Hello,
I'm trying to understand why I'm getting "cisco-avpair" during the initial
authentication, as shown in the log below.
The user xyz is authenticated via AuthBy LSA from AD, calling this handler from
the ServerTACACSPLUS clause.
My objective is to get priv-lvl=15, but I have not been successful.
Here is my radius.cfg:
<Realm DEFAULT>
    AcctLogFileName %D/acct.log
    AuthByPolicy ContinueWhileIgnore
    <AuthBy GROUP>
        Identifier GetUser
        AuthByPolicy ContinueUntilAccept
        <AuthBy LSA>
            Domain abc.def.com
            Group networking_staff
            DomainController abcd001
            EAPType MSCHAP-V2
            AddToReply tacacsgroup = netadmin
        </AuthBy>
    </AuthBy>
</Realm>
<ServerTACACSPLUS>
    AddToRequest NAS-Identifier=TACACS
    GroupMemberAttr tacacsgroup
    AuthorizationTimeout 600
    AuthorizeGroup netadmin permit service=shell cmd=\* {cisco-avpair="priv-lvl=15"}
    AuthorizeGroup netadmin permit .*
    AuthorizeGroup users permit service=shell cmd\* {priv-lvl=1}
    AuthorizeGroup guest permit service=shell cmd\* {priv-lvl=0}
    AuthorizeGroup DEFAULT deny .*
    BindAddress 0.0.0.0
    GroupCacheFile %L/radiator-tacacs-usergroup.cache
    IdleTimeout 180
    MaxBufferSize 100000
    PasswordPrompt Password:
    Port 49
    SingleSession 1
    UsernamePrompt Username:
    <Log FILE>
        Filename %L/tacacs.log
        Trace 4
    </Log>
</ServerTACACSPLUS>
<Handler NAS-Identifier=TACACS>
    AuthBy GetUser
</Handler>
LOG:
Mon Nov 14 10:20:53 2011: DEBUG: TACACSPLUS derived Radius request packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: <143><162><7>B<16>wd<228><1><251><28><14>C<234>i9
Attributes:
NAS-IP-Address = xx.xx.xx.142
NAS-Port-Id = "tty1"
Calling-Station-Id = "xx.xx.xx.1"
Service-Type = Login-User
NAS-Identifier = "TACACS"
User-Name = "xyz"
User-Password = **obscured**
cisco-avpair = "action=1"
cisco-avpair = "authen_type=1"
cisco-avpair = "priv-lvl=1"
cisco-avpair = "service=1"
OSC-Version-Identifier = "192"
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
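As an added example (not code from the post or from Radiator itself): a small Python parser for the Trace 4 "derived Radius request packet dump" format shown above. It keeps repeated attributes such as cisco-avpair as a list instead of letting the last one overwrite the earlier ones, splits the avpairs into key/value form, and pulls out the priv-lvl the request carried. The sample dump is constructed to match the log's shape, with a documentation IP address in place of the redacted one.

```python
"""Parse a Radiator 'derived Radius request packet dump' into attributes,
keeping repeated attributes (e.g. several cisco-avpair lines) as a list."""
import re

# Constructed sample modelled on the dump in the post; not the poster's real log.
SAMPLE_DUMP = """\
Mon Nov 14 10:20:53 2011: DEBUG: TACACSPLUS derived Radius request packet dump:
Code: Access-Request
Identifier: UNDEF
Attributes:
NAS-IP-Address = 192.0.2.142
NAS-Port-Id = "tty1"
Service-Type = Login-User
NAS-Identifier = "TACACS"
User-Name = "xyz"
User-Password = **obscured**
cisco-avpair = "action=1"
cisco-avpair = "authen_type=1"
cisco-avpair = "priv-lvl=1"
cisco-avpair = "service=1"
"""

def parse_dump(text):
    """Return (code, attrs); attrs maps attribute name -> list of values.
    Surrounding double quotes are stripped; repeated names are all kept."""
    attr_re = re.compile(r'^\s*([A-Za-z0-9_.-]+)\s*=\s*(.*?)\s*$')
    code, attrs, in_attrs = None, {}, False
    for line in text.splitlines():
        if line.startswith('Code:'):
            code = line.split(':', 1)[1].strip()
        elif line.startswith('Attributes:'):
            in_attrs = True          # everything after this header is attributes
        elif in_attrs:
            m = attr_re.match(line)
            if not m:
                continue             # skip blank or unexpected lines
            name, value = m.group(1), m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            attrs.setdefault(name, []).append(value)
    return code, attrs

def avpairs(attrs):
    """Split each cisco-avpair value of the form 'key=value' into a dict."""
    pairs = {}
    for v in attrs.get('cisco-avpair', []):
        key, _, val = v.partition('=')
        pairs[key] = val
    return pairs

def requested_priv_lvl(text):
    """priv-lvl carried in the dump's cisco-avpair attributes as an int, or None."""
    lvl = avpairs(parse_dump(text)[1]).get('priv-lvl')
    return int(lvl) if lvl is not None else None
```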