On 11/01/2012 06:08 PM, Jim Tyrrell wrote:
> I'm just getting started with TACACS and have just tried to configure
> support in Radiator 4.10. I think I have followed the examples but I
> can't get it to match the correct group. I have configured
> "GroupMemberAttr tacacsgroup" under the ServerTACACSPLUS, and I can see
> the Access-Accept includes 'tacacsgroup = group2', yet radiator uses the
> group 'DEFAULT'?

Try this:

# Radius attribute (real or pseudo) in the Access-Accept to
# deduce the tacacs group name for user
GroupMemberAttr tacacsgroup

instead of having the comment on the same line as the option. The hash
mark must be the first non-whitespace character on the line. This allows
you to have hash marks in secrets and literal strings.

Thanks,
Heikki

> Relevant config below:
>
> ---------------------
> <ServerTACACSPLUS>
>     Key tictactoe2
>     AddToRequest NAS-Identifier=TACACS
>     GroupMemberAttr tacacsgroup #Radius attribute (real
> or pseudo) in the Access-Accept to deduce the tacacs group name for user
>     AuthorizeGroup group2 permit .*
> </ServerTACACSPLUS>
>
> <Handler NAS-Identifier=TACACS>
>     AcctLogFileName /var/log/radius/tacacs
>     <AuthBy FILE>
>         Filename %D/users/tacacs_users.cfg
>     </AuthBy>
> </Handler>
>
>
> ==== %D/users/tacacs_users.cfg ===============
> tac2    User-Password=tac2
>         tacacsgroup=group2
>
>
> The incoming request is coming from a Cisco router and the debugging
> shows the following:
>
> Thu Nov 1 14:58:46 2012: DEBUG: TACACSPLUS derived Radius request
> packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  5TL<206><13><151><206><180>cZ#<17>L*<193>i
> Attributes:
>     NAS-IP-Address = 192.168.32.104
>     NAS-Port-Id = "tty581"
>     Calling-Station-Id = "10.11.0.2"
>     Service-Type = Login-User
>     NAS-Identifier = "TACACS"
>     User-Name = "tac2"
>     User-Password = **obscured**
>     cisco-avpair = "action=1"
>     cisco-avpair = "authen_type=1"
>     cisco-avpair = "priv-lvl=1"
>     cisco-avpair = "service=1"
>     OSC-Version-Identifier = "192"
>
> Thu Nov 1 14:58:46 2012: DEBUG: Reading users file
> /etc/radiator/authentication/users/tacacs_users.cfg
>
> Thu Nov 1 14:58:46 2012: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  5TL<206><13><151><206><180>cZ#<17>L*<193>i
> Attributes:
>     tacacsgroup = group2
>
> Thu Nov 1 14:58:46 2012: DEBUG: TacacsplusConnection result Access-Accept
> Thu Nov 1 14:58:46 2012: DEBUG: TacacsplusConnection Authentication
> REPLY 1, 0, ,
> Thu Nov 1 14:58:46 2012: DEBUG: TacacsplusConnection disconnected from
> 192.168.32.104:37033
> Thu Nov 1 14:58:46 2012: DEBUG: New TacacsplusConnection created for
> 192.168.32.104:62437
> Thu Nov 1 14:58:46 2012: WARNING: Could not find a Client for
> 192.168.32.104:62437. Falling back to default Key
> Thu Nov 1 14:58:46 2012: DEBUG: TacacsplusConnection request 192, 2, 1,
> 0, 3528935939, 47
> Thu Nov 1 14:58:46 2012: DEBUG: TacacsplusConnection Authorization
> REQUEST 6, 1, 1, 1, tac2, tty581, 10.11.0.2, 2, service=shell cmd*
> Thu Nov 1 14:58:46 2012: INFO: Authorization denied for tac2, group
> DEFAULT. No matching AuthorizeGroup rule for args service=shell cmd*
> Thu Nov 1 14:58:46 2012: DEBUG: TacacsplusConnection Authorization
> RESPONSE 16, denied, ,
> Thu Nov 1 14:58:46 2012: DEBUG: TacacsplusConnection disconnected from
> 192.168.32.104:62437
>
>
> If I change the AuthorizeGroup to DEFAULT then it works, but why is it
> not using and matching group2? I'm sure it's something obvious but I
> can't see what?
>
> Thanks.
>
> Jim.
>
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator

--
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
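The comment rule Heikki describes, modelled as an added Python example (not Radiator's own parser or any code from the thread): a minimal reader that treats `#` as a comment only when it is the first non-whitespace character on a line, followed by the group lookup the thread describes. The parser, the lookup and both sample configs are constructed for illustration; only the `#` rule and the DEFAULT fallback come from the thread.

```python
# Constructed model of the Radiator config comment rule: a line whose first
# non-whitespace character is '#' is a comment; an inline '#' is plain text
# and stays part of the option value. Not Radiator's real parser.

DEFAULT_GROUP = "DEFAULT"  # group Radiator falls back to per the thread's log


def parse_config(text):
    """Read 'Option value' lines into a dict, skipping whole-line comments
    and clause tags such as <ServerTACACSPLUS>."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        # Anything after the option name, including a trailing '#...', is value
        options[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return options


def resolve_tacacs_group(options, accept_attrs):
    """Look up the Access-Accept attribute named by GroupMemberAttr;
    fall back to DEFAULT when no such attribute is present."""
    return accept_attrs.get(options.get("GroupMemberAttr"), DEFAULT_GROUP)


# Constructed sample reply: the thread's Access-Accept carries tacacsgroup = group2
ACCESS_ACCEPT = {"tacacsgroup": "group2"}

# Same-line comment, as in the original config: '#' is NOT a comment here
BROKEN_CONFIG = """
<ServerTACACSPLUS>
    GroupMemberAttr tacacsgroup #Radius attribute (real or pseudo) in the Access-Accept
    AuthorizeGroup group2 permit .*
</ServerTACACSPLUS>
"""

# Comment moved onto its own lines, as Heikki suggests
FIXED_CONFIG = """
<ServerTACACSPLUS>
    # Radius attribute (real or pseudo) in the Access-Accept to
    # deduce the tacacs group name for user
    GroupMemberAttr tacacsgroup
    AuthorizeGroup group2 permit .*
</ServerTACACSPLUS>
"""


def group_for(config_text):
    return resolve_tacacs_group(parse_config(config_text), ACCESS_ACCEPT)


if __name__ == "__main__":
    print("broken config ->", group_for(BROKEN_CONFIG))  # DEFAULT
    print("fixed config  ->", group_for(FIXED_CONFIG))   # group2
```

With the same-line comment, `GroupMemberAttr` names an attribute that no Access-Accept will ever carry, so every user lands in DEFAULT and only an `AuthorizeGroup DEFAULT` rule can match, which is exactly what Jim observed.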