(RADIATOR) handling groups of TACACS+ clients

Hugh Irvine hugh at open.com.au
Wed Feb 20 18:30:56 CST 2008


Hi Markus -

In this particular case, Andrew is using TACACS+, and it is the ServerTACACSPLUS clause that acts as the Client.

My suggestion to use a PreHandlerHook is designed to do what you describe by doing a look-aside into the Client array to find the corresponding Identifier and add it into an OSC-Client-Identifier attribute.

Otherwise, for simple RADIUS, my suggestion is the same as yours.

regards

Hugh
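The look-aside described above, written out as an added example (not Hugh's or Radiator's own code): a PreHandlerHook that finds the Client clause matching the request's NAS-IP-Address and copies that clause's Identifier into OSC-Client-Identifier, so a Handler can then select on Client-Identifier=Group1 just as it would for RADIUS clients. It assumes the hook is loaded from the ServerTACACSPLUS clause and that Radiator exposes Radius::Client::findAddress() returning the Client object, with the Identifier held in $client->{Identifier}; both are assumptions about Radiator internals, not facts from this thread.

```perl
# Added example, not the project's own code.
# Assumed Radiator internals: Radius::Client::findAddress($addr) returns
# the <Client> object for that address and its Identifier is in
# $client->{Identifier}. Load from the ServerTACACSPLUS clause with:
#   PreHandlerHook file:"%D/tacacs_group_hook.pl"
sub {
    my $p = ${$_[0]};                      # the incoming request packet

    # Only tag requests that arrived via the TACACS+ server clause
    my $nas_id = $p->get_attr('NAS-Identifier');
    return unless defined $nas_id && $nas_id eq 'TACACS';

    # Never override an identifier that is already present
    return if defined $p->get_attr('OSC-Client-Identifier');

    # TACACS+ requests carry the device address as NAS-IP-Address
    my $addr = $p->get_attr('NAS-IP-Address');
    return unless defined $addr;

    # Look aside into the Client table for a clause matching this address
    my $client = Radius::Client::findAddress($addr);
    if (!$client) {
        &main::log($main::LOG_DEBUG,
                   "tacacs_group_hook: no Client clause for $addr");
        return;
    }

    my $id = $client->{Identifier};
    return unless defined $id && length $id;

    # Handlers can now match with Client-Identifier=<Identifier>
    $p->add_attr('OSC-Client-Identifier', $id);
    &main::log($main::LOG_DEBUG,
               "tacacs_group_hook: $addr tagged with Client-Identifier $id");
}
```

A trace 4 debug of a request from a device listed in a Client clause should then show OSC-Client-Identifier in the request before Handler selection.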


On 21 Feb 2008, at 10:14, Markus Moeller wrote:

> Maybe you could add with AddToRequest an Attribute.
>
> <Client 192.168.1.1>
> ...
> AddToRequest TACACS-GROUP=Group1
> </Client>
>
> <Client 192.168.2.1>
> ...
> AddToRequest TACACS-GROUP=Group2
> </Client>
>
> and then
>
> <Handler NAS-Identifier=TACACS, Service-Type=Administrative-User,
> TACACS-GROUP=Group1>
> ...
> </Handler>
>
> <Handler NAS-Identifier=TACACS, Service-Type=Administrative-User,
> TACACS-GROUP=Group2>
> ...
> </Handler>
>
> Markus
>
>
> ----- Original Message ----- From: "Andrew D. Clark" <adc at umn.edu>
> To: <radiator at open.com.au>
> Sent: Wednesday, February 20, 2008 9:07 PM
> Subject: (RADIATOR) handling groups of TACACS+ clients
>
>
>> Is there any mechanism for conveniently grouping TACACS+ clients with an
>> identifier as there is for RADIUS clients?
>>
>> Unfortunately for this case, using RADIUS instead of TACACS+ isn't an option.
>>
>> I have a large number of TACACS+ clients that need to be grouped for different
>> AAA behavior.  If they were RADIUS clients, I'd group them in a <Client ....>
>> clause and then give that group an Identifier, which I'd then match on with a
>> handler like
>>
>> <Handler Client-Identifier=blah>
>> ...
>> </Handler>
>>
>> For TACACS+ clients, it doesn't appear that an Identifier within a TACACS+
>> client clause does anything.  So I'm left with the rather unwieldy
>>
>> <Handler NAS-Identifier=TACACS, Service-Type=Administrative-User,
>> NAS-IP-Address=/192.168.242.108|192.168.244.92|192.168.227.40|192.168.226.37|
>> 192.168.243.83|192.168.237.154|192.168.238.90|192.168.238.81|192.168.228.60|
>> 192.168.235.251|192.168.240.54|192.168.229.21|192.168.231.134|192.168.239.56|
>> 192.168.225.28|192.168.233.108|192.168.224.20|192.168.241.20|192.168.251.250|
>> 192.168.251.251|192.168.247.182|192.168.247.183/>
>> ...
>>
>> The NAS-Identifier comes from my Server TACACSPLUS clause
>>
>> <ServerTACACSPLUS>
>>        Key blah
>>        AddToRequest NAS-Identifier=TACACS
>>        GroupMemberAttr blahblah
>>        # authorization configuration
>>        Include %D/include/authorization.cfg
>> </ServerTACACSPLUS>
>>
>> Hopefully I'm missing something obvious.
>>
>> -- 
>> Andrew D. Clark, Network Operations Engineer
>> University of Minnesota, Networking/Telecom Services
>> 2218 University Ave SE
>> Minneapolis, MN 55414-3029
>> Phone: 612-626-4880
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

