(RADIATOR) ServerTACACSPLUS and mapping both user and client to AuthorizeGroup statements

Andrew Fort afort at choqolat.org
Mon Jul 4 21:31:28 CDT 2005


Hi guys,

We recently updated our Radiator (we were using 2.07-1 before that ;-) and 
are now integrating our existing use of the Cisco development code 
tac_plus daemon to use Radiator's ServerTACACSPLUS.  We also have some 
devices that do exec access via RADIUS (hence using Radiator), but we'll 
ignore those for now as they have simpler demands than the below.

I want to have three or four levels of AuthorizeGroup statements, for 
various access levels.  Then I want to map users to groups, and then map 
TACACS+ clients to these.  Effectively a tuple like:

#device_group:user_group:AuthorizeGroup
border_routers:tier3_engineering:full_enable

I have the user->AuthorizeGroup mappings sorted out, but am having 
trouble visualizing what is the best way to do the combination of device 
group to user group AND AuthorizeGroup group mapping.

I am thinking perhaps building the configuration dynamically for the 
AuthorizeGroup statements in <ServerTACACSPLUS>, combining the 
user_group and device_group into say statements that would have:

	AuthorizeGroup	border_routers_tier3_engineering

Followed by the list of commands for 'full_enable' level of access.  But 
how do I set the user's GroupAttr based on both the TACACS+ Client and 
the Username?

-andrew

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
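The following is an added example, not part of the original post and not Radiator or tac_plus code. It models the device_group:user_group:AuthorizeGroup tuple file described in the post and resolves a (TACACS+ client, username) pair to the combined group name the post proposes (e.g. border_routers_tier3_engineering) plus the underlying AuthorizeGroup. The client-network-to-device-group table, the user-to-user-group table and the extra tuple rows are constructed sample data, not anything from the original message. Anything that does not map (unknown client, unknown user, or a device/user group pair with no tuple) resolves to nothing, so a caller can fall through to a deny-by-default group rather than silently granting access.

```python
"""Resolve (TACACS+ client IP, username) -> (combined group, AuthorizeGroup).

Added example; not Radiator code. The tuple file format comes from the post;
the network and user tables below are hypothetical sample data.
"""
import ipaddress

# Constructed sample of the post's tuple file (first data row is the post's own).
TUPLES = """\
#device_group:user_group:AuthorizeGroup
border_routers:tier3_engineering:full_enable
border_routers:noc:read_only
access_switches:tier3_engineering:full_enable
access_switches:tier2_engineering:config_limited
"""

# Hypothetical: TACACS+ client networks -> device group (assumption).
DEVICE_GROUPS = {
    "border_routers": ["192.0.2.0/28"],
    "access_switches": ["198.51.100.0/24"],
}

# Hypothetical: username -> user group (the post says this part is already sorted out).
USER_GROUPS = {
    "alice": "tier3_engineering",
    "bob": "tier2_engineering",
    "carol": "noc",
}


def parse_tuples(text):
    """Parse device_group:user_group:AuthorizeGroup lines into a dict.

    Blank lines and '#' comments are skipped; malformed or duplicate rows
    raise, because a silently dropped row would change who gets access."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"line {lineno}: expected 3 fields, got {raw!r}")
        dev, usr, grp = parts
        if (dev, usr) in table:
            raise ValueError(f"line {lineno}: duplicate tuple {dev}:{usr}")
        table[(dev, usr)] = grp
    return table


def device_group_for(client_ip, device_groups=DEVICE_GROUPS):
    """Map the TACACS+ client's source address to a device group, or None."""
    ip = ipaddress.ip_address(client_ip)
    for name, nets in device_groups.items():
        if any(ip in ipaddress.ip_network(net) for net in nets):
            return name
    return None


def resolve(client_ip, username, table, user_groups=USER_GROUPS):
    """Return (combined_group_name, authorize_group), or (None, None) if unmapped.

    The combined name is '<device_group>_<user_group>', the naming the post
    suggests for dynamically generated AuthorizeGroup statements."""
    dev = device_group_for(client_ip)
    usr = user_groups.get(username)
    if dev is None or usr is None:
        return None, None
    grp = table.get((dev, usr))
    if grp is None:
        return None, None
    return f"{dev}_{usr}", grp


def combined_group_names(table):
    """Every combined name that would need its own AuthorizeGroup statement."""
    return sorted(f"{dev}_{usr}" for dev, usr in table)


if __name__ == "__main__":
    table = parse_tuples(TUPLES)
    for ip, user in [("192.0.2.5", "alice"), ("192.0.2.5", "bob"),
                     ("198.51.100.7", "bob"), ("203.0.113.1", "alice")]:
        print(ip, user, "->", resolve(ip, user, table))
    print("groups to generate:", combined_group_names(table))
```

The resolver deliberately keeps the three tables separate (client networks, user groups, tuples) so that adding a device to a group or moving a user between tiers does not require touching the tuple file; only a new device/user group combination does.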
