Well... it did not work. The user gets level-1 permission. Here is the initial
TACACS+ log.

Tue Nov 15 11:14:19 2011: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for , tty1, xxx.xxx.11.1
Tue Nov 15 11:14:19 2011: DEBUG: TacacsplusConnection Authentication REPLY 4, 0, Username:,
Tue Nov 15 11:14:22 2011: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 128798430, 13
Tue Nov 15 11:14:22 2011: DEBUG: TacacsplusConnection Authentication CONTINUE 0, connolly,
Tue Nov 15 11:14:22 2011: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password:,
Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 128798430, 16
Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authentication CONTINUE 0, **obscured**,
Tue Nov 15 11:14:25 2011: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <200><26>*LJ<161><170><214><169>'U<180><192><253><24><253>
Attributes:
        NAS-IP-Address = xxx.xxx.11.242
        NAS-Port-Id = "tty1"
        Calling-Station-Id = "xxx.xxx.11.1"
        Service-Type = Login-User
        NAS-Identifier = "TACACS"
        User-Name = "connolly"
        User-Password = **obscured**
        cisco-avpair = "action=1"
        cisco-avpair = "authen_type=1"
        cisco-avpair = "priv-lvl=1"
        cisco-avpair = "service=1"
        OSC-Version-Identifier = "192"

Tue Nov 15 11:14:25 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Tue Nov 15 11:14:25 2011: DEBUG:  Deleting session for connolly, xxx.xxx.11.242,
Tue Nov 15 11:14:25 2011: DEBUG: Handling with Radius::AuthGROUP: GetUser
Tue Nov 15 11:14:25 2011: DEBUG: Handling with Radius::AuthLSA:
Tue Nov 15 11:14:25 2011: DEBUG: Radius::AuthLSA looks for match with connolly [connolly]
Tue Nov 15 11:14:25 2011: DEBUG: Checking LSA Group membership for dcny001, networking_staff, connolly
Tue Nov 15 11:14:25 2011: DEBUG: Radius::AuthLSA ACCEPT: : connolly [connolly]
Tue Nov 15 11:14:25 2011: DEBUG: Radius::AuthGROUP:GetUser  result: ACCEPT, 
Tue Nov 15 11:14:25 2011: DEBUG: AuthBy GROUP result: ACCEPT, 
Tue Nov 15 11:14:25 2011: DEBUG: Access accepted for connolly
Tue Nov 15 11:14:25 2011: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  <200><26>*LJ<161><170><214><169>'U<180><192><253><24><253>
Attributes:
        tacacsgroup = netadmin

Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection result Access-Accept
Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:46059
Tue Nov 15 11:14:25 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:34694
Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 1978405596, 51
Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd*
Tue Nov 15 11:14:25 2011: DEBUG: AuthorizeGroup rule match found: permit .* {  }
Tue Nov 15 11:14:25 2011: INFO: Authorization permitted for connolly at xxx.xxx.11.242, group netadmin, args service=shell cmd*
Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:34694
Tue Nov 15 11:16:07 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:62601
Tue Nov 15 11:16:07 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 2743768762, 68
Tue Nov 15 11:16:07 2011: DEBUG: TacacsplusConnection Authorization REQUEST 1, 0, 1, 0, connolly, tty1, xxx.xxx.11.1, 3, service=shell cmd=exit cmd-arg=<cr>
Tue Nov 15 11:16:07 2011: DEBUG: AuthorizeGroup rule match found: permit .* {  }
Tue Nov 15 11:16:07 2011: INFO: Authorization permitted for connolly at xxx.xxx.11.242, group netadmin, args service=shell cmd=exit cmd-arg=<cr>
Tue Nov 15 11:16:07 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
Tue Nov 15 11:16:07 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:62601

-----Original Message-----
From: Heikki Vatiainen [mailto:[email protected]] 
Sent: Tuesday, November 15, 2011 10:52 AM
To: Kim, Steve
Cc: [email protected]
Subject: Re: [RADIATOR] Radiator 4.9 and cisco-avpair

On 11/15/2011 05:42 PM, Kim, Steve wrote:

Hmm, let's see now. The first authorization request is this:

Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd*

The request should be matched by this AuthorizeGroup:

AuthorizeGroup netadmin permit service=shell cmd=\* {cisco-avpair="priv-lvl=15"}



Your previous message had this:
09:42:02 2011: DEBUG: TacacsplusConnection Authorization REQUEST 1, 1, 1, 0, connolly, tty1, xxx.xxx.11.1, 4, service=shell cmd=connect cmd-arg=exitr cmd-arg=<cr>

That would have matched by this:

AuthorizeGroup netadmin permit service=shell cmd=connect cmd-arg=exitr cmd-arg=<cr> {cisco-avpair="priv-lvl=15"}

Taking a better look at this, this is just a command with a typo (exitr), so what
you should have is:

AuthorizeGroup netadmin permit service=shell cmd=\* {cisco-avpair="priv-lvl=15"}
AuthorizeGroup netadmin permit .*


If it will not work, please reply with a log that shows the initial
TACACS+ authentication and the authorization that follows.

Thanks!
Heikki


_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
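An added example, written by the editor and not taken from Radiator or from either poster, that models how the AuthorizeGroup rules in this thread select a reply. The model assumes what the log line `AuthorizeGroup rule match found: permit .* {  }` suggests: the rules for the user's tacacsgroup are tried in configuration order, each pattern is treated as a regular expression searched for in the space-joined argument string of the TACACS+ authorization request, and the first hit decides. Under that assumption the suggested first rule, `service=shell cmd=\*`, is a literal match for the text `cmd=*`, which does not occur in the exec authorization logged above (`service=shell cmd*`, an optional `cmd` with an empty value), so the request falls through to `permit .*`, which carries no attributes, and the NAS keeps its default exec level 1, which is what the log shows. The `CORRECTED` rule set is the editor's assumed alternative, not from the thread: its first pattern matches `cmd*` as sent, and the catch-all is narrowed to `service=shell cmd=.*` so that anything else is denied instead of silently permitted. The argument strings are copied from the log above; the group name `guest` and the `service=ppp` request are constructed for the negative cases.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Editor's model, not Radiator source. Assumption: rules for the user's group
# are tried in configuration order, each pattern is a regex searched for in
# the space-joined TACACS+ argument string, and the first hit decides.


class Rule(NamedTuple):
    group: str             # tacacsgroup the rule applies to
    action: str            # "permit" or "deny"
    pattern: str           # regex tested against the request arguments
    attrs: Dict[str, str]  # attributes returned to the NAS on permit


RULE_RE = re.compile(
    r'^AuthorizeGroup\s+(\S+)\s+(permit|deny)\s+(.*?)\s*(?:\{(.*)\})?\s*$')
ATTR_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')


def parse_rule(line: str) -> Rule:
    """Parse 'AuthorizeGroup <group> <permit|deny> <regex> [{name="value" ...}]'."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an AuthorizeGroup line: {line!r}")
    group, action, pattern, attr_text = m.groups()
    attrs = {name: quoted or bare
             for name, quoted, bare in ATTR_RE.findall(attr_text or "")}
    return Rule(group, action, pattern, attrs)


def authorize(rules: List[Rule], group: str, args: str) -> Optional[Rule]:
    """First rule for this group whose pattern is found in args, else None."""
    for rule in rules:
        if rule.group == group and re.search(rule.pattern, args):
            return rule
    return None


def decide(rules: List[Rule], group: str, args: str) -> Tuple[str, Dict[str, str]]:
    """('permit', attrs) or ('deny', {}); no matching rule is treated as deny."""
    rule = authorize(rules, group, args)
    if rule is None or rule.action == "deny":
        return ("deny", {})
    return ("permit", dict(rule.attrs))


# Argument strings as Radiator logged them in this thread: the exec
# authorization at login, then the "exit" command.
EXEC_START = "service=shell cmd*"
EXIT_CMD = "service=shell cmd=exit cmd-arg=<cr>"

# The two rules proposed in the reply quoted in this thread, in that order.
SUGGESTED = [parse_rule(l) for l in (
    r'AuthorizeGroup netadmin permit service=shell cmd=\* {cisco-avpair="priv-lvl=15"}',
    r'AuthorizeGroup netadmin permit .*',
)]

# Assumed alternative (editor's, not from the thread): the first pattern is a
# literal match for "cmd*", the text the NAS actually sent, and the catch-all
# is narrowed so that anything that is not a shell command is denied.
CORRECTED = [parse_rule(l) for l in (
    r'AuthorizeGroup netadmin permit service=shell cmd\* {cisco-avpair="priv-lvl=15"}',
    r'AuthorizeGroup netadmin permit service=shell cmd=.*',
)]


if __name__ == "__main__":
    for name, rules in (("suggested", SUGGESTED), ("corrected", CORRECTED)):
        for args in (EXEC_START, EXIT_CMD):
            hit = authorize(rules, "netadmin", args)
            print(name, repr(args), decide(rules, "netadmin", args),
                  "via", hit.pattern if hit else "no rule")
```

Running it prints, for the suggested order, a permit via `.*` with no attributes for both requests, and for the corrected order a permit carrying `cisco-avpair=priv-lvl=15` for the exec request and a plain permit for `cmd=exit`. The trailing `permit .*` is the point to watch in any real configuration: with no attributes it grants every request for the group at the NAS default level, so a mismatched pattern above it fails open to "logged in, level 1" rather than to a visible deny.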
