(RADIATOR) TACACS+ Authorization/Privileges

Hugh Irvine hugh at open.com.au
Mon Jul 30 03:23:30 CDT 2007


Hello Gavin -

You have to specify GroupMemberAttr in the <ServerTACACSPLUS> clause  
- it indicates the name of the RADIUS reply attribute that you are  
going to use in the RADIUS access accept to specify the group the  
user belongs to. Then you specify the different values for the  
attribute in the AuthorizeGroup lines.

Your configuration file should look more like this:


<ServerTACACSPLUS>
     Key mykey
     AddToRequest NAS-Identifier=TACACS
     # Name of the RADIUS reply attribute that carries the user's group
     GroupMemberAttr tacacsgroup
     # One line per group value; the av-pairs in braces go back to the router
     AuthorizeGroup admin permit service=shell cmd\* {priv-lvl=15}
     AuthorizeGroup power permit service=shell cmd\* {priv-lvl=14}
</ServerTACACSPLUS>

<Handler NAS-Identifier=TACACS>
     Description Cisco Users
     <AuthBy GROUP>
         AuthByPolicy ContinueUntilReject
         AuthBy AuthByLDAP

         <AuthBy SQL>
             DBSource    dbi:mysql:radius
             DBUsername  user
             DBAuth      pass

             AuthSelect select PRIV_LVL from TACACS where USERNAME = "%U"
             # Column 0 of the result becomes the tacacsgroup reply attribute
             AuthColumnDef 0, tacacsgroup, reply
         </AuthBy>
     </AuthBy>
</Handler>


The tacacsgroup field in the TACACS records would then contain either  
"admin" or "power".

There is a working example of how to do this in "goodies/tacacsplusserver.cfg" in the Radiator 3.17.1 distribution.

Note that the Cisco needs to be configured for TACACS+ authentication  
as well as command authorisation.

hope that helps

regards

Hugh

On 30 Jul 2007, at 16:34, Gavin Norman wrote:

> Afternoon,
>
> I'm currently trying to set up TACACS+ authentication &
> authorization on a Cisco 801 router with 12.3 version IOS. I've
> managed to have authentication working fairly quickly (occurs via
> LDAP). I'm having some trouble however setting up the authorization/
> privileged aspect of what I want to achieve (e.g. admins are level
> 15 [enable access], everyone else is 14). Below is my configuration
> in Radiator:
>
> <ServerTACACSPLUS>
>     Key mykey
>     AddToRequest NAS-Identifier=TACACS
>     DefaultRealm myhandler
>     #AuthorizeGroup admin permit service=shell cmd\* {priv-lvl=15}
>     #AuthorizeGroup power permit service=shell cmd\* {priv-lvl=14}
> </ServerTACACSPLUS>
>
> <Handler NAS-Identifier=TACACS,myhandler>
>     Description Cisco Users
>     <AuthBy GROUP>
>         AuthByPolicy ContinueUntilReject
>         AuthBy AuthByLDAP
>
>         <AuthBy SQL>
>             DBSource    dbi:mysql:radius
>             DBUsername  user
>             DBAuth      pass
>
>             AuthSelect select PRIV_LVL from TACACS where USERNAME = "%U"
>             AuthColumnDef 0, GroupMemberAttr, reply
>         </AuthBy>
>     </AuthBy>
> </Handler>
>
> As you can see authentication occurs via LDAP, and authorization is
> obtained from a SQL database. I can actually see the
> GroupMemberAttr reply in the logs, but this has no effect on the
> privileges on the router.
>
> Is anyone aware if any additional configuration on the router needs
> to occur (or in the TACACS+ server for that matter)?
>
> Thanks.
>
> Gavin Norman
>
> Helpdesk Administrator
>
> Europcar Asia-Pacific



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page


