(RADIATOR) RE: Trouble getting Tacacs to work
    Patrik Forsberg
    patrik.forsberg at dataphone.net
    Thu Oct 21 19:57:21 CDT 2004

> Hi Patrick -
> 
> Perhaps you could share an example with us?
Yes, of course :)
The only error I was making was not understanding the option
"GroupMemberAttr".. but ok.. an example..
In the config file.. in my case radius.cfg:
-- begin --
<ServerTACACSPLUS>
        Key SomeSecretKeyOnlyYouKnowAbout
        AddToRequest NAS-Identifier=TACACS
        # Groups
        GroupMemberAttr RouterGroup
        # Group: user gives privilege level 1
        GroupAuthAttr user priv-lvl=1
        CommandAuth user permit .*
        # Group: manager gives privilege level 7
        GroupAuthAttr manager priv-lvl=7
        CommandAuth manager permit .*
        # Group: SecurityOfficer gives privilege level 15
        GroupAuthAttr securityofficer priv-lvl=15
        CommandAuth securityofficer permit .*
</ServerTACACSPLUS>
<Realm DEFAULT>
        <AuthBy DBFILE>
                Filename %D/tacacs-users
        </AuthBy>
</Realm>
--  end  -- 
in the file tacacs-users:
-- begin --
test    Password = "{MD5}098f6bcd4621d373cade4e832627b4f6", Time = "Wk0800-1800"
        RouterGroup = "user",
        Session-timeout="until Time"
--  end  -- 
As I'm actually using this against equipment that doesn't honor the
"CommandAuth" option I'm just setting them as placeholders .. and after
looking over it now I don't think I really need the NAS-Identifier either
;)
The "GroupMemberAttr" actually defines what the attribute will be in the
users file for specifying which group the user belongs to.
Best Regards,
Patrik
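
An added example, not part of the original message and not Radiator code: a small Python audit that resolves each user's GroupMemberAttr value to the priv-lvl set by GroupAuthAttr and flags users whose group has no mapping. The sample input (including the user "bob" and the group "noc") is constructed, and the parsing assumes the layout shown in the message: an unindented line starts a user entry, and each GroupAuthAttr line carries a single priv-lvl.

```python
import re
# Constructed sample input, modelled on the configuration in the message above.
CONFIG = """\
<ServerTACACSPLUS>
        GroupMemberAttr RouterGroup
        GroupAuthAttr user priv-lvl=1
        CommandAuth user permit .*
        GroupAuthAttr securityofficer priv-lvl=15
</ServerTACACSPLUS>
"""
# Constructed users; "bob" names a group that the config never defines.
USERS = """\
test    Password = "{MD5}<constructed-placeholder>", Time = "Wk0800-1800"
        RouterGroup = "user",
        Session-timeout="until Time"
bob     Password = "{MD5}<constructed-placeholder>"
        RouterGroup = "noc"
"""

def parse_config(text):
    """Return (GroupMemberAttr name, {group: priv-lvl}, groups with 'permit .*')."""
    member_attr, levels, permit_all = None, {}, set()
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith(("#", "<")):
            continue
        if words[0] == "GroupMemberAttr":
            member_attr = words[1]
        elif words[0] == "GroupAuthAttr":
            m = re.fullmatch(r"priv-lvl=(\d+)", words[2])
            if m:
                levels[words[1]] = int(m.group(1))
        elif words[0] == "CommandAuth" and words[2:] == ["permit", ".*"]:
            permit_all.add(words[1])
    return member_attr, levels, permit_all

def audit(config, users):
    """Map user -> (group, priv-lvl or None if group is unmapped, permit-all flag)."""
    member_attr, levels, permit_all = parse_config(config)
    pattern = re.compile(rf'\b{re.escape(member_attr)}\s*=\s*"([^"]*)"')
    result, user = {}, None
    for line in users.splitlines():
        if line and not line[0].isspace():  # unindented line starts a user entry
            user = line.split()[0]
            result[user] = (None, None, False)
        m = pattern.search(line)
        if m and user:
            result[user] = (m.group(1), levels.get(m.group(1)), m.group(1) in permit_all)
    return result
```

A priv-lvl of None in the result means the user's group attribute names a group with no GroupAuthAttr line, which is worth reviewing before the file goes live.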