Questions pam_radius and accounting logs
Junk XL
junkxl at yahoo.com
Mon Jul 24 17:34:56 CEST 2017
I am trying to utilize the pam_radius client (1.4.0) on several RHEL 6 servers for authentication and accounting with ssh and sudo, against a Cisco ACS (ver 5.5).
The authentication works as expected for both; however, I am not seeing what I would expect in the accounting.
My first question is: is there a setting that I am missing that enables pam_radius to send the full accounting back to the ACS?
I do see the start/stop packets; however, I only ever see "sudo" issued as the NAS identifier, and never anything else.
==== output from /var/log/messages
Jul 24 10:04:00 secutil sshd[6148]: Accepted password for test_user from XXX.XXX.XXX.XXX port 53291 ssh2
Jul 24 10:04:00 secutil sshd[6148]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
Jul 24 10:04:24 secutil sudo: pam_radius_auth: Got user name test_user
Jul 24 10:04:24 secutil sudo: pam_radius_auth: ignore last_pass, force_prompt set
Jul 24 10:04:29 secutil sudo: pam_radius_auth: Sending RADIUS request code 1
Jul 24 10:04:29 secutil sudo: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 0x7f3b816089a0.
Jul 24 10:04:29 secutil sudo: pam_radius_auth: Got RADIUS response code 2
Jul 24 10:04:29 secutil sudo: pam_radius_auth: authentication succeeded
Jul 24 10:04:29 secutil sudo: test_user : TTY=pts/1 ; PWD=/home/test_user ; USER=root ; COMMAND=/bin/cat /etc/named.conf
==== output from ACS Start
Accounting Details : Diagnostics Details
ACS Configuration Changes
Logged At : Jul 24,17 10:04:29.336 AM
ACS Time : Jul 24,17 10:04:29.313 AM
ACS Server : scrubbed
User Name : root
Failure Reason :
Identity Store :
Identity Group :
Network Device Name : Linux_Servers
Network Device Group : Device Type:All Device Types, Location:All Locations
Service Selection Rule Name :
Access Service :
Security Group :
AD Domain :
Authorization Profile:
MAC Address :
Endpoint IP Address :
NAS IP Address : scrubbed
NAS Port : 6171
NAS Port Id:
NAS Identifier : sudo
Account Status Type : Start
Account Session Id : 00006171
Account MultiSession Id :
Audit Session Id :
ACS Session Id : scrubbed/230060300/66963046
Account Authentic : RADIUS
Account Terminate Cause :
Terminate Action :
Account Interim Intervals :
Account Delay Time :
Account Session Time :
Account Input Octets :
Account Output Octets :
Account Input Packets :
Account Output Packets :
Account Tunnel Connection :
Account Tunnel Packet Lost :
Session Timeout :
Idle Timeout :
Event Timestamp :
Service Type :
Response Time : 1
Class :
Framed Protocol :
Tunnel Details :
Cisco H323 :
Cisco SSG :
Cisco-AvPairs :
Other Attributes : ACSVersion=acs-5.5.0.46-B.723
ConfigVersionId=200
NAS-Port-Type=Virtual
Device IP Address=scrubbed
Audit Session Key root:sudo:6171
Steps
Received RADIUS Accounting-Request
RADIUS created a new session
Evaluating Service Selection Policy
Matched rule
Selected Access Service -
Accounting start was received for non-existing session.
Returned RADIUS Accounting-Response
==== output from ACS Stop
Accounting Details : Diagnostics Details
ACS Configuration Changes
Logged At : Jul 24,17 10:04:29.336 AM
ACS Time : Jul 24,17 10:04:29.320 AM
ACS Server : scrubbed
User Name : root
Failure Reason :
Identity Store :
Identity Group :
Network Device Name : Linux_Servers
Network Device Group : Device Type:All Device Types, Location:All Locations
Service Selection Rule Name :
Access Service :
Security Group :
AD Domain :
Authorization Profile:
MAC Address :
Endpoint IP Address :
NAS IP Address : scrubbed
NAS Port : 6171
NAS Port Id:
NAS Identifier : sudo
Account Status Type : Stop
Account Session Id : 00006171
Account MultiSession Id :
Audit Session Id :
ACS Session Id : scrubbed/230060300/66963047
Account Authentic : RADIUS
Account Terminate Cause :
Terminate Action :
Account Interim Intervals :
Account Delay Time :
Account Session Time : 0
Account Input Octets :
Account Output Octets :
Account Input Packets :
Account Output Packets :
Account Tunnel Connection :
Account Tunnel Packet Lost :
Session Timeout :
Idle Timeout :
Event Timestamp :
Service Type :
Response Time : 1
Class :
Framed Protocol :
Tunnel Details :
Cisco H323 :
Cisco SSG :
Cisco-AvPairs :
Other Attributes : ACSVersion=acs-5.5.0.46-B.723
ConfigVersionId=200
NAS-Port-Type=Virtual
Device IP Address=scrubbed
Audit Session Key root:sudo:6171
Received RADIUS Accounting-Request
RADIUS created a new session
Evaluating Service Selection Policy
Matched rule
Selected Access Service -
Audit session was not found.
Returned RADIUS Accounting-Response
==== /etc/pam.d/sshd
auth sufficient pam_radius_auth.so debug
account sufficient pam_radius_auth.so debug
session sufficient pam_radius_auth.so debug
#auth include tacacs
auth required pam_sepermit.so
auth include password-auth
#account include tacacs
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
#session include tacacs
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
==== /etc/pam.d/sudo
auth sufficient pam_radius_auth.so debug
account sufficient pam_radius_auth.so debug
session sufficient pam_radius_auth.so debug
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
==== /etc/raddb/server (scrubbed)
XXX.XXX.XXX.XXX test 3
Am I just incorrect in my assumptions about what I think I should be seeing with the accounting?
I know that with other devices I can see the full accounting of commands issued, but I do not know if that is a limitation with Linux and pam_radius, or if I have something set incorrectly.
Thanks in advance,
GR
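As an added illustration (not part of the original post or of pam_radius), the Python below builds and verifies an RFC 2866 Accounting-Request carrying the attribute set the ACS Start record above displays (User-Name, NAS-Port, NAS-Identifier, Acct-Status-Type, Acct-Session-Id, Acct-Authentic, NAS-Port-Type), using the shared secret `test` from the poster's /etc/raddb/server. Attribute numbers and the Request Authenticator rule come from RFC 2865/2866; the sample values are constructed from the ACS output, the packet identifier is arbitrary, and the helper names are hypothetical.

```python
import hashlib
import hmac
import struct

# RFC 2865/2866 attribute numbers for the fields visible in the ACS Start record
ATTR = {"User-Name": 1, "NAS-Port": 5, "NAS-Identifier": 32, "Acct-Status-Type": 40,
        "Acct-Session-Id": 44, "Acct-Authentic": 45, "NAS-Port-Type": 61}
NAME = {num: name for name, num in ATTR.items()}
INTEGER_ATTRS = {5, 40, 45, 61}                     # encoded as 4-byte big-endian integers
ACCOUNTING_REQUEST, ACCT_START, ACCT_STOP = 4, 1, 2  # packet code; Acct-Status-Type values
ACCT_AUTHENTIC_RADIUS, NAS_PORT_TYPE_VIRTUAL = 1, 5

# Constructed sample: the attribute set the ACS showed for the sudo Start record
SAMPLE_START_ATTRS = [("User-Name", "root"), ("NAS-Port", 6171), ("NAS-Identifier", "sudo"),
                      ("Acct-Status-Type", ACCT_START), ("Acct-Session-Id", "00006171"),
                      ("Acct-Authentic", ACCT_AUTHENTIC_RADIUS),
                      ("NAS-Port-Type", NAS_PORT_TYPE_VIRTUAL)]
SHARED_SECRET = "test"                              # the secret from the poster's /etc/raddb/server

def encode_attrs(attrs):
    # Serialise (name, value) pairs as RADIUS Type-Length-Value attributes
    out = b""
    for name, value in attrs:
        t = ATTR[name]
        data = struct.pack("!I", value) if t in INTEGER_ATTRS else value.encode()
        out += struct.pack("!BB", t, 2 + len(data)) + data
    return out

def build_accounting_request(identifier, secret, attrs):
    # Accounting-Request header: Code, Identifier, total Length (20-byte header + attributes)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # RFC 2866 s3: Authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret.encode()).digest()
    return header + auth + body

def parse_accounting_request(packet, secret):
    # Decode the attributes and check the authenticator against the shared secret
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or len(packet) < length:
        raise ValueError("not a well-formed Accounting-Request")
    auth, body = packet[4:20], packet[20:length]
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + body + secret.encode()).digest()
    attrs, i = {}, 0
    while i + 2 <= len(body):
        t, l = body[i], body[i + 1]
        if l < 2 or i + l > len(body):
            raise ValueError("malformed attribute")
        data = body[i + 2:i + l]
        attrs[NAME.get(t, t)] = struct.unpack("!I", data)[0] if t in INTEGER_ATTRS else data.decode()
        i += l
    return {"id": identifier, "authentic": hmac.compare_digest(auth, expected), "attrs": attrs}
```

Decoding a packet with a different secret yields `authentic: False`, which is how a server such as ACS would detect a mismatched /etc/raddb/server entry.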