On 11/14/2011 06:18 PM, Kim, Steve wrote:

Hello Steve,

> I'm trying to understand why I'm getting "cisco-avpair" during the
> initial authentication as below log.

Those come from the TACACS authentication request message header. See for example http://tools.ietf.org/html/draft-grant-tacacs-02 and section "6.1 Authentication". The cisco-avpair attributes make the priv_lvl and other fields available for authentication request processing. In other words, those attributes are generated by Radiator when it processes the incoming authentication request.

> The user xyz is authenticated via Authby LSA from AD calling this
> handler from ServerTACACSPLUS clause.
>
> My objective is getting priv-lvl=15 and not being successful.

See goodies/tacplus.txt and the discussion about configuring command authorization. If you enable command authorization, the client device should send a TACACS+ authorization request once the authentication has completed successfully. You should start seeing something like this in the Radiator log:

Mon Nov 14 21:46:14 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 0, 2, 0, mikem, 123, testclient, 2, service=shell cmd=*
Mon Nov 14 21:46:14 2011: DEBUG: AuthorizeGroup rule match found: permit service=shell cmd=\* { cisco-avpair=priv-lvl=15 }
Mon Nov 14 21:46:14 2011: INFO: Authorization permitted for mikem at 127.0.0.1, group netadmin, args service=shell cmd=*
Mon Nov 14 21:46:14 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , cisco-avpair=priv-lvl=15

For testing you can also try goodies/tacacsplustest with something like this. First go to the Radiator distribution directory, then run tacacsplustest like this:

perl goodies/tacacsplustest -h
perl goodies/tacacsplustest -trace 4 -noacct -port 4949 -author_args service=shell,cmd=\*

> Here is my radius.cfg:

The config looks good and the AuthorizeGroup lines should start matching once the client device starts sending authorization requests.
Heikki

> <Realm DEFAULT>
>     AcctLogFileName %D/acct.log
>     AuthByPolicy ContinueWhileIgnore
>
>     <AuthBy GROUP>
>         Identifier GetUser
>         AuthByPolicy ContinueUntilAccept
>
>         <AuthBy LSA>
>             Domain abc.def.com
>             Group networking_staff
>             DomainController abcd001
>             EAPType MSCHAP-V2
>             AddToReply tacacsgroup = netadmin
>         </AuthBy>
> </Realm>
>
> <ServerTACACSPLUS>
>     AddToRequest NAS-Identifier=TACACS
>
>     GroupMemberAttr tacacsgroup
>
>     AuthorizationTimeout 600
>     AuthorizeGroup netadmin permit service=shell cmd=\* {cisco-avpair="priv-lvl=15"}
>     AuthorizeGroup netadmin permit .*
>     AuthorizeGroup users permit service=shell cmd\* {priv-lvl=1}
>     AuthorizeGroup guest permit service=shell cmd\* {priv-lvl=0}
>     AuthorizeGroup DEFAULT deny .*
>     BindAddress 0.0.0.0
>     GroupCacheFile %L/radiator-tacacs-usergroup.cache
>     IdleTimeout 180
>     MaxBufferSize 100000
>     PasswordPrompt Password:
>     Port 49
>     SingleSession 1
>     UsernamePrompt Username:
>
>     <Log FILE>
>         Filename %L/tacacs.log
>         Trace 4
>     </Log>
> </ServerTACACSPLUS>
>
> <Handler NAS-Identifier=TACACS>
>     AuthBy GetUser
> </Handler>
>
> LOG:
>
> Mon Nov 14 10:20:53 2011: DEBUG: TACACSPLUS derived Radius request packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: <143><162><7>B<16>wd<228><1><251><28><14>C<234>i9
> Attributes:
>     NAS-IP-Address = xx.xx.xx.142
>     NAS-Port-Id = "tty1"
>     Calling-Station-Id = "xx.xx.xx.1"
>     Service-Type = Login-User
>     NAS-Identifier = "TACACS"
>     User-Name = "xyz"
>     User-Password = **obscured**
>     cisco-avpair = "action=1"
>     cisco-avpair = "authen_type=1"
>     cisco-avpair = "priv-lvl=1"
>     cisco-avpair = "service=1"
>     OSC-Version-Identifier = "192"

-- 
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
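The following is an added example and not Radiator's own code nor anything from the thread above. It models the authorization step the reply describes: the authorization REQUEST log line is split into the fields of a TACACS+ authorization request body (assuming Radiator logs them in the order draft-grant-tacacs-02 lists them: authen_method, priv_lvl, authen_type, authen_service, user, port, rem_addr, arg_cnt, then the args), and the space-joined args are then run through an ordered, first-match-wins rule table built from the AuthorizeGroup lines in the quoted config. The rule table, the fallback to the DEFAULT group when a user's own group has no matching rule, and the `users` pattern written as `cmd=\*` are all assumptions made for the example, not a description of how Radiator evaluates its rules.

```python
import re
from dataclasses import dataclass, field

# Field order of a TACACS+ authorization REQUEST body per draft-grant-tacacs-02
# (assumed to be the order Radiator prints them in its DEBUG line).
REQUEST_FIELDS = ("authen_method", "priv_lvl", "authen_type",
                  "authen_service", "user", "port", "rem_addr", "arg_cnt")

# Constructed sample, copied from the log line shown in the reply above.
SAMPLE_REQUEST_LINE = ("Mon Nov 14 21:46:14 2011: DEBUG: TacacsplusConnection "
                       "Authorization REQUEST 6, 0, 2, 0, mikem, 123, testclient, 2, "
                       "service=shell cmd=*")


def parse_authorization_request(line):
    """Split a Radiator 'Authorization REQUEST' DEBUG line into named fields.

    The fixed fields are comma separated; everything after arg_cnt is the
    argument list, which the log shows space-joined (e.g. 'service=shell cmd=*').
    """
    marker = "Authorization REQUEST "
    body = line[line.index(marker) + len(marker):]
    parts = [p.strip() for p in body.split(", ")]
    fixed, rest = parts[:len(REQUEST_FIELDS)], parts[len(REQUEST_FIELDS):]
    req = dict(zip(REQUEST_FIELDS, fixed))
    req["arg_cnt"] = int(req["arg_cnt"])
    req["args"] = ", ".join(rest)
    return req


@dataclass
class Rule:
    action: str                                  # "permit" or "deny"
    pattern: str                                 # regex tried against the joined args
    reply: dict = field(default_factory=dict)    # attributes returned on permit


# Rule table modelled on the AuthorizeGroup lines in the quoted config (assumption:
# the 'users' pattern is meant as cmd=\*). DEFAULT denies anything not matched.
RULES = {
    "netadmin": [
        Rule("permit", r"service=shell cmd=\*", {"cisco-avpair": "priv-lvl=15"}),
        Rule("permit", r".*"),
    ],
    "users": [
        Rule("permit", r"service=shell cmd=\*", {"priv-lvl": "1"}),
    ],
    "DEFAULT": [
        Rule("deny", r".*"),
    ],
}


def authorize(group, args, rules=RULES):
    """Return (decision, reply_attributes) for a user's group and request args.

    Rules are tried in order and the first match wins. If the group is unknown
    or none of its rules match, the DEFAULT group decides (a modelling choice).
    """
    for g in (group, "DEFAULT"):
        for rule in rules.get(g, []):
            if re.search(rule.pattern, args):
                reply = dict(rule.reply) if rule.action == "permit" else {}
                return rule.action, reply
    return "deny", {}


if __name__ == "__main__":
    req = parse_authorization_request(SAMPLE_REQUEST_LINE)
    print("user=%s args=%r" % (req["user"], req["args"]))
    for group in ("netadmin", "users", "guest"):
        print(group, authorize(group, req["args"]))
```

Run stand-alone, the script shows the netadmin rule handing back `cisco-avpair=priv-lvl=15` for `service=shell cmd=*`, the users rule returning priv-lvl 1, and a group with no rules of its own (guest, in this table) falling through to the DEFAULT deny. Keeping the default-deny rule last and the most specific permit first is what makes the privilege level come out right without accidentally granting it to every shell session.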
