Hello Markus - Radiator is operating as intended.
See section 5.86 in the Radiator 4.7 reference manual ("doc/ref.pdf").

regards

Hugh

On 18 Oct 2010, at 07:27, Markus Moeller wrote:

> With bug I mean is it intended to add the av pair to the authorisation
> exchange? I would have thought this would be only done as part of the
> authorisationgroup command
>
> Thank you
> Markus
>
> ----- Original Message -----
> From: Markus Moeller
> To: radiator@open.com.au
> Sent: Sunday, October 17, 2010 1:35 PM
> Subject: [RADIATOR] TACACS+ authorisation problem
>
> I have a problem with TACACS+ command authorisation.
>
> If I add an attribute to the authentication reply as shown below it seems
> that it is also added to the authorisation reply (see RESPONSE line). This
> creates a problem on the Cisco router and the command is denied. Is this a
> bug?
>
> Thank you
> Markus
>
> <Handler Service-Type=Administrative-User>
>     AuthByPolicy ContinueUntilAccept
>     AuthBy Users
>     AuthLog LogAuthentication
>     AddToReply cisco-avpair="priv-lvl=15"
> </Handler>
>
> Code: Access-Accept
> Identifier: UNDEF
> Authentic: <217><2><221>F<29><240><4>w<208>(<242>^<4>W:/
> Attributes:
>     cisco-avpair = "priv-lvl=15"
>
> Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection result Access-Accept
> Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
> Sun Oct 17 12:33:06 2010: DEBUG: TacacsplusConnection disconnected from 10.10.10.10:37060
> Sun Oct 17 12:33:09 2010: DEBUG: New TacacsplusConnection created for 10.10.10.10:37061
> Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 4287547660, 88
> Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, xxx, tty1, 10.20.1.1, 4, service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
> Sun Oct 17 12:33:09 2010: DEBUG: AuthorizeGroup rule match found: permit service=shell { }
> Sun Oct 17 12:33:09 2010: INFO: Authorization permitted for xxx, group test, args service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
> Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=15
> Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection disconnected from 10.10.10.10:37061

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
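
Added example (not part of the original thread and not Radiator code): a Python check that scans trace 4 output in the format posted above and reports authorization responses carrying AV pairs that the matched AuthorizeGroup rule did not list between its braces. The sample log is constructed from the lines in the thread; the field positions, the meaning of the braces, and a log in which requests are not interleaved are assumptions.

```python
import re

# Constructed sample: trace 4 lines modelled on the ones quoted in the thread.
# The second exchange (empty response args) is invented for contrast.
SAMPLE_LOG = """\
Sun Oct 17 12:33:09 2010: DEBUG: New TacacsplusConnection created for 10.10.10.10:37061
Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, xxx, tty1, 10.20.1.1, 4, service=shell cmd=show cmd-arg=running-config cmd-arg=<cr>
Sun Oct 17 12:33:09 2010: DEBUG: AuthorizeGroup rule match found: permit service=shell { }
Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , priv-lvl=15
Sun Oct 17 12:33:09 2010: DEBUG: TacacsplusConnection disconnected from 10.10.10.10:37061
Sun Oct 17 12:34:00 2010: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 1, 1, xxx, tty1, 10.20.1.1, 4, service=shell cmd=show cmd-arg=version cmd-arg=<cr>
Sun Oct 17 12:34:00 2010: DEBUG: AuthorizeGroup rule match found: permit service=shell { }
Sun Oct 17 12:34:00 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
"""

REQ = re.compile(r"Authorization REQUEST (.*)$")
RULE = re.compile(r"AuthorizeGroup rule match found: (\w+) (.*?)\s*\{(.*)\}")
RESP = re.compile(r"Authorization RESPONSE (\d+),([^,]*),([^,]*),(.*)$")


def find_unexpected_reply_args(log_text):
    """Return one finding per authorization response whose AV pairs are not
    listed in the braces of the AuthorizeGroup rule that matched the request."""
    findings, request, rule_attrs = [], None, set()
    for line in log_text.splitlines():
        if m := REQ.search(line):
            fields = m.group(1).split(", ", 8)
            if len(fields) < 9:
                continue
            # Assumption: 5th field is the user, last field the request args.
            request = {"user": fields[4], "args": fields[8]}
            rule_attrs = set()
        elif m := RULE.search(line):
            # Assumption: the braces hold the rule's own reply attributes.
            # Whitespace split is a simplification (no quoted values).
            rule_attrs = set(m.group(3).split())
        elif m := RESP.search(line):
            # Assumption: the 4th RESPONSE field is the returned AV-pair list.
            extra = [a for a in m.group(4).split() if a not in rule_attrs]
            if request and extra:
                findings.append({**request, "status": int(m.group(1)), "extra": extra})
            request = None
    return findings


if __name__ == "__main__":
    for f in find_unexpected_reply_args(SAMPLE_LOG):
        print(f"{f['user']}: '{f['args']}' answered with extra AV pairs {f['extra']}")
```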