(RADIATOR) additional LDAP/ServerTACACSPLUS
Hugh Irvine
hugh at open.com.au
Wed Jul 12 17:22:51 CDT 2006
Hello Mark -
Can you send me a trace 4 debug showing what is happening in both cases?
And can you please tell me what hardware/software platform you are
running on and what version of Radiator?
regards
Hugh
On 12 Jul 2006, at 21:34, mark wrote:
> Foreground
> LogStdout
> LogDir .
> DbDir .
> # Use a lower trace level in production systems:
> Trace 4
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> #AuthPort
> #AcctPort
>
>
> <ServerTACACSPLUS>
> Key testing123
>
> BindAddress 10.0.0.37
>
> # AuthorizationReplace specifies an authorization attribute-value pair
> # that will REPLACE the default ones the client want to use.
> # You can have as many AuthorizationReplace
> # parameters as you want.
> #AuthorizationReplace service=aironet
> #AuthorizationReplace protocol=shell
> #AuthorizationReplace aironet:admin-capability=write+snmp+ident+firmware+admin
>
> # AuthorizationAdd ADDS a specific authorization attribute-value pair
> # to all Authorization RESPONSEs. You can have as many AuthorizationAdd
> # parameters as you want.
> # In addition, any cisco-avpair attributes in the radius reply resulting
> # from the TACACS+ authentication will also be added. So you can add
> # per-user authorization to the users reply items in your user database
> # This example adds authorization for all administrative actions in an Aironet
> # Consult your client documentation for the specific authorization
> # your client may need
> #AuthorizationReplace priv-lvl=15
>
> # AddToRequest can be used to add any Radius attributes to the Radius
> # requests that this module generates
> #AddToRequest NAS-Identifier=TACACS
> #DefaultRealm DEFAULT
> # Define radius group member attribute
> #GroupMemberAttr 8000
>
> # General Authorization format:
> # GroupAuthAttr <group> <avpair>
> # Command authorization format:
> # CommandAuth <group> <permit|deny> <command:args> [<response message>]
>
> # General Authorization format:
> # GroupAuthAttr <group> <avpair>
> # Command authorization format:
> # CommandAuth <group> <permit|deny> <command:args> [<response message>]
>
> #GroupAuthAttr 8000 priv-lvl=15
> #CommandAuth tier1 permit show:.*
> #CommandAuth tier1 permit ping:.*
> #CommandAuth tier1 permit traceroute:.*
> #CommandAuth tier1 deny .* Only 'show' commands allowed for tier1
>
> # allow all for tier3
> #GroupAuthAttr tier1 priv-lvl=15
> #CommandAuth tier3 permit .*
>
> </ServerTACACSPLUS>
>
>
> <Client DEFAULT>
> Secret testing123
> DupInterval 0
> </Client>
>
> <Realm DEFAULT>
>
>
> <AuthBy LDAP2>
> Identifier marxtest
> Host 10.0.0.37
> Version 3
> AuthDN cn=admin,dc=test
> BaseDN dc=test
> AuthPassword secret1
> UsernameAttr cn
> PasswordAttr UserPassword
> AuthAttrDef radiusReplyItem,AddReply,reply
> Debug 255
> </AuthBy>
>
>
> </Realm>
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
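The checklist above asks for the configuration file with no secrets, while the quoted configuration carries `Key`, `Secret` and `AuthPassword` values. The following is an added example, not part of the original message and not Radiator code, that masks those parameters before a config is posted; the function name, placeholder and trimmed sample are constructed for illustration, and the parameter set is limited to the names seen in the quoted config.

```python
import re

# Secret-bearing parameter names seen in the quoted config. Assumption: one
# "Name value" pair per line; extend the set for other parameters you use.
SECRET_PARAMS = {"Key", "Secret", "AuthPassword"}

BLOCK_OPEN = re.compile(r"^<(\w+)(?:\s+[^>]*)?>$")
BLOCK_CLOSE = re.compile(r"^</(\w+)>$")
# The optional '#' also catches commented-out secrets left in the file.
PARAM = re.compile(r"^(\s*#?\s*)(\w+)(\s+)(\S.*)$")

# Constructed sample, trimmed from the configuration quoted in the message.
SAMPLE = """\
Trace 4
<ServerTACACSPLUS>
    Key testing123
    BindAddress 10.0.0.37
</ServerTACACSPLUS>
<Client DEFAULT>
    Secret testing123
    DupInterval 0
</Client>
<Realm DEFAULT>
    <AuthBy LDAP2>
        AuthDN cn=admin,dc=test
        AuthPassword secret1
        PasswordAttr UserPassword
    </AuthBy>
</Realm>
"""


def redact_config(text, placeholder="REDACTED"):
    """Return (redacted_text, findings); findings are (line_no, block, param)."""
    out, findings, stack = [], [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if BLOCK_CLOSE.match(stripped):
            if stack:
                stack.pop()
        elif m := BLOCK_OPEN.match(stripped):
            stack.append(m.group(1))  # remember the enclosing block name
        elif (m := PARAM.match(line)) and m.group(2) in SECRET_PARAMS:
            findings.append((line_no, stack[-1] if stack else "global", m.group(2)))
            line = f"{m.group(1)}{m.group(2)}{m.group(3)}{placeholder}"
        out.append(line)
    return "\n".join(out), findings


if __name__ == "__main__":
    redacted, found = redact_config(SAMPLE)
    print(redacted)
    print(found)
```

Names are matched exactly, so `PasswordAttr UserPassword` is left alone while `AuthPassword` is masked; the findings list gives a quick record of what was removed and from which block.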