I think this time it looks better. However, my user tells me that he still gets 
level-1 as below:

Username:connolly
Password:

tacacs-test>
tacacs-test>
tacacs-test>
tacacs-test> 
tacacs-test>enable  (I had to enter this command)
Password: 
tacacs-test#

I am still only being put in level 1.


Here is the log that reflects the above:

Tue Nov 15 12:10:27 2011: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  <216><16><173><169><212><173>l<216>|<163><6><164><11><221>z_
Attributes:
        tacacsgroup = netadmin

Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection result Access-Accept
Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection Authentication REPLY 1, 
0, ,  
Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection disconnected from 
xxx.xxx.11.242:44082
Tue Nov 15 12:10:27 2011: DEBUG: New TacacsplusConnection created for 
xxx.xxx.11.242:62420
Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 
2531823864, 51
Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 
1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd*
Tue Nov 15 12:10:27 2011: DEBUG: AuthorizeGroup rule match found: permit 
service=shell cmd\* { cisco-avpair=priv-lvl=15 }
Tue Nov 15 12:10:27 2011: INFO: Authorization permitted for connolly at 
xxx.xxx.11.242, group netadmin, args service=shell cmd*
Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, 
, , cisco-avpair=priv-lvl=15
Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection disconnected from 
xxx.xxx.11.242:62420
Tue Nov 15 12:13:19 2011: DEBUG: New TacacsplusConnection created for 
xxx.xxx.11.242:29509
Tue Nov 15 12:13:19 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 
1514782278, 70
Tue Nov 15 12:13:19 2011: DEBUG: TacacsplusConnection Authorization REQUEST 1, 
0, 1, 0, connolly, tty1, xxx.xxx.11.1, 3, service=shell cmd=enable cmd-arg=<cr>
Tue Nov 15 12:13:19 2011: DEBUG: AuthorizeGroup rule match found: permit .* {  }
Tue Nov 15 12:13:19 2011: INFO: Authorization permitted for connolly at 
xxx.xxx.11.242, group netadmin, args service=shell cmd=enable cmd-arg=<cr>
Tue Nov 15 12:13:19 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, 
, , 
Tue Nov 15 12:13:19 2011: DEBUG: TacacsplusConnection disconnected from 
xxx.xxx.11.242:29509

-----Original Message-----
From: Heikki Vatiainen [mailto:[email protected]] 
Sent: Tuesday, November 15, 2011 11:59 AM
To: Kim, Steve
Cc: [email protected]
Subject: Re: [RADIATOR] Radiator 4.9 and cisco-avpair

On 11/15/2011 06:25 PM, Kim, Steve wrote:
> Well... it did not work. The user gets level-1 permission. Here is the 
> initial tacacs+ log.

I think I've got it now. Note the authorization request arguments:

Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 
1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd*

The config should have this:
AuthorizeGroup netadmin permit service=shell cmd\* {cisco-avpair="priv-lvl=15"}

instead of this:

AuthorizeGroup netadmin permit service=shell cmd=\* {cisco-avpair="priv-lvl=15"}

Notice Cisco sends cmd*, not cmd=*

Heikki



> Tue Nov 15 11:14:19 2011: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for , tty1, xxx.xxx.11.1
> Tue Nov 15 11:14:19 2011: DEBUG: TacacsplusConnection Authentication REPLY 4, 0, Username:, 
> Tue Nov 15 11:14:22 2011: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 128798430, 13
> Tue Nov 15 11:14:22 2011: DEBUG: TacacsplusConnection Authentication CONTINUE 0, connolly, 
> Tue Nov 15 11:14:22 2011: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password:, 
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 128798430, 16
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authentication CONTINUE 0, **obscured**, 
> Tue Nov 15 11:14:25 2011: DEBUG: TACACSPLUS derived Radius request packet dump:

> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <200><26>*LJ<161><170><214><169>'U<180><192><253><24><253>
> Attributes:
>       NAS-IP-Address = xxx.xxx.11.242
>       NAS-Port-Id = "tty1"
>       Calling-Station-Id = "xxx.xxx.11.1"
>       Service-Type = Login-User
>       NAS-Identifier = "TACACS"
>       User-Name = "connolly"
>       User-Password = **obscured**
>       cisco-avpair = "action=1"
>       cisco-avpair = "authen_type=1"
>       cisco-avpair = "priv-lvl=1"
>       cisco-avpair = "service=1"
>       OSC-Version-Identifier = "192"
> 
> Tue Nov 15 11:14:25 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
> Tue Nov 15 11:14:25 2011: DEBUG:  Deleting session for connolly, xxx.xxx.11.242, 
> Tue Nov 15 11:14:25 2011: DEBUG: Handling with Radius::AuthGROUP: GetUser
> Tue Nov 15 11:14:25 2011: DEBUG: Handling with Radius::AuthLSA: 
> Tue Nov 15 11:14:25 2011: DEBUG: Radius::AuthLSA looks for match with connolly [connolly]
> Tue Nov 15 11:14:25 2011: DEBUG: Checking LSA Group membership for dcny001, networking_staff, connolly
> Tue Nov 15 11:14:25 2011: DEBUG: Radius::AuthLSA ACCEPT: : connolly [connolly]
> Tue Nov 15 11:14:25 2011: DEBUG: Radius::AuthGROUP:GetUser  result: ACCEPT, 
> Tue Nov 15 11:14:25 2011: DEBUG: AuthBy GROUP result: ACCEPT, 
> Tue Nov 15 11:14:25 2011: DEBUG: Access accepted for connolly
> Tue Nov 15 11:14:25 2011: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  <200><26>*LJ<161><170><214><169>'U<180><192><253><24><253>
> Attributes:
>       tacacsgroup = netadmin
> 
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection result Access-Accept
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, , 
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:46059
> Tue Nov 15 11:14:25 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:34694
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 1978405596, 51
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd*
> Tue Nov 15 11:14:25 2011: DEBUG: AuthorizeGroup rule match found: permit .* {  }
> Tue Nov 15 11:14:25 2011: INFO: Authorization permitted for connolly at xxx.xxx.11.242, group netadmin, args service=shell cmd*
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , 
> Tue Nov 15 11:14:25 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:34694
> Tue Nov 15 11:16:07 2011: DEBUG: New TacacsplusConnection created for xxx.xxx.11.242:62601
> Tue Nov 15 11:16:07 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 2743768762, 68
> Tue Nov 15 11:16:07 2011: DEBUG: TacacsplusConnection Authorization REQUEST 1, 0, 1, 0, connolly, tty1, xxx.xxx.11.1, 3, service=shell cmd=exit cmd-arg=<cr>
> Tue Nov 15 11:16:07 2011: DEBUG: AuthorizeGroup rule match found: permit .* {  }
> Tue Nov 15 11:16:07 2011: INFO: Authorization permitted for connolly at xxx.xxx.11.242, group netadmin, args service=shell cmd=exit cmd-arg=<cr>
> Tue Nov 15 11:16:07 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , 
> Tue Nov 15 11:16:07 2011: DEBUG: TacacsplusConnection disconnected from xxx.xxx.11.242:62601
> 
> -----Original Message-----
> From: Heikki Vatiainen [mailto:[email protected]]
> Sent: Tuesday, November 15, 2011 10:52 AM
> To: Kim, Steve
> Cc: [email protected]
> Subject: Re: [RADIATOR] Radiator 4.9 and cisco-avpair
> 
> On 11/15/2011 05:42 PM, Kim, Steve wrote:
> 
> Hmm, let's see now. The first authorization request is this:
> 
> Tue Nov 15 10:25:28 2011: DEBUG: TacacsplusConnection Authorization 
> REQUEST 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell 
> cmd*
> 
> The request should be matched by this AuthorizeGroup:
> 
> AuthorizeGroup netadmin permit service=shell cmd=\* {cisco-avpair="priv-lvl=15"}
> 
> 
> 
> Your previous message had this:
> 09:42:02 2011: DEBUG: TacacsplusConnection Authorization REQUEST 1, 1, 
> 1, 0, connolly, tty1, xxx.xxx.11.1, 4, service=shell cmd=connect 
> cmd-arg=exitr cmd-arg=<cr>
> 
> That would have matched by this:
> 
> AuthorizeGroup netadmin permit service=shell cmd=connect cmd-arg=exitr cmd-arg=<cr> {cisco-avpair="priv-lvl=15"}
> 
> Taking a better look at this, this is just a command with a typo (exitr), so 
> what you should have is:
> 
> AuthorizeGroup netadmin permit service=shell cmd=\* {cisco-avpair="priv-lvl=15"}
> AuthorizeGroup netadmin permit .*
> 
> 
> If it will not work, please reply with a log that shows the initial
> TACACAS+ authentication and the authorization that follows.
> 
> Thanks!
> Heikki
> 
> 


--
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. 
SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, 
TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, 
RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, 
Windows, MacOSX, Solaris, VMS, NetWare etc.
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
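The thread turns on how an AuthorizeGroup rule is matched against the TACACS+ authorization arguments: the IOS EXEC start-up request carries `cmd*` (the optional-attribute separator with an empty value), so a rule written as `cmd=\*` never matches it and the request falls through to the `permit .*` catch-all, which returns no priv-lvl. The following Python model is an added illustration, not Radiator's own (Perl) code. It assumes, as the debug lines in the thread suggest, that the request arguments are joined with single spaces, that each rule's pattern is tried in order as an unanchored regular expression with first match winning, that a permit rule's `{...}` attributes are the reply, and that no matching rule means deny. The argument lists and both configurations are constructed from the thread's log and config lines.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample argument lists, shaped like the requests in the log:
# the EXEC shell start-up ('cmd*' = optional attribute cmd, empty value),
# the 'enable' command, and the mistyped 'connect exitr' command.
EXEC_START_ARGS = ["service=shell", "cmd*"]
ENABLE_CMD_ARGS = ["service=shell", "cmd=enable", "cmd-arg=<cr>"]
CONNECT_CMD_ARGS = ["service=shell", "cmd=connect", "cmd-arg=exitr", "cmd-arg=<cr>"]

# The two configurations discussed in the thread: the broken one with
# 'cmd=\*' and the corrected one with 'cmd\*'. Both keep the catch-all.
BROKEN_CONFIG = [
    r'AuthorizeGroup netadmin permit service=shell cmd=\* {cisco-avpair="priv-lvl=15"}',
    r'AuthorizeGroup netadmin permit .*',
]
FIXED_CONFIG = [
    r'AuthorizeGroup netadmin permit service=shell cmd\* {cisco-avpair="priv-lvl=15"}',
    r'AuthorizeGroup netadmin permit .*',
]


@dataclass(frozen=True)
class Arg:
    name: str
    optional: bool   # '*' separator means optional, '=' means mandatory
    value: str


def parse_arg(raw: str) -> Arg:
    """Split one TACACS+ authorization argument at its first '=' or '*'.

    'cmd=enable' is the mandatory attribute cmd with value 'enable';
    'cmd*' is the optional attribute cmd with an empty value, which is what
    the device sends when it asks about the EXEC shell itself, not a command.
    """
    m = re.match(r"^([^=*]+)([=*])(.*)$", raw)
    if not m:
        raise ValueError(f"malformed authorization argument: {raw!r}")
    name, sep, value = m.groups()
    return Arg(name=name, optional=(sep == "*"), value=value)


@dataclass(frozen=True)
class Rule:
    group: str
    action: str      # 'permit' or 'deny'
    pattern: str     # regex tried against the space-joined arguments (assumed)
    reply: tuple     # (attribute, value) pairs returned on a permit match


_RULE_RE = re.compile(
    r'^AuthorizeGroup\s+(\S+)\s+(permit|deny)\s+(.*?)(?:\s*\{(.*)\})?\s*$'
)


def parse_rule(line: str) -> Rule:
    """Parse 'AuthorizeGroup <group> permit|deny <regex> {attr="val", ...}'."""
    m = _RULE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    group, action, pattern, attrs = m.groups()
    reply = []
    for item in (attrs or "").split(","):
        item = item.strip()
        if item:
            name, _, value = item.partition("=")
            reply.append((name.strip(), value.strip().strip('"')))
    return Rule(group, action, pattern, tuple(reply))


def authorize(config, args):
    """Evaluate the rule list against one request; first match wins (assumed).

    Returns (permitted, reply_attributes). A permitted EXEC start-up with an
    empty reply is the 'user lands in level 1' symptom from the thread: the
    device received no priv-lvl and fell back to its default.
    """
    joined = " ".join(args)
    for rule in (parse_rule(line) for line in config):
        if re.search(rule.pattern, joined):
            return rule.action == "permit", dict(rule.reply)
    return False, {}   # assumed: nothing matched means deny


def priv_level(reply) -> Optional[int]:
    """Extract priv-lvl from a cisco-avpair reply attribute, if present."""
    m = re.fullmatch(r"priv-lvl=(\d+)", reply.get("cisco-avpair", ""))
    return int(m.group(1)) if m else None


def exec_priv_level(config) -> Optional[int]:
    """Privilege level the EXEC start-up request gets under a given config."""
    permitted, reply = authorize(config, EXEC_START_ARGS)
    return priv_level(reply) if permitted else None


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name:6s} config: EXEC start -> priv-lvl {exec_priv_level(cfg)}")
    print("enable command under fixed config:", authorize(FIXED_CONFIG, ENABLE_CMD_ARGS))
```

Run as a script it prints `None` for the broken configuration and `15` for the fixed one, and shows the `enable` command being permitted by the catch-all with no attributes, which matches the three `AuthorizeGroup rule match found` lines in the thread. Two things worth keeping in mind when writing such rules: order matters because the first match wins, so the specific `service=shell cmd\*` rule has to precede `permit .*`; and a `permit .*` catch-all authorizes every command the device asks about, so it is a convenience for debugging rather than a command-authorization policy.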
