Hello Patrick,

Thanks for the quick reply. We implemented your suggestion like this:

<AuthLog FILE>
    Identifier authlog-tac-file

    Filename %L/auth-tacacs.log
    LogSuccess
    LogFailure
    LogIgnore

    SuccessFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' \
                  handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' \
                  called-station='%{Called-Station-Id}' result='OK'
    FailureFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' \
                  handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' \
                  called-station='%{Called-Station-Id}' reason='%1' result='FAIL'
    IgnoreFormat  %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' \
                  handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' \
                  called-station='%{Called-Station-Id}' reason='%1' result='IGNORE'
</AuthLog>

The result is something like this:
    Thu Aug 15 11:28:56 2019 trace_id='fdee3200' user='some-user' client='router-ip/' nas='router-ip/TACACS' handler='' calling-station='Radiator_server-ip/protocol' called-station='' result='OK'

So it logs the login attempt, not the TACACS authorization request like "am I 
allowed to perform 'show ?'".

We found funny results: on a login with the correct username but wrong password 
the logs show result='OK', but the logins were denied, due to the user not 
being added to a Tacacsgroup, so the AuthorizeGroup rules are all failing.


Regards,


Jan Gerrit Kootstra
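
The single-line format above is easy to post-process, which is the point of asking for it. The following parser is an added example and is not code from the thread or from Radiator itself; it assumes only the key='value' layout defined by the SuccessFormat/FailureFormat/IgnoreFormat lines in the configuration above, with the %l timestamp in the ctime-style form shown in the sample output. It extracts every field into a dictionary, counts results per user, and pulls out the trace_id values for a given user and result so that the matching session can be looked up in radiator.log instead of re-reading the whole file. The sample log lines other than the first one are constructed for the example.

```python
"""Parse Radiator AuthLog FILE lines in the key='value' layout used above.

Added example; not from the Radiator distribution or the mailing-list thread.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# %l in the format string produces a ctime-style timestamp such as
# "Thu Aug 15 11:28:56 2019"; everything after it is key='value' pairs.
_TS_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]?\d \d{2}:\d{2}:\d{2} \d{4}) (?P<rest>.*)$"
)
# Values are single-quoted and may be empty (e.g. handler='').
_KV_RE = re.compile(r"(?P<key>[\w-]+)='(?P<val>[^']*)'")


def parse_authlog_line(line):
    """Return a dict of the fields in one log line, or None if it does not match."""
    m = _TS_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")}
    for kv in _KV_RE.finditer(m.group("rest")):
        rec[kv.group("key")] = kv.group("val")
    return rec


def parse_authlog(text):
    """Parse a whole log file body, skipping blank and non-matching lines."""
    records = []
    for line in text.splitlines():
        rec = parse_authlog_line(line)
        if rec is not None:
            records.append(rec)
    return records


def count_results(records):
    """Map user -> Counter of result values (OK / FAIL / IGNORE)."""
    per_user = defaultdict(Counter)
    for rec in records:
        per_user[rec.get("user", "")][rec.get("result", "")] += 1
    return per_user


def trace_ids_for(records, user, result):
    """trace_id values to search for in radiator.log for one user and result."""
    return [
        rec["trace_id"]
        for rec in records
        if rec.get("user") == user and rec.get("result") == result and "trace_id" in rec
    ]


# Constructed sample: the first line is the one quoted in the thread, the other two
# are made up to show the FAIL and IGNORE formats (reason value is a placeholder).
SAMPLE_LOG = """\
Thu Aug 15 11:28:56 2019 trace_id='fdee3200' user='some-user' client='router-ip/' nas='router-ip/TACACS' handler='' calling-station='Radiator_server-ip/protocol' called-station='' result='OK'
Thu Aug 15 11:29:10 2019 trace_id='a1b2c3d4' user='some-user' client='router-ip/' nas='router-ip/TACACS' handler='' calling-station='Radiator_server-ip/protocol' called-station='' reason='constructed-reason' result='FAIL'
Thu Aug 15 11:30:02 2019 trace_id='0badf00d' user='other-user' client='router-ip/' nas='router-ip/TACACS' handler='' calling-station='Radiator_server-ip/protocol' called-station='' reason='constructed-reason' result='IGNORE'
"""

if __name__ == "__main__":
    recs = parse_authlog(SAMPLE_LOG)
    for user, counts in sorted(count_results(recs).items()):
        print(user, dict(counts))
    print("FAIL trace_ids for some-user:", trace_ids_for(recs, "some-user", "FAIL"))
```

Because the thread notes that result='OK' here records the authentication outcome and not whether AuthorizeGroup later accepted the session, the trace_id list is the useful output: it gives the exact session identifiers to grep for in radiator.log rather than a verdict.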

From: Patrik Forsberg <patrik.forsb...@ip-only.se>
Sent: Thursday 15 August 2019 15:37
To: BeheerInfra-OT <beheerinfra...@kpn.com>; radiator@lists.open.com.au
Subject: RE: [RADIATOR] Radiator TACACS+: How to log authorizations of user 
commands?

Hello,
This is all possible.
Check the goodies directory for
tacacsplusserver.cfg
tacplus.txt

They give good hints on how to set this up.

As for success/fail you can use for example
        <AuthLog FILE>
                Identifier      AuthLogger
                Filename        %L/fail-authlog
                LogSuccess      0
                LogFailure      1
                FailureFormat   %l REJECT user=%u from=%c nas=%N client=%{Request:Calling-Station-Id}
        </AuthLog>
        <AuthLog FILE>
                Identifier      IdentSuccessAuthLogger
                LogSuccess      1
                LogFailure      0
                Filename        %L/success-authlog
                SuccessFormat   %l ACCEPT user=%u from=%c nas=%N client=%{Request:Calling-Station-Id}
        </AuthLog>

This would create one success logfile and one failure logfile and also pick 
out the interesting bits.


---
Regards,
Patrik Forsberg

From: radiator <radiator-boun...@lists.open.com.au> On Behalf Of beheerinfra...@kpn.com
Sent: 15 August 2019 14:29
To: radiator@lists.open.com.au
Subject: [RADIATOR] Radiator TACACS+: How to log authorizations of user 
commands?

Hello fellow Radiator AAA users,


We would like to set up logging of TACACS+ command authorization. We were only able to 
find Authentication and Accounting logging examples.
Authentication successes and failures in a single-line log entry would be a 
great feature, instead of having to re-read a complete user session in 
/var/log/radiator/radiator.log to find out which commands were used.

Regards,


Jan Gerrit Kootstra
On behalf of KPN ACN Present BeheerInfra Services.


_______________________________________________
radiator mailing list
radiator@lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator