(RADIATOR) Username missing from AuthLog using TACACS

2003-12-03 Thread Steve Rogers



Hi,

We are using TACACS with AuthLog FILE and logging the username from
Access-Requests. Our config file excerpts are below. The problem is that
using %u we never see the username logged from the User-Name attribute
in the radius Access Request. Changing the %u to %{User-Name} works with
no problems.

Config file:

<AuthLog FILE>
    Identifier      AuthLogger
    Filename        %L/%Y%m%d-auth.log
    SuccessFormat   %l:%c:%u:OK
    FailureFormat   %l:%c:%u:FAIL
    LogSuccess      1
    LogFailure      1
</AuthLog>

<ServerTACACSPLUS>
    Key
    AddToRequest NAS-Identifier=TACACS
</ServerTACACSPLUS>

<Realm DEFAULT>
    AuthLog AuthLogger
    <AuthBy FILE>
        Filename tacacs.users
    </AuthBy>
    AcctLogFileName %L/%Y%m%d-acct.log
</Realm>

Authlog result:

Tue Dec  2 16:05:25 2003:192.168.x.x.::OK

After changing the AuthLog format to use %{User-Name} the logfile looks
like:

Wed Dec  3 10:06:21 2003:192.168.x.x:justin:OK

Using radiator 3.7.1 with latest patches.

Thanks
Steve
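
An added example (not part of the original message and not Radiator code): a check over AuthLog FILE output written with the `%l:%c:%u:OK` / `%l:%c:%u:FAIL` formats above that flags records whose username field is empty, as in the first result shown. The sample lines and the names `RECORD`, `audit` and `parse_user` are constructed for illustration.

```python
import re

# Layout written by SuccessFormat/FailureFormat "%l:%c:%u:OK" / ":FAIL".
# %l is a ctime-style timestamp that itself contains colons, so it is matched
# as a fixed prefix instead of splitting the whole line on ":".
# Assumption: %c is an IPv4 address or hostname (no colons).
RECORD = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})"
    r":(?P<client>[^:]*)"
    r":(?P<user>.*)"          # greedy: usernames may contain ':'
    r":(?P<result>OK|FAIL)$"
)

# Constructed sample log (192.0.2.0/24 is a documentation range).
SAMPLE = """\
Tue Dec  2 16:05:25 2003:192.0.2.10::OK
Tue Dec  2 16:07:02 2003:192.0.2.10::FAIL
Wed Dec  3 10:06:21 2003:192.0.2.10:justin:OK
Wed Dec  3 10:09:48 2003:192.0.2.11:ops:admin:FAIL
this line is not an AuthLog record
"""


def parse_user(line):
    """Return the username field of one record, or None if it does not parse."""
    m = RECORD.match(line)
    return m.group("user") if m else None


def audit(lines):
    """Return records with an empty username and lines that do not parse."""
    missing, unparsed = [], []
    for lineno, line in enumerate(lines, start=1):
        line = line.rstrip("\r\n")
        if not line.strip():
            continue
        m = RECORD.match(line)
        if m is None:
            unparsed.append(lineno)
        elif not m.group("user").strip():
            # An accept or reject that cannot be attributed to an identity.
            missing.append((lineno, m.group("client"), m.group("result")))
    return {"missing_user": missing, "unparsed": unparsed}


if __name__ == "__main__":
    print(audit(SAMPLE.splitlines()))
```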


(RADIATOR) Propel Dictionary

2003-12-03 Thread Craig Gittens
Hey guys,

I want to add some attributes to the dictionary file or create a new one for
Propel. Can you guide me please?

They Are:

VENDOR Propel 14895
ATTRIBUTE Propel-Accelerate 1   integer
ATTRIBUTE Propel-Dialed-Digits  2   string
ATTRIBUTE Propel-Client-IP-Address  3   ipaddr
ATTRIBUTE Propel-Client-NAS-IP-Address  4   ipaddr
ATTRIBUTE Propel-Client-Source-ID   5   integer

Thanks,

Craig.


===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.


Re: (RADIATOR) Propel Dictionary

2003-12-03 Thread Hugh Irvine
Hello Craig -

I have added these attributes to the dictionary and I will send you the 
modified version in a separate mail.

It will also be available in the patches area later today.

regards

Hugh

On 04/12/2003, at 7:06 AM, Craig Gittens wrote:

> Hey guys,
>
> I want to add some attributes to the dictionary file or create a new
> one for Propel. Can you guide me please?
>
> They Are:
>
> VENDOR Propel 14895
> ATTRIBUTE Propel-Accelerate 1   integer
> ATTRIBUTE Propel-Dialed-Digits  2   string
> ATTRIBUTE Propel-Client-IP-Address  3   ipaddr
> ATTRIBUTE Propel-Client-NAS-IP-Address  4   ipaddr
> ATTRIBUTE Propel-Client-Source-ID   5   integer
>
> Thanks,
>
> Craig.


NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.


Re: (RADIATOR) Username missing from AuthLog using TACACS

2003-12-03 Thread Mike McCauley
Hello Steve,


On Wed, 3 Dec 2003 10:41 pm, Steve Rogers wrote:
> Hi,
>
> We are using TACACS with AuthLog FILE and logging the username from
> Access-Requests. Our config file excerpts are below. The problem is that
> using %u we never see the username logged from the User-Name attribute
> in the radius Access Request. Changing the %u to %{User-Name} works with
> no problems.

Thanks for reporting this.
We have issued a patch that should fix this problem, and attached a new 
ServerTACACSPLUS.pm for you to test.

We apologise for this problem.

Cheers.


> Config file:
>
> <AuthLog FILE>
>     Identifier      AuthLogger
>     Filename        %L/%Y%m%d-auth.log
>     SuccessFormat   %l:%c:%u:OK
>     FailureFormat   %l:%c:%u:FAIL
>     LogSuccess      1
>     LogFailure      1
> </AuthLog>
>
> <ServerTACACSPLUS>
>     Key
>     AddToRequest NAS-Identifier=TACACS
> </ServerTACACSPLUS>
>
> <Realm DEFAULT>
>     AuthLog AuthLogger
>     <AuthBy FILE>
>         Filename tacacs.users
>     </AuthBy>
>     AcctLogFileName %L/%Y%m%d-acct.log
> </Realm>
>
> Authlog result:
>
> Tue Dec  2 16:05:25 2003:192.168.x.x.::OK
>
> After changing the AuthLog format to use %{User-Name} the logfile looks
> like:
>
> Wed Dec  3 10:06:21 2003:192.168.x.x:justin:OK
>
> Using radiator 3.7.1 with latest patches.
>
> Thanks
> Steve

-- 
Mike McCauley                               [EMAIL PROTECTED]
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

# ServerTACACSPLUS.pm
#
# Object for receiving TACACS+ requests and satisfying them
# Incoming TACACS+ authentication requests are converted into 
# Radius requests. ASCII, PAP, CHAP and MSCHAP are supported.
# Incoming TACACS+ authorization requests are always approved,
# and any cisco-avpair reply items from the previous Radius Access-Accept are 
# used as authorization attribute-value pairs
# Incoming TACACS+ accounting requests are converted into Radius
# accounting requests.
#
# Based on draft-grant-tacacs-02.txt 
#
# Author: Mike McCauley ([EMAIL PROTECTED])
# Copyright (C) 2003 Open System Consultants
# $Id: ServerTACACSPLUS.pm,v 1.15 2003/12/03 22:03:42 mikem Exp mikem $

package Radius::ServerTACACSPLUS;
@ISA = qw(Radius::Configurable);
use Radius::Configurable;
use Radius::Context;
use Digest::MD5;
use Socket;
use strict;

# Version numbers
$Radius::ServerTACACSPLUS::TAC_PLUSMAJOR_VERSION          = 0xc;
$Radius::ServerTACACSPLUS::TAC_PLUS_MINOR_VERSION_DEFAULT = 0;
$Radius::ServerTACACSPLUS::TAC_PLUSMINOR_VERSION_ONE      = 1;

# Request types
$Radius::ServerTACACSPLUS::TAC_PLUS_AUTHEN = 1;
$Radius::ServerTACACSPLUS::TAC_PLUS_AUTHOR = 2;
$Radius::ServerTACACSPLUS::TAC_PLUS_ACCT   = 3;

# Flags
$Radius::ServerTACACSPLUS::TAC_PLUS_UNENCRYPTED_FLAG    = 0x01; # Not really used!
$Radius::ServerTACACSPLUS::TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04;

# Authentication Start actions
$Radius::ServerTACACSPLUS::TAC_PLUS_AUTHEN_LOGIN    = 1;
$Radius::ServerTACACSPLUS::TAC_PLUS_AUTHEN_CHPASS   = 2;
$Radius::ServerTACACSPLUS::TAC_PLUS_AUTHEN_SENDPASS = 3;
$Radius::ServerTACACSPLUS::TAC_PLUS_AUTHEN_SENDAUTH = 4;

# Authentication Start privilege levels
$Radius::ServerTACACSPLUS::TAC_PLUS_PRIV_LVL_MAX  = 0x0f;
$Radius::ServerTACACSPLUS::TAC_PLUS_PRIV_LVL_ROOT = 0x0f;
$Radius::ServerTACACSPLUS::TAC_PLUS_PRIV_LVL_USER = 0x01;
$Radius::ServerTACACSPLUS::TAC_PLUS_PRIV_LVL_MIN  = 0x00;

# Authentication Start authentication types
$Radius::ServerTACACSPLUS::TAC_PLUS_AUTHEN_TYPE_ASCII  = 1;
$Radius::ServerTACACSPLUS::TAC_PLUS_AUTHEN_TYPE_PAP    = 2;
$Radius::ServerTACACSPLUS::TAC_PLUS_AUTHEN_TYPE_CHAP   = 3;
$Radius::ServerTACACSPLUS::TAC_PLUS_AUTHEN_TYPE_ARAP   = 4;
$Radius::ServerTACACSPLUS::TAC_PLUS_AUTHEN_TYPE_MSCHAP = 5;

# Authentication Start service types
$Radius::ServerTACACSPLUS::TAC_PLUS_AUTHEN_SVC_NONE    = 0;
$Radius::ServerTACACSPLUS::TAC_PLUS_AUTHEN_SVC_LOGIN   = 1;
$Radius::ServerTACACSPLUS::TAC_PLUS_AUTHEN_SVC_ENABLE  = 2;
$Radius::ServerTACACSPLUS::TAC_PLUS_AUTHEN_SVC_PPP     = 3;
$Radius::ServerTACACSPLUS::TAC_PLUS_AUTHEN_SVC_ARAP    = 4;
$Radius::ServerTACACSPLUS::TAC_PLUS_AUTHEN_SVC_PT      = 5;
$Radius::ServerTACACSPLUS::TAC_PLUS_AUTHEN_SVC_RCMD    = 6;
$Radius::ServerTACACSPLUS::TAC_PLUS_AUTHEN_SVC_X25     = 7;
$Radius::ServerTACACSPLUS::TAC_PLUS_AUTHEN_SVC_NASI    = 8;
$Radius::ServerTACACSPLUS::TAC_PLUS_AUTHEN_SVC_FWPROXY = 9;

# Authentication Start status types
$Radius::ServerTACACSPLUS::TAC_PLUS_AUTHEN_STATUS_PASS = 1;

Re: (RADIATOR) Propel Dictionary

2003-12-03 Thread Julio Cesar Pinto
Hi.

You can include in your dictionary the attributes in this schema.

VENDORATTR  14895   Propel-Accelerate   1   integer 

JC.

On Wed, 2003-12-03 at 15:06, Craig Gittens wrote:
> Hey guys,
>
> I want to add some attributes to the dictionary file or create a new one for
> Propel. Can you guide me please?
>
> They Are:
>
> VENDOR Propel 14895
> ATTRIBUTE Propel-Accelerate   1   integer
> ATTRIBUTE Propel-Dialed-Digits    2   string
> ATTRIBUTE Propel-Client-IP-Address    3   ipaddr
> ATTRIBUTE Propel-Client-NAS-IP-Address    4   ipaddr
> ATTRIBUTE Propel-Client-Source-ID     5   integer
>
> Thanks,
>
> Craig.
 
-- 
Julio Cesar Pinto [EMAIL PROTECTED]
IFX NETWORKS
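
An added example (not from the thread and not Radiator code): converting the VENDOR/ATTRIBUTE lines from the question into the one-line VENDORATTR form shown in this reply, and packing a value as a RADIUS Vendor-Specific attribute (type 26, RFC 2865 section 5.26) so the vendor number and attribute number can be checked against a packet capture. The function names and the values passed to `encode_vsa` are constructed for illustration.

```python
import socket
import struct

# The dictionary lines from the question (whitespace normalised).
QUESTION_LINES = """\
VENDOR Propel 14895
ATTRIBUTE Propel-Accelerate 1 integer
ATTRIBUTE Propel-Dialed-Digits 2 string
ATTRIBUTE Propel-Client-IP-Address 3 ipaddr
ATTRIBUTE Propel-Client-NAS-IP-Address 4 ipaddr
ATTRIBUTE Propel-Client-Source-ID 5 integer
"""


def to_vendorattr(text):
    """Parse VENDOR/ATTRIBUTE lines into (vendor, name, number, type) tuples."""
    vendor, entries = None, []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "VENDOR" and len(fields) == 3:
            vendor = int(fields[2])
        elif fields[0] == "ATTRIBUTE" and len(fields) == 4 and vendor is not None:
            entries.append((vendor, fields[1], int(fields[2]), fields[3]))
        else:
            raise ValueError("unrecognised dictionary line: %r" % raw)
    return entries


def format_vendorattr(entry):
    """Render one tuple in the single-line VENDORATTR form."""
    return "VENDORATTR %d %s %d %s" % entry


def encode_vsa(entry, value):
    """Pack a value as a Vendor-Specific attribute (type 26)."""
    vendor, _name, number, kind = entry
    if kind == "integer":
        data = struct.pack("!I", value)
    elif kind == "ipaddr":
        data = socket.inet_aton(value)
    elif kind == "string":
        data = value.encode("utf-8")
    else:
        raise ValueError("unsupported type: %s" % kind)
    if not 0 < number < 256 or len(data) > 247:  # 255 minus 8 header bytes
        raise ValueError("attribute does not fit in one VSA")
    sub = struct.pack("!BB", number, len(data) + 2) + data
    return struct.pack("!BBI", 26, len(sub) + 6, vendor) + sub
```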



Re: (RADIATOR) defunct processes

2003-12-03 Thread Hugh Irvine
Hello Daniel -

I can't tell from your configuration file what might be happening.

The only thing I can guess is perhaps your startup script is starting 
more than one instance.

What hardware/software platform are you running on and what processes 
are you seeing?

Also, what versions of Radiator and Perl are you running?

regards

Hugh

On 04/12/2003, at 4:21 AM, Daniel Bendersky wrote:

> Hi,
>
> Sorry for being so late in sending you the conf file. I was in the middle of
> a migration without much time, and the configuration is split into a
> lot of parts, so I joined them to send to you.
>
> Let me know if you find something that can cause the defuncts.
>
> thanks!


