On 28.4.2021 10.41, Patrik Forsberg wrote:

I’m looking at using AuthorizeGroupAttr and the attribute OSC-Authorize-Group to add commands a user is (not) allowed to run when using TACACS+, but I can’t find any documentation on how to add multiple rules to this attribute?

Adding the same attribute multiple times is, of course, not working, and just adding a comma (,) between the permit/deny clauses doesn’t work either?

Here's an example. First Radiator configuration:

<ServerTACACSPLUS>
        Identifier default-tacacs-server
        Key mysecret
        AddToRequest NAS-Identifier=TACACS
        AuthorizeGroupAttr OSC-Authorize-Group
        GroupMemberAttr tacacsgroup

        AuthorizeGroup group2 permit service=shell cmd=show cmd-arg=line
        AuthorizeGroup group2 deny .*
</ServerTACACSPLUS>


The users file for AuthBy FILE is:

mikem User-Password = fred
        OSC-Authorize-Group = "deny   service=shell cmd=show cmd-arg=line",
        OSC-Authorize-Group = "permit service=shell cmd=someallowedcommand",
        OSC-Authorize-Group = "deny service=shell cmd=someforbiddencommand",
        OSC-Authorize-Group = "permit service=shell cmd=show cmd-arg=run",
        tacacsgroup = group2


Then test. Note that authorisation fails. The reason is that the user-specific rules have 'show line' denied while the configuration has it explicitly allowed. The user-specific rules override the configuration file's group-specific rules. The end result is that the user can run 'someallowedcommand' and 'show run'.

% perl goodies/tacacsplustest -trace 4 -key somekey -noacct -author_args service=shell,cmd=show,cmd-arg=line
Connecting to TACACS+ server localhost:49
sending Authentication request...
authentication response: 193, 1, 2, 0, 1234, 1, 0, ,
Disconnect from localhost:49
OK
sending Authorization request...
authorization response: 192, 2, 2, 0, 1234, 16, denied, ,
Disconnect from localhost:49
FAIL



Here's Radiator's log. First shown is authentication and then authorisation:

200d64b0 Wed Apr 28 18:39:45 2021 178522: DEBUG: Reading users file ./users
200d64b0 Wed Apr 28 18:39:45 2021 188117: DEBUG: Radius::AuthFILE looks for match with 'mikem' [mikem]
200d64b0 Wed Apr 28 18:39:45 2021 188487: DEBUG: Radius::AuthFILE ACCEPT: : 'mikem' [mikem]
200d64b0 Wed Apr 28 18:39:45 2021 188812: DEBUG: AuthBy FILE result: ACCEPT,
200d64b0 Wed Apr 28 18:39:45 2021 188998: DEBUG: Access accepted for mikem
200d64b0 Wed Apr 28 18:39:45 2021 189237: DEBUG: Packet dump:
200d64b0 *** Reply to TACACSPLUS request:
200d64b0 Code:       Access-Accept
200d64b0 Identifier: UNDEF
200d64b0 Authentic:  <19>:<165><233><192><247><181>9z<5>-<159>K<226>oY
200d64b0 Attributes:
200d64b0        OSC-Authorize-Group = "deny service=shell cmd=show cmd-arg=line"
200d64b0        OSC-Authorize-Group = "permit service=shell cmd=someallowedcommand"
200d64b0        OSC-Authorize-Group = "deny service=shell cmd=someforbiddencommand"
200d64b0        OSC-Authorize-Group = "permit service=shell cmd=show cmd-arg=run"
200d64b0        tacacsgroup = group2
200d64b0
00000000 Wed Apr 28 18:39:45 2021 189426: DEBUG: TacacsplusConnection result Access-Accept
00000000 Wed Apr 28 18:39:45 2021 189804: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,

00000000 Wed Apr 28 18:39:45 2021 192004: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 1234, 62
00000000 Wed Apr 28 18:39:45 2021 192270: DEBUG: TacacsplusConnection Authorization REQUEST 6, 0, 2, 0, mikem, 123, testclient, 3, service=shell cmd=show cmd-arg=line
00000000 Wed Apr 28 18:39:45 2021 192565: DEBUG: AuthorizeGroup rule match found: deny service=shell cmd=show cmd-arg=line { } { }
00000000 Wed Apr 28 18:39:45 2021 192713: INFO: Authorization denied for mikem at 127.0.0.1, group group2, args service=shell cmd=show cmd-arg=line
00000000 Wed Apr 28 18:39:45 2021 192902: DEBUG: TacacsplusConnection Authorization RESPONSE 16, denied, ,


Thanks,
Heikki

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
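To make the evaluation order in the reply above concrete, here is an added Python model (not Radiator's own code) of the behaviour the log shows: the user's OSC-Authorize-Group rules are checked before the group's AuthorizeGroup rules, and the first matching rule decides. The rule syntax (`permit|deny <regexp>`), regexp search against the space-joined authorization args, and the deny default when nothing matches are my assumptions, not verified against Radiator's source.

```python
import re
from typing import Iterable, List, Tuple

# Constructed example: the rules from the users file and the
# <ServerTACACSPLUS> clause in the mail above.
USER_RULES = [
    "deny   service=shell cmd=show cmd-arg=line",
    "permit service=shell cmd=someallowedcommand",
    "deny service=shell cmd=someforbiddencommand",
    "permit service=shell cmd=show cmd-arg=run",
]
GROUP_RULES = {
    "group2": [
        "permit service=shell cmd=show cmd-arg=line",
        "deny .*",
    ],
}


def parse_rule(rule: str) -> Tuple[str, "re.Pattern"]:
    """Split 'permit|deny <regexp>' into a verdict and a compiled pattern."""
    verdict, _, pattern = rule.strip().partition(" ")
    if verdict not in ("permit", "deny"):
        raise ValueError(f"bad rule: {rule!r}")
    return verdict, re.compile(pattern.strip())


def authorize(args: Iterable[str], user_rules: List[str], group: str,
              default: str = "deny") -> str:
    """Return 'permit' or 'deny' for one TACACS+ authorization request.

    User-specific rules are evaluated first, then the group's rules, as the
    log in the mail shows; the first rule whose pattern matches wins.
    Assumption: the pattern is searched in the space-joined args, and a
    request matching no rule at all falls through to `default`.
    """
    joined = " ".join(args)
    for rule in list(user_rules) + list(GROUP_RULES.get(group, [])):
        verdict, pattern = parse_rule(rule)
        if pattern.search(joined):
            return verdict  # first match decides, later rules never seen
    return default


if __name__ == "__main__":
    for cmd in (["cmd=show", "cmd-arg=line"], ["cmd=someallowedcommand"],
                ["cmd=someforbiddencommand"], ["cmd=show", "cmd-arg=run"]):
        print(cmd, authorize(["service=shell"] + cmd, USER_RULES, "group2"))
```

Running it reproduces the outcome described in the mail: 'show line' is denied by the user rule even though group2 permits it, while 'someallowedcommand' and 'show run' are permitted.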