToReply cisco-avpair="priv-lvl=15"
>>     </Handler>
>>
>>     Code:       Access-Accept
>>     Identifier: UNDEF
>>     Authentic:  <217><2><221>F<29><240><4>w<208>(<242>^<4>W:/
>>     Attributes:
>>         cisco-avpair = "priv-lvl=15"
>>
>>     Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection result Access-Accept
>>     Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
>>     Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection disconnected from 10.10.10.10:37060
>>     Sun Oct 17 12:33:09 2010: DEBUG: New TacacsplusConnection created for 10.10.10.10:37061
>>     Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 4287547660, 88
>>     Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, xxx, tty1, 10.20.1.1, 4, service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
>>     Sun Oct 17 12:33:09 2010: DEBUG: AuthorizeGroup rule match found: permit service=shell { }
>>     Sun Oct 17 12:33:09 2010: INFO: Authorization permitted for xxx, group test, args service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
>>     Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=15
>>     Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection disconnected from 10.10.10.10:37061
>>
>> _______________________________________________
>> radiator mailing list
>> [email protected]
>> http://www.open.com.au/mailman/listinfo/radiator
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X. Includes support for reliable RADIUS transport (RadSec), and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
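Added example, not part of the thread and not Radiator code: a small Python audit over trace 4 lines that flags authorization RESPONSEs carrying AV pairs the matched AuthorizeGroup rule did not grant, which per section 5.86 means they were inherited from the authentication Access-Accept (the AddToReply case above). The sample lines are constructed from the ones Markus quoted, and the field layout of the REQUEST/RESPONSE lines (AV pairs in the last comma-separated field) is assumed from that output.

```python
import re

# Constructed sample, transcribed from the trace 4 lines quoted in the thread.
LEAKING_TRACE = """\
Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection result Access-Accept
Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, xxx, tty1, 10.20.1.1, 4, service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
Sun Oct 17 12:33:09 2010: DEBUG: AuthorizeGroup rule match found: permit service=shell { }
Sun Oct 17 12:33:09 2010: INFO: Authorization permitted for xxx, group test, args service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=15
"""

# Constructed variant: the pair is granted by the AuthorizeGroup rule itself
# (the form Markus agreed with), so its presence in the RESPONSE is expected.
RULE_TRACE = LEAKING_TRACE.replace(
    'permit service=shell { }', 'permit service=shell {cisco-avpair="priv-lvl=15"}')

# Line shapes assumed from the quoted output; AV pairs sit in the last field.
REQUEST_RE = re.compile(r'^(?P<ts>.+?): DEBUG: TacacsplusConnection Authorization REQUEST (?P<fields>.*)$')
RULE_RE = re.compile(r'AuthorizeGroup rule match found: .*\{(?P<body>.*)\}')
RESPONSE_RE = re.compile(r'TacacsplusConnection Authorization RESPONSE (?P<fields>.*)$')
AVPAIR_RE = re.compile(r'[\w-]+=[^\s{}]+')

def avpairs(text):
    """Set of attr=value tokens in text; a cisco-avpair="a=b" wrapper
    (the AuthorizeGroup rule form) is unwrapped to a=b first."""
    text = re.sub(r'cisco-avpair="([^"]*)"', r'\1', text)
    return set(AVPAIR_RE.findall(text))

def audit_trace(trace):
    """Pair each Authorization REQUEST with its rule match and RESPONSE and
    report RESPONSE pairs the rule did not grant (inherited from the
    authentication reply). 'command_auth' marks cmd= requests, the case
    where an unexpected priv-lvl made the router deny the command."""
    findings = []
    request, rule_pairs = None, set()
    for line in trace.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            request, rule_pairs = m, set()   # new exchange; no rule seen yet
            continue
        m = RULE_RE.search(line)
        if m and request is not None:
            rule_pairs = avpairs(m.group('body'))
            continue
        m = RESPONSE_RE.search(line)
        if m and request is not None:
            req_pairs = avpairs(request.group('fields'))
            inherited = avpairs(m.group('fields')) - rule_pairs
            if inherited:
                findings.append({'time': request.group('ts'),
                                 'command_auth': any(p.startswith('cmd=') for p in req_pairs),
                                 'request': sorted(req_pairs),
                                 'inherited': sorted(inherited)})
            request = None
    return findings
```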
