(RADIATOR) handling groups of TACACS+ clients

Hugh Irvine hugh at open.com.au
Wed Feb 20 16:17:39 CST 2008


Hello Andrew -

I think you will need to use a PreHandlerHook in the ServerTACACSPLUS clause to pull the Identifier out of the Client clause, and add it to the RADIUS request.

There is an OSC-Client-Identifier vendor specific defined for this sort of thing.

Then you can do this:


<Handler NAS-Identifier=TACACS, Service-Type=Administrative-User, OSC-Client-Identifier=Some-Tag>
	......
</Handler>


See the example hooks in "goodies/hooks.txt".

regards

Hugh


On 21 Feb 2008, at 08:07, Andrew D. Clark wrote:

> Is there any mechanism for conveniently grouping TACACS+ clients with an identifier as there is for RADIUS clients?
>
> Unfortunately for this case, using RADIUS instead of TACACS+ isn't an option.
>
> I have a large number of TACACS+ clients that need to be grouped for different AAA behavior.  If they were RADIUS clients, I'd group them in a <Client ....> clause and then give that group an Identifier, which I'd then match on with a handler like
>
> <Handler Client-Identifier=blah>
> ...
> </Handler>
>
> For TACACS+ clients, it doesn't appear that an Identifier within a TACACS+ client clause does anything.  So I'm left with the rather unwieldy
>
> <Handler NAS-Identifier=TACACS, Service-Type=Administrative-User, NAS-IP-Address=/^(192\.168\.242\.108|192\.168\.244\.92|192\.168\.227\.40|192\.168\.226\.37|192\.168\.243\.83|192\.168\.237\.154|192\.168\.238\.90|192\.168\.238\.81|192\.168\.228\.60|192\.168\.235\.251|192\.168\.240\.54|192\.168\.229\.21|192\.168\.231\.134|192\.168\.239\.56|192\.168\.225\.28|192\.168\.233\.108|192\.168\.224\.20|192\.168\.241\.20|192\.168\.251\.250|192\.168\.251\.251|192\.168\.247\.182|192\.168\.247\.183)$/>
> ...
>
> The NAS-Identifier comes from my Server TACACSPLUS clause
>
> <ServerTACACSPLUS>
>         Key blah
>         AddToRequest NAS-Identifier=TACACS
>         GroupMemberAttr blahblah
>         # authorization configuration
>         Include %D/include/authorization.cfg
> </ServerTACACSPLUS>
>
> Hopefully I'm missing something obvious.
>
> -- 
> Andrew D. Clark, Network Operations Engineer 	
> University of Minnesota, Networking/Telecom Services 	
> 2218 University Ave SE
> Minneapolis, MN 55414-3029
> Phone: 612-626-4880
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
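An illustration of the PreHandlerHook approach suggested above, as an added example for this archive page: it is not Hugh's code and not one of the hooks shipped in goodies/hooks.txt. The file name tacacs-client-id.pl, the Identifier value core-routers and the fallback tag UNKNOWN-CLIENT are made up for the example. It assumes that the RADIUS request ServerTACACSPLUS synthesises from a TACACS+ packet carries the matched Client clause in $p->{Client}, as RADIUS requests do, and that OSC-Client-Identifier is present in the dictionary.

```perl
# tacacs-client-id.pl -- added example hook, not part of Radiator or goodies/hooks.txt
#
# Load it from the ServerTACACSPLUS clause with
#     PreHandlerHook file:"%D/tacacs-client-id.pl"
# and give every <Client> clause that TACACS+ devices use an Identifier.
#
# Assumptions (not confirmed by the original post):
#   * $p->{Client} holds the matched <Client> clause for the request that
#     ServerTACACSPLUS builds from the TACACS+ packet.
#   * OSC-Client-Identifier is defined in the dictionary.
sub {
    my $p = ${$_[0]};   # reference to the Radius::Radius request object

    my $client = $p->{Client};
    my $nas    = $p->get_attr('NAS-IP-Address');

    # A TACACS+ packet cannot carry a RADIUS attribute, but if this hook is
    # ever reused on a RADIUS-speaking Client an attacker could send
    # OSC-Client-Identifier in the request and pick their own Handler.
    # Remove anything inbound before adding the server-side value.
    $p->delete_attr('OSC-Client-Identifier');

    # Fall back to a tag that no real Handler matches rather than leaving the
    # attribute off, so a request from a Client with no Identifier can never
    # accidentally satisfy a Handler keyed on a genuine group name.
    my $id = 'UNKNOWN-CLIENT';
    if ($client && defined $client->{Identifier} && length $client->{Identifier}) {
        $id = $client->{Identifier};
    }

    $p->add_attr('OSC-Client-Identifier', $id);

    &main::log($main::LOG_DEBUG,
        'tacacs-client-id: request from '
        . (defined $nas ? $nas : '(no NAS-IP-Address)')
        . " tagged OSC-Client-Identifier=$id");

    return;
}
```

With the hook in place the long NAS-IP-Address regex collapses to, for example, `<Handler NAS-Identifier=TACACS, Service-Type=Administrative-User, OSC-Client-Identifier=core-routers>`, with one such Handler per group. Confirm it is doing what you expect with a trace 4 debug: the synthesised request should show the OSC-Client-Identifier attribute before the "Handling with ..." line for the Handler, and a device whose Client clause has no Identifier should log the fallback tag and fall through to whatever catch-all Handler you have, not into a group.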



