Re: [RADIATOR] Perl module for MikroTik NAS

On 11/15/2012 04:54 PM, John Lodge wrote:
> Does anyone know of the existence of a perl module to communicate with a MikroTik NAS for auth? I see a number of files in the goodies directory that mention use with MikroTik, but there is no pm file in the nas directory.

Hello John,

the files in the Nas/ directory are only needed when you have simultaneous use limits *and* want to verify from the NAS if the limit really has been exceeded.

> Any suggestions or help would be greatly appreciated

As far as I know, Mikrotik works just like any other RADIUS NAS. The Mikrotik documentation should describe any vendor specific attributes (VSAs) it sends during authentication and accounting and what VSAs can be sent to it with Access-Accepts.

Thanks,
Heikki

--
Heikki Vatiainen h...@open.com.au
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
[RADIATOR] Handlers in Radiator

Hi,

I have different groups with different sets of privilege levels and rules. I want to do TACACS auth from the Radiator MySQL database, but the reply message always comes with one group identifier. Do I need to set up different Handlers for different group privileges?

Thanks

MURAT BİLAL
Services Engineer
Ericsson Turkey CU Customer Support
Cyber Plaza C Blok Kat:1 No:146 Cyberpark 6800 Bilkent/Ankara
Mobile +90 554 898 98 43
murat.bi...@ericsson.com
www.ericsson.com
Re: [RADIATOR] AddToReply tacacsgroup

On 11/15/2012 10:34 PM, Murat Bilal wrote:
> I have three different groups for TACACS authorization. My radius .cfg is like that:

Hello Murat,

you can have only one AddToReply line in an AuthBy. This is why you get DEFAULT with the Access-Accept. Try removing all except one that adds group3.

The authorize arguments the device sends are:

  service=shell cmd* command-access*

The matching AuthorizeGroup for group3 would be this:

  AuthorizeGroup group3 permit service=shell cmd\* command-access\* {priv-lvl=15}

Since the patterns, such as cmd\*, are regular expressions, you need to escape any special characters such as '*'.

I suggest you should re-read the reference manual ServerTACACSPLUS entry with goodies/servertacacsplus.cfg. I'd say you are currently changing too many things simultaneously, fixing some things while breaking others. Now would be a good time to review how TACACS+ authentication and authorization works with Radiator.

Thanks,
Heikki

> <ServerTACACSPLUS>
>     Key *
>     AddToRequest NAS-Identifier=TACACS
>     GroupMemberAttr tacacsgroup
>     AuthorizeGroup group1 permit service=shell cmd=show cmd-args=.*
>     AuthorizeGroup group1 permit .*
>     # AuthorizeGroup DEFAULT deny .*
>     AuthorizeGroup group3 permit service=shell cmd\* {priv-lvl=15}
> </ServerTACACSPLUS>
>
> <Handler>
>     <AuthBy SQL>
>         # Change DBSource, DBUsername, DBAuth for your database
>         # See the reference manual. You will also have to
>         # change the one in SessionDatabase SQL below
>         # so it's the same
>         DBSource dbi:mysql:radius:localhost
>         DBUsername raduser
>         DBAuth raduser
>         # Never look up the DEFAULT user
>         NoDefault
>         # You can customise the SQL query used to get user details with the
>         # AuthSelect parameter:
>         AuthSelect select PASSWORD 'Auth-Type=AuthSQL', 'GroupList=group1 group2 group3' from SUBSCRIBERS where USERNAME=%0
>         AddToReply tacacsgroup= group1
>         AddToReply tacacsgroup= group3
>         AddToReply tacacsgroup= DEFAULT
>
> I try with user mikem in group1. And the trace log:
>
> Thu Nov 15 22:31:17 2012: DEBUG: Query to 'dbi:mysql:radius:localhost': 'select PASSWORD 'Auth-Type=AuthSQL', 'GroupList=group1 group2 group3' from SUBSCRIBERS where USERNAME='mikem'':
> Thu Nov 15 22:31:17 2012: DEBUG: Radius::AuthSQL looks for match with mikem [mikem]
> Thu Nov 15 22:31:17 2012: DEBUG: Query to 'dbi:mysql:radius:localhost': 'select GROUPNAME from GROUPS where USERNAME='mikem' and GROUPNAME='group1'':
> Thu Nov 15 22:31:17 2012: DEBUG: Radius::AuthSQL ACCEPT: : mikem [mikem]
> Thu Nov 15 22:31:17 2012: DEBUG: AuthBy SQL result: ACCEPT,
> Thu Nov 15 22:31:17 2012: DEBUG: Access accepted for mikem
> Thu Nov 15 22:31:17 2012: DEBUG: do query to 'dbi:mysql:radmin:localhost': 'insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (1353011477, 'mikem', 1)':
> Thu Nov 15 22:31:17 2012: DEBUG: Packet dump:
> Reply to TACACSPLUS request:
> Code: Access-Accept
> Identifier: UNDEF
> Authentic: p146261924H23516\21252v.14215228
> Attributes:
>     tacacsgroup = DEFAULT
>
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection result Access-Accept
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection disconnected from 93.155.11.54:58517
> Thu Nov 15 22:31:17 2012: DEBUG: New TacacsplusConnection created for 93.155.11.54:61939
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection request 192, 3, 1, 0, 3529830477, 105
> Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Accounting REQUEST 2, 6, 0, 1, 1, mikem@local, /dev/ttyp3, 78.169.249.3, 4, start_time=1353011477 task_id=10700 timezone=GMT service=shell
> Thu Nov 15 22:31:17 2012: DEBUG: TACACSPLUS derived Radius request packet dump:
> Code: Accounting-Request
> Identifier: UNDEF
> Authentic: p23514310U177d206X_Z168O12931j
> Attributes:
>     NAS-IP-Address = 93.155.11.54
>     NAS-Port-Id = /dev/ttyp3
>     Calling-Station-Id = 78.169.249.3
>     NAS-Identifier = TACACS
>     User-Name = mikem@local
>     Acct-Status-Type = Start
>     Acct-Session-Id = 3529830477
>     cisco-avpair = start_time=1353011477
>     cisco-avpair = task_id=10700
>     cisco-avpair = timezone=GMT
>     cisco-avpair = service=shell
>     OSC-Version-Identifier = 192
>
> Thu Nov 15 22:31:17 2012: DEBUG: Handling request with Handler '', Identifier ''
> Thu Nov 15 22:31:17 2012: DEBUG: Adding session for mikem@local, 93.155.11.54,
> Thu Nov 15 22:31:17 2012: DEBUG: do
Re: [RADIATOR] AddToReply tacacsgroup

Actually I mean, if I have 2 different privilege level groups, for example one of them has priv-lvl=15 and the other priv-lvl=1, do I need 2 different AuthBys?

Thanks

-----Original Message-----
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On Behalf Of Heikki Vatiainen
Sent: Friday, 16 November 2012 13:31
To: radiator@open.com.au
Subject: Re: [RADIATOR] AddToReply tacacsgroup
Re: [RADIATOR] AddToReply tacacsgroup

On 11/16/2012 01:56 PM, Murat Bilal wrote:
> Actually I mean, if I have 2 different privilege level groups, for example one of them has priv-lvl=15 and the other priv-lvl=1, do I need 2 different AuthBys?

This is done (usually) with one AuthBy. The correct value for AuthorizeGroupAttr depends on the user. The user has the correct authorization group configured as the reply attribute. For AuthBy SQL, see the AuthSelect and AuthColumnDef documentation for more information.

Thanks,
Heikki
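Added example, not from the thread: the single-AuthBy setup Heikki describes in both of his replies above, with the per-user group coming from an AuthSelect column via AuthColumnDef instead of a fixed AddToReply, and AuthorizeGroup patterns that escape the literal '*'. The TACGROUP column, the group names admins and operators, the shared secret placeholder, and the use of AuthorizeGroupAttr (the parameter Heikki names; the thread's own config used GroupMemberAttr) are assumptions.

```text
# Assumed table: SUBSCRIBERS(USERNAME, PASSWORD, TACGROUP), where the
# hypothetical TACGROUP column holds 'admins' or 'operators' per user.

<ServerTACACSPLUS>
    Key CHANGE-ME-shared-secret
    AddToRequest NAS-Identifier=TACACS
    # Reply attribute whose value selects the AuthorizeGroup rule set
    # (the default attribute would be OSC-Group-Identifier)
    AuthorizeGroupAttr tacacsgroup

    # The device sends: service=shell cmd* command-access*
    # Patterns are regular expressions, so the literal '*' is escaped.
    AuthorizeGroup admins    permit service=shell cmd\* command-access\* {priv-lvl=15}
    AuthorizeGroup admins    permit .*

    # Operators get an exec shell at priv-lvl 1 and may only run "show".
    AuthorizeGroup operators permit service=shell cmd\* command-access\* {priv-lvl=1}
    AuthorizeGroup operators permit service=shell cmd=show cmd-args=.*
    AuthorizeGroup operators deny .*

    # Anyone whose reply carries no known group gets nothing.
    AuthorizeGroup DEFAULT   deny .*
</ServerTACACSPLUS>

<Handler>
    <AuthBy SQL>
        DBSource   dbi:mysql:radius:localhost
        DBUsername raduser
        DBAuth     raduser
        # Never look up the DEFAULT user
        NoDefault
        # Column 0 is the password (check item); column 1 is returned as
        # the tacacsgroup reply attribute, so no AddToReply is needed and
        # each user carries their own group.
        AuthSelect select PASSWORD, TACGROUP from SUBSCRIBERS where USERNAME=%0
        AuthColumnDef 0,User-Password,check
        AuthColumnDef 1,tacacsgroup,reply
    </AuthBy>
</Handler>
```

With this layout a user whose TACGROUP is operators is answered with priv-lvl=1 and only the show command, while an admins user gets priv-lvl=15; a user with an unexpected group value falls through to the DEFAULT deny.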
Re: [RADIATOR] AddToReply tacacsgroup

Then how do I define the AddToReply OSC-Group-Identifier clause if you have two different priv groups? AuthSQL accepts only one AddToReply clause. If I do not define an AddToReply clause I got this:

  Authorization denied for user, group DEFAULT. No matching AuthorizeGroup rule for args service=shell cmd* command-access*

-----Original Message-----
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On Behalf Of Heikki Vatiainen
Sent: Friday, 16 November 2012 16:03
To: radiator@open.com.au
Subject: Re: [RADIATOR] AddToReply tacacsgroup