Hi everyone,
I have three different groups for TACACS authorization. My radius.cfg is
like this:
<ServerTACACSPLUS>
    Key *****
    AddToRequest NAS-Identifier=TACACS
    GroupMemberAttr tacacsgroup
    AuthorizeGroup group1 permit service=shell cmd=show cmd-args=.*
    AuthorizeGroup group1 permit .*
    # AuthorizeGroup DEFAULT deny .*
    AuthorizeGroup group3 permit service=shell cmd\* {priv-lvl=15}
</ServerTACACSPLUS>

<Handler>
    <AuthBy SQL>
        # Change DBSource, DBUsername, DBAuth for your database
        # See the reference manual. You will also have to
        # change the one in <SessionDatabase SQL> below
        # so it's the same
        DBSource dbi:mysql:radius:localhost
        DBUsername raduser
        DBAuth raduser
        # Never look up the DEFAULT user
        NoDefault
        # You can customise the SQL query used to get user details with the
        # AuthSelect parameter:
        AuthSelect select PASSWORD 'Auth-Type=AuthSQL', 'GroupList="group1 group2 group3"' from SUBSCRIBERS where USERNAME=%0
        -----
        ------------
        AddToReply tacacsgroup= group1
        AddToReply tacacsgroup= group3
        AddToReply tacacsgroup= DEFAULT
I try with user mikem in group1. The trace log is:
Thu Nov 15 22:31:17 2012: DEBUG: Query to 'dbi:mysql:radius:localhost': 'select
PASSWORD 'Auth-Type=AuthSQL', 'GroupList="group1 group2 group3"' from
SUBSCRIBERS where USERNAME='mikem'':
Thu Nov 15 22:31:17 2012: DEBUG: Radius::AuthSQL looks for match with mikem
[mikem]
Thu Nov 15 22:31:17 2012: DEBUG: Query to 'dbi:mysql:radius:localhost': 'select
GROUPNAME from GROUPS where USERNAME='mikem' and GROUPNAME='group1'':
Thu Nov 15 22:31:17 2012: DEBUG: Radius::AuthSQL ACCEPT: : mikem [mikem]
Thu Nov 15 22:31:17 2012: DEBUG: AuthBy SQL result: ACCEPT,
Thu Nov 15 22:31:17 2012: DEBUG: Access accepted for mikem
Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost':
'insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (1353011477,
'mikem', 1)':
Thu Nov 15 22:31:17 2012: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code: Access-Accept
Identifier: UNDEF
Authentic: p<146><26><192>4H<235><16>\<21><252>v.<142><152><28>
Attributes:
tacacsgroup = DEFAULT
Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection result Access-Accept
Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Authentication REPLY 1,
0, ,
Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection disconnected from
93.155.11.54:58517
Thu Nov 15 22:31:17 2012: DEBUG: New TacacsplusConnection created for
93.155.11.54:61939
Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection request 192, 3, 1, 0,
3529830477, 105
Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Accounting REQUEST 2, 6,
0, 1, 1, mikem@local, /dev/ttyp3, 78.169.249.3, 4, start_time=1353011477
task_id=10700 timezone=GMT service=shell
Thu Nov 15 22:31:17 2012: DEBUG: TACACSPLUS derived Radius request packet dump:
Code: Accounting-Request
Identifier: UNDEF
Authentic: p<235><143><10>U<177>d<206>X_Z<168>O<129><31>j
Attributes:
NAS-IP-Address = 93.155.11.54
NAS-Port-Id = "/dev/ttyp3"
Calling-Station-Id = "78.169.249.3"
NAS-Identifier = "TACACS"
User-Name = "mikem@local"
Acct-Status-Type = Start
Acct-Session-Id = "3529830477"
cisco-avpair = "start_time=1353011477"
cisco-avpair = "task_id=10700"
cisco-avpair = "timezone=GMT"
cisco-avpair = "service=shell"
OSC-Version-Identifier = "192"
Thu Nov 15 22:31:17 2012: DEBUG: Handling request with Handler '', Identifier ''
Thu Nov 15 22:31:17 2012: DEBUG: Adding session for mikem@local, 93.155.11.54,
Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost':
'delete from RADONLINE where NASIDENTIFIER='93.155.11.54' and NASPORT=00':
Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost':
'insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID,
TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('mikem@local',
'93.155.11.54', 0, '3529830477', 1353011477, '', '', '')':
Thu Nov 15 22:31:17 2012: DEBUG: Handling with Radius::AuthSQL:
Thu Nov 15 22:31:17 2012: DEBUG: Handling accounting with Radius::AuthSQL
Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radius:localhost':
'insert into ACCOUNTING
(ACCTSESSIONID,ACCTSTATUSTYPE,NASIDENTIFIER,TIME_STAMP,USERNAME) values
('3529830477','Start','TACACS',1353011477,'mikem@local')':
Thu Nov 15 22:31:17 2012: DEBUG: AuthBy SQL result: ACCEPT,
Thu Nov 15 22:31:17 2012: DEBUG: Accounting accepted
Thu Nov 15 22:31:17 2012: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code: Accounting-Response
Identifier: UNDEF
Authentic: p<235><143><10>U<177>d<206>X_Z<168>O<129><31>j
Attributes:
Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection result Accounting-Response
Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Accounting REPLY 1, ,
Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection disconnected from
93.155.11.54:61939
Thu Nov 15 22:31:17 2012: DEBUG: New TacacsplusConnection created for
93.155.11.54:64085
Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection request 192, 2, 1, 0,
2033174599, 70
Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Authorization REQUEST 6,
0, 1, 1, mikem, /dev/ttyp3, 78.169.249.3, 3, service=shell cmd* command-access*
Thu Nov 15 22:31:17 2012: INFO: Authorization denied for mikem, group DEFAULT.
No matching AuthorizeGroup rule for args service=shell cmd* command-access*
Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Authorization RESPONSE
16, denied, ,
Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection disconnected from
93.155.11.54:64085
The reply message always says group DEFAULT. Is something wrong with my AddToReply
clause? Why does the reply always say group DEFAULT?
And a strange issue: if group3 is on the last AddToReply line, then the reply
message comes back as group3.
MURAT BİLAL
Services Engineer, Ericsson Turkey
radiator mailing list - http://www.open.com.au/mailman/listinfo/radiator
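As an added example (not code from the post or from Radiator itself), here is a small Python model of how the AuthorizeGroup lines from the configuration above decide the authorization request seen in the trace. The DEFAULT group has no active rule (its only rule is commented out), so the arguments `service=shell cmd* command-access*` are denied exactly as the INFO line reports, whereas group1 and group3 would permit them. The matching semantics used here (every pattern of a rule must fully match at least one request argument; the first matching rule wins) are an assumed simplification of Radiator's own behaviour.

```python
import re

# Constructed copy of the AuthorizeGroup lines from the posted radius.cfg,
# including the commented-out DEFAULT rule.
CONFIG = r"""
AuthorizeGroup group1 permit service=shell cmd=show cmd-args=.*
AuthorizeGroup group1 permit .*
# AuthorizeGroup DEFAULT deny .*
AuthorizeGroup group3 permit service=shell cmd\* {priv-lvl=15}
"""

# AuthorizeGroup <group> permit|deny <patterns...> [{attr=value ...}]
RULE_RE = re.compile(
    r'^AuthorizeGroup\s+(\S+)\s+(permit|deny)\s+(.*?)\s*(?:\{(.*)\})?\s*$')


def parse_rules(text):
    """Return {group: [(action, [pattern, ...], {reply_attr: value})]}.
    Comment lines are skipped, so a commented DEFAULT rule yields no group."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        group, action, patterns, attrs = m.groups()
        reply = dict(a.split('=', 1) for a in (attrs or '').split())
        rules.setdefault(group, []).append((action, patterns.split(), reply))
    return rules


def authorize(rules, group, args):
    """Assumed model: a rule matches when each of its patterns fully matches
    at least one request argument; the first matching rule decides.
    A group with no rules at all is denied, as the trace shows for DEFAULT."""
    for action, patterns, reply in rules.get(group, []):
        if all(any(re.fullmatch(p, a) for a in args) for p in patterns):
            return action, reply
    return 'denied', {}


if __name__ == '__main__':
    rules = parse_rules(CONFIG)
    # Arguments taken from the Authorization REQUEST line in the trace.
    args = ['service=shell', 'cmd*', 'command-access*']
    for group in ('DEFAULT', 'group1', 'group3'):
        print(group, authorize(rules, group, args))
```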
