On 11/15/2011 07:20 PM, Kim, Steve wrote:
> I think this time it looks better. However, my user tells me that he still
> gets level-1 as below:
Radiator is now sending cisco-avpair=priv-lvl=15 back to the client. If
this does not work you could try changing the last parameter of
AuthorizeGroup to {priv-lvl=15}.
If that still does not work, you need to check the client device's
manual to see what it expects back when changing the privilege level.
Thanks!
Heikki
> Username:connolly
> Password:
>
> tacacs-test>
> tacacs-test>
> tacacs-test>
> tacacs-test>
> tacacs-test>enable (I had to enter this command)
> Password:
> tacacs-test#
>
> I am still only being put in level 1.
>
>
> Here is the log that reflects the above:
>
> Tue Nov 15 12:10:27 2011: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code: Access-Accept
> Identifier: UNDEF
> Authentic: <216><16><173><169><212><173>l<216>|<163><6><164><11><221>z_
> Attributes:
> tacacsgroup = netadmin
>
> Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection result Access-Accept
> Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection Authentication REPLY 1,
> 0, ,
> Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection disconnected from
> xxx.xxx.11.242:44082
> Tue Nov 15 12:10:27 2011: DEBUG: New TacacsplusConnection created for
> xxx.xxx.11.242:62420
> Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0,
> 2531823864, 51
> Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection Authorization REQUEST
> 6, 1, 1, 1, connolly, tty1, xxx.xxx.11.1, 2, service=shell cmd*
> Tue Nov 15 12:10:27 2011: DEBUG: AuthorizeGroup rule match found: permit
> service=shell cmd\* { cisco-avpair=priv-lvl=15 }
> Tue Nov 15 12:10:27 2011: INFO: Authorization permitted for connolly at
> xxx.xxx.11.242, group netadmin, args service=shell cmd*
> Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection Authorization RESPONSE
> 1, , , cisco-avpair=priv-lvl=15
> Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection disconnected from
> xxx.xxx.11.242:62420
> Tue Nov 15 12:13:19 2011: DEBUG: New TacacsplusConnection created for
> xxx.xxx.11.242:29509
> Tue Nov 15 12:13:19 2011: DEBUG: TacacsplusConnection request 192, 2, 1, 0,
> 1514782278, 70
> Tue Nov 15 12:13:19 2011: DEBUG: TacacsplusConnection Authorization REQUEST
> 1, 0, 1, 0, connolly, tty1, xxx.xxx.11.1, 3, service=shell cmd=enable
> cmd-arg=<cr>
> Tue Nov 15 12:13:19 2011: DEBUG: AuthorizeGroup rule match found: permit .* {
> }
> Tue Nov 15 12:13:19 2011: INFO: Authorization permitted for connolly at
> xxx.xxx.11.242, group netadmin, args service=shell cmd=enable cmd-arg=<cr>
> Tue Nov 15 12:13:19 2011: DEBUG: TacacsplusConnection Authorization RESPONSE
> 1, , ,
> Tue Nov 15 12:13:19 2011: DEBUG: TacacsplusConnection disconnected from
> xxx.xxx.11.242:29509
--
Heikki Vatiainen <[email protected]>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
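A small checker for the kind of debug log quoted above, added here as an example and not part of the original message or of Radiator: it pairs each shell-start Authorization REQUEST with its RESPONSE and reports whether the reply carries a bare priv-lvl attribute or one wrapped as cisco-avpair=priv-lvl, the two forms discussed in the reply. The log lines are constructed from the format shown in the thread; the field positions, whitespace-separated reply attributes and request/response adjacency are assumptions.

```python
import re

# Constructed sample modelled on the debug lines in the thread (wrapped
# lines joined; user names and addresses are placeholders).
SAMPLE_LOG = """\
Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, alice, tty1, 192.0.2.1, 2, service=shell cmd*
Tue Nov 15 12:10:27 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , cisco-avpair=priv-lvl=15
Tue Nov 15 12:13:19 2011: DEBUG: TacacsplusConnection Authorization REQUEST 1, 0, 1, 0, alice, tty1, 192.0.2.1, 3, service=shell cmd=enable cmd-arg=<cr>
Tue Nov 15 12:13:19 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
Tue Nov 15 12:20:02 2011: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, bob, tty2, 192.0.2.1, 2, service=shell cmd*
Tue Nov 15 12:20:02 2011: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=15
"""

REQ = re.compile(r"Authorization REQUEST (.*)$")
# Assumed layout: status, server message, data, then the reply attributes.
RESP = re.compile(r"Authorization RESPONSE (\d+),\s*([^,]*),\s*([^,]*),\s*(.*)$")
BARE = re.compile(r"^priv-lvl[=*]\d+$")  # '=' mandatory, '*' optional attribute


def classify(avpairs):
    """Say how (or whether) a privilege level appears in the reply attributes."""
    if any(BARE.match(a) for a in avpairs):
        return "bare"      # attribute name is priv-lvl itself
    if any("priv-lvl=" in a for a in avpairs):
        return "wrapped"   # priv-lvl is the value of another attribute
    return "missing"


def audit(log_text):
    """Return (user, verdict, reply attributes) for each shell-start request."""
    findings, pending = [], None
    for line in log_text.splitlines():
        m = REQ.search(line)
        if m:
            fields = m.group(1).split(", ", 8)  # assumed: user 5th, args 9th
            args = fields[8].split() if len(fields) == 9 else []
            # A shell start carries service=shell with an empty cmd attribute.
            shell_start = "service=shell" in args and ("cmd*" in args or "cmd=" in args)
            pending = fields[4] if shell_start else None
            continue
        m = RESP.search(line)
        if m and pending is not None:  # assumed: reply follows its request
            avpairs = m.group(4).split()
            findings.append((pending, classify(avpairs), avpairs))
            pending = None
    return findings


if __name__ == "__main__":
    for user, verdict, avpairs in audit(SAMPLE_LOG):
        print(f"{user}: {verdict} {avpairs}")
```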