Re: (RADIATOR) New Tacacs+ server ability for Radiator

2003-09-02 Thread Troy Holder
It is actually very easy to set up. First you have to configure
Radiator. Here are the Tacacs+ parts of my beginning config file:

Key Test
AddToRequest Class=TACACS

Identifier Test
AcctLogFileName /local/radius/authlog/commands/%g-%i-%f
AuthBy Test

I have some more work to do on the Radiator config. Since we do no
authentication with Tacacs, I will probably send Reject for all auth
requests as a safeguard. The AddToRequest is in there so that I can
distinguish Tacacs+-to-Radius requests from other Radius requests.

On the Cisco IOS device you have to add the following lines:
set tacacs server IP.Of.Server primary
set tacacs key Test
set accounting commands enable all stop-only tacacs+

In the logfile you will see:
Thu Aug 28 14:45:40 2003
NAS-IP-Address = IP.Of.Cisco.Device
Timestamp = 1062096340
Class = "TACACS"
User-Name = "userid"
cisco-avpair = "task_id=64"
cisco-avpair = "start_time=1062096340"
cisco-avpair = "timezone=EST"
cisco-avpair = "service=shell"
cisco-avpair = "priv-lvl=15"
cisco-avpair = "cmd=show radius "
Timestamp = 0

I just now noticed that Timestamp is in there twice. I don't know why
that is. I am going to work on extracting the cisco-avpair info out so I
can log the info into a DB.

Hope this helps.

On Mon, 2003-09-01 at 09:55, Nicolai van der Smagt wrote:
> Hi,
> 
> We are looking at using Radiator for our Tacacs+ operations. Does
> radiator support tacacs+ command accounting, the accounting of user
> commands entered on the client? If so, any pointers on how to configure
> this?
> 
> Regards,
> 
> Nicolai van der Smagt
> BBned NV
> 
> On Tue, 2003-08-19 at 08:48, Mike McCauley wrote:
> > Hello all,
> > 
> > We are pleased to announce the release of a new module for Radiator that adds 
> > the ability for Radiator to act as a Tacacs+ server.
> > 
> > Tacacs+ is an older Authentication, Authorization and Accounting (AAA) 
> > protocol developed by Cisco, and supported by some Cisco devices.
> > 
> > The new  clause tells Radiator to listen for Tacacs+ 
> > requests and convert them into Radius requests, which can then be satisfied 
> > locally by Radiator, or proxied to another Radius server.
> > 
> > The new module and an example configuration file are included in the latest 
> > patches for Radiator 3.6.
> > 
> > Feedback, bugs, issues and suggestions to me please.
> > 
> > Cheers.
-- 
---
| Troy Holder[EMAIL PROTECTED] |
| Senior Network Engineer |
|   Communication Technologies|
| North Carolina State University |
---
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
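Extracting the cisco-avpair information from the accounting record above and loading it into a DB, as an added example (Python; not Radiator's own code or the poster's): it parses the AcctLogFileName record format shown, keeps repeated attributes such as Timestamp as lists, splits each Cisco AV pair on its first '=', and inserts the flattened row into an in-memory SQLite table. The sample record is constructed from the one quoted in the post.

```python
import re
import sqlite3

# Constructed sample: the record quoted in the post (two Timestamp lines, trailing space in cmd).
SAMPLE_LOG = """Thu Aug 28 14:45:40 2003
NAS-IP-Address = IP.Of.Cisco.Device
Timestamp = 1062096340
Class = "TACACS"
User-Name = "userid"
cisco-avpair = "task_id=64"
cisco-avpair = "start_time=1062096340"
cisco-avpair = "timezone=EST"
cisco-avpair = "service=shell"
cisco-avpair = "priv-lvl=15"
cisco-avpair = "cmd=show radius "
Timestamp = 0
"""

# One "Attribute = value" line; the value may or may not be double-quoted.
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')

def parse_records(text):
    """Split an AcctLogFileName file into blank-line-separated records. Attributes are
    kept as lists (Timestamp and cisco-avpair repeat); AV pairs go into 'avpairs'."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        rec = {"logged_at": lines[0].strip(), "attrs": {}, "avpairs": {}}
        for m in filter(None, map(ATTR_RE.match, lines[1:])):  # skip non-attribute lines
            name, value = m.group(1), m.group(2)
            rec["attrs"].setdefault(name, []).append(value)
            if name == "cisco-avpair" and "=" in value:
                key, val = value.split("=", 1)
                rec["avpairs"][key] = val.strip()  # IOS leaves a space after the command
        records.append(rec)
    return records

def to_db_row(rec):
    """Flatten one record into the columns of a command-audit table."""
    a, av = rec["attrs"], rec["avpairs"]
    return (a.get("NAS-IP-Address", [None])[0], a.get("User-Name", [None])[0],
            int(av.get("priv-lvl", -1)), av.get("cmd"), int(av.get("start_time", 0)))

def load(text):
    """Insert every record into an in-memory SQLite table and return the stored rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cmd_acct (nas TEXT, username TEXT, priv INTEGER, cmd TEXT, start_time INTEGER)")
    db.executemany("INSERT INTO cmd_acct VALUES (?, ?, ?, ?, ?)", [to_db_row(r) for r in parse_records(text)])
    return db.execute("SELECT nas, username, priv, cmd, start_time FROM cmd_acct").fetchall()
```

Because the priv-lvl and the exact command are stored per user and NAS, the table answers "who ran what at enable level on which device", which is the audit question command accounting exists for.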


(RADIATOR) Question about splitting the NAS-IP-ADDRESS for SQL use

2003-08-21 Thread Troy Holder
We have a DB table with all of our network equipment in it and plan to
use that to determine what AuthBy to use for different types of
equipment (got to love how Cisco wants different reply values to allow
a user into enable mode). I plan to have a Handler call an AuthBy SQL to
do a query for the Auth-Type the device needs to use and then run that
AuthBy clause. The problem that I am running into is that we have the
equipment's IP address broken up into the octets. I know that I can use
%N in the SQL in the config, but how can I get %IP1.%IP2.%IP3.%IP4 (as
in %N = %IP1.%IP2.%IP3.%IP4) instead?

-- 
---
| Troy Holder[EMAIL PROTECTED] |
| Senior Network Engineer |
|   Communication Technologies|
| North Carolina State University |
---



(RADIATOR) TACACS support

2003-08-20 Thread Troy Holder
Do I understand the new TACACS support correctly? If you have Radiator
accepting TACACS requests, it basically converts the TACACS request into a
RADIUS request. Then RADIATOR handles the RADIUS request and converts
the RADIUS response into a TACACS response.

I use a lot of handlers in my config to deal with different pieces of
equipment needing different return values or different auth schemes.
What kind of info is passed in the RADIUS request that is converted from
a TACACS request?

-- 
---
| Troy Holder[EMAIL PROTECTED] |
| Senior Network Engineer |
|   Communication Technologies|
| North Carolina State University |
---


(RADIATOR) Wanting to give certain users a static IP on a Cisco VPN

2003-03-19 Thread Troy Holder
We are setting up our VPN so that everyone will use a default group when
connecting to the concentrator. I then have my radius server set up to
check their password with kerberos (via AuthBy NCSU) and then check
their classification via Hesiod (via AuthBy hesiod) to see what group
to put them in on the vpn.
We want to allow certain users to have a static IP address (user a gets
IP a where user b gets IP b). I know that I can use the following to set
a user's IP address:
AddToReply Framed-IP-Address = a.b.c.d
What I have not figured out is a scalable way to do this with multiple
users. I know I can add a handler for every user and add the AddToReply
line there, but I may have a few dozen down the road and do not want my
config to grow so much. I would like to either put the users and IPs in
a db or in a flat file.
The part of my config that is used by the VPN concentrator is below.
Does anyone have a suggestion?

--

Secret  x
DupInterval 0

Identifier vpn
AuthByPolicy ContinueUntilReject

Identifier vpn_groups
AuthByPolicy ContinueWhileReject

#foo user
HesiodAllow foo
HesiodDeny disable
AddToReply Class="OU=foo;"

#bar users
HesiodAllow bar
HesiodDeny disable
StripFromReply Class
AddToReply Class="OU=bar;"

#dog user
HesiodAllow dog
HesiodDeny disable
StripFromReply Class
AddToReply Class="OU=dog;"

#cat users
HesiodAllow cat
HesiodDeny disable
StripFromReply Class
AddToReply Class="OU=cat;"

RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
RewriteUsername tr/A-Za-z0-9//cd
AuthBy vpn
AcctLogFileName /radius-dir/vpn

-- 
-------
| Troy Holder[EMAIL PROTECTED] |
| Senior Network Engineer |
|   Communication Technologies|
| North Carolina State University |
---


(RADIATOR) PPTP problem.

2003-03-18 Thread Troy Holder
We have a Cisco 3000 series VPN that we are trying to use with PPTP and
all of our users are in Kerberos (non-Microsoft). We use an in-house module
for our Kerberos authentication that calls decodedPassword. Is there any way
that I can get the following scenario to work?
PPTP -> VPN -> RADIUS -> Kerberos


-- 
---
| Troy Holder[EMAIL PROTECTED] |
| Senior Network Engineer |
|   Communication Technologies|
| North Carolina State University |
---