(RADIATOR) handling groups of TACACS+ clients
Andrew D. Clark
adc at umn.edu
Thu Feb 21 15:27:23 CST 2008
On Thursday 21 February 2008 02:43:38 pm Andrew D. Clark wrote:
> On Thursday 21 February 2008 02:14:00 pm Andrew D. Clark wrote:
> > On Wednesday 20 February 2008 04:17:39 pm Hugh Irvine wrote:
> > > Hello Andrew -
> > >
> > > I think you will need to use a PreHandlerHook in the ServerTACACSPLUS
> > > clause to pull the Identifier out of the Client clause, and add it to
> > > the RADIUS request.
> > >
> > > There is an OSC-Client-Identifier vendor specific defined for this
> > > sort of thing.
> > >
> > > Then you can do this:
> > >
> > >
> > > <Handler NAS-Identifier = TACACS, Service-Type = Administrative-User,
> > > OSC-Client-Identifier = Some-Tag>
> > > ......
> > >
> > >
> > > See the example hooks in "goodies/hooks.txt".
> >
> > Should the identifier be accessible within the request reference passed
> > to the hook via something like ${$_[0]}->get_attr('Identifier')
> > or 'Client-Identifier' or will I need to dig it out of the configuration?
>
> Disregard that. Discovered Radius::Client::findAddress().
Here's the hook code in case it is useful for anyone else who has a bunch of
TACACS+ clients that require different behavior and wants to refer to them by
a convenient identifier. It assumes you listed the clients by IP address in
the <Client ...> clause(s).
The hook is called in here:
<ServerTACACSPLUS>
	Key blah
	AddToRequest NAS-Identifier=TACACS
	GroupMemberAttr blahblah
	# authorization configuration
	Include %D/include/authorization.cfg
	# PreHandlerHook to get client identifier
	PreHandlerHook file:"%D/hooks/tacacs_client_identifier"
</ServerTACACSPLUS>
And here's the hook:
# PreHandlerHook to pull the Identifier out of the client clause
# for TACACS+ clients. The Identifier is then added to the request
# in the 'OSC-Client-Identifier' VSA
sub {
    my $p = ${$_[0]};
    my $hook_name = 'tacacs_client_identifier';
    &main::log($main::LOG_DEBUG, "Hook $hook_name called");

    # Look up the <Client ...> clause whose address matches the
    # NAS-IP-Address of the converted request
    my $nas_ip = $p->get_attr('NAS-IP-Address');
    my $client = Radius::Client::findAddress($nas_ip);
    &main::log($main::LOG_DEBUG, "Hook $hook_name searching for client <$nas_ip>");

    # No matching Client clause (or no Identifier in it): leave the request
    # unchanged rather than adding an empty OSC-Client-Identifier
    unless (defined $client && defined $client->{'Identifier'}) {
        &main::log($main::LOG_WARNING, "Hook $hook_name found no Client Identifier for <$nas_ip>");
        return;
    }
    &main::log($main::LOG_DEBUG, "Hook $hook_name got client ident <$client->{'Identifier'}>");
    $p->add_attr('OSC-Client-Identifier', $client->{'Identifier'});
    return;
}
As Hugh wrote above, you can then just match on OSC-Client-Identifier in your
handler(s).
--
Andrew D. Clark, Network Operations Engineer
University of Minnesota, Networking/Telecom Services
2218 University Ave SE
Minneapolis, MN 55414-3029
Phone: 612-626-4880