(RADIATOR) TACACS+ Authorization/Privileges

Gavin Norman gavin.norman at europcar.com.au
Mon Jul 30 01:34:28 CDT 2007


Afternoon,
I'm currently trying to set up TACACS+ authentication & authorization on
a Cisco 801 router with IOS version 12.3. I've managed to get
authentication working fairly quickly (it occurs via LDAP). I'm having some
trouble, however, setting up the authorization/privilege aspect of what I
want to achieve (e.g. admins are level 15 [enable access], everyone else
is 14). Below is my configuration in Radiator:

<ServerTACACSPLUS>
    Key mykey
    AddToRequest NAS-Identifier=TACACS
    DefaultRealm myhandler
    #AuthorizeGroup admin permit service=shell cmd\* {priv-lvl=15}
    #AuthorizeGroup power permit service=shell cmd\* {priv-lvl=14}
</ServerTACACSPLUS>

<Handler NAS-Identifier=TACACS,myhandler>
    Description Cisco Users
    <AuthBy GROUP>
        AuthByPolicy ContinueUntilReject
        AuthBy AuthByLDAP

        <AuthBy SQL>
            DBSource    dbi:mysql:radius
            DBUsername  user
            DBAuth      pass

            AuthSelect select PRIV_LVL from TACACS where USERNAME = "%U"
            AuthColumnDef 0, GroupMemberAttr, reply
        </AuthBy>
    </AuthBy>
</Handler>


As you can see, authentication occurs via LDAP, and authorization is
obtained from a SQL database. I can actually see the GroupMemberAttr
reply in the logs, but this has no effect on the privileges on the
router.

Is anyone aware if any additional configuration on the router needs to
occur (or in the TACACS+ server for that matter)?

Thanks.

Gavin Norman
Helpdesk Administrator
Europcar Asia-Pacific
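As an added example (not part of Gavin's post, and not Radiator's or Cisco's own code), the following Python builds and decodes a TACACS+ authorization REPLY the way a router would receive it. The point it illustrates: the exec privilege level on the router only changes when the reply to its service=shell authorization request carries a `priv-lvl` attribute-value pair, so a GroupMemberAttr value that is merely logged on the server and never translated into such a pair has no visible effect. The group-to-level table (mirroring the commented-out AuthorizeGroup lines), the session id and the sequence numbers are constructed values; the packet layout follows RFC 8907, and the body is sent with the unencrypted flag purely for readability (a real deployment obfuscates the body with the shared key).

```python
"""Build and decode a TACACS+ (RFC 8907) authorization REPLY that carries a
shell privilege level. Added example; not Radiator or IOS code."""
import struct

# Header constants (RFC 8907 section 4.1)
TAC_PLUS_VERSION = 0xC0            # major 0xC, minor 0
TAC_PLUS_AUTHOR = 0x02             # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body in the clear (readability only)

# Authorization reply status values (RFC 8907 section 6.2)
STATUS_PASS_ADD = 0x01   # router merges returned AV pairs into its own
STATUS_PASS_REPL = 0x02  # router replaces its AV pairs with the returned ones
STATUS_FAIL = 0x10

# Constructed policy: group name -> privilege level, as in the post's
# commented-out AuthorizeGroup lines (admin = 15, power = 14).
GROUP_PRIV_LVL = {"admin": 15, "power": 14}


def authorize_shell(group):
    """Return (status, av_pairs) for a service=shell exec authorization.
    A group with no policy is refused instead of silently getting level 1."""
    lvl = GROUP_PRIV_LVL.get(group)
    if lvl is None:
        return STATUS_FAIL, []
    return STATUS_PASS_ADD, ["service=shell", "priv-lvl=%d" % lvl]


def build_author_reply(session_id, seq_no, status, av_pairs, server_msg=""):
    """Serialise header + authorization REPLY body (RFC 8907 section 6.2)."""
    args = [a.encode() for a in av_pairs]
    msg = server_msg.encode()
    # status, arg_cnt, server_msg_len, data_len, then one length byte per arg
    body = struct.pack("!BBHH", status, len(args), len(msg), 0)
    body += bytes(len(a) for a in args)
    body += msg + b"".join(args)
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, seq_no,
                         TAC_PLUS_UNENCRYPTED_FLAG, session_id, len(body))
    return header + body


def parse_author_reply(pkt):
    """Decode a reply as the router would, returning the AV pairs it gets."""
    ver, ptype, seq, flags, sid, length = struct.unpack("!BBBBII", pkt[:12])
    if ptype != TAC_PLUS_AUTHOR or length != len(pkt) - 12:
        raise ValueError("not a well-formed TACACS+ authorization packet")
    body = pkt[12:]
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = list(body[off:off + arg_cnt])
    off += arg_cnt
    server_msg = body[off:off + msg_len].decode()
    off += msg_len + data_len  # data field is unused in this example
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    return {"session_id": sid, "seq_no": seq, "status": status,
            "server_msg": server_msg, "args": args}


def priv_lvl_from_reply(pkt):
    """Privilege level the router will apply, or None when the reply carries
    no priv-lvl (the 'no effect on the router' symptom from the post).
    Both '=' (mandatory) and '*' (optional) AV separators are accepted."""
    info = parse_author_reply(pkt)
    if info["status"] not in (STATUS_PASS_ADD, STATUS_PASS_REPL):
        return None
    for a in info["args"]:
        if a.startswith("priv-lvl") and len(a) > 8 and a[8] in "=*":
            return int(a[9:])
    return None


if __name__ == "__main__":
    status, avs = authorize_shell("admin")
    reply = build_author_reply(0x1234, 2, status, avs)
    print(parse_author_reply(reply))
    print("router exec level:", priv_lvl_from_reply(reply))
```

The router only sends the service=shell request that this reply answers if exec authorization is pointed at TACACS+ (on IOS, `aaa authorization exec default group tacacs+`); without that the server never gets asked and no reply, however well formed, can raise the level. Running a decoder like `parse_author_reply` against a packet capture of the real exchange is a quick way to confirm whether the server is actually emitting `priv-lvl` or just logging its own group attribute.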