(RADIATOR) enable privilege levels for TACACS+ server

Chris Rosan Chris.Rosan at europcar.com.au
Tue Jan 29 17:01:32 CST 2008



One of my techies solved this a few months ago, but he's left now. I'll
try and explain it as best I can.


We use LDAP auth off our Active Directory. We have static entries in a
MySQL database that correspond to the usernames. It means we have to
maintain the database with the priv levels once (when a new staff member
starts) but not passwords etc.


In the config file:



        Key YOURKEY
        AddToRequest NAS-Identifier=TACACS
        DefaultRealm our.ad.realm or domain
        GroupMemberAttr tacacsgroup
        AuthorizeGroup admin permit service=shell cmd\* {priv-lvl=15}
        AuthorizeGroup power permit service=shell cmd\* {priv-lvl=14}

<Handler NAS-Identifier=TACACS,Realm=my.ad.realm>
        Description IT Admin Accounts
        RewriteUsername s/\@my\.ad\.realm//
        <AuthBy GROUP>
                AuthByPolicy ContinueUntilReject
                AuthBy AuthByLDAP
                <AuthBy SQL>
                        DBSource        dbi:mysql:radius
                        DBUsername      dbusername
                        DBAuth          dbpassword
                        AuthSelect select PRIV_LVL from TACACS where
                        AuthColumnDef 0, tacacsgroup, reply
                </AuthBy>
        </AuthBy>
</Handler>




This should be able to be done by any SQL database that radius supports,
or even just with a flatfile.


We have a database "TACACS" with 2 columns. The first column is
"USERNAME", second "PRIV_LVL". These are self explanatory. 




Chris Rosan
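
The following Python is an added illustration, not Radiator code and not anything posted in this thread. It models the decision the clause above expresses: strip the realm as RewriteUsername does, look the user up in the two-column TACACS table, map the stored group name to the matching AuthorizeGroup line, and reject a user LDAP accepted but who has no row (the ContinueUntilReject case). An in-memory SQLite table with constructed rows stands in for MySQL. Two assumptions are mine: that PRIV_LVL holds the AuthorizeGroup name ("admin" or "power") because GroupMemberAttr tacacsgroup is matched against those names, and the check that the requested enable level must not exceed the group's priv-lvl, which is this example's own policy.

```python
import re
import sqlite3

# Constructed sample data standing in for the MySQL "TACACS" table from the
# post. Assumption: PRIV_LVL holds the AuthorizeGroup name that
# GroupMemberAttr tacacsgroup is matched against ("admin" or "power").
SAMPLE_ROWS = [
    ("alice", "admin"),
    ("bob", "power"),
]

# The two AuthorizeGroup lines from the post, as data:
#   AuthorizeGroup admin permit service=shell cmd\* {priv-lvl=15}
#   AuthorizeGroup power permit service=shell cmd\* {priv-lvl=14}
AUTHORIZE_GROUPS = {
    "admin": {"service": "shell", "cmd": "*", "priv-lvl": 15},
    "power": {"service": "shell", "cmd": "*", "priv-lvl": 14},
}

REALM = "my.ad.realm"  # from the Handler's Realm=... and RewriteUsername


def build_db():
    """In-memory SQLite copy of the two-column TACACS table (USERNAME, PRIV_LVL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE TACACS (USERNAME TEXT PRIMARY KEY, PRIV_LVL TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO TACACS VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def strip_realm(username, realm=REALM):
    # Models RewriteUsername s/\@my\.ad\.realm// : drop a trailing @realm only.
    return re.sub(r"@" + re.escape(realm) + r"$", "", username)


def lookup_group(conn, username):
    """Model of the AuthSelect: one parameterised query keyed on USERNAME.

    Returns the PRIV_LVL value (a group name) or None when no row exists,
    which is the case AuthBy SQL turns into a reject.
    """
    row = conn.execute(
        "SELECT PRIV_LVL FROM TACACS WHERE USERNAME = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def authorize(conn, username, requested_priv, ldap_ok=True):
    """Decide an enable request the way the posted clause is wired.

    ldap_ok stands in for the AuthBy LDAP result; with AuthByPolicy
    ContinueUntilReject both the LDAP check and the SQL lookup must pass.
    Returns (accepted, reply_attrs). The ceiling check (requested level must
    not exceed the group's priv-lvl) is this example's own policy, not a
    Radiator feature described in the post.
    """
    user = strip_realm(username)
    if not ldap_ok:
        return False, {}
    group = lookup_group(conn, user)
    if group is None or group not in AUTHORIZE_GROUPS:
        # Authenticated to LDAP but never staged in the table: rejected.
        return False, {}
    rule = AUTHORIZE_GROUPS[group]
    if not 1 <= requested_priv <= rule["priv-lvl"]:
        return False, {}
    return True, {
        "service": rule["service"],
        "cmd": rule["cmd"],
        "priv-lvl": rule["priv-lvl"],
    }


if __name__ == "__main__":
    db = build_db()
    for who, lvl in [("alice@my.ad.realm", 15), ("bob", 15), ("bob", 14), ("carol", 1)]:
        print(who, lvl, authorize(db, who, lvl))
```

The point worth taking from the model is the split of duties the post describes: the directory proves who the user is, the table decides what level they may reach, and a staff member who leaves is removed from the table without touching the directory. The lookup is parameterised for the same reason Radiator quotes %0 in its own AuthSelect: the username arrives from the device and must not be spliced into SQL text.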



From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
Behalf Of Markus Moeller
Sent: Wednesday, 30 January 2008 9:18 AM
To: radiator at open.com.au
Subject: (RADIATOR) enable privilege levels for TACACS+ server


I am trying to run the TACACS+ server in addition to the Radius server. On
a Cisco router you can get into different privilege levels by using enable
# where # is a number between 1 and 15. On a normal TACACS+ server this
corresponds to users enable#, e.g. 15 different users and passwords.


The TACACS+ client sends, among others, the following AV pairs:

Service = ENABLE
Privilege Level = #
User-name = fred
User-password = fred


In the Radiator log I can only see, among others, the following:

Service-Type = Administrative-Login
User-name = fred
User-password = fred


The Service Type changes from User-Login to Administrative-Login, but I
can't identify the privilege level attribute?


How can I get access to the privilege level attribute from TACACS+?


Thank you


