On 11/15/2011 06:25 PM, Kim, Steve wrote:
> Well... it did not work. The user gets level-1 permission. Here is the
> initial tacacs+ log.
I think I've got it now. Note the authorization request arguments:
Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authorization
REQUEST 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd*
The config should have this:
AuthorizeGroup netadmin permit service=shell cmd\*
{cisco-avpair="priv-lvl=15"}
instead of this:
AuthorizeGroup netadmin permit service=shell cmd=\*
{cisco-avpair="priv-lvl=15"}
Notice Cisco sends cmd*, not cmd=*
Heikki
> Tue Nov 15 11:14:19 2011: DEBUG: TacacsplusConnection Authentication START
> 1, 1, 1 for , tty1, xxx.xxx.11.1
> Tue Nov 15 11:14:19 2011: DEBUG: TacacsplusConnection Authentication REPLY 4,
> 0, Username:,
> Tue Nov 15 11:14:22 2011: DEBUG: TacacsplusConnection request 192, 1, 3, 0,
> 128798430, 13
> Tue Nov 15 11:14:22 2011: DEBUG: TacacsplusConnection Authentication CONTINUE
> 0, connolly,
> Tue Nov 15 11:14:22 2011: DEBUG: TacacsplusConnection Authentication REPLY 5,
> 1, Password:,
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection request 192, 1, 5, 0,
> 128798430, 16
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authentication CONTINUE
> 0, **obscured**,
> Tue Nov 15 11:14:25 2011: DEBUG: TACACSPLUS derived Radius request packet
> dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: <200><26>*LJ<161><170><214><169>'U<180><192><253><24><253>
> Attributes:
> NAS-IP-Address = xxx.xxx.11.242
> NAS-Port-Id = "tty1"
> Calling-Station-Id = "xxx.xxx.11.1"
> Service-Type = Login-User
> NAS-Identifier = "TACACS"
> User-Name = "connolly"
> User-Password = **obscured**
> cisco-avpair = "action=1"
> cisco-avpair = "authen_type=1"
> cisco-avpair = "priv-lvl=1"
> cisco-avpair = "service=1"
> OSC-Version-Identifier = "192"
>
> Tue Nov 15 11:14:25 2011: DEBUG: Handling request with Handler
> 'Realm=DEFAULT', Identifier ''
> Tue Nov 15 11:14:25 2011: DEBUG: Deleting session for connolly,
> xxx.xxx.11.242,
> Tue Nov 15 11:14:25 2011: DEBUG: Handling with Radius::AuthGROUP: GetUser
> Tue Nov 15 11:14:25 2011: DEBUG: Handling with Radius::AuthLSA:
> Tue Nov 15 11:14:25 2011: DEBUG: Radius::AuthLSA looks for match with
> connolly [connolly]
> Tue Nov 15 11:14:25 2011: DEBUG: Checking LSA Group membership for dcny001,
> networking_staff, connolly
> Tue Nov 15 11:14:25 2011: DEBUG: Radius::AuthLSA ACCEPT: : connolly [connolly]
> Tue Nov 15 11:14:25 2011: DEBUG: Radius::AuthGROUP:GetUser result: ACCEPT,
> Tue Nov 15 11:14:25 2011: DEBUG: AuthBy GROUP result: ACCEPT,
> Tue Nov 15 11:14:25 2011: DEBUG: Access accepted for connolly
> Tue Nov 15 11:14:25 2011: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code: Access-Accept
> Identifier: UNDEF
> Authentic: <200><26>*LJ<161><170><214><169>'U<180><192><253><24><253>
> Attributes:
> tacacsgroup = netadmin
>
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection result Access-Accept
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authentication REPLY 1,
> 0, ,
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection disconnected from
> xxx.xxx.11.242:46059
> Tue Nov 15 11:14:25 2011: DEBUG: New TacacsplusConnection created for
> xxx.xxx.11.242:34694
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0,
> 1978405596, 51
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authorization REQUEST
> 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd*
> Tue Nov 15 11:14:25 2011: DEBUG: AuthorizeGroup rule match found: permit .* {
> }
> Tue Nov 15 11:14:25 2011: INFO: Authorization permitted for connolly at
> xxx.xxx.11.242, group netadmin, args service=shell cmd*
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authorization RESPONSE
> 1, , ,
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection disconnected from
> xxx.xxx.11.242:34694
> Tue Nov 15 11:16:07 2011: DEBUG: New TacacsplusConnection created for
> xxx.xxx.11.242:62601
> Tue Nov 15 11:16:07 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0,
> 2743768762, 68
> Tue Nov 15 11:16:07 2011: DEBUG: TacacsplusConnection Authorization REQUEST
> 1, 0, 1, 0, connolly, tty1, xxx.xxx.11.1, 3, service=shell cmd=exit
> cmd-arg=<cr>
> Tue Nov 15 11:16:07 2011: DEBUG: AuthorizeGroup rule match found: permit .* {
> }
> Tue Nov 15 11:16:07 2011: INFO: Authorization permitted for connolly at
> xxx.xxx.11.242, group netadmin, args service=shell cmd=exit cmd-arg=<cr>
> Tue Nov 15 11:16:07 2011: DEBUG: TacacsplusConnection Authorization RESPONSE
> 1, , ,
> Tue Nov 15 11:16:07 2011: DEBUG: TacacsplusConnection disconnected from
> xxx.xxx.11.242:62601
>
> -----Original Message-----
> From: Heikki Vatiainen [mailto:[email protected]]
> Sent: Tuesday, November 15, 2011 10:52 AM
> To: Kim, Steve
> Cc: [email protected]
> Subject: Re: [RADIATOR] Radiator 4.9 and cisco-avpair
>
> On 11/15/2011 05:42 PM, Kim, Steve wrote:
>
> Hmm, let's see now. The first authorization request is this:
>
> Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection Authorization REQUEST
> 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd*
>
> The request should be matched by this AuthorizeGroup:
>
> AuthorizeGroup netadmin permit service=shell cmd=\*
> {cisco-avpair="priv-lvl=15"}
>
>
>
> Your previous message had this:
> 09:42:02 2011: DEBUG: TacacsplusConnection Authorization REQUEST 1, 1, 1, 0,
> connolly, tty1, xxx.xxx.11.1, 4, service=shell cmd=connect cmd-arg=exitr
> cmd-arg=<cr>
>
> That would have matched by this:
>
> AuthorizeGroup netadmin permit service=shell cmd=connect cmd-arg=exitr
> cmd-arg=<cr> {cisco-avpair="priv-lvl=15"}
>
> Taking a better look at this, this is just a command with a typo (exitr) so
> what you should have is:
>
> AuthorizeGroup netadmin permit service=shell cmd=\*
> {cisco-avpair="priv-lvl=15"}
> AuthorizeGroup netadmin permit .*
>
>
> If it will not work, please reply with a log that shows the initial
> TACACS+ authentication and the authorization that follows.
>
> Thanks!
> Heikki
>
>
--
Heikki Vatiainen <[email protected]>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
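The point Heikki makes in the thread (IOS sends the literal argument string "service=shell cmd*", the AuthorizeGroup pattern is a regular expression, so "cmd=\*" never matches and the catch-all "permit .*" with no reply attributes wins, leaving the user at level 1) can be checked with a small emulation. The following is an added example, not Radiator's code and not anything posted in the thread. It assumes the rule pattern is applied as an anchored Perl/Python-style regex against the argument string (the results are identical with an unanchored search), that the first matching rule for the group wins, and that IOS falls back to privilege level 1 when the server returns no priv-lvl, which is the symptom reported above. The rule lists and argument strings are constructed from what appears in the log and the config lines quoted in the thread.

```python
import re

# Added example, not Radiator code: models how an AuthorizeGroup rule list is
# checked against the argument string of a TACACS+ authorization request.
# Assumption: the pattern is a Perl-style regex applied with re.match
# (anchored at the start); the outcomes below are the same with re.search.

# Rule tuples: (group, action, pattern, reply attributes)
RULES_WRONG = [
    # cmd=\* matches the literal text "cmd=*", which IOS never sends
    ("netadmin", "permit", r"service=shell cmd=\*", {"cisco-avpair": "priv-lvl=15"}),
    ("netadmin", "permit", r".*", {}),
]

RULES_FIXED = [
    # cmd\* matches the literal text "cmd*", which is what the log shows
    ("netadmin", "permit", r"service=shell cmd\*", {"cisco-avpair": "priv-lvl=15"}),
    ("netadmin", "permit", r".*", {}),
]

# Constructed argument strings, copied from the authorization requests in the log
SHELL_START = "service=shell cmd*"
EXEC_EXIT = "service=shell cmd=exit cmd-arg=<cr>"


def authorize(rules, group, args):
    """Return (action, reply_attrs, pattern) for the first rule of `group`
    whose pattern matches `args`, or None if no rule matches."""
    for rule_group, action, pattern, attrs in rules:
        if rule_group != group:
            continue
        if re.match(pattern, args):
            return action, attrs, pattern
    return None


def effective_priv_lvl(reply_attrs, default=1):
    """Privilege level the router ends up with.

    Assumption: IOS falls back to level 1 when the server returns no
    priv-lvl, which is the symptom described on the page."""
    value = reply_attrs.get("cisco-avpair", "")
    m = re.fullmatch(r"priv-lvl=(\d+)", value)
    return int(m.group(1)) if m else default


def trace(rules, label):
    """Print, for both request types seen in the log, which rule matched
    and what privilege level results."""
    for args in (SHELL_START, EXEC_EXIT):
        action, attrs, pattern = authorize(rules, "netadmin", args)
        print(f"{label}: {args!r} -> {action} by {pattern!r}, "
              f"reply {attrs}, priv-lvl {effective_priv_lvl(attrs)}")


if __name__ == "__main__":
    trace(RULES_WRONG, "wrong")   # shell start is caught by .* -> level 1
    trace(RULES_FIXED, "fixed")   # shell start gets priv-lvl=15
```

With the wrong pattern the shell-start request falls through to the catch-all rule, which is exactly the "rule match found: permit .* { }" line in the log, and the router defaults to level 1 because no priv-lvl came back. With the escaped asterisk the first rule matches and priv-lvl=15 is returned; the later per-command request (cmd=exit) still does not match that rule and is permitted by the catch-all, as the second half of the log shows.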