(RADIATOR) ServerTACACSPLUS and mapping both user and client to AuthorizeGroup statements

Hugh Irvine hugh at open.com.au
Tue Jul 5 17:53:14 CDT 2005


Hello Andrew -

You should probably set up different Handlers to process the radius  
requests according to what you describe below.

regards

Hugh


On 5 Jul 2005, at 11:31, Andrew Fort wrote:

> Hi guys,
>
> We recently updated our radiator (were using 2.07-1 before that ;-)  
> and are now integrating our existing use of the cisco development  
> code tac_plus daemon to use Radiator's ServerTACACSPLUS.  We also  
> have some devices that do exec access via RADIUS (hence using  
> Radiator), but we'll ignore those for now as they have more  
> simplistic demands than the below.
>
> I want to have three or four levels of AuthorizeGroup statements,  
> for various access levels.  Then I want to map users to groups, and  
> then map TACACS+ clients to these.  Effectively a tuple like:
>
> #device_group:user_group:AuthorizeGroup
> border_routers:tier3_engineering:full_enable
>
> I have the user->AuthorizeGroup mappings sorted out, but am having  
> trouble visualising what is the best way to do the combination of  
> device group to user group AND AuthorizeGroup group mapping.
>
> I am thinking perhaps building the configuration dynamically for  
> the AuthorizeGroup statements in <ServerTACACSPLUS>, combining the  
> user_group and device_group into say statements that would have:
>
>     AuthorizeGroup    border_routers_tier3_engineering
>
> Followed by the list of commands for 'full_enable' level of  
> access.  But how do I set the user's GroupAttr based on both the  
> TACACS+ Client and the Username?
>
> -andrew
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>


NB: I am travelling this week, so there may be delays in our  
correspondence.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
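As an added illustration of the device_group:user_group:AuthorizeGroup tuple described in the question (example code written for this archive page, not part of the thread and not Radiator's own code or configuration syntax): a small Python resolver that parses the tuple table, maps a TACACS+ client and username to the combined group name (border_routers_tier3_engineering) and denies by default when either side is unknown or no tuple exists for the pair. The client addresses, usernames and the CLIENT_GROUPS, USER_GROUPS and LEVELS tables are constructed placeholders.

```python
from typing import Dict, List, Optional, Tuple

# Constructed policy table in the poster's "#device_group:user_group:AuthorizeGroup" format.
POLICY_TEXT = """
#device_group:user_group:AuthorizeGroup
border_routers:tier3_engineering:full_enable
border_routers:tier1_support:show_only
access_switches:tier1_support:full_enable
"""
# Hypothetical TACACS+ client address -> device group (documentation-range addresses).
CLIENT_GROUPS = {"192.0.2.1": "border_routers", "192.0.2.2": "border_routers",
                 "198.51.100.1": "access_switches"}
# Hypothetical user -> user group (the mapping the poster already has working).
USER_GROUPS = {"andrew": "tier3_engineering", "helpdesk1": "tier1_support"}
# Placeholder rule lines per access level; the real rule syntax is Radiator's and is not shown here.
LEVELS = {"full_enable": ["# <rules granting full enable access>"],
          "show_only": ["# <rules limited to show commands>"]}

def parse_policy(text: str) -> Dict[Tuple[str, str], str]:
    """Parse tuple lines; skip comments and blanks, reject malformed or duplicate entries."""
    policy: Dict[Tuple[str, str], str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"line {lineno}: expected device_group:user_group:AuthorizeGroup")
        key = (parts[0], parts[1])
        if key in policy:
            raise ValueError(f"line {lineno}: duplicate mapping for {key}")
        policy[key] = parts[2]
    return policy

def resolve(policy: Dict[Tuple[str, str], str], client_ip: str, username: str) -> Optional[str]:
    """Combined AuthorizeGroup name (device_group_user_group) for this pair, or None: deny by default."""
    device_group = CLIENT_GROUPS.get(client_ip)
    user_group = USER_GROUPS.get(username)
    if device_group is None or user_group is None or (device_group, user_group) not in policy:
        return None  # unknown client, unknown user, or no tuple for the pair: no group, no access
    return f"{device_group}_{user_group}"

def render(policy: Dict[Tuple[str, str], str]) -> List[str]:
    """Emit one AuthorizeGroup block per tuple, the dynamic generation the poster proposed."""
    out: List[str] = []
    for (device_group, user_group), level in sorted(policy.items()):
        out.append(f"AuthorizeGroup {device_group}_{user_group}")
        out.extend(LEVELS[level])
    return out
```

The generated names are what a per-client Handler (as Hugh suggests) or a GroupAttr lookup would have to select; the placeholder rule lines under each block must be replaced with Radiator's actual AuthorizeGroup rule syntax from the reference manual.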

