(RADIATOR) ServerTACACSPLUS and mapping both user and client to AuthorizeGroup statements
Andrew Fort
afort at choqolat.org
Mon Jul 4 21:31:28 CDT 2005
Hi guys,
We recently updated our Radiator (we were using 2.07-1 before that ;-) and
are now integrating our existing use of the cisco development code
tac_plus daemon to use Radiator's ServerTACACSPLUS. We also have some
devices that do exec access via RADIUS (hence using Radiator), but we'll
ignore those for now as they have more simplistic demands than the below.
I want to have three or four levels of AuthorizeGroup statements, for
various access levels. Then I want to map users to groups, and then map
TACACS+ clients to these. Effectively a tuple like:
#device_group:user_group:AuthorizeGroup
border_routers:tier3_engineering:full_enable
I have the user->AuthorizeGroup mappings sorted out, but am having
trouble visualising what is the best way to do the combination of device
group to user group AND AuthorizeGroup group mapping.
I am thinking perhaps building the configuration dynamically for the
AuthorizeGroup statements in <ServerTACACSPLUS>, combining the
user_group and device_group into say statements that would have:
AuthorizeGroup border_routers_tier3_engineering
Followed by the list of commands for 'full_enable' level of access. But
how do I set the user's GroupAttr based on both the TACACS+ Client and
the Username?
-andrew
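As an added example (not Radiator configuration syntax and not part of the original post), a small Python model of the two-level lookup the post describes: the TACACS+ client address selects a device group, the username selects a user group, the pair selects an AuthorizeGroup, and that group's ordered permit/deny rules are applied to a command, with any unmapped pairing denied. All addresses, names and rules are constructed sample data.

```python
import ipaddress
import re

# Constructed sample data mirroring the tuple in the post:
# device_group:user_group:AuthorizeGroup
DEVICE_GROUPS = {
    "border_routers": [ipaddress.ip_network("192.0.2.0/24")],
    "access_switches": [ipaddress.ip_network("198.51.100.0/24")],
}
USER_GROUPS = {
    "tier3_engineering": {"alice", "bob"},
    "noc": {"carol"},
}
# (device_group, user_group) -> AuthorizeGroup name
AUTHORIZE_MAP = {
    ("border_routers", "tier3_engineering"): "full_enable",
    ("border_routers", "noc"): "show_only",
    ("access_switches", "noc"): "full_enable",
}
# AuthorizeGroup name -> ordered (action, regex) rules.
# First matching rule wins; no match means deny.
AUTHORIZE_GROUPS = {
    "full_enable": [("permit", r".*")],
    "show_only": [("deny", r"^show running-config"), ("permit", r"^show .*")],
}

def device_group_for(client_ip):
    """Map a TACACS+ client address to its device group, or None."""
    addr = ipaddress.ip_address(client_ip)
    for name, nets in DEVICE_GROUPS.items():
        if any(addr in net for net in nets):
            return name
    return None

def user_group_for(username):
    """Map a username to its user group, or None."""
    for name, members in USER_GROUPS.items():
        if username in members:
            return name
    return None

def authorize_group_for(client_ip, username):
    """Combine client and user into one AuthorizeGroup name (None if unmapped)."""
    dg = device_group_for(client_ip)
    ug = user_group_for(username)
    if dg is None or ug is None:
        return None
    return AUTHORIZE_MAP.get((dg, ug))

def authorize_command(client_ip, username, command):
    """Apply the resolved group's rules to a command; deny when unmapped."""
    group = authorize_group_for(client_ip, username)
    if group is None:
        return False
    for action, pattern in AUTHORIZE_GROUPS[group]:
        if re.match(pattern, command):
            return action == "permit"
    return False
```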
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.