(RADIATOR) additional LDAP/ServerTACACSPLUS
mark
mark at dis-europe.nl
Wed Jul 12 06:34:01 CDT 2006
Foreground
LogStdout
LogDir .
DbDir .
# Use a lower trace level in production systems:
Trace 4
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
#AuthPort
#AcctPort
<ServerTACACSPLUS>
	Key testing123
	BindAddress 10.0.0.37
	# AuthorizationReplace specifies an authorization attribute-value pair
	# that will REPLACE the default ones the client wants to use.
	# You can have as many AuthorizationReplace parameters as you want.
	#AuthorizationReplace service=aironet
	#AuthorizationReplace protocol=shell
	#AuthorizationReplace aironet:admin-capability=write+snmp+ident+firmware+admin
	# AuthorizationAdd ADDS a specific authorization attribute-value pair
	# to all Authorization RESPONSEs. You can have as many AuthorizationAdd
	# parameters as you want.
	# In addition, any cisco-avpair attributes in the radius reply resulting
	# from the TACACS+ authentication will also be added. So you can add
	# per-user authorization to the users reply items in your user database.
	# This example adds authorization for all administrative actions in an Aironet.
	# Consult your client documentation for the specific authorization
	# your client may need.
	#AuthorizationReplace priv-lvl=15
	# AddToRequest can be used to add any Radius attributes to the Radius
	# requests that this module generates
	#AddToRequest NAS-Identifier=TACACS
	#DefaultRealm DEFAULT
	# Define radius group member attribute
	#GroupMemberAttr 8000
	# General Authorization format:
	# GroupAuthAttr <group> <avpair>
	# Command authorization format:
	# CommandAuth <group> <permit|deny> <command:args> [<response message>]
	#GroupAuthAttr 8000 priv-lvl=15
	#CommandAuth tier1 permit show:.*
	#CommandAuth tier1 permit ping:.*
	#CommandAuth tier1 permit traceroute:.*
	#CommandAuth tier1 deny .* Only 'show' commands allowed for tier1
	# allow all for tier3
	#GroupAuthAttr tier1 priv-lvl=15
	#CommandAuth tier3 permit .*
</ServerTACACSPLUS>
<Client DEFAULT>
	Secret testing123
	DupInterval 0
</Client>
<Realm DEFAULT>
	<AuthBy LDAP2>
		Identifier marxtest
		Host 10.0.0.37
		Version 3
		AuthDN cn=admin,dc=test
		BaseDN dc=test
		AuthPassword secret1
		UsernameAttr cn
		PasswordAttr UserPassword
		AuthAttrDef radiusReplyItem,AddReply,reply
		Debug 255
	</AuthBy>
</Realm>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
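The CommandAuth lines in the posted config describe per-group command authorization rules (group, permit or deny, a regex over "command:args", optional response message). The following is an added illustration, not Radiator's code, of how such a rule set can be evaluated; it assumes rules are tried in order, the first rule for the user's group whose regex fully matches "command:args" wins, and a group with no matching rule is denied (fail closed). Whether Radiator anchors the regex exactly this way is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed rule set, transcribed from the commented-out CommandAuth lines
# in the config above (format: <group> <permit|deny> <command:args> [<message>]).
RULES_TEXT = """
CommandAuth tier1 permit show:.*
CommandAuth tier1 permit ping:.*
CommandAuth tier1 permit traceroute:.*
CommandAuth tier1 deny .* Only 'show' commands allowed for tier1
CommandAuth tier3 permit .*
"""

@dataclass
class Rule:
    group: str
    action: str          # "permit" or "deny"
    pattern: re.Pattern  # compiled regex matched against "command:args"
    message: str         # optional response message, empty if none

def parse_rules(text):
    """Parse CommandAuth lines; the optional message is everything after the pattern."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split(None, 4)
        if len(parts) < 4 or parts[0] != "CommandAuth":
            continue
        _, group, action, pattern = parts[:4]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in rule: {line}")
        message = parts[4] if len(parts) > 4 else ""
        rules.append(Rule(group, action, re.compile(pattern), message))
    return rules

def authorize(rules, group, command, args=""):
    """Return (permitted, message) for a command issued by a member of `group`.
    Assumption: first matching rule for the group wins; no match means deny."""
    subject = f"{command}:{args}"
    for r in rules:
        if r.group == group and r.pattern.fullmatch(subject):
            return (r.action == "permit", r.message)
    return (False, "no CommandAuth rule matched")
```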