(RADIATOR) ServerTACACSPLUS and mapping both user and client to AuthorizeGroup statements
Hugh Irvine
hugh at open.com.au
Tue Jul 5 17:53:14 CDT 2005
Hello Andrew -
You should probably set up different Handlers to process the radius
requests according to what you describe below.
regards
Hugh
On 5 Jul 2005, at 11:31, Andrew Fort wrote:
> Hi guys,
>
> We recently updated our radiator (were using 2.07-1 before that ;-)
> and are now integrating our existing use of the cisco development
> code tac_plus daemon to use Radiator's ServerTACACSPLUS. We also
> have some devices that do exec access via RADIUS (hence using
> Radiator), but we'll ignore those for now as they have more
> simplistic demands than the below.
>
> I want to have three or four levels of AuthorizeGroup statements,
> for various access levels. Then I want to map users to groups, and
> then map TACACS+ clients to these. Effectively a tuple like:
>
> #device_group:user_group:AuthorizeGroup
> border_routers:tier3_engineering:full_enable
>
> I have the user->AuthorizeGroup mappings sorted out, but am having
> trouble visualising what is the best way to do the combination of
> device group to user group AND AuthorizeGroup group mapping.
>
> I am thinking perhaps building the configuration dynamically for
> the AuthorizeGroup statements in <ServerTACACSPLUS>, combining the
> user_group and device_group into say statements that would have:
>
> AuthorizeGroup border_routers_tier3_engineering
>
> Followed by the list of commands for 'full_enable' level of
> access. But how do I set the user's GroupAttr based on both the
> TACACS+ Client and the Username?
>
> -andrew
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
NB: I am travelling this week, so there may be delays in our
correspondence.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
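As an added illustration of the "different Handlers" approach Hugh suggests (this is not configuration from the thread or from Radiator's own documentation): one Handler per device group, selected by the Identifier of the Client that sent the request, each authenticating from its own users file whose reply item names the AuthorizeGroup, so the same username can land in a different command set on a different device class. The directive names (Client-Identifier, GroupMemberAttr, OSC-Group-Identifier, the AuthorizeGroup permit/deny form and the DEFAULT group) are recalled from the Radiator reference manual and should be checked against your version; the group names are Andrew's, the addresses and secrets are placeholders.

```conf
# Added example, not from the original thread: map (device group, user) to an
# AuthorizeGroup by routing each device group through its own Handler.
# Directive names are assumed from the Radiator reference manual; verify them.

<Client 192.0.2.1>
    Identifier border_routers
    Secret CHANGE-ME
</Client>
<Client 192.0.2.2>
    Identifier access_switches
    Secret CHANGE-ME
</Client>

# border_routers: reply items in this users file pick the AuthorizeGroup per user
<Handler Client-Identifier=border_routers>
    <AuthBy FILE>
        Filename %D/users.border_routers
    </AuthBy>
</Handler>

<Handler Client-Identifier=access_switches>
    <AuthBy FILE>
        Filename %D/users.access_switches
    </AuthBy>
</Handler>

# Devices not placed in any group fall through here: read-only mapping only
<Handler>
    <AuthBy FILE>
        Filename %D/users.default
    </AuthBy>
</Handler>

<ServerTACACSPLUS>
    Key CHANGE-ME
    # Reply attribute whose value selects one of the AuthorizeGroup lists below
    GroupMemberAttr OSC-Group-Identifier
    AuthorizeGroup full_enable permit .*
    AuthorizeGroup read_only permit show .*
    AuthorizeGroup read_only deny .*
    # No group on the reply: deny every command rather than fall open
    AuthorizeGroup DEFAULT deny .*
</ServerTACACSPLUS>

# users.border_routers (constructed sample): the same user in
# users.access_switches could carry OSC-Group-Identifier = read_only instead
#   afort  Password = "CHANGE-ME"
#          OSC-Group-Identifier = full_enable
```

The fall-through Handler and the DEFAULT deny group are the parts worth keeping even if you later generate the per-group files from a database: an unmapped device or user then gets no commands instead of inheriting whichever group happened to be listed first.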