<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6001.18063" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Hi </FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I try to set up tacacs+ authentication/authorization
for the http server on a cisco 7200. I read (<A
href="http://www.cisco.com/warp/public/480/http-1.pdf">http://www.cisco.com/warp/public/480/http-1.pdf</A>)
I need to return a priv-lvl=15 (not sure if during authentication reply or
authorization reply). I tried to add a reply attribute to both, but
looking at a decrypted wireshark trace I don't see the reply attribute with the
replies. Is that not implemented for tacacs+ requests?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Thank you</FONT></DIV>
<DIV><FONT face=Arial size=2>Markus</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Config file:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial
size=2><ServerTACACSPLUS><BR>
#<BR> # Attribute for Tacacs
Group<BR>
#<BR> GroupMemberAttr
Group-Name<BR>
#<BR> # cisco group
permissions<BR>
#<BR> AuthorizeGroup ciscoadmin permit
service=shell<BR> AuthorizeGroup
ciscoadmin permit service=exec cmd=.* cmd-arg=.*
{cisco-avpair="priv-lvl=15"}<BR></ServerTACACSPLUS></FONT></DIV>
<DIV><FONT face=Arial size=2><BR><AuthBy
FILE><BR> Identifier
UserAuth<BR> Filename
%D/Users<BR></AuthBy></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2><Handler><BR> AuthBy UserAuth<BR>
PostProcessingHook file:"/etc/radiator/set_authorize_group.pl"<BR>
AcctLogFileName %L/accounting-%d-%v-%Y.log<BR></Handler></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Users file:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>markus User-Password=markus<BR>
cisco-avpair="priv-lvl=15"</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Log output</FONT></DIV>
<DIV><FONT face=Arial size=2> </FONT></DIV>
<DIV><FONT face=Arial size=2>Mon Jul 7 21:00:21 2008: DEBUG: New
TacacsplusConnection created for 192.168.1.200:11198<BR>Mon Jul 7 21:00:21
2008: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 4271424462, 23<BR>Mon
Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection Authentication START 1,
1, 1 for , tty2, 192.168.1.8<BR>Mon Jul 7 21:00:21 2008: DEBUG:
TacacsplusConnection Authentication REPLY 4, 0, Username: ,<BR>Mon Jul 7
21:00:21 2008: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 4271424462,
11<BR>Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection Authentication
CONTINUE 0, markus,<BR>Mon Jul 7 21:00:21 2008: DEBUG:
TacacsplusConnection Authentication REPLY 5, 1, Password: ,<BR>Mon Jul 7
21:00:21 2008: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 4271424462,
11<BR>Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection Authentication
CONTINUE 0, markus,<BR>Mon Jul 7 21:00:21 2008: DEBUG: TACACSPLUS derived
Radius request packet dump:<BR>Code:
Access-Request<BR>Identifier: UNDEF<BR>Authentic:
J<140><156><235><243><225>P<166>6<2><29>Pk<157>B&<BR>Attributes:<BR>
NAS-IP-Address = 192.168.1.200<BR>
NAS-Port-Id = "tty2"<BR>
Calling-Station-Id = "192.168.1.8"<BR>
Service-Type = Login-User<BR>
User-Name = "markus"<BR> User-Password
= markus</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Mon Jul 7 21:00:21 2008: DEBUG: Handling
request with Handler ''<BR>Mon Jul 7 21:00:21 2008: DEBUG: Deleting
session for markus, 192.168.1.200,<BR>Mon Jul 7 21:00:21 2008: DEBUG:
Handling with Radius::AuthFILE: UserAuth<BR>Mon Jul 7 21:00:21 2008:
DEBUG: Radius::AuthFILE looks for match with markus [markus]<BR>Mon Jul 7
21:00:21 2008: DEBUG: Radius::AuthFILE ACCEPT: : markus [markus]<BR>Mon
Jul 7 21:00:21 2008: DEBUG: AuthBy FILE result: ACCEPT,<BR>Mon Jul 7
21:00:21 2008: DEBUG: Access accepted for markus<BR>Mon Jul 7 21:00:21
2008: DEBUG: Packet dump:<BR>*** Reply to TACACSPLUS
request:<BR>Code:
Access-Accept<BR>Identifier: UNDEF<BR>Authentic:
J<140><156><235><243><225>P<166>6<2><29>Pk<157>B&<BR>Attributes:<BR>
Group-Name = ciscoadmin</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Mon Jul 7 21:00:21 2008: DEBUG:
TacacsplusConnection result Access-Accept<BR>Mon Jul 7 21:00:21 2008:
DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,<BR>Mon Jul 7
21:00:21 2008: DEBUG: TacacsplusConnection disconnected from
192.168.1.200:11198<BR>Mon Jul 7 21:00:21 2008: DEBUG: New
TacacsplusConnection created for 192.168.1.200:11199<BR>Mon Jul 7 21:00:21
2008: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 1922248824, 48<BR>Mon
Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection Authorization REQUEST 6,
0, 1, 1, markus, tty2, 192.168.1.8, 2, service=shell cmd*<BR>Mon Jul 7
21:00:21 2008: DEBUG: AuthorizeGroup rule match found: permit service=shell
{ }<BR>Mon Jul 7 21:00:21 2008: INFO: Authorization permitted for
markus, group ciscoadmin, args service=shell cmd*<BR>Mon Jul 7 21:00:21
2008: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,<BR>Mon Jul
7 21:00:21 2008: DEBUG: TacacsplusConnection disconnected from
192.168.1.200:11199<BR></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Cisco Tacacs config:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>ip http server<BR>ip http authentication
aaa<BR></FONT></DIV>
<DIV><FONT face=Arial size=2>aaa new-model<BR>aaa authentication login default
group tacacs+ local<BR>aaa authentication enable default group tacacs+
enable<BR>aaa authorization console<BR>aaa authorization config-commands<BR>aaa
authorization exec default group tacacs+ if-authenticated<BR>aaa authorization
commands 1 default group tacacs+ if-authenticated<BR>aaa authorization commands
15 default group tacacs+ if-authenticated<BR>aaa accounting exec default
start-stop group tacacs+<BR>aaa accounting commands 0 default stop-only group
tacacs+<BR>aaa accounting commands 1 default stop-only group tacacs+<BR>aaa
accounting commands 15 default stop-only group tacacs+<BR>aaa accounting network
default start-stop group tacacs+<BR>aaa accounting connection default start-stop
group tacacs+<BR></FONT><FONT face=Arial size=2>tacacs-server host
192.168.1.7<BR>tacacs-server key cisco<BR></FONT></DIV>
<DIV><FONT face=Arial size=2>Cisco authentication/authorization
debug:</FONT></DIV>
<DIV><FONT face=Arial size=2> </FONT></DIV>
<DIV><FONT face=Arial size=2>1d05h: HTTP: Authentication for url '/' '/' level
15 privless '/'<BR>1d05h: HTTP: Authentication username = 'markus'
priv-level = 15 auth-type = aaa<BR>1d05h: AAA: parse name=tty2 idb type=-1
tty=-1<BR>1d05h: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0
port=2 channel=0<BR>1d05h: AAA/MEMORY: create_user (0x625866A8) user='' ruser=''
port='tty2' rem_addr='192.168.1.8' authen_type=ASCII service=LOGIN
priv=0<BR>1d05h: AAA/AUTHEN/START (4271424462): port='tty2' list='' action=LOGIN
service=LOGIN<BR>1d05h: AAA/AUTHEN/START (4271424462): using "default"
list<BR>1d05h: AAA/AUTHEN/START (4271424462): Method=tacacs+ (tacacs+)<BR>1d05h:
TAC+: send AUTHEN/START packet ver=192 id=4271424462<BR>1d05h: TAC+: ver=192
id=4271424462 received AUTHEN status = GETUSER<BR>1d05h: AAA/AUTHEN
(4271424462): status = GETUSER<BR>1d05h: AAA/AUTHEN/CONT (4271424462):
continue_login (user='(undef)')<BR>1d05h: AAA/AUTHEN (4271424462): status =
GETUSER<BR>1d05h: AAA/AUTHEN (4271424462): Method=tacacs+ (tacacs+)<BR>1d05h:
TAC+: send AUTHEN/CONT packet id=4271424462<BR>1d05h: TAC+: ver=192
id=4271424462 received AUTHEN status = GETPASS<BR>1d05h: AAA/AUTHEN
(4271424462): status = GETPASS<BR>1d05h: AAA/AUTHEN/CONT (4271424462):
continue_login (user='markus')<BR>1d05h: AAA/AUTHEN (4271424462): status =
GETPASS<BR>1d05h: AAA/AUTHEN (4271424462): Method=tacacs+ (tacacs+)<BR>1d05h:
TAC+: send AUTHEN/CONT packet id=4271424462<BR>1d05h: TAC+: ver=192
id=4271424462 received AUTHEN status = PASS<BR>1d05h: AAA/AUTHEN (4271424462):
status = PASS<BR>1d05h: tty2 AAA/AUTHOR/HTTP (1922248824): Port='tty2' list=''
service=EXEC<BR>1d05h: AAA/AUTHOR/HTTP: tty2 (1922248824)
user='markus'<BR>1d05h: tty2 AAA/AUTHOR/HTTP (1922248824): send AV
service=shell<BR>1d05h: tty2 AAA/AUTHOR/HTTP (1922248824): send AV
cmd*<BR>1d05h: tty2 AAA/AUTHOR/HTTP (1922248824): found list "default"<BR>1d05h:
tty2 AAA/AUTHOR/HTTP (1922248824): Method=tacacs+ (tacacs+)<BR>1d05h:
AAA/AUTHOR/TAC+: (1922248824): user=markus<BR>1d05h: AAA/AUTHOR/TAC+:
(1922248824): send AV service=shell<BR>1d05h: AAA/AUTHOR/TAC+: (1922248824):
send AV cmd*<BR>1d05h: TAC+: (1922248824): received author response status =
PASS_ADD<BR>1d05h: AAA/AUTHOR (1922248824): Post authorization status =
PASS_ADD<BR>1d05h: HTTP: Authentication failed<BR>1d05h: AAA/MEMORY: free_user
(0x625866A8) user='markus' ruser='' port='tty2' rem_addr='192.168.1.8'
authen_type=ASCII service=LOGIN priv=0<BR></FONT></DIV></BODY></HTML>
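Added example, not part of the post and not Radiator's own code: a small Python check that reads the authorization request out of the Radiator debug line quoted above and applies AuthorizeGroup-style rules to it, modelling each rule pattern as a regular expression that must match one of the request's AV pairs (an assumption about Radiator's matching, chosen because it reproduces the logged result). With the two posted rules it yields the log's `rule match found: permit service=shell { }` with an empty attribute set, which is why no priv-lvl reaches the router; a rule written for the service the router actually sends (service=shell with cmd*) and carrying the attribute set returns priv-lvl=15.

```python
import re

# Constructed sample input: the Radiator debug line for the authorization
# request and the two AuthorizeGroup rules, both taken from the post above.
LOG_LINE = ("Mon Jul 7 21:00:21 2008: DEBUG: TacacsplusConnection Authorization "
            "REQUEST 6, 0, 1, 1, markus, tty2, 192.168.1.8, 2, service=shell cmd*")
POSTED_RULES = [
    "permit service=shell",
    'permit service=exec cmd=.* cmd-arg=.* {cisco-avpair="priv-lvl=15"}',
]
# Hypothetical alternative rule (assumption): match the requested service and
# the optional cmd* argument, and carry the attribute the router is waiting for.
SHELL_RULE = [r"permit service=shell cmd\* {priv-lvl=15}"]


def request_args(line):
    """Return the AV pairs of an 'Authorization REQUEST' debug line.

    The line ends with '<arg count>, <args>'; the count tells how many
    space-separated AV pairs follow it.
    """
    if "Authorization REQUEST" not in line:
        return None
    m = re.search(r", (\d+), ([^,]*)$", line)
    if not m:
        return None
    return m.group(2).split()[: int(m.group(1))]


def parse_rule(rule):
    """Split 'permit|deny pattern ... {attr=value ...}' into its three parts."""
    m = re.match(r"(permit|deny)\s+(.*?)\s*(?:\{(.*)\})?$", rule)
    if not m:
        raise ValueError("not an AuthorizeGroup rule: %r" % rule)
    return m.group(1), m.group(2).split(), (m.group(3) or "").strip()


def first_match(args, rules):
    """First rule whose every pattern fully matches some request AV pair.

    Returns (action, attribute set) or None. Regex-per-pattern matching is an
    assumption about Radiator, not taken from its source.
    """
    for rule in rules:
        action, patterns, attrs = parse_rule(rule)
        if all(any(re.fullmatch(p, a) for a in args) for p in patterns):
            return action, attrs
    return None


if __name__ == "__main__":
    args = request_args(LOG_LINE)
    print("request args:", args)                       # ['service=shell', 'cmd*']
    print("posted rules ->", first_match(args, POSTED_RULES))   # ('permit', '')
    print("shell rule   ->", first_match(args, SHELL_RULE))     # ('permit', 'priv-lvl=15')
```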