Re: [RADIATOR] Perl module for MikroTik NAS
On 11/15/2012 04:54 PM, John Lodge wrote: Does anyone know of the existence of a perl module to communicate with a MikroTik NAS for auth. I see a number of files in the goodies directory that mention use with MikroTik, but there is no pm file in the nas directory. Hello John, the files in Nas/ directory are only needed when you have simultaneous use limits *and* want to verify from the NAS if the limit really has been exceeded. Any suggestions or help would be greatly appreciated As far as I know, Mikrotik works just like any other RADIUS NAS. The Mikrotik documentation should describe any vendor specific attributes (VSAs) it sends during authentication and accounting and what VSAs it can be sent with Access-Accepts. Thanks, Heikki -- Heikki Vatiainen h...@open.com.au Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
[RADIATOR] Handlers in Radiator
Hi I have different groups with different set of privilege levels and rules.I want to make TACACS auth from radiator mysql database.But reply message always come from one group identifier. Do I need to setup different Handlers for different group priv.? Thanks MURAT BİLAL Services Engineer Ericsson Turkey CU Customer Support Cyber Plaza C Blok Kat:1 No:146 Cyberpark 6800 Bilkent/Ankara Mobile +90 554 898 98 43 murat.bi...@ericsson.commailto:murat.bi...@ericsson.com www.ericsson.com [cid:image001.png@01CDC3F8.78A22390]http://www.ericsson.com/ This Communication is Confidential. We only send and receive email on the basis of the terms set out at www.ericsson.com/email_disclaimerhttp://www.ericsson.com/email_disclaimer inline: image001.png___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] AddToReply tacacsgroup
On 11/15/2012 10:34 PM, Murat Bilal wrote:
I have three dıfferent groups and for TACACS authorization.My radius
.cfg is like that
Hello Murat,
you can have only one AddToReply line in an AuthBy. This is why you get
DEFAULT with the Access-Accept. Try removing all except one that adds
group3.
The authorize arguments the device sends are:
service=shell cmd* command-access*
The matching AuthorizeGroup for group3 would be this:
AuthorizeGroup group3 permit service=shell cmd\* command-access\*
{priv-lvl=15}
Since the patterns, such as cmd\*, are regular expressions, you need to
escape any special characters such as '*'.
I suggest you should re-read the reference manual ServerTACACSPLUS entry
with goodies/servertacacsplus.cfg. I'd you are currently changing too
many things simultaneously fixing some things while breaking others. Now
would be good time to review how TACACS+ authentication and
authorization works with Radiator.
Thanks,
Heikki
ServerTACACSPLUS
Key *
AddToRequest NAS-Identifier=TACACS
GroupMemberAttr tacacsgroup
AuthorizeGroup group1 permit service=shell cmd=show cmd-args=.*
AuthorizeGroup group1 permit .*
# AuthorizeGroup DEFAULT deny .*
AuthorizeGroup group3 permit service=shell cmd\* {priv-lvl=15}
/ServerTACACSPLUS
Handler
AuthBy SQL
# Change DBSource, DBUsername, DBAuth for your database
# See the reference manual. You will also have to
# change the one in SessionDatabse SQL below
# so its the same
DBSourcedbi:mysql:radius:localhost
DBUsername raduser
DBAuth raduser
# Never look up the DEFAULT user
NoDefault
# You can customise the SQL query used to get user details with the
# AuthSelect parameter:
AuthSelect select PASSWORD 'Auth-Type=AuthSQL',
'GroupList=group1 group2 group3' from SUBSCRIBERS where USERNAME=%0
-
AddToReply tacacsgroup= group1
AddToReply tacacsgroup= group3
AddToReply tacacsgroup= DEFAULT
*I try with user mikem in group1.And the trace log*
* *
* *
*Thu Nov 15 22:31:17 2012: DEBUG: Query to 'dbi:mysql:radius:localhost':
'select PASSWORD 'Auth-Type=AuthSQL', 'GroupList=group1 group2 group3'
from SUBSCRIBERS where USERNAME='mikem'': *
*Thu Nov 15 22:31:17 2012: DEBUG: Radius::AuthSQL looks for match with
mikem [mikem]*
*Thu Nov 15 22:31:17 2012: DEBUG: Query to 'dbi:mysql:radius:localhost':
'select GROUPNAME from GROUPS where USERNAME='mikem' and
GROUPNAME='group1'': *
*Thu Nov 15 22:31:17 2012: DEBUG: Radius::AuthSQL ACCEPT: : mikem [mikem]*
*Thu Nov 15 22:31:17 2012: DEBUG: AuthBy SQL result: ACCEPT, *
*Thu Nov 15 22:31:17 2012: DEBUG: Access accepted for mikem*
*Thu Nov 15 22:31:17 2012: DEBUG: do query to
'dbi:mysql:radmin:localhost': 'insert into RADAUTHLOG (TIME_STAMP,
USERNAME, TYPE) values (1353011477, 'mikem', 1)': *
*Thu Nov 15 22:31:17 2012: DEBUG: Packet dump:*
Reply to TACACSPLUS request:*
*Code: Access-Accept*
*Identifier: UNDEF*
*Authentic: p146261924H23516\21252v.14215228*
*Attributes:*
*tacacsgroup = DEFAULT*
* *
*Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection result Access-Accept*
*Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Authentication
REPLY 1, 0, , *
*Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection disconnected from
93.155.11.54:58517*
*Thu Nov 15 22:31:17 2012: DEBUG: New TacacsplusConnection created for
93.155.11.54:61939*
*Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection request 192, 3,
1, 0, 3529830477, 105*
*Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Accounting
REQUEST 2, 6, 0, 1, 1, mikem@local, /dev/ttyp3, 78.169.249.3, 4,
start_time=1353011477 task_id=10700 timezone=GMT service=shell*
*Thu Nov 15 22:31:17 2012: DEBUG: TACACSPLUS derived Radius request
packet dump:*
*Code: Accounting-Request*
*Identifier: UNDEF*
*Authentic: p23514310U177d206X_Z168O12931j*
*Attributes:*
*NAS-IP-Address = 93.155.11.54*
*NAS-Port-Id = /dev/ttyp3*
*Calling-Station-Id = 78.169.249.3*
*NAS-Identifier = TACACS*
*User-Name = mikem@local*
*Acct-Status-Type = Start*
*Acct-Session-Id = 3529830477*
*cisco-avpair = start_time=1353011477*
*cisco-avpair = task_id=10700*
*cisco-avpair = timezone=GMT*
*cisco-avpair = service=shell*
*OSC-Version-Identifier = 192*
* *
*Thu Nov 15 22:31:17 2012: DEBUG: Handling request with Handler '',
Identifier ''*
*Thu Nov 15 22:31:17 2012: DEBUG: Adding session for mikem@local,
93.155.11.54, *
*Thu Nov 15 22:31:17 2012: DEBUG: do
Re: [RADIATOR] AddToReply tacacsgroup
Actually I mean If I have 2 different privilege level groups.For example one of
the have priv-lvl=15, the other is priv-lvl=1 .Do I need 2 different AuthBy
Thanks
-Original Message-
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On
Behalf Of Heikki Vatiainen
Sent: 16 Kasım 2012 Cuma 13:31
To: radiator@open.com.au
Subject: Re: [RADIATOR] AddToReply tacacsgroup
On 11/15/2012 10:34 PM, Murat Bilal wrote:
I have three dıfferent groups and for TACACS authorization.My radius
.cfg is like that
Hello Murat,
you can have only one AddToReply line in an AuthBy. This is why you get DEFAULT
with the Access-Accept. Try removing all except one that adds group3.
The authorize arguments the device sends are:
service=shell cmd* command-access*
The matching AuthorizeGroup for group3 would be this:
AuthorizeGroup group3 permit service=shell cmd\* command-access\*
{priv-lvl=15}
Since the patterns, such as cmd\*, are regular expressions, you need to escape
any special characters such as '*'.
I suggest you should re-read the reference manual ServerTACACSPLUS entry with
goodies/servertacacsplus.cfg. I'd you are currently changing too many things
simultaneously fixing some things while breaking others. Now would be good time
to review how TACACS+ authentication and authorization works with Radiator.
Thanks,
Heikki
ServerTACACSPLUS
Key *
AddToRequest NAS-Identifier=TACACS
GroupMemberAttr tacacsgroup
AuthorizeGroup group1 permit service=shell cmd=show
cmd-args=.*
AuthorizeGroup group1 permit .*
# AuthorizeGroup DEFAULT deny .*
AuthorizeGroup group3 permit service=shell cmd\*
{priv-lvl=15}
/ServerTACACSPLUS
Handler
AuthBy SQL
# Change DBSource, DBUsername, DBAuth for your
database
# See the reference manual. You will also have to
# change the one in SessionDatabse SQL below
# so its the same
DBSourcedbi:mysql:radius:localhost
DBUsername raduser
DBAuth raduser
# Never look up the DEFAULT user
NoDefault
# You can customise the SQL query used to get user details with the
# AuthSelect parameter:
AuthSelect select PASSWORD 'Auth-Type=AuthSQL',
'GroupList=group1 group2 group3' from SUBSCRIBERS where USERNAME=%0
-
AddToReply tacacsgroup= group1
AddToReply tacacsgroup= group3
AddToReply tacacsgroup= DEFAULT
*I try with user mikem in group1.And the trace log*
* *
* *
*Thu Nov 15 22:31:17 2012: DEBUG: Query to 'dbi:mysql:radius:localhost':
'select PASSWORD 'Auth-Type=AuthSQL', 'GroupList=group1 group2 group3'
from SUBSCRIBERS where USERNAME='mikem'': *
*Thu Nov 15 22:31:17 2012: DEBUG: Radius::AuthSQL looks for match with
mikem [mikem]*
*Thu Nov 15 22:31:17 2012: DEBUG: Query to 'dbi:mysql:radius:localhost':
'select GROUPNAME from GROUPS where USERNAME='mikem' and
GROUPNAME='group1'': *
*Thu Nov 15 22:31:17 2012: DEBUG: Radius::AuthSQL ACCEPT: : mikem
[mikem]*
*Thu Nov 15 22:31:17 2012: DEBUG: AuthBy SQL result: ACCEPT, *
*Thu Nov 15 22:31:17 2012: DEBUG: Access accepted for mikem*
*Thu Nov 15 22:31:17 2012: DEBUG: do query to
'dbi:mysql:radmin:localhost': 'insert into RADAUTHLOG (TIME_STAMP,
USERNAME, TYPE) values (1353011477, 'mikem', 1)': *
*Thu Nov 15 22:31:17 2012: DEBUG: Packet dump:*
Reply to TACACSPLUS request:*
*Code: Access-Accept*
*Identifier: UNDEF*
*Authentic: p146261924H23516\21252v.14215228*
*Attributes:*
*tacacsgroup = DEFAULT*
* *
*Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection result
Access-Accept*
*Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Authentication
REPLY 1, 0, , *
*Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection disconnected
from
93.155.11.54:58517*
*Thu Nov 15 22:31:17 2012: DEBUG: New TacacsplusConnection created for
93.155.11.54:61939*
*Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection request 192, 3,
1, 0, 3529830477, 105*
*Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Accounting
REQUEST 2, 6, 0, 1, 1, mikem@local, /dev/ttyp3, 78.169.249.3, 4,
start_time=1353011477 task_id=10700 timezone=GMT service=shell*
*Thu Nov 15 22:31:17 2012: DEBUG: TACACSPLUS derived Radius request
packet dump:*
*Code: Accounting-Request*
*Identifier: UNDEF*
*Authentic: p23514310U177d206X_Z168O12931j*
*Attributes:*
*NAS-IP-Address = 93.155.11.54*
*NAS-Port-Id = /dev/ttyp3*
*Calling-Station-Id = 78.169.249.3*
*NAS-Identifier = TACACS*
*User-Name = mikem@local*
*Acct-Status-Type = Start*
*Acct-Session-Id = 3529830477*
*
Re: [RADIATOR] AddToReply tacacsgroup
On 11/16/2012 01:56 PM, Murat Bilal wrote:
Actually I mean If I have 2 different privilege level groups.For example one
of the have priv-lvl=15, the other is priv-lvl=1 .Do I need 2 different AuthBy
This is done (usually) with one AuthBy. The correct value for
AuthorizeGroupAttr depends on the user. The user has the correct
authorization group configured as the reply attribute.
For AuthBy SQL, see AuthSelect and AuthColumnDef documentation for more
information.
Thanks,
Heikki
Thanks
-Original Message-
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On
Behalf Of Heikki Vatiainen
Sent: 16 Kasım 2012 Cuma 13:31
To: radiator@open.com.au
Subject: Re: [RADIATOR] AddToReply tacacsgroup
On 11/15/2012 10:34 PM, Murat Bilal wrote:
I have three dıfferent groups and for TACACS authorization.My radius
.cfg is like that
Hello Murat,
you can have only one AddToReply line in an AuthBy. This is why you get
DEFAULT with the Access-Accept. Try removing all except one that adds group3.
The authorize arguments the device sends are:
service=shell cmd* command-access*
The matching AuthorizeGroup for group3 would be this:
AuthorizeGroup group3 permit service=shell cmd\* command-access\*
{priv-lvl=15}
Since the patterns, such as cmd\*, are regular expressions, you need to
escape any special characters such as '*'.
I suggest you should re-read the reference manual ServerTACACSPLUS entry with
goodies/servertacacsplus.cfg. I'd you are currently changing too many things
simultaneously fixing some things while breaking others. Now would be good
time to review how TACACS+ authentication and authorization works with
Radiator.
Thanks,
Heikki
ServerTACACSPLUS
Key *
AddToRequest NAS-Identifier=TACACS
GroupMemberAttr tacacsgroup
AuthorizeGroup group1 permit service=shell cmd=show
cmd-args=.*
AuthorizeGroup group1 permit .*
# AuthorizeGroup DEFAULT deny .*
AuthorizeGroup group3 permit service=shell cmd\*
{priv-lvl=15}
/ServerTACACSPLUS
Handler
AuthBy SQL
# Change DBSource, DBUsername, DBAuth for your
database
# See the reference manual. You will also have to
# change the one in SessionDatabse SQL below
# so its the same
DBSourcedbi:mysql:radius:localhost
DBUsername raduser
DBAuth raduser
# Never look up the DEFAULT user
NoDefault
# You can customise the SQL query used to get user details with the
# AuthSelect parameter:
AuthSelect select PASSWORD 'Auth-Type=AuthSQL',
'GroupList=group1 group2 group3' from SUBSCRIBERS where USERNAME=%0
-
AddToReply tacacsgroup= group1
AddToReply tacacsgroup= group3
AddToReply tacacsgroup= DEFAULT
*I try with user mikem in group1.And the trace log*
* *
* *
*Thu Nov 15 22:31:17 2012: DEBUG: Query to 'dbi:mysql:radius:localhost':
'select PASSWORD 'Auth-Type=AuthSQL', 'GroupList=group1 group2 group3'
from SUBSCRIBERS where USERNAME='mikem'': *
*Thu Nov 15 22:31:17 2012: DEBUG: Radius::AuthSQL looks for match with
mikem [mikem]*
*Thu Nov 15 22:31:17 2012: DEBUG: Query to 'dbi:mysql:radius:localhost':
'select GROUPNAME from GROUPS where USERNAME='mikem' and
GROUPNAME='group1'': *
*Thu Nov 15 22:31:17 2012: DEBUG: Radius::AuthSQL ACCEPT: : mikem
[mikem]*
*Thu Nov 15 22:31:17 2012: DEBUG: AuthBy SQL result: ACCEPT, *
*Thu Nov 15 22:31:17 2012: DEBUG: Access accepted for mikem*
*Thu Nov 15 22:31:17 2012: DEBUG: do query to
'dbi:mysql:radmin:localhost': 'insert into RADAUTHLOG (TIME_STAMP,
USERNAME, TYPE) values (1353011477, 'mikem', 1)': *
*Thu Nov 15 22:31:17 2012: DEBUG: Packet dump:*
Reply to TACACSPLUS request:*
*Code: Access-Accept*
*Identifier: UNDEF*
*Authentic: p146261924H23516\21252v.14215228*
*Attributes:*
*tacacsgroup = DEFAULT*
* *
*Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection result
Access-Accept*
*Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Authentication
REPLY 1, 0, , *
*Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection disconnected
from
93.155.11.54:58517*
*Thu Nov 15 22:31:17 2012: DEBUG: New TacacsplusConnection created for
93.155.11.54:61939*
*Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection request 192, 3,
1, 0, 3529830477, 105*
*Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Accounting
REQUEST 2, 6, 0, 1, 1, mikem@local, /dev/ttyp3, 78.169.249.3, 4,
start_time=1353011477 task_id=10700 timezone=GMT service=shell*
*Thu Nov 15 22:31:17 2012: DEBUG: TACACSPLUS derived Radius request
packet dump:*
*Code: Accounting-Request*
*Identifier: UNDEF*
*Authentic: p23514310U177d206X_Z168O12931j*
Re: [RADIATOR] AddToReply tacacsgroup
Then how to define AddToReply OSC-Group-Identifier clause if you have two
different priv groups.AuthSQL accepts only one AddToReply clause.If you do not
define AddToReply clause I got this:
Authorization denied for user, group DEFAULT. No matching AuthorizeGroup rule
for args service=shell cmd* command-access*
-Original Message-
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On
Behalf Of Heikki Vatiainen
Sent: 16 Kasım 2012 Cuma 16:03
To: radiator@open.com.au
Subject: Re: [RADIATOR] AddToReply tacacsgroup
On 11/16/2012 01:56 PM, Murat Bilal wrote:
Actually I mean If I have 2 different privilege level groups.For
example one of the have priv-lvl=15, the other is priv-lvl=1 .Do I
need 2 different AuthBy
This is done (usually) with one AuthBy. The correct value for
AuthorizeGroupAttr depends on the user. The user has the correct authorization
group configured as the reply attribute.
For AuthBy SQL, see AuthSelect and AuthColumnDef documentation for more
information.
Thanks,
Heikki
Thanks
-Original Message-
From: radiator-boun...@open.com.au
[mailto:radiator-boun...@open.com.au] On Behalf Of Heikki Vatiainen
Sent: 16 Kasım 2012 Cuma 13:31
To: radiator@open.com.au
Subject: Re: [RADIATOR] AddToReply tacacsgroup
On 11/15/2012 10:34 PM, Murat Bilal wrote:
I have three dıfferent groups and for TACACS authorization.My radius
.cfg is like that
Hello Murat,
you can have only one AddToReply line in an AuthBy. This is why you get
DEFAULT with the Access-Accept. Try removing all except one that adds group3.
The authorize arguments the device sends are:
service=shell cmd* command-access*
The matching AuthorizeGroup for group3 would be this:
AuthorizeGroup group3 permit service=shell cmd\* command-access\*
{priv-lvl=15}
Since the patterns, such as cmd\*, are regular expressions, you need to
escape any special characters such as '*'.
I suggest you should re-read the reference manual ServerTACACSPLUS entry with
goodies/servertacacsplus.cfg. I'd you are currently changing too many things
simultaneously fixing some things while breaking others. Now would be good
time to review how TACACS+ authentication and authorization works with
Radiator.
Thanks,
Heikki
ServerTACACSPLUS
Key *
AddToRequest NAS-Identifier=TACACS
GroupMemberAttr tacacsgroup
AuthorizeGroup group1 permit service=shell cmd=show
cmd-args=.*
AuthorizeGroup group1 permit .*
# AuthorizeGroup DEFAULT deny .*
AuthorizeGroup group3 permit service=shell cmd\*
{priv-lvl=15}
/ServerTACACSPLUS
Handler
AuthBy SQL
# Change DBSource, DBUsername, DBAuth for your
database
# See the reference manual. You will also have to
# change the one in SessionDatabse SQL below
# so its the same
DBSourcedbi:mysql:radius:localhost
DBUsername raduser
DBAuth raduser
# Never look up the DEFAULT user
NoDefault
# You can customise the SQL query used to get user details with the
# AuthSelect parameter:
AuthSelect select PASSWORD 'Auth-Type=AuthSQL',
'GroupList=group1 group2 group3' from SUBSCRIBERS where USERNAME=%0
-
AddToReply tacacsgroup= group1
AddToReply tacacsgroup= group3
AddToReply tacacsgroup= DEFAULT
*I try with user mikem in group1.And the trace log*
* *
* *
*Thu Nov 15 22:31:17 2012: DEBUG: Query to 'dbi:mysql:radius:localhost':
'select PASSWORD 'Auth-Type=AuthSQL', 'GroupList=group1 group2 group3'
from SUBSCRIBERS where USERNAME='mikem'': *
*Thu Nov 15 22:31:17 2012: DEBUG: Radius::AuthSQL looks for match
with mikem [mikem]*
*Thu Nov 15 22:31:17 2012: DEBUG: Query to 'dbi:mysql:radius:localhost':
'select GROUPNAME from GROUPS where USERNAME='mikem' and
GROUPNAME='group1'': *
*Thu Nov 15 22:31:17 2012: DEBUG: Radius::AuthSQL ACCEPT: : mikem
[mikem]*
*Thu Nov 15 22:31:17 2012: DEBUG: AuthBy SQL result: ACCEPT, *
*Thu Nov 15 22:31:17 2012: DEBUG: Access accepted for mikem*
*Thu Nov 15 22:31:17 2012: DEBUG: do query to
'dbi:mysql:radmin:localhost': 'insert into RADAUTHLOG (TIME_STAMP,
USERNAME, TYPE) values (1353011477, 'mikem', 1)': *
*Thu Nov 15 22:31:17 2012: DEBUG: Packet dump:*
Reply to TACACSPLUS request:*
*Code: Access-Accept*
*Identifier: UNDEF*
*Authentic: p146261924H23516\21252v.14215228*
*Attributes:*
*tacacsgroup = DEFAULT*
* *
*Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection result
Access-Accept*
*Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection Authentication
REPLY 1, 0, , *
*Thu Nov 15 22:31:17 2012: DEBUG: TacacsplusConnection disconnected
from
93.155.11.54:58517*
*Thu Nov 15 22:31:17 2012:
