(RADIATOR) CommandAuth with TACACS+

Hugh Irvine hugh at open.com.au
Fri Mar 19 17:05:14 CST 2004


Hello Nick -

What you describe is what is in the code.

Have a look at "Radius/ServerTACACSPLUS.pm".

regards

Hugh


On 19 Mar 2004, at 17:36, Nick Slager wrote:

> I have a TACACS+ server set up using Radiator 3.9, and am having a small
> problem configuring CommandAuth to work correctly.
>
> In my configuration file, I have the following:
>
>         # support group
>         GroupAuthAttr support priv-lvl=1
>         CommandAuth support permit debug:ppp:.*
>         CommandAuth support deny .*  Access Denied
>
> ie, I want to permit members of the support group to enter 'debug ppp'
> commands, but deny all other exec-level commands, including other debug
> commands.
>
> However, users in this group are able to enter any debug command at all,
> not just 'debug ppp' commands. It seems that only the first part of the
> CommandAuth string is checked (ie, the 'debug' part). In this example,
> I would expect the second debug command to fail:
>
>         router#deb ppp auth
>         PPP authentication debugging is on
>         router#deb bgp ev
>         BGP events debugging is on
>
> However, it clearly works. It appears that only the first "word" of the
> command string is checked. Is anyone able to shed light on why this is
> happening?
>
> Cheers,
>
>
> Nick
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
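
An added example, not part of either message and not Radiator's code: a small Python model of first-match permit/deny rules over TACACS+ `cmd`/`cmd-arg` pairs, showing how checking only the first word reproduces the behaviour reported above, and how to test a rule set against commands that must be denied. The meaning given to ':' in the pattern, the sample AV pairs and all function names are assumptions.

```python
import re

# Rules in the order given in the post: (action, pattern).
# Assumption: ':' in a pattern separates the command from each argument.
RULES = [("permit", r"debug:ppp:.*"), ("deny", r".*")]


def parse_args(av_pairs):
    """Split TACACS+ authorization AV pairs into (cmd, [cmd-arg, ...])."""
    cmd, args = "", []
    for pair in av_pairs:
        name, _, value = pair.partition("=")
        if name == "cmd":
            cmd = value
        elif name == "cmd-arg" and value != "<cr>":  # <cr> marks end of line
            args.append(value)
    return cmd, args


def authorize(av_pairs, rules, first_word_only):
    """Return the action of the first matching rule; deny if none match."""
    cmd, args = parse_args(av_pairs)
    for action, pattern in rules:
        if first_word_only:
            # Model of the reported behaviour: only the command word is
            # compared, against the first ':' field of the pattern.
            subject, pat = cmd, pattern.split(":", 1)[0]
        else:
            # Expected behaviour: the command and every argument are compared.
            subject, pat = ":".join([cmd] + args) + ":", pattern
        if re.fullmatch(pat, subject):
            return action
    return "deny"


# Constructed requests, as a router might send them after expanding
# the abbreviations typed in the post.
DEBUG_PPP = ["service=shell", "cmd=debug", "cmd-arg=ppp",
             "cmd-arg=authentication", "cmd-arg=<cr>"]
DEBUG_BGP = ["service=shell", "cmd=debug", "cmd-arg=bgp",
             "cmd-arg=events", "cmd-arg=<cr>"]

if __name__ == "__main__":
    for name, req in (("debug ppp", DEBUG_PPP), ("debug bgp", DEBUG_BGP)):
        print(name,
              "first-word-only:", authorize(req, RULES, True),
              "full-command:", authorize(req, RULES, False))
```

Running the same pair of requests (one that must be permitted, one that must be denied) against a live server after any rule change shows whether the arguments are being evaluated.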
