(RADIATOR) handling groups of TACACS+ clients

Markus Moeller huaraz at moeller.plus.com
Wed Feb 20 17:14:43 CST 2008


Maybe you could add an attribute with AddToRequest.

<Client 192.168.1.1>
...
AddToRequest TACACS-GROUP=Group1
</Client>

<Client 192.168.2.1>
...
AddToRequest TACACS-GROUP=Group2
</Client>

and then

<Handler NAS-Identifier=TACACS, Service-Type=Administrative-User, TACACS-GROUP=Group1>
...
</Handler>

<Handler NAS-Identifier=TACACS, Service-Type=Administrative-User, TACACS-GROUP=Group2>
...
</Handler>

Markus


----- Original Message ----- 
From: "Andrew D. Clark" <adc at umn.edu>
To: <radiator at open.com.au>
Sent: Wednesday, February 20, 2008 9:07 PM
Subject: (RADIATOR) handling groups of TACACS+ clients


> Is there any mechanism for conveniently grouping TACACS+ clients with an
> identifier as there is for RADIUS clients?
>
> Unfortunately for this case, using RADIUS instead of TACACS+ isn't an option.
>
> I have a large number of TACACS+ clients that need to be grouped for different
> AAA behavior.  If they were RADIUS clients, I'd group them in a <Client ....>
> clause and then give that group an Identifier, which I'd then match on with a
> handler like
>
> <Handler Client-Identifier=blah>
> ...
> </Handler>
>
> For TACACS+ clients, it doesn't appear that an Identifier within a TACACS+
> client clause does anything.  So I'm left with the rather unwieldy
>
> <Handler NAS-Identifier=TACACS, Service-Type=Administrative-User,
> NAS-IP-Address=/192.168.242.108|192.168.244.92|192.168.227.40|192.168.226.37|
> 192.168.243.83|192.168.237.154|192.168.238.90|192.168.238.81|192.168.228.60|
> 192.168.235.251|192.168.240.54|192.168.229.21|192.168.231.134|192.168.239.56|
> 192.168.225.28|192.168.233.108|192.168.224.20|192.168.241.20|192.168.251.250|
> 192.168.251.251|192.168.247.182|192.168.247.183/>
> ...
>
> The NAS-Identifier comes from my Server TACACSPLUS clause
>
> <ServerTACACSPLUS>
>        Key blah
>        AddToRequest NAS-Identifier=TACACS
>        GroupMemberAttr blahblah
>        # authorization configuration
>        Include %D/include/authorization.cfg
> </ServerTACACSPLUS>
>
> Hopefully I'm missing something obvious.
>
> -- 
> Andrew D. Clark, Network Operations Engineer
> University of Minnesota, Networking/Telecom Services
> 2218 University Ave SE
> Minneapolis, MN 55414-3029
> Phone: 612-626-4880
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
> 
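
Added example, not part of the original thread and not Radiator's own code: with many devices, the per-client layout suggested in the reply can be generated from an inventory, rejecting malformed addresses and any device listed in two groups before the config is written. The group assignments below are constructed for illustration, and the "# ..." lines stand for settings the thread elides.

```python
import ipaddress
import re

# Constructed inventory: group name -> TACACS+ client addresses (sample assignment).
INVENTORY = {
    "Group1": ["192.168.242.108", "192.168.244.92"],
    "Group2": ["192.168.227.40", "192.168.226.37"],
}

# Group names end up inside a comma-separated <Handler ...> line, so keep them simple.
GROUP_RE = re.compile(r"[A-Za-z0-9_-]+")

def validate(inventory):
    """Return {ip: group}; reject bad names, bad addresses and double membership."""
    owner = {}
    for group, addrs in inventory.items():
        if not GROUP_RE.fullmatch(group):
            raise ValueError(f"unsafe group name: {group!r}")
        for addr in addrs:
            ip = str(ipaddress.ip_address(addr))  # ValueError if malformed
            if ip in owner:
                raise ValueError(f"{ip} is in both {owner[ip]} and {group}")
            owner[ip] = group
    return owner

def render(inventory):
    """Emit one <Client> clause per device and one <Handler> clause per group."""
    out = []
    for ip, group in validate(inventory).items():
        out += [f"<Client {ip}>",
                "    # ... remaining client settings",
                f"    AddToRequest TACACS-GROUP={group}",
                "</Client>", ""]
    for group in inventory:
        out += ["<Handler NAS-Identifier=TACACS, "
                f"Service-Type=Administrative-User, TACACS-GROUP={group}>",
                "    # ... AAA policy for this group",
                "</Handler>", ""]
    return "\n".join(out)

if __name__ == "__main__":
    print(render(INVENTORY))
```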

